tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Boorshtein <mboorsht...@gmail.com>
Subject Re: Setting JK_REMOTE_USER help
Date Wed, 16 Jun 2010 14:58:43 GMT
OK, come context first:

What I'm trying to do is integrate a Commercial Off The Shelf (COTS)
application that relies on container security into a Web Access
Manager (WAM).  In a typical WAM deployment there are AAA is broken up
into multiple layers:

Web Server - Authentication (via the WAM) and course grained
Authorization (can the user access this app?)
Application - Fine grained Authorization aka Entitlements (can the
user perform task x?)

Since the authentication is done at the web server but the
entitlements are done by the application the web server needs to tell
the application server who the user is and the application server then
needs to fulfill the J2EE contract by providing information about the
user to the application.

In commercial application servers (Weblogic, WebSphere, JBoss) this is
done with an agent of some kind that satisfies the application
server's security requirements (usually by phoning home to the WAM to
validate the request).  However commercial WAM products (SiteMinder,
OAM, etc) don't provide an "agent" for Tomcat.  Given that what I'm
working on is a POC I'm not overly concerned with security as in
production this app will likely run on weblogic but for my purposes
Tomcat is a better pick for now.

That being said, the sequence of events should be:
1.  Web server authenticates the user (works)
2.  Pass the context to Tomcat (works)
3.  Tomcat calls the realm to retrieve the user information and set
the context (doesn't presently occur)

#3 appears to be the issue.  Authenticaiton and Authorization should
be separate steps entirely in order to satisfy the J2EE contract in an
enterprise environment (which often involves WAMs).

So it doesn't sound like there is a configuration way to handle this.
I think I'll try hacking around to see if I can solve this with some
kind of custom Realm.

>>
>> As for the versions, thanks for the reminder:
>> Tomcat 6.0.26
>> Apache 2.2.15
>> mod_jk 1.2   <== you are missing a number here, and for some things it
>> really matters
>> CentOS 5.5
>>
>

mod_jk 1.2.30

> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message