tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: reverse proxy with SSO using CAS.
Date Fri, 25 Mar 2011 22:42:13 GMT
Jorge Infante Osorio wrote:
> -----Mensaje original-----
> De: André Warnier [] 
> Enviado el: viernes, 25 de marzo de 2011 13:09
> Para: Tomcat Users List
> Asunto: Re: reverse proxy with SSO using CAS.
> Jorge Infante Osorio wrote:
>> I have an issue in reverse proxy with apache, tomcat and SSO using CAS. 
>> The problem is that my reverse proxy work just fine when I use an 
>> Apache Server as the reverse proxy with two back-end tomcats.
>> But when the I include SSO with CAS to authenticate the user with 
>> access to the tomcat servers the internal redirections are missing to 
>> the users that use the reverse proxy and I don´t know why.
> Thanks, for reposting as a new message.
> I don't know CAS.  I just read the Wikipedia entry right now.
> I just want to point out something to you, in case you would not know and in
> case it may help.
> If you use mod_jk as a proxying connector between Apache and Tomcat, and you
> set the "tomcatAuthentication=false" attribute on the AJP Connector in
> Tomcat, then Tomcat will accept the user authentication from Apache (which
> mod_jk forwards to Tomcat).
> This allows to do the user authentication at the front-end Apache level, and
> pass the user-id to the Tomcat back-end(s) easily.  It may simplify your
> problem.
> It is possible that mod_proxy_ajp provides a similar capability, I don't
> know.
> There are plenty more possibilities for similar schemes, but my time is
> running out right now, because yes I am in my late afternoon mode, and I am
> taking a holiday starting tomorrow (in what increasingly looks like the
> wrong region to be right now).
>  From what I read about CAS, it looks similar to another scheme named OpenId
> I think.  I understood once how that works, but right now something eludes
> me in the redirections schema. I'll think about it next week on the beach.
> But a question : in your CAS scheme, which is/are the server(s) which need
> to talk to the CAS server ?
> When I try to access any tomcat server I'm redirected to the CAS server, I
> authenticate in CAS and then I´m forward to the server that made the call. 
> So if I want to authenticate to App1, this App1 redirect me to CAS, I
> authenticate in CAS and then forward me again to App1.

And if I understand this correctly, this all works with external redirects.
And probably, when the CAS server sends the final re-direct to the browser, back to 
Tomcat, it must append something to the URL (I mean to the Location: header of the 
redirect), whereby the Tomcat-resident CAS module should detect that the call is now 
And since this is all going back-and-forth a couple of times between the front-end Apache

and the back-end Tomcat, the potential for mangling that URL during the proxying is not 

That is probably why Mark was asking if your proxying modifies the URL, and how.
I'll leave you with Mark then for the follow-up.

But I remain convinced that you would do yourself a favor and simplify your world, by 
doing the CAS authentication at the front-end Apache level, and then just pass the user-id

to the Tomcat back-end.

Subsidiary question : there must be a moment in all this, where the back-end Tomcat speaks

directly to the CAS server, no ?  or do these two exchange information just by means of 
the redirects, always going through the browser ?

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message