tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: reverse proxy with SSO using CAS.
Date Tue, 05 Apr 2011 10:08:07 GMT
On 04/04/2011 22:28, Jorge Infante Osorio wrote:
> Hi Mark.
> -----Mensaje original-----
> De: Mark Thomas [] 
> Enviado el: viernes, 25 de marzo de 2011 12:57
> Para: Tomcat Users List
> Asunto: Re: reverse proxy with SSO using CAS.
> On 25/03/2011 16:35, Jorge Infante Osorio wrote:
>> I have an issue in reverse proxy with apache, tomcat and SSO using CAS. 
>> The problem is that my reverse proxy work just fine when I use an 
>> Apache Server as the reverse proxy with two back-end tomcats.
>> But when the I include SSO with CAS to authenticate the user with 
>> access to the tomcat servers the internal redirections are missing to 
>> the users that use the reverse proxy and I don´t know why.
>> Can anyone have any idea on this?
> Does the reverse proxy modify the URL in anyway? If so how?
> Mark
> This is my reverse proxy configuration:
> **************************************

I removed the commented out lines for clarity.

> LoadModule proxy_module      /usr/lib/apache2/modules/
> LoadModule proxy_http_module /usr/lib/apache2/modules/
> LoadModule headers_module    /usr/lib/apache2/modules/
> LoadFile                     /usr/lib/
> LoadModule proxy_html_module /usr/lib/apache2/modules/
> LoadModule xml2enc_module    /usr/lib/apache2/modules/
> ProxyRequests off
> # the CAS server
> ProxyPass /cas-web/
> #phpCAS client
> ProxyPass /cascliente/
> #Liferay server
> ProxyPass /    
> ProxyPassReverse /cascliente/
> ProxyPassReverse /cas-web/
> ProxyPassReverse /    

I usually place the ProxyPassReverse line directly below the ProxyPass
line so I can check the two match.

> ProxyPassReverseCookiePath /cas-web/

This is wrong. It should only contain paths. It should probably be:
ProxyPassReverseCookiePath /cas-web  /

> ProxyHTMLEnable On

I always use mod_substitute since that is distributed with httpd.

> ProxyHTMLURLMap    /cas-web
> ProxyHTMLURLMap           /
> ProxyHTMLURLMap      /cascliente

Those don't look right to me. I'd expect something like:
ProxyHTMLURLMap  http://<httpdhostname>
ProxyHTMLURLMap  http://<httpdhostname>
ProxyHTMLURLMap       http://<httpdhostname>

> The reverse proxy don´t change the URL.
> In this moment I have two problem:
> 1. Pass the cookie in the navigator from and application to another.  I used
> ProxyPassReverseCookiePath with not success.

You are looking in the right place. CAS uses both cookies and it also
embeds URLs in login pages and if running behind a reverse proxy these
can need tweaking. Since you aren't changing the URL paths the changes
should be minimal (the ports may need tweaking). Also check the CAS
configuration for URLs that need to be tweaked.

Work you way through the login process monitoring each request and
response with LiveHttpHeaders or Fiddler etc. Check the headers and
request/response bodies and fix one stage before you move on to the next.

> 2. Use the CAS server with https. I don´t know how configure the proxy
> server to do that.

Get CAS working first and worry about this later.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message