tomcat-users mailing list archives

From André Warnier (tomcat) ...@ice-sa.com>
Subject Re: HTTPD pass off delegation credentials to Apache Tomcat 8.5.23 for SSO Kerberos
Date Wed, 19 Sep 2018 21:12:00 GMT
Hi.
Much better.
I don't know if I will be able to help you, considering my little knowledge of Kerberos, 
but I'm sure that someone else now will be.

On 19.09.2018 16:08, Thomas Delaney wrote:
> Here is more detail into what I went through for setting up Apache Tomcat.:
> I configured each Apache Tomcat instance using this bit of documentation:
> SPNEGO
> http://spnego.sourceforge.net/
>
> I also used this documentation in order to get my workstation to accept
> Kerberos authentication and not default to NTLM.
> https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM
>
> *I created/configured the following based on what was outlined from the
> SPNEGO doc:*
> login.conf
> krb.conf
> HelloKDC.java successfully connected when testing
> The SPNEGO filter in Apache Tomcat's web.xml
> Took the source code for spnego.jar and placed it in Apache Tomcat's library
> hello_spnego.jsp successfully displayed the correct remote user on the web
> page
> hello_delegate.jsp successfully displayed the correct delegated credentials
> on the webpage.

Ok, so we can assume
- that the basic Kerberos infrastructure works
- that you know how to set it up
- and that it works when you do the Kerberos authentication in Tomcat itself, and access 
tomcat directly from the browser.

>
> Once I was able to verify that the above steps worked on Apache Tomcat. I
> tested the same web pages on Apache HTTPD.

You mean "when accessing Tomcat /through/ the Apache httpd front-end", right ?

From your original description, I thought that you wanted to do the Kerberos authentication in the front-end Apache httpd, and pass on the authenticated user-id to the back-end Tomcats then. That's still an option anyway.
But from the description below it looks like you want to keep the SPNEGO/Kerberos authentication at the Tomcat level, and just want the front-end httpd to be "transparent" with respect to the Kerberos authentication exchanges.
Do I get this right ?

> I ran into issues when testing hello_spnego.jsp and hello_delegate.jsp.
>
> Here have been my results:
> hello_spnego.jsp -> "hello root !" (root being a unix user and not the
> AD/Windows user signed onto the domain).
> hello_delegate.jsp -> "No delegated creds."
>
> *Here is the section of the SPNEGO doc source on how to setup
> hello_delegation.jsp and create hello_spnego.jsp:*
> http://spnego.sourceforge.net/credential_delegation.html

Mmm. This is quite complicated, but I think that I'm starting to guess what the problem is.
I think that "delegation" is not really what you want to do here. It might work in the absolute (if everything was set up correctly to do it), but I believe that it is overkill in your case; and I believe that you are missing one piece of the puzzle anyway.

Taking into account my total lack of experience with SPNEGO/Kerberos delegation - and thus taking this with a grain of salt - I believe (from the above documentation page) that for such a delegation to work with an Apache httpd front-end, your browser would /first/ need to be authenticated already by the front-end (for example, "as you"), and that this front-end /itself/ would need to have /its own (separate) account/ in your infrastructure - and an account with special properties - in order to be allowed to authenticate "as you" (otherwise said : "impersonate you") with the Tomcat back-end's SPNEGO/Kerberos Valve.

>
> *Here is how I have Apache HTTPD forwarding requests to Tomcat. *
> Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/"
> env=BALANCER_ROUTE_CHANGED
> <Proxy balancer://application>
>      BalancerMember "http://localhost:8081/application" route=node1
>     BalancerMember "http://localhost:8082/application" route=node2
>     BalancerMember "http://localhost:8083/application" route=node3
>      ProxySet lbmethod=byrequests stickysession=ROUTEID
> </Proxy>
>
> ProxyPass /application balancer://application/
> ProxyPassReverse /application balancer://application/
>

What you are setting up here is a standard Apache httpd "reverse proxy + load-balancer". But, as far as I can see from the above, this proxy does not (itself) authenticate the browsers which talk to it.

So this front-end proxy does not really have a (browser-originating) user-id for which it would be able to request a "delegated authentication".
And it is also not set up to do "delegated authentication" with the back-end Tomcat's SPNEGO/Kerberos Valve.

This may be a bit confusing, and maybe this article explains it better than I could :
https://blogs.informatica.com/2018/05/07/the-kerberos-conundrum-a-proxys-plight/#fbid=UtL4Ic19fwv
(Obviously, this is talking about some other front-end proxy software, but you can see that one needs something additional on the front-end proxy, to do this kind of thing).

All in all, if all that you need is that the application installed under Tomcat would be able to obtain an authenticated "current user-id", I would suggest that instead of trying to configure this using impersonation/delegation, you try something simpler to set up :

- remove the SPNEGO/Kerberos authentication part in Tomcat
- add an SPNEGO/Kerberos authentication at the Apache httpd front-end level, so that the front-end authenticates the user, *before* proxying the requests to the back-end Tomcat
- then configure the front-end to pass along this by now authenticated user-id, in the requests that it passes to Tomcat
- and configure Tomcat to pick up this user-id from the request, and take it as the Tomcat-level user-id for the request

For the first part, you could use this as a guide :
http://www.microhowto.info/howto/configure_apache_to_use_kerberos_authentication.html
or this :
http://modauthkerb.sourceforge.net/configure.html

For the second part, the easiest way is to use the AJP-protocol proxying between Apache 
httpd and Tomcat, as indicated in a previous message to the list.
>
>
> On Wed, Sep 19, 2018 at 7:57 AM André Warnier (tomcat) <aw@ice-sa.com>
> wrote:
>
>> On 18.09.2018 23:24, Thomas Delaney wrote:
>>> Hello All,
>>>
>>> I have recently configured Apache Tomcat on a SuSe Enterprise 12 SP3
>>> server to get Kerberos SSO working with a web client application. I have also in
>>> addition configured Apache HTTPD 2.4.29 on the same machine. When I reach
>>> that website I am failing to get SSO working. The web server is not
>>> passing off the delegation credentials to Apache Tomcat server. I have the web
>>> server load balance proxying its request to multiple Apache Tomcat
>>> instances. I have tried applying mod_proxy_http environment variables,
>>> but the site continues to fail SSO. Is there a guide or configuration that
>>> HTTPD and Apache Tomcat both use to involve Apache HTTPD passing off
>>> delegation credentials to Apache Tomcat?
>>>
>>
>> If you would like someone here to be able to help you, you would need to
>> be much more
>>    precise than that.  You write "I have done this" and "I have done that",
>> but without
>>    giving any clue as to /how/ you did this or that.
>> You are not even saying /where/ you have configured the Kerberos SSO.
>> Under the Apache
>> httpd front-end ? or under Tomcat ?
>>
>> To point you nevertheless in a possible direction, read this :
>>
>> https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Apache_httpd
>> (and, in your mind, substitute "Windows authentication" by "Kerberos
>> authentication")
>>
>>
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>
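The four-step alternative suggested in the reply (authenticate at the httpd front-end with mod_auth_kerb, then proxy over AJP so the authenticated user-id travels with the request) could look like the following httpd configuration. This is an added example, not configuration from the thread or from the Apache httpd or Tomcat projects; the server name, realm, keytab path, module paths and AJP ports are assumed placeholders, and the balancer section is the poster's own block rewritten to use ajp:// members.

```apache
# Added example (not from the thread). Front-end httpd does the
# SPNEGO/Kerberos authentication and forwards over AJP, which carries
# the authenticated principal to Tomcat. All names/paths/ports are assumed.
# Module file locations depend on the distribution.
LoadModule auth_kerb_module modules/mod_auth_kerb.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule headers_module modules/mod_headers.so

# TLS directives omitted; in practice this vhost should be served over HTTPS.
<VirtualHost *:80>
    ServerName www.example.com

    # Step 2: the front-end authenticates the browser before proxying.
    # The HTTP/www.example.com service principal must be in this keytab
    # (it moves here from the Tomcat-side SPNEGO filter, which is removed).
    <Location /application>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP/www.example.com
        Krb5Keytab /etc/apache2/http.keytab
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        # Strip "@EXAMPLE.COM" so REMOTE_USER is the bare account name.
        KrbLocalUserMapping On
        Require valid-user
    </Location>

    # Step 3: AJP (not http://) members, so REMOTE_USER is forwarded
    # as the request's principal instead of being dropped.
    Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
    <Proxy balancer://application>
        BalancerMember "ajp://localhost:8009/application" route=node1
        BalancerMember "ajp://localhost:8010/application" route=node2
        BalancerMember "ajp://localhost:8011/application" route=node3
        ProxySet lbmethod=byrequests stickysession=ROUTEID
    </Proxy>
    ProxyPass /application balancer://application/
    ProxyPassReverse /application balancer://application/
</VirtualHost>
```

For step 4 on the Tomcat side, each instance's AJP `<Connector>` in server.xml needs `tomcatAuthentication="false"`, which makes Tomcat accept the principal sent by httpd as `request.getRemoteUser()` instead of running its own authentication. The check a practitioner should then make: with that attribute set, Tomcat trusts any AJP client's user-id without verification, so the AJP connectors must only be reachable from the front-end (bind them with `address="127.0.0.1"` when httpd is on the same machine, as here, or firewall the ports), otherwise anything that can open an AJP connection can claim an arbitrary user.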