tomcat-users mailing list archives

From André Warnier
Subject Re: [OT] mod_jk inserting Transfer-Encoding Chunked header
Date Sun, 11 Oct 2009 16:08:26 GMT
Rainer Jung wrote:
> On 11.10.2009 14:35, André Warnier wrote:
>> Mark Thomas wrote:
>>> André Warnier wrote:
>>>> Sam Crawford wrote:
>>>>> Apologies for misinterpreting your post.
>>>>> Unfortunately we can't ditch SunONE - it's a requirement from our
>>>>> security guys. We're operating in a two-tier DMZ environment and
>>>>> SunONE will be in the top tier, with an SSO agent running inside it.
>>>>> JBoss will be in the 2nd tier.
>>>> Just out of curiosity (and I do not know SunONE): you mention SSO. I know
>>>> that with Apache and mod_jk, the authenticated Apache user can be passed
>>>> on to Tomcat, and used by Tomcat. But I don't so far know any other
>>>> connector able to do this. How does it work with SunONE?
>>> All the variants of mod_jk (httpd, IIS, Netscape) support this, as does
>>> mod_proxy_ajp. It is a feature supported by the AJP protocol. AFAIR
>>> the Netscape variant works with SunOne.
>> Thanks for that clarification.
>> Since I work mostly with Apache, my knowledge of IIS-related stuff is
>> scarce, and I have another follow-up question :
>> If the webserver is IIS, connected to Tomcat (as you imply above) via
>> the appropriate version of mod_jk, does that mean that when a HTTP
>> user's browser (IE) connects to IIS, and IIS authenticates the user (via
>> some NTLM scheme), this IE/IIS user-id is automatically being passed to
>> Tomcat via AJP, and (depending on the Tomcat configuration) Tomcat can
>> make use of it ?
>> Or does the above require additional setup steps at the IE/IIS/mod_jk
>> level ?
> As far as I know that works out of the box. In order to let tomcat trust
> the information, you'd need to set tomcatAuthentication though.
> One unfortunate thing: we use the standard request data REMOTE_USER to
> forward, and for IIS this is:
> "The name of the user as it is derived from the authorization header
> sent by the client, before the user name is mapped to a Windows account.
> If you have an authentication filter installed on your Web server that
> maps incoming users to accounts, use LOGON_USER to view the mapped user
> name."
> AFAIR this means you get a lot of different mixtures of upper and lower
> case etc. Not a normalized version of the user id.
> When activating debug log level in mod_jk, there is a line
> Service protocol=%s method=%s host=%s addr=%s name=%s port=%d auth=%s
> user=%s uri=%s
> which contains the authentication protocol ("auth=") and the user name
> ("user=") being forwarded.
Thanks, Rainer.
Do you also happen to remember if the user-id so forwarded is just the 
user-id, or (if NTLM) does it include the NTLM domain ? (like 
domain\user).  Or is the answer to that also of the "it depends" type ?
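
Added example (not part of the original message, and not mod_jk code): a Python sketch that parses lines in the debug format quoted above and reports forwarded `user=` values that differ only by case, handling both a bare user and a `domain\user` form. The sample lines and their prefix, the `(null)` placeholder for an absent user, and lowercasing as the normalization rule are assumptions.

```python
import re
from collections import defaultdict

# Field order follows the mod_jk debug format string quoted in the thread.
SERVICE_RE = re.compile(
    r"Service protocol=(?P<protocol>\S+) method=(?P<method>\S+) "
    r"host=(?P<host>\S+) addr=(?P<addr>\S+) name=(?P<name>\S+) "
    r"port=(?P<port>\d+) auth=(?P<auth>\S+) user=(?P<user>.*?) uri=(?P<uri>\S+)"
)

# Constructed sample lines; the "[ts] [pid] [debug]" prefix is illustrative only.
SAMPLE_LOG = r"""
[ts] [pid] [debug] Service protocol=HTTP/1.1 method=GET host=(null) addr=192.0.2.10 name=www.example.test port=80 auth=NTLM user=EXAMPLE\JSmith uri=/app/
[ts] [pid] [debug] Service protocol=HTTP/1.1 method=GET host=(null) addr=192.0.2.11 name=www.example.test port=80 auth=NTLM user=example\jsmith uri=/app/report
[ts] [pid] [debug] Service protocol=HTTP/1.1 method=GET host=(null) addr=192.0.2.12 name=www.example.test port=80 auth=Basic user=jsmith uri=/app/
[ts] [pid] [debug] Service protocol=HTTP/1.1 method=GET host=(null) addr=192.0.2.13 name=www.example.test port=80 auth=(null) user=(null) uri=/public/
"""

def parse_service_line(line):
    """Return the fields of one 'Service ...' debug line, or None if no match."""
    m = SERVICE_RE.search(line)
    return m.groupdict() if m else None

def canonical_user(raw):
    """Return (domain, user) lowercased; domain is None when no backslash is present.

    Assumption: an absent user is logged as '(null)' or an empty string.
    """
    if raw in ("", "(null)"):
        return None
    domain, sep, user = raw.rpartition("\\")
    return (domain.lower() if sep else None, user.lower())

def case_variants(log_text):
    """Map each canonical id to the raw spellings seen, keeping ids with more than one."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_service_line(line)
        if fields is None:
            continue
        key = canonical_user(fields["user"])
        if key is not None:
            seen[key].add(fields["user"])
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for key, spellings in case_variants(SAMPLE_LOG).items():
        print(key, sorted(spellings))
```

A bare `jsmith` and `example\jsmith` are kept as separate identities, since the thread leaves open whether the domain is included in the forwarded value.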
