From: André Warnier
Date: Sun, 11 Oct 2009 18:08:26 +0200
To: Tomcat Users List
Subject: Re: [OT] mod_jk inserting Transfer-Encoding Chunked header

Rainer Jung wrote:
> On 11.10.2009 14:35, André Warnier wrote:
>> Mark Thomas wrote:
>>> André Warnier wrote:
>>>> Sam Crawford wrote:
>>>>> Apologies for misinterpreting your post.
>>>>>
>>>>> Unfortunately we can't ditch SunONE - it's a requirement from our
>>>>> security guys. We're operating in a two-tier DMZ environment and
>>>>> SunONE will be in the top tier, with an SSO agent running inside it.
>>>>> JBoss will be in the 2nd tier.
>>>>>
>>>> Just out of curiosity (and I do not know SunONE): you mention SSO. I know
>>>> that with Apache and mod_jk, the authenticated Apache user can be passed
>>>> on to Tomcat, and used by Tomcat. But I don't so far know any other
>>>> connector able to do this. How does it work with SunONE?
>>> All the variants of mod_jk (httpd, IIS, Netscape) support this, as does
>>> mod_proxy_ajp. It is a feature supported by the AJP protocol. AFAIR
>>> The Netscape variant works with SunOne.
>>>
>> Thanks for that clarification.
>> Since I work mostly with Apache, my knowledge of IIS-related stuff is
>> scarce, and I have another follow-up question:
>> If the webserver is IIS, connected to Tomcat (as you imply above) via
>> the appropriate version of mod_jk, does that mean that when a HTTP
>> user's browser (IE) connects to IIS, and IIS authenticates the user (via
>> some NTLM scheme), this IE/IIS user-id is automatically being passed to
>> Tomcat via AJP, and (depending on the Tomcat configuration) Tomcat can
>> make use of it?
>> Or does the above require additional setup steps at the IE/IIS/mod_jk
>> level?
>
> As far as I know that works out of the box. In order to let tomcat trust
> the information, you'd need to set tomcatAuthentication though.
>
> One unfortunate thing: we use the standard request data REMOTE_USER to
> forward, and for IIS this is:
>
> "The name of the user as it is derived from the authorization header
> sent by the client, before the user name is mapped to a Windows account.
> If you have an authentication filter installed on your Web server that
> maps incoming users to accounts, use LOGON_USER to view the mapped user
> name."
>
> AFAIR this means you get a lot of different mixtures of upper and lower
> case etc. Not a normalized version of the user id.
>
> When activating debug log level in mod_jk, there is a line
>
> Service protocol=%s method=%s host=%s addr=%s name=%s port=%d auth=%s user=%s uri=%s
>
> which contains the authentication protocol ("auth=") and the user name
> ("user=") being forwarded.
>

Thanks, Rainer.
Do you also happen to remember if the user-id so forwarded is just the user-id, or (if NTLM) does it include the NTLM domain? (like domain\user).
Or is the answer to that also of the "it depends" type?
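
An added example, not part of the original messages and not mod_jk code: a small parser for the debug line quoted in the thread that groups the forwarded `user=` values, so an administrator can see how many spellings of one account reach Tomcat. The sample lines (including the `[debug]` prefix and the `domain\user` form) are constructed, and the normalization rule is an assumption made for reporting.

```python
import re
from collections import defaultdict

# Field layout follows the format string quoted in the thread:
# Service protocol=%s method=%s host=%s addr=%s name=%s port=%d auth=%s user=%s uri=%s
SERVICE_RE = re.compile(
    r"Service protocol=(?P<protocol>\S+) method=(?P<method>\S+) "
    r"host=(?P<host>\S+) addr=(?P<addr>\S+) name=(?P<name>\S+) "
    r"port=(?P<port>\d+) auth=(?P<auth>\S+) "
    r"user=(?P<user>.*?) uri=(?P<uri>\S+)"
)

def parse_service_line(line):
    """Return the fields of a 'Service protocol=...' line, or None."""
    m = SERVICE_RE.search(line)
    return m.groupdict() if m else None

def canonical_user(raw):
    """Assumed reporting key: drop a DOMAIN\\ prefix or @realm suffix, lowercase.
    This groups spellings for review; it is not an authorization key."""
    name = raw.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.strip().lower()

def spelling_variants(lines):
    """Map canonical user -> sorted raw spellings, for users seen in >1 form."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_service_line(line)
        if rec:
            seen[canonical_user(rec["user"])].add(rec["user"])
    return {u: sorted(v) for u, v in seen.items() if len(v) > 1}

# Constructed sample lines; only the 'Service ...' part mirrors the thread.
SAMPLE = [
    r"[debug] Service protocol=HTTP/1.1 method=GET host=192.0.2.10 addr=192.0.2.10 name=intranet.example port=80 auth=NTLM user=EXAMPLE\JSmith uri=/app/",
    r"[debug] Service protocol=HTTP/1.1 method=GET host=192.0.2.11 addr=192.0.2.11 name=intranet.example port=80 auth=NTLM user=example\jsmith uri=/app/report",
    r"[debug] Service protocol=HTTP/1.1 method=POST host=192.0.2.12 addr=192.0.2.12 name=intranet.example port=80 auth=Basic user=jsmith uri=/app/save",
    r"[debug] Service protocol=HTTP/1.1 method=GET host=192.0.2.13 addr=192.0.2.13 name=intranet.example port=80 auth=NTLM user=adoe uri=/app/",
    "[debug] some unrelated log line",
]

if __name__ == "__main__":
    for user, forms in spelling_variants(SAMPLE).items():
        print(user, "->", forms)
```

Any account listed by `spelling_variants` is one that a case-sensitive or domain-sensitive role mapping on the Tomcat side would treat as several different principals.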