tomcat, apache with mod_jk and mod_auth_kerb

Hi,

I am using httpd v2.0.58 installed on a Solaris 10 system, and also have mod_auth_kerb with a proper Kerberos infrastructure.
I am hosting a few new applications on Tomcat and wanted to integrate them with Kerberos, but via httpd as the front end.
That is, httpd will do the front-end Kerberos authentication and pass on the authentication details like REMOTE_USER/kerb_cache to Tomcat through mod_jk.

I earlier tried using the mod_rewrite module with proxying, but
that would require me to enable the HTTP connector port of the Tomcat instance and would leave the spoofing chances wide open.
That is, instead of "my apache" instance doing the authentication and passing on the remote_user variable, any arbitrary user could host his own httpd instance and send a spoofed REMOTE_USER variable to the Tomcat instance, thus breaking the whole secured system.
Hence, I just want to use the AJP connection of Tomcat and keep the HTTP connector of the Tomcat instance closed.

Regarding AJP, I searched for a while and found that mod_jk and mod_proxy_ajp are the two best options around for integrating Tomcat with Apache, but
then learned that mod_proxy_ajp is only available for httpd v2.2 or later, and unfortunately my installed version is httpd v2.0.58.
So the mod_proxy_ajp choice is perhaps ruled out for now and I am left with the mod_jk module and the configuration overhead it involves.
I have no problems in using mod_jk but could not figure out a way of passing the remote_user variable effectively to the Tomcat instance....
I would also like the scalability of a single httpd instance supporting multiple Tomcat instances (maybe on a single host, or spanned across multiple hosts).
 
I have tried using the SetEnvIf, JkEnvVar and RequestHeader directives, only to find them of no use.

Could anyone please help me figure out the much-needed lines that I need to put into httpd.conf to get the authentication information passed correctly to Tomcat from the kerberized HTTP access?

This is a glimpse of the (non-working) httpd configuration that I have for my httpd instance and Tomcat right now; any corrections/suggestions are most welcome.
 

----------
Listen 8080

LoadModule jk_module  libexec/mod_jk.so
JkLogFile /home/me/httpd/logs/jk_log
JkLogLevel DEBUG
JkShmFile /home/me/httpd/logs/jkshmfile
JkWorkersFile /home/me/httpd/conf/worker-properties

<VirtualHost *:8080>
ServerName httpdauth.mysub.mydomain.com
ServerAlias httpdauth.mysub httpdauth

<Location /default>
    AuthType Kerberos
    AuthName "Testing"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbAuthRealms MYDOMAIN.COM UNIX.MYDOMAIN.COM
    KrbServiceName HTTP/httpdauth.mysub.mydomain.com@xxxxxxxxxxxxxxxxx
    KrbSaveCredentials on
    Krb5Keytab /home/me/httpd/conf/httpdauth.http.keytab
    require valid-user
</Location>

  SetHandler jakarta-servlet
  RequestHeader set X_REQHDR_REMOTE_USER %{remoteUser}e
  SetEnv X_ENV_REMOTE_USER %{remoteUser}e
  JkEnvVar X_JK_REMOTE_USER %{remoteUser}e


 # earlier rewrite configuration
 #   RewriteEngine On
 #   RewriteRule ^/(.*)$ http://intranet/~me/printenv.cgi [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
 #   RequestHeader set X_REMOTE_USER %{remoteUser}e
 #   RequestHeader add "X-H-USER" "%{remoteUser}e"

</VirtualHost>
----------

With the worker properties being:
----------
workers.tomcat_home=/home/me/httpd/tomcat/apache-tomcat-5.5.12
workers.java_home=/usr/local/java/jdk
ps=/
worker.list=default

worker.default.port=64089
worker.default.host=localhost
worker.default.type=ajp13
worker.default.lbfactor=1

----------

Are there any other ways? Or could I be missing some lines/directives in the configuration?

 

Thanks, Nikhil
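As an added example (not the original poster's configuration and not a reply from the list), here is the shape the httpd side usually takes when mod_auth_kerb authenticates and mod_jk forwards the request. The hostnames, paths, port and the worker name "default" are taken from the post above; the Kerberos realm in KrbServiceName is a placeholder, since the post masks it. The point it illustrates is that no RequestHeader/SetEnv/JkEnvVar trick is needed for the user name: once Apache has authenticated the request, mod_jk places the authenticated user in the AJP13 forward-request packet itself, and the only thing missing is a JkMount so that the request is actually routed to the worker.

```apache
# Added example, not the poster's config. Assumes the paths, port and
# worker name from the post; the realm in KrbServiceName is a placeholder.

Listen 8080

LoadModule jk_module  libexec/mod_jk.so
JkWorkersFile /home/me/httpd/conf/worker-properties
JkLogFile     /home/me/httpd/logs/jk_log
JkLogLevel    info
JkShmFile     /home/me/httpd/logs/jkshmfile

<VirtualHost *:8080>
    ServerName  httpdauth.mysub.mydomain.com
    ServerAlias httpdauth.mysub httpdauth

    # Route everything under /default to the "default" AJP worker.
    # mod_jk sends the Apache-authenticated user (r->user) to Tomcat as the
    # AJP13 remote_user field of every forwarded request, so nothing else
    # is required on this side for request.getRemoteUser() to work.
    JkMount /default/* default

    # Optional: forward the path of the credential cache that mod_auth_kerb
    # creates when KrbSaveCredentials is on. JkEnvVar takes a variable NAME
    # (plus an optional default value), not a %{...}e expansion; the servlet
    # reads it with request.getAttribute("KRB5CCNAME").
    JkEnvVar KRB5CCNAME

    <Location /default>
        AuthType Kerberos
        AuthName "Testing"
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        KrbAuthRealms MYDOMAIN.COM UNIX.MYDOMAIN.COM
        # placeholder realm: use the realm the keytab principal belongs to
        KrbServiceName HTTP/httpdauth.mysub.mydomain.com@YOUR.REALM
        KrbSaveCredentials on
        Krb5Keytab /home/me/httpd/conf/httpdauth.http.keytab
        require valid-user
    </Location>
</VirtualHost>
```

The other half lives in Tomcat's conf/server.xml, where the AJP connector by default ignores the principal sent by the web server and request.getRemoteUser() stays null: set tomcatAuthentication="false" on the AJP/1.3 Connector, e.g. `<Connector port="64089" protocol="AJP/1.3" address="127.0.0.1" tomcatAuthentication="false" />` (port from the post, address added). With that attribute off, Tomcat trusts whatever user name the AJP peer supplies, so the spoofing concern the post raises about the HTTP connector moves to the AJP port: bind it to the loopback interface when httpd and Tomcat share a host, or to a firewalled interface that only the front-end httpd can reach when they do not. mod_jk additionally supports a per-worker shared secret (worker.default.secret in workers.properties, matched by the connector's request.secret attribute); whether the Tomcat 5.5.12 build in the post honours it should be confirmed against its own AJP connector documentation. For the several-instances wish, mod_jk's load-balancer worker is the usual answer: a worker of type lb listed in worker.list, with balance_workers naming one ajp13 worker per Tomcat instance, each carrying the lbfactor already shown in the posted workers.properties; the JkMount then points at the lb worker instead of a single ajp13 worker.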

