getting mod_auth_kerb to trust a request from tomcat?

Hello all,

I am running tomcat 6.0.24, jre 1.6.0_16, Apache/2.2.15 (Debian), mod_auth_kerb/5.4, mod_jk/1.2.28, mod_python/3.3.1, all installed via apt on Debian Lenny.

I have successfully been able to get all of this working (authentication, forwarding etc).

I have a java web app that has a servlet that serves as a proxy to get around cross site scripting.
http://myapp/Proxy?url=

I let Apache and mod_auth_kerb handle all authentication and it does it very well.

If I access my Proxy servlet like so:

http://MY_DOMAIN.COM/my_proxy_app/Proxy?url=

(Notice I am proxying to the same domain but different application)

I get a 401 error.

Here is what the access log (for apache) looks like for this request.
10.150.15.116 - - [04/Jun/2010:18:06:55 +0000] "GET /index.html HTTP/1.1" 401 829 "-" "Java/1.6.0_16"
10.150.15.212 - validUser@xxxxxxxxxxxxx [04/Jun/2010:18:06:54 +0000] "GET /my_proxy_app/Proxy?url=http://MY_DOMAIN.COM/index.html HTTP/1.1" 500 394 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 ( .NET CLR 3.5.30729)"

Now, if you notice, the request from IP address 212 is actually the browser request to the proxy.
The request from IP address 116 is the request from tomcat (notice the Java/1.6.0_16).

So it appears that Apache sees this request from the jre and tries to authenticate against mod_auth_kerb and of course it fails.

Is it possible to force tomcat to pass on the credentials it receives from the initial request (browser) along to tomcat's own request back to apache?
I have been trying to use mod_rewrite to pass along the Authorization header, to no avail.
Hopefully this is somewhat clear?

Flow:
Browser makes request to ----> http://MY_DOMAIN.COM/my_proxy_app/Proxy  ----> mod_auth_kerb authenticates and then mod_jk realizes it is a java app so it hands off the request to tomcat
----> Proxy servlet runs on tomcat and makes a URL request to http://MY_DOMAIN.COM/index.html  ---> Apache attempts to authenticate this request but since it is coming from the jre it disallows this request.

BTW, I also tried this with a python proxy running inside of apache with the same results.
10.150.15.116 - - [04/Jun/2010:20:21:48 +0000] "GET /index.html HTTP/1.1" 401 791 "-" "Python-urllib/2.5"

Thanks in advance!
GF
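
Added example (not part of the original message): a small Python check that pairs an authenticated request to the Proxy servlet with the anonymous 401 sub-request it triggers, using the access-log layout shown in the post. The sample lines are constructed from the post's log excerpt; the realm EXAMPLE.COM, the 5-second window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)
# User-agent prefixes of the HTTP client libraries seen in the post's log lines.
LIBRARY_AGENTS = ("Java/", "Python-urllib/")

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def correlate(lines, window=timedelta(seconds=5)):
    """Pair each authenticated Proxy?url= request with the anonymous 401
    sub-request that a library client made for the proxied path."""
    recs = [r for r in map(parse, lines) if r]
    subs = [r for r in recs if r["user"] == "-" and r["status"] == 401
            and r["agent"].startswith(LIBRARY_AGENTS)]
    pairs = []
    for outer in recs:
        if outer["user"] == "-" or "url=" not in outer["target"]:
            continue
        proxied = outer["target"].split("url=", 1)[1]
        for sub in subs:
            if proxied.endswith(sub["target"]) and abs(sub["time"] - outer["time"]) <= window:
                pairs.append((outer["user"], sub["host"], sub["target"], sub["agent"]))
    return pairs

# Constructed sample, modelled on the two access-log lines in the post.
SAMPLE = [
    '10.150.15.116 - - [04/Jun/2010:18:06:55 +0000] "GET /index.html HTTP/1.1" 401 829 "-" "Java/1.6.0_16"',
    '10.150.15.212 - validUser@EXAMPLE.COM [04/Jun/2010:18:06:54 +0000] '
    '"GET /my_proxy_app/Proxy?url=http://MY_DOMAIN.COM/index.html HTTP/1.1" 500 394 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for user, host, path, agent in correlate(SAMPLE):
        print(f"{user}: sub-request from {host} for {path} ({agent}) was anonymous -> 401")
```

Each pair shows that the browser user's Kerberos identity stops at the first hop: the second request arrives from the server-side client with no user field, which is why mod_auth_kerb answers 401.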