httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From g f <gfo...@gmail.com>
Subject [users@httpd] getting mod_auth_kerb to trust a request from tomcat?
Date Fri, 04 Jun 2010 20:22:21 GMT
Hello all,

I am running tomcat 6.0.24 ,  jre 1.6.0_16, Apache/2.2.15 (Debian) ,
mod_auth_kerb/5.4  , mod_jk/1.2.28 mod_python/3.3.1 all installed via apt on
Debian Lenny.

I have successfully been able to get all of this working (authentication,
forwarding etc).

I have a java web app that has a servlet that serves as a proxy to get
around cross site scripting.
http://myapp/Proxy?url=www.somesite.com

I let Apache and mod_auth_kerb handle all authentication and it does it
very  well.

If I access my Proxy servlet like so:

http://MY_DOMAIN.COM/my_proxy_app/Proxy?url=http://MY_DOMAIN.COM/index.html<http://my_domain.com/my_proxy_app/Proxy?url=http://MY_DOMAIN.COM/index.html>

(Notice I am proxying to the same domain but different application)

I get a 401 error.

Here is what the access log (for apache) looks like for this request.
10.150.15.116 - - [04/Jun/2010:18:06:55 +0000] "GET /index.html HTTP/1.1"
401 829 "-" "Java/1.6.0_16"
10.150.15.212 - validUser@MY_DOMAIN.COM
<gforte@MY_DOMAIN.COM>[04/Jun/2010:18:06:54 +0000] "GET
/my_proxy_app/Proxy?url=
http://MY_DOMAIN.COM/index.html <http://my_domain.com/index.html> HTTP/1.1"
500 394 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3)
Gecko/20100401 Firefox/3.6.3 ( .NET CLR 3.5.30729)"
o

Now if you notice the request from ip address 212 is actually the browser
request to the proxy.
The request from ip address 116 is the request from tomcat (notice the
Java/1.6.0_16).

So it appears that Apache sees this request from the jre and tries to
authenticate against mod_auth_kerb and of course it fails.

Is it possible to force tomcat to pass on the credentials it receives from
the initial request(browser) along to tomcats own request back to apache?
I have been trying to use mod_rewrite to pass along Authorization Header to
no avail.
Hopefully this is somewhat clear?

Flow:
Browser makes request to ---->
http://MY_DOMAIN.COM/my_proxy_app/Proxy<http://my_domain.com/my_proxy_app/Proxy>
----> mod_auth_kerb authenticates and then mod_jk realizes it is a java app
so it hands off the request to tomcat
----> Proxy servlet runs on tomcat and makes a URL request to
http://MY_DOMAIN.COM/index.html <http://my_domain.com/index.html>  --->
Apache attempts to authenticate this request but since it is coming from the
jre it disallows this request.

BTW, I also tried this with a python proxy running inside of apache with the
same results.
10.150.15.116 - - [04/Jun/2010:20:21:48 +0000] "GET /index.html HTTP/1.1"
401 791 "-" "Python-urllib/2.5"

Thanks in advance!
GF

Mime
View raw message