Connecting two tomcats such that the second does not need authentication

Dennis Thorn
Greenhorn

Joined: Sep 11, 2013
Posts: 14
    
    1
Hello.

Imagine for a moment a primary tomcat server that is exposed to the outside world. Imagine further that below this tomcat server are 1 to "N" tomcat servers that are NOT exposed to the outside world. These tomcat servers respond to serialized object requests from the primary. We will use the words primary and secondaries.

The secondaries (I hope) do NOT need to use login names and passwords.

My question to you is the following: Is it possible to configure the secondaries such that they allow only https connections from the trusted primary (a trusted certificate?)?

No users will ever access a web page on the secondaries, and if they do try to do so, they will be redirected to an error page.

Thanks in advance.

-
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15641
    
  15

Welcome to the JavaRanch, Dennis!

What you are describing is a specific instance of a more general case. For example, a front-end Tomcat communicating with JMS servers or the extremely common occurrence of a Tomcat server communicating with a DBMS server. This is distinct from the case of a proxy server, where the actual returned output is constructed on one of the backend machines.

What security - if any - is maintained between the front-end server and backend servers is entirely up to them. Yes, you can use client certs if the participants support them. Tomcat does.


Customer surveys are for companies who didn't pay proper attention to begin with.
Dennis Thorn
Greenhorn

Joined: Sep 11, 2013
Posts: 14
    
    1
Thanks for the reply. I've got a bit of a long-winded reply, but hopefully this will make sense...

In my case I have one primary tomcat (call it the Boss for lack of a better word) which uses serialized objects to communicate with other tomcat servers (call them Workers). The worker tomcats do not have web pages, they only respond to serialized object requests (that don't follow any standard / framework). No JMS as an example. The child tomcats themselves DO communicate with local database servers.

This is actually a legacy system that currently uses single sign-on protection for ALL tomcats. This isn't needed anymore, and here I am attempting to remove the SSO (JOSSO in my case) from the Worker tomcats. For those customers that are really paranoid I would like to set up the Workers so that connections from untrusted sources fail. But I wish to do this without a user name and password.

Do you know of a resource where I can research configuring the 'child' tomcat servers such that they will only accept "Insert a Techno Slang Buzz Word Here" certificate connections from the primary tomcat?

Thank you.

-Dennis
Dennis Thorn
Greenhorn

Joined: Sep 11, 2013
Posts: 14
    
    1
I notice that I've mixed my usage of "child" tomcat servers with "worker" tomcat servers. My apologies.
Jayesh A Lalwani
Bartender

Joined: Jan 17, 2008
Posts: 2052
    
  22

How do you protect your database servers from being accessed by the rest of the world? You need to use the same mechanism to protect your child/worker tomcats. I think what Tim is getting at is that in any web infrastructure, you have public servers and private servers. The private servers host various services: database/JMS/LDAP/etc. The networking security doesn't care about what is running on those servers. All it cares about is IP addresses and ports.

In your case, all you need to do is install your child/worker Tomcats on a private server. You might have to go talk to the people who manage your infrastructure and talk to them about adding more servers behind the firewall.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15641
    
  15

Putting your support servers behind the firewall in the DMZ is obviously one of the most important things you can do.

But for further protection (say, in case a public server gets pwned or an in-house employee gets rude), you can use certs. I'm fairly certain that Tomcat can be set up so that only cert-certified clients can access it, although I'd have to read the Tomcat manual for details.

And of course, firewall your backend tomcat machines for the Tomcat ports.
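Tim's two points above (Tomcat supports client certs, and the worker's ports should be firewalled) can be combined in the worker's conf/server.xml. This is an added example, not configuration from the thread or from JOSSO; it uses the Tomcat 7-era connector attributes, and the keystore file names, passwords and the 10.0.0.5 bind address are placeholders.

```xml
<!-- Fragment of conf/server.xml on a worker Tomcat; these elements belong
     inside <Service name="Catalina">. Added example: file names, passwords
     and the bind address are placeholders, not values from the thread. -->

<!-- 1. Leave the plain-HTTP connector out entirely, so there is no
        unauthenticated port on the worker that bypasses the cert check. -->
<!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" /> -->

<!-- 2. HTTPS connector that rejects the TLS handshake itself unless the
        client presents a certificate chained to something in
        worker-truststore.jks. Bind it to the internal interface only. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           address="10.0.0.5"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="conf/worker-keystore.jks"
           keystorePass="CHANGE_ME_WORKER_KEYSTORE"
           keyAlias="worker"
           clientAuth="true"
           truststoreFile="conf/worker-truststore.jks"
           truststorePass="CHANGE_ME_WORKER_TRUSTSTORE" />

<!-- 3. The truststore must contain ONLY the primary's certificate (or the
        internal CA that issued it), never the JDK's default cacerts; a
        public CA in the truststore would let any certificate from that CA
        pass. Import the primary's cert with, for example:
          keytool -importcert -alias primary -file primary.crt \
                  -keystore conf/worker-truststore.jks -->
```

The connector only proves the caller holds a key trusted by the worker; if the application also needs to know which caller it was, it can read the chain from the request attribute `javax.servlet.request.X509Certificate` and check the subject DN. On the primary side the HTTPS client must present the matching key pair (for a plain `HttpsURLConnection`, via the `javax.net.ssl.keyStore` and `javax.net.ssl.keyStorePassword` system properties) and must trust the worker's server certificate.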
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12678
    
    5
Pardon my ignorance, but isn't what you are talking about called Single Signon?

Bill

Java Resources at www.wbrogden.com
Jayesh A Lalwani
Bartender

Joined: Jan 17, 2008
Posts: 2052
    
  22

William, that's what I was thinking too when I read the title. The title is misleading.

If you read the post, he is describing a setup that has one client facing application that acts as a facade over other worker Tomcats. He has some sort of custom interface between the customer facing tomcats and the worker tomcats in which some serialized objects are going back and forth.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15641
    
  15

Although it's not totally clear, originally all of the Tomcats were apparently part of an SSO net and all capable of serving pages in addition to being invoked as something akin to RMI servers from the primary Tomcat server. The new configuration would be to take the secondary servers completely off the open Internet, have the secondary servers act strictly in an RMI-like capacity and lock down security so that the secondary servers could only be accessed from the primary Tomcat server.

Or at least, that's the impression I got.
Dennis Thorn
Greenhorn

Joined: Sep 11, 2013
Posts: 14
    
    1
Jayesh A Lalwani wrote: William, that's what I was thinking too when I read the title. The title is misleading.

If you read the post, he is describing a setup that has one client facing application that acts as a facade over other worker Tomcats. He has some sort of custom interface between the customer facing tomcats and the worker tomcats in which some serialized objects are going back and forth.


Here is an example of that custom interface. This was created about 9 years ago, and at the time the idea of a framework or J2EE was way too much overhead for what was needed.




Thanks everyone for the feedback. I agree with most of the posts. Since these worker tomcats are behind the firewall this shouldn't be a big issue but I'm dealing with the likes of Verizon and British Telecom. Their network engineers seem rather sensitive to these topics. Worst case is that I cannot find a resource that helps educate me on how to make a trusted connection using some form of certificate between trusted tomcats and I'll have to write my own JAAS module to do something custom. Which will be a lengthy learning process as well.

Thanks again.

-Dennis
Dennis Thorn
Greenhorn

Joined: Sep 11, 2013
Posts: 14
    
    1
Tim Holloway wrote: Although it's not totally clear, originally all of the Tomcats were apparently part of an SSO net and all capable of serving pages in addition to being invoked as something akin to RMI servers from the primary Tomcat server. The new configuration would be to take the secondary servers completely off the open Internet, have the secondary servers act strictly in an RMI-like capacity and lock down security so that the secondary servers could only be accessed from the primary Tomcat server.

Or at least, that's the impression I got.


You are absolutely correct.