JavaRanch Big Moose Saloon, Tomcat forum
apache-tomcat-6.0.16 - mod_auth_kerb

Lars Hogsbro
Greenhorn

Joined: Apr 12, 2008
Posts: 4
Is there a way I can install mod_auth_kerb on the apache-tomcat-6.0.16 running on Windows XP?
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16145
No, because mod_auth_kerb is a plugin to the Apache web server, not Tomcat.

There are ways to integrate the Kerberos authentication mechanism in an Apache+Tomcat environment, but they're not very pretty and in some cases you might actually need to change the default internal security settings on each person's web browser. It's not a task to be undertaken lightly.

For less extreme measures, you can use the LDAP Tomcat realm to authenticate against Active Directory. In its basic form, you're using the user's Windows userID and password to sign into each webapp separately. By adding some extra support services, you can share the signon so that the user signs on to a single Tomcat app and all other apps in that server or its domain automatically become authenticated as well.

In the Kerberos method, since you had to sign on to Windows to start using the machine, the user is already identified and authenticated, so webapps hooked into that framework don't need to be logged into separately.

Note that a single-signon solution isn't always a good thing. If a single signon automatically hooks you into everything, leaving your desktop unguarded means anyone who wanders by can get instant access to everything. And, it makes it very difficult if you have multiple user accounts on your apps for any reason (for example, you have a special app admin login and a regular account login).


Customer surveys are for companies who didn't pay proper attention to begin with.
Lars Hogsbro
Greenhorn

Joined: Apr 12, 2008
Posts: 4
Thanks a lot for your reply.

I have a webservice running on the Apache-Tomcat installation on a Windows XP machine. I want to call that webservice from a Java thick client, adding the login ticket (Kerberos) into the request header. And I want to get the credentials (just the username) from the request on the server (Apache-Tomcat).

Is there a way to set it up?
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16145
I can pretty well guarantee it, though working out the exact details would require me to do more work than I can afford to do for free.

Because you want to use Kerberos on a fat client+web service instead of the more common setup where a browser is getting its permissions directly tied to a webapp, you'll need to code some Kerberos API calls.
Lars Hogsbro
Greenhorn

Joined: Apr 12, 2008
Posts: 4
Hi again.

Would it be reasonable/possible to let the thick client encode a message with a Kerberos key that it gets from the KDC (session key) and send that message to the webservice, and the webservice method decodes it with a key (session key) which it also gets from the KDC? The thing is I want the client username in the call to the webservice method, either as header information or in the method directly, for making more calls towards LDAP (AD) on the Domain Controller with that username.

And do you know where to find more information on this topic?

Cheers
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16145
I think you're on the right track. Your best bet is probably to look at the docs for JAAS and the javax.security package (also java.security and java.crypt). Also probably the docs for Apache Axis.

I'm just shooting off ideas from the top of my head here, since I estimate it'd take me about 2 days research to come up with a solid set of possible solutions - and while I don't begrudge giving away info on the JavaRanch, that's too much like work to do for free.

One thing you might pay attention to is exactly what parts of the web service request to encrypt. Encrypting the envelope is more secure, but you pay for it in routability. Encrypting only the payload is less secure, but easier for system components not in on the secret to route.

Oh yes, and while I haven't RTFM'd it, I would be very surprised if there isn't a way to get the user's identity from the Kerberos ticket.
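A concrete shape for what Lars describes and Tim points at (JAAS plus the GSS-API under org.ietf.jgss): the thick client packs a Kerberos service ticket into an HTTP Authorization header, and the web service validates it against its own keytab and reads the caller's principal name out of the established context. This is an added example, not code from the thread; the JAAS entry names, SPN, keytab path and realm are assumptions, and it needs a reachable KDC plus krb5 configuration to actually run.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Assumed JAAS config (hypothetical file passed via -Djava.security.auth.login.config=jaas.conf):
//   KerberosClient  { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; };
//   KerberosService { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true
//                     keyTab="/path/to/http.keytab" principal="HTTP/host.example.com"
//                     storeKey=true isInitiator=false; };
public class KerberosHeaderExample {
    private static final String SCHEME = "Negotiate ";

    // Client side: get a service ticket for the SPN and pack it into an Authorization header value.
    public static String buildAuthorizationHeader(String spn) throws Exception {
        LoginContext lc = new LoginContext("KerberosClient");
        lc.login(); // uses the existing ticket cache from the Windows/MIT logon
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSName target = mgr.createName(spn, GSSName.NT_HOSTBASED_SERVICE); // "HTTP@host.example.com"
            Oid spnego = new Oid("1.3.6.1.5.5.2");
            GSSContext ctx = mgr.createContext(target, spnego, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(false); // single-leg token, no server reply expected
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return SCHEME + Base64.getEncoder().encodeToString(token);
        });
    }

    // Server side: check the token against the service keytab and return the caller's principal.
    // Returns null for a missing/malformed header so the caller can answer 401 WWW-Authenticate: Negotiate.
    public static String principalFromHeader(String authorization) throws Exception {
        if (authorization == null || !authorization.startsWith(SCHEME)) return null;
        byte[] token = Base64.getDecoder().decode(authorization.substring(SCHEME.length()));
        LoginContext lc = new LoginContext("KerberosService");
        lc.login(); // reads the keytab, no user interaction
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
            GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
            ctx.acceptSecContext(token, 0, token.length); // throws GSSException if the ticket is bad or expired
            if (!ctx.isEstablished()) throw new GSSException(GSSException.FAILURE);
            String principal = ctx.getSrcName().toString(); // e.g. "lars@EXAMPLE.COM"
            ctx.dispose();
            return principal;
        });
    }
}
```

The string returned by principalFromHeader is the verified identity to use for the follow-up LDAP lookups; on a Windows client the JVM can only read the logon ticket cache if the OS is configured to expose the TGT session key to user processes, which is the "change settings on each machine" cost Tim mentions.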