Active Directory --> Java web app

Nikola Milutinovic Nikola.Milutinovic at ev.co.yu
Mon Aug 1 11:29:59 EDT 2005


Richard Gundersen wrote:

> Hi Nikola
>
> Thanks for your quick and detailed reply. While it would be great if 
> Tomcat could interpret SPNEGO, I don't mind setting up Apache to sit 
> in front of Tomcat (in fact I was going to do this anyway for speeding 
> up the static content).


Most people advocate against it or at least do not advocate for it. The 
rationale being that Tomcat is fast enough these days. My rationale is 
that I have yet to see a pure TC web site. With Apache you have tons of 
options, although, employing some of them might take the life of you - I 
have recently had a misfortune of making a TC application which was 
connected to Apache via WARP (mod_webapp, if you remember), with no 
option to change it.

Anyway, given enough room to work in, you can happily run other people's 
PHP, make your own rewrites, etc. and keep TC in its place. The way 
mod_jk (or mod_jk2) can be configured, you can do really seamless 
integration. In my opinion, the trouble of connecting the two is worth it.

I have a small webapp on our public server, backed by PostgreSQL DB and 
it has been running for more than a year now, no glitch.

> How would Apache send the details to Tomcat once it's happy with the 
> ticket it's received? Would it be in the form of simple request 
> params? I guess so. I also guess it's time for me to RTFM on 
> mod_krb_auth/mod_spnego :-)


When you connect TC to Apache via mod_jk, you can set an attribute in 
server.xml which tells TC to trust authentication information it gets 
from Apache. So, if the user manages to authenticate as, say, 
"richard.gundersen at YOUR.DOMAIN.COM", Apache will pass that information 
to TC, via mod_jk. So, you can set in your web.xml the protection for 
certain URLs, just as you would with local TC users. It should work, 
regardless of which authentication mechanism Apache uses.

This also means you have to set up Apache properly, to do the job. The 
upside: there are no n layers where authentication *can* occur, only one.

Nix.
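The server.xml attribute and web.xml protection described in the reply above, written out as an added example (not from the thread's author): `tomcatAuthentication` and `tomcatAuthorization` are real AJP connector attributes; the port, the loopback binding, the URL pattern and the role name "employee" are assumptions for this illustration.

```xml
<!-- server.xml fragment (added example): the AJP/1.3 connector mod_jk connects to.
     tomcatAuthentication="false" tells Tomcat to accept the REMOTE_USER that Apache
     forwards over AJP instead of authenticating the request itself. Because that
     name is trusted as-is, nothing but Apache may be able to reach this connector:
     binding it to loopback assumes Apache runs on the same host (assumption).
     tomcatAuthorization="true" (newer Tomcat releases) additionally makes Tomcat
     ask its configured Realm for the roles of the forwarded user; without it the
     forwarded principal carries no roles, so check this on your Tomcat version
     before relying on role-based constraints. -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           tomcatAuthentication="false"
           tomcatAuthorization="true" />

<!-- web.xml fragment (added example): protect URLs exactly as for local Tomcat
     users. The user name comes from Apache via mod_jk; role membership is
     resolved by Tomcat's Realm (role name and URL pattern are assumptions). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Intranet pages</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>employee</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>employee</role-name>
</security-role>
```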

