apache-tomcat-6.0.16 - mod_auth_kerb

 
Greenhorn
Posts: 4
Is there a way I can install mod_auth_kerb on apache-tomcat-6.0.16 running on Windows XP?
 
Saloon Keeper
Posts: 27762
No, because mod_auth_kerb is a plugin to the Apache web server, not Tomcat.

There are ways to integrate the Kerberos authentication mechanism in an Apache+Tomcat environment, but they're not very pretty and in some cases you might actually need to change the default internal security settings on each person's web browser. It's not a task to be undertaken lightly.

For less extreme measures, you can use the LDAP Tomcat realm to authenticate against Active Directory. In its basic form, you're using the user's Windows user ID and password to sign into each webapp separately. By adding some extra support services, you can share the sign-on so that the user signs on to a single Tomcat app and all other apps in that server or its domain automatically become authenticated as well.

In the Kerberos method, since you had to sign on to Windows to start using the machine, the user is already identified and authenticated, so webapps hooked into that framework don't need to be logged into separately.

Note that a single sign-on solution isn't always a good thing. If a single sign-on automatically hooks you into everything, leaving your desktop unguarded means anyone who wanders by can get instant access to everything. And it makes it very difficult if you have multiple user accounts on your apps for any reason (for example, you have a special app admin login and a regular account login).
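As an added illustration of the LDAP-realm route mentioned in the reply above (this is not from the post or from the Tomcat project; the domain, hosts, DNs and service account are assumptions, while the attribute names are Tomcat's documented JNDIRealm ones), here is a Tomcat 6 `server.xml` realm that authenticates against Active Directory, plus the `web.xml` constraint that uses it. Two things a practitioner should check before deploying it: the realm binds with a service-account password and then re-binds with each user's own password, so point it at `ldaps://` (over plain `ldap://` on 389 both go across the wire in cleartext) and import the domain CA into the JVM truststore; and keep the webapp on HTTPS, because BASIC or FORM login against this realm carries the user's domain password to Tomcat on every request or at login.

```xml
<!-- Added example, not from the thread. Assumed: domain example.com, DCs dc01/dc02,
     service account svc-tomcat with read rights on the user and group OUs. -->

<!-- conf/server.xml, inside <Engine> or <Host>, in place of the default UserDatabaseRealm -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://dc01.example.com:636"
       alternateURL="ldaps://dc02.example.com:636"
       connectionName="CN=svc-tomcat,OU=Service Accounts,DC=example,DC=com"
       connectionPassword="CHANGE-ME; keep server.xml readable by the Tomcat account only"
       userBase="OU=Users,DC=example,DC=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="OU=Groups,DC=example,DC=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true"
       referrals="follow" />

<!-- WEB-INF/web.xml of the webapp: BASIC login against that realm, forced onto HTTPS -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- an AD group's CN; matched through roleName="cn" above -->
    <role-name>tomcat-users</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example AD</realm-name>
</login-config>
```

The `{0}` in `userSearch` is the login name the user typed; Tomcat searches for it under `userBase`, then binds as the DN it finds with the supplied password, so a wrong password fails at the directory rather than in Tomcat. `roleSearch="(member={0})"` is evaluated with the user's DN, which is how AD group membership is expressed.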
 
Lars Hogsbro
Greenhorn
Posts: 4
Thanks a lot for your reply.

I have a web service running on the Apache Tomcat installation on a Windows XP machine. I want to call that web service from a Java thick client, adding the login ticket (Kerberos) into the request header. And I want to get the credentials (just the username) from the request on the server (Apache Tomcat).

Is there a way to set it up?
 
Tim Holloway
Saloon Keeper
Posts: 27762
I can pretty well guarantee it, though working out the exact details would require me to do more work than I can afford to do for free.

Because you want to use Kerberos on a fat client+web service instead of the more common setup where a browser is getting its permissions directly tied to a webapp, you'll need to code some Kerberos API calls.
 
Lars Hogsbro
Greenhorn
Posts: 4
Hi again.

Would it be reasonable/possible to let the thick client encode a message with a Kerberos key that it gets from the KDC (session key) and send that message to the web service, and have the web service method decode it with a key (session key) which it also gets from the KDC? The thing is, I want the client username in the call to the web service method, either as header information or in the method directly, for making more calls towards LDAP (AD) on the Domain Controller with that username.

And do you know where to find more information on this topic?

Cheers
 
Tim Holloway
Saloon Keeper
Posts: 27762
I think you're on the right track. Your best bet is probably to look at the docs for JAAS and the javax.security package (also java.security and java.crypt). Also probably the docs for Apache Axis.

I'm just shooting off ideas from the top of my head here, since I estimate it'd take me about 2 days research to come up with a solid set of possible solutions - and while I don't begrudge giving away info on the JavaRanch, that's too much like work to do for free.

One thing you might pay attention to is exactly what parts of the web service request to encrypt. Encrypting the envelope is more secure, but you pay for it in routability. Encrypting only the payload is less secure, but easier for system components not in on the secret to route.

Oh yes, and while I haven't RTFM'd it, I would be very surprised if there isn't a way to get the user's identity from the Kerberos ticket.
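Added example, not from the thread or from Tomcat or Axis: the exchange the last three posts circle around, done with the GSS-API that ships in the JDK (`org.ietf.jgss`) rather than hand-rolled session-key encryption. The thick client obtains a service ticket for the web service's SPN and puts the GSS token in an `Authorization: Negotiate` header; the server, holding the `HTTP/host` keytab, accepts the token and reads the authenticated principal from `GSSContext.getSrcName()`, which is the answer to getting the user's identity out of the Kerberos ticket. The username is never taken from anything the client typed; the KDC has vouched for it. The SPN `HTTP/ws.example.com`, realm `EXAMPLE.COM`, the JAAS entry names and the keytab path are assumptions. It needs a reachable KDC, `-Djava.security.auth.login.config=jaas.conf`, and either a `krb5.conf` or `-Djava.security.krb5.realm`/`-Djava.security.krb5.kdc`; on Windows XP/2003 clients the JDK can only read the logon session's TGT once `AllowTgtSessionKey=1` is set under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters`, which is the kind of per-machine tweak the first reply warns about.

```java
// Added example: Kerberos-authenticated call to a Tomcat web service via Java GSS-API.
// Not from the thread. Assumed names: SPN HTTP/ws.example.com, realm EXAMPLE.COM,
// JAAS entries "KerberosClient" and "KerberosServer" (config in the comment at the end).
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class KerberosWebServiceAuth {
    // Kerberos v5 mechanism. SPNEGO (1.3.6.1.5.5.2) would be used instead if browsers must interoperate.
    private static final Oid KRB5 = oid("1.2.840.113554.1.2.2");
    private static final String SCHEME = "Negotiate ";

    /** Client side: get a service ticket for the SPN and wrap the resulting token in an Authorization header. */
    public static String clientAuthorizationHeader(final String hostBasedService) throws Exception {
        LoginContext lc = new LoginContext("KerberosClient");   // reuses the user's existing TGT, no prompt
        lc.login();
        byte[] token = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager gm = GSSManager.getInstance();
            // "HTTP@ws.example.com" is mapped by the Kerberos mechanism to HTTP/ws.example.com@REALM
            GSSName server = gm.createName(hostBasedService, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = gm.createContext(server, KRB5, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);   // we also want proof that the server holds the service key
            ctx.requestIntegrity(true);
            byte[] out = ctx.initSecContext(new byte[0], 0, 0);   // AP-REQ carrying the service ticket
            // A real client keeps ctx and feeds the server's WWW-Authenticate reply token back into
            // initSecContext() to complete mutual authentication before trusting the response.
            return out;
        });
        return SCHEME + Base64.getEncoder().encodeToString(token);
    }

    /** Server side (e.g. a servlet Filter on Tomcat): verify the token with the keytab, return the principal. */
    public static String serverAuthenticate(final String authorizationHeader) throws Exception {
        if (authorizationHeader == null || !authorizationHeader.startsWith(SCHEME)) {
            return null;   // caller responds 401 with "WWW-Authenticate: Negotiate"
        }
        final byte[] token = Base64.getDecoder().decode(authorizationHeader.substring(SCHEME.length()));
        LoginContext lc = new LoginContext("KerberosServer");   // keytab login, acceptor only
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
            GSSManager gm = GSSManager.getInstance();
            GSSCredential serverCred = gm.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                                                            KRB5, GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = gm.createContext(serverCred);
            byte[] reply = ctx.acceptSecContext(token, 0, token.length);  // decrypts the ticket with the keytab key
            if (!ctx.isEstablished()) {
                throw new GSSException(GSSException.DEFECTIVE_TOKEN);
            }
            // This name comes from a ticket the KDC issued, not from anything the client put in the request.
            String principal = ctx.getSrcName().toString();   // e.g. "lars@EXAMPLE.COM"
            ctx.dispose();
            // 'reply' goes back to the client as "WWW-Authenticate: Negotiate <base64>" to finish mutual auth.
            return principal;
        });
    }

    private static Oid oid(String dotted) {
        try { return new Oid(dotted); } catch (GSSException e) { throw new IllegalStateException(e); }
    }
}

/* Assumed jaas.conf (keytab path is a placeholder for the Windows Tomcat install):
KerberosClient { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true doNotPrompt=true; };
KerberosServer { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true
    keyTab="C:/tomcat6/conf/http.keytab" principal="HTTP/ws.example.com@EXAMPLE.COM" isInitiator=false; };
*/
```

The keytab is produced on the domain controller with `ktpass` against an AD account that carries the `HTTP/ws.example.com` SPN, and must be readable only by the account Tomcat runs as; anyone who can read it can impersonate the service. Once both sides hold the established context, `ctx.wrap()`/`ctx.unwrap()` give per-message confidentiality and integrity over the SOAP payload using the Kerberos session key, which is the payload-only option discussed in the reply above; TLS on the Tomcat connector covers the envelope. Tomcat 7 and later ship an SPNEGO authenticator that does the server half for you; on 6.0 it has to be done in a filter like this.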