Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Tomcat security and Kerberos
View unanswered posts
View posts from last 24 hours

Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message

Joined: 21 Mar 2003
Posts: 168
Location: /home/España/Valencia

PostPosted: Wed May 30, 2012 5:45 am    Post subject: Tomcat security and Kerberos Reply with quote

Hi all,

I'm trying to "kerberize" access to some webapplications deployed in Tomcat. Authorization is provided via JDNI realm and role-mapping, looking for in LDAP (Active Directory).
Using Tomcat 7.0.25, I have succesfully configured Tomcat to use Kerberos for authentication. This allows me to use the SPNEGO authenticator instead of the BASIC one, so if the user has a kerberos tgt, she can access the webapps without entering a password.

The problem is that I want this system to fallback to BASIC authentication if no kerberos ticket is provided by the browser, but I fail to see if there is a way to accomplish this. I have already tried the following:
- Considered the possibility of configuring two authenticators for a webapp. It seems not possible so far:
- Tried to duplicate the webapp and have one configured with SPNEGO and the other with BASIC auth. So I configured a custom 401 error page for the SPNEGO one that redirects to the other. Using a custom 401 page just breaks SPNEGO auth.
- As mod_auth_kerb handles this just fine, I have tried to use Apache httpd in front of tomcat, with mod_jk. However, if I set "tomcatAuthentication" to "true" in the AJP connector in tomcat, authentication provided by apache httpd is just ignored. If "tomcatAuthentication" is set to "false", tomcat trusts the authentication passed by httpd, but I have found no way to get security role-mapping, because if "tomcatAuthentication=false" then no Realm configured in tomcat is executed (I have even tried with third-party modules configured for authorization only). Apparently there is no way to set certain environment variables in httpd that tomcat could use to map security roles.

So, I have been succesful kerberizing access to ssh and http using tickets or passwords, and using LDAP groups for authorization. But it seems that this approach is not possible in tomcat. I think it is a fairly common scenario, so I'm a bit surprised...

I have googled and read the documentation, now I think what I want to do is simply not possible in tomcat today. Do you have any idea? I appreciate your help. Thanks in advance!
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum