Joined: 21 Mar 2003
Posted: Wed May 30, 2012 5:45 am Post subject: Tomcat security and Kerberos
I'm trying to "kerberize" access to some web applications deployed in Tomcat. Authorization is provided via a JNDI realm and role mapping, looked up in LDAP (Active Directory).
Using Tomcat 7.0.25, I have successfully configured Tomcat to use Kerberos for authentication. This allows me to use the SPNEGO authenticator instead of the BASIC one, so if the user has a Kerberos TGT, she can access the webapps without entering a password.
The problem is that I want this system to fallback to BASIC authentication if no kerberos ticket is provided by the browser, but I fail to see if there is a way to accomplish this. I have already tried the following:
- Considered the possibility of configuring two authenticators for a webapp. It seems not possible so far: http://mail-archives.apache.org/mod_mbox/tomcat-users/201202.mbox/%3C4F2AB437.firstname.lastname@example.org%3E
- Tried to duplicate the webapp and have one configured with SPNEGO and the other with BASIC auth. So I configured a custom 401 error page for the SPNEGO one that redirects to the other. Using a custom 401 page just breaks SPNEGO auth.
- As mod_auth_kerb handles this just fine, I have tried to use Apache httpd in front of Tomcat, with mod_jk. However, if I set "tomcatAuthentication" to "true" in the AJP connector in Tomcat, the authentication provided by Apache httpd is just ignored. If "tomcatAuthentication" is set to "false", Tomcat trusts the authentication passed by httpd, but I have found no way to get security role mapping, because if "tomcatAuthentication=false" then no Realm configured in Tomcat is executed (I have even tried with third-party modules configured for authorization only). Apparently there is no way to set certain environment variables in httpd that Tomcat could use to map security roles.
So, I have been successful kerberizing access to ssh and http using tickets or passwords, and using LDAP groups for authorization. But it seems that this approach is not possible in Tomcat. I think it is a fairly common scenario, so I'm a bit surprised...
I have googled and read the documentation, now I think what I want to do is simply not possible in tomcat today. Do you have any idea? I appreciate your help. Thanks in advance!
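The setup the post describes, as an added configuration example that is not part of the original post and was not supplied by the poster: a webapp using Tomcat's SPNEGO authenticator, a JNDIRealm that maps Active Directory group membership to a security role, and the AJP connector setting that makes Tomcat trust (and, as the poster found, only trust) the user name passed in by httpd. The realm name EXAMPLE.ORG, the domain controller dc1.example.org, the service account, the OU layout, the group name webapp-users and the AJP secret are all assumed values; the JAAS login configuration and krb5.conf that the SPNEGO authenticator also needs are not shown.

```xml
<!-- File 1 (assumed): WEB-INF/web.xml of the kerberized webapp.
     SPNEGO login for the whole application; only members of the AD group
     "webapp-users" (assumed name, mapped to a role by the realm below) get in. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>webapp-users</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <!-- SPNEGO instead of BASIC: a browser holding a Kerberos TGT needs no password -->
    <auth-method>SPNEGO</auth-method>
    <realm-name>EXAMPLE.ORG</realm-name>
  </login-config>
  <security-role>
    <role-name>webapp-users</role-name>
  </security-role>
</web-app>

<!-- File 2 (assumed): META-INF/context.xml of the same webapp.
     JNDIRealm looks the authenticated user up in AD and turns the groups that
     list the user's DN as a "member" into Tomcat roles named after the group CN. -->
<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://dc1.example.org:389"
         connectionName="CN=tomcat-svc,OU=Service Accounts,DC=example,DC=org"
         connectionPassword="changeit"
         userBase="OU=Users,DC=example,DC=org"
         userSubtree="true"
         userSearch="(sAMAccountName={0})"
         roleBase="OU=Groups,DC=example,DC=org"
         roleSubtree="true"
         roleSearch="(member={0})"
         roleName="cn"/>
</Context>

<!-- File 3 (assumed): the AJP connector in conf/server.xml for the httpd/mod_jk
     variant. With tomcatAuthentication="false" Tomcat accepts the REMOTE_USER
     that httpd (e.g. mod_auth_kerb) forwards and skips its own authentication;
     the Realm above is then not consulted for roles, which is the problem the
     post describes. Bind to loopback and require a shared secret so that nothing
     but the local httpd can assert a user name over AJP. -->
<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
           tomcatAuthentication="false"
           requiredSecret="change-this-long-random-secret"/>
```

In roleSearch, {0} is substituted with the DN found by userSearch and {1} with the plain user name, so "(member={0})" matches AD's group membership attribute. Because tomcatAuthentication="false" makes Tomcat trust whatever user name arrives on the AJP connector, the address and requiredSecret restrictions are not optional hardening but the only thing standing between an attacker who can reach port 8009 and an arbitrary REMOTE_USER. Later Tomcat releases added a separate AJP connector attribute, tomcatAuthorization, that keeps the proxy-supplied user name but still runs the configured Realm for role lookup; that attribute is not in the 7.0.25 described here, so check the AJP connector documentation for the version actually in use before relying on it.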