Richard Gundersen wrote:
Hi Nikola
Thanks for your quick and detailed reply. While it would be great if
Tomcat could interpret SPNEGO, I don't mind setting up Apache to sit
in front of Tomcat (in fact I was going to do this anyway for speeding
up the static content).
Most people advocate against it or at least do not advocate for it. The
rationalle being that Tomcat is fast enough these days. My rationalle is
that I yet have to see a pure TC web site. With Apache you have tons of
options, although, employing some of them might take the life of you - I
have recently had a misfortune of making a TC application which was
connected to Apache via WARP (mod_webapp, if you remember), with no
option to change it.
Anyway, given enough room to work in, you can happily run othe peoples
PHP, make your own rewrites, etc. and keep TC in it's place. The way
mod_jk (or mod_jk2) can be configured, you can do really seamless
integration. In my oppinion, the trouble of connecting the two is worth it.
I have a small webapp on our public server, backed by PostgreSQL DB and
it is running more than a year now, no glitch.
How would Apache send the details to Tomcat once it's happy with the
ticket it's received? Would it be in the form of simple request
params? I guess so. I also guess it's time for me to RTFM on
mod_krb_auth/mod_spnego :-)
When you connect TC to Apache via mod_jk, you can set an attribute in
server.xml which tells TC to trust authentication information it gets
from Apache. So, if the user manages to authenticate as, say,
"[EMAIL PROTECTED]", Apache will pass that information
to TC, via mod_jk. So, you can set in your web.xml the protection for
certain URLs, just as you would with local TC users. It should work,
regardless of which authentication mechanism Apache uses.
This also means, you have to setup Apache properly, to do the job. The
upside, there are no n-layers where authentication *can* occur, only one.
Nix.
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
