David Kerber wrote:
I have several instances of TC 7.x on windows, running the same in-house developed application for different outside customers. Those instances are each tied to a specific database, and cannot talk to any other dbs.

My in-house users occasionally need to log into the application instance for a specific customer to do administrative tasks for them, and the authentication is tied to the specific instance they are working with (the database for that instance). I am trying to work out a way of letting them log into any instance with a single "master" login, which would require all of the instances to authenticate against the same server/source/whatever you call it.

I can only come up with two options: LDAP authentication against my Windows domain controller, or a separate database that any of the instances can connect to. I know either of these would require additional code work, which isn't a problem, and I have a good feel for what's involved in db authentication.

But I don't have a good feel for LDAP auth. How difficult is that to get working in TC 7.x?

I am also open to other suggestions that I might be missing.


An out-of-the-Tomcat-box suggestion:

Install one front-end Apache httpd which does the authentication, then forwards to any of the back-end Tomcats depending on the URL, via mod_jk. (*)

Configure the AJP Connector at the Tomcat side to say: tomcatAuthentication="false".

mod_jk forwards to Tomcat (as part of the AJP protocol) the authenticated Apache user-id. The above attribute in the Connector causes Tomcat to just accept this id as the user's already-authenticated id (which means that Tomcat won't double-check with whatever authentication back-end it already has and uses normally).

LDAP authentication is quite standard in httpd, but if you have a limited number of user-ids who need to do that, you might even set this up with Basic Auth and a file back-end at the httpd level (**). As long as your Tomcats accept AJP connections only from the internal httpd front-end, and the users doing that are only internal users, this would not impact security.


(*) You can use mod_rewrite or even SetEnvIf at the httpd level to trigger the proxying to the appropriate Tomcat, depending on the originally requested hostname, for example.

(**) With this scheme, it does not really matter *how* Apache does the authentication, as long as it results in a user-id that is valid for the back-end Tomcat. It does not even have to use the same password, for example. The httpd password does not get forwarded to Tomcat, just the user-id.

It would even allow you to login to the Tomcats using real user-ids of the customer users, which may matter if different users have different roles or permissions.

Caveat and hand-washing: I have never tried this. It just popped up when I read your post and I imagined with terror having to modify some standard Tomcat component, or implement something which would leave holes in the customer Tomcat's security. But I am doing some things already in that area, which might be considered of a similar enough nature, and they work.
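The scheme described in the reply above, written out as a worked configuration (an added example, not part of the original thread and not the Tomcat project's own configuration). It assumes one httpd front-end with a VirtualHost per customer hostname, an Active Directory domain controller reachable over LDAP, and a Tomcat 7 AJP Connector; every hostname, DN, port and secret shown is a placeholder. The two settings a practitioner would want to check are the `address` binding and the shared AJP secret: once `tomcatAuthentication` is false, Tomcat trusts whatever user-id arrives over AJP, so that port must be reachable from the front-end httpd only.

```apache
# --- httpd.conf (front-end): one VirtualHost per customer hostname ---
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log

<VirtualHost *:443>
    # Placeholder hostname; one such block per customer instance.
    ServerName customer-a.example.com
    # All authentication happens here against the Windows DC, not in Tomcat.
    <Location />
        AuthType Basic
        AuthName "Administrative login"
        AuthBasicProvider ldap
        # Placeholder DC and base DN; sAMAccountName becomes the forwarded user-id.
        AuthLDAPURL "ldap://dc.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN "CN=svc-httpd,OU=Service,DC=example,DC=com"
        AuthLDAPBindPassword "PLACEHOLDER-BIND-PASSWORD"
        # Only members of the in-house admin group reach any back-end instance.
        Require ldap-group CN=tomcat-admins,OU=Groups,DC=example,DC=com
    </Location>
    # Everything on this hostname goes to the Tomcat tied to customer A's database.
    JkMount /* worker_customer_a
</VirtualHost>

# --- conf/workers.properties: one AJP worker per Tomcat instance ---
# worker.list=worker_customer_a,worker_customer_b
# worker.worker_customer_a.type=ajp13
# worker.worker_customer_a.host=127.0.0.1
# worker.worker_customer_a.port=8009
# worker.worker_customer_a.secret=PLACEHOLDER-SHARED-SECRET
# worker.worker_customer_b.type=ajp13
# worker.worker_customer_b.host=127.0.0.1
# worker.worker_customer_b.port=8010
# worker.worker_customer_b.secret=PLACEHOLDER-SHARED-SECRET

# --- server.xml on each Tomcat: the AJP Connector that trusts httpd ---
# <Connector protocol="AJP/1.3" port="8009"
#            address="127.0.0.1"
#            tomcatAuthentication="false"
#            requiredSecret="PLACEHOLDER-SHARED-SECRET" />
#
# address:              bind AJP to the loopback/internal interface only, so
#                       nothing but the front-end httpd can present a user-id.
# tomcatAuthentication: accept the user-id mod_jk forwards as already authenticated.
# requiredSecret:       must match worker.<name>.secret; requests without it are
#                       rejected (check the Connector docs for your exact 7.0.x).
```

Rotating the bind password or shared secret changes both the httpd side and every Tomcat Connector at once, so keep them in one place under configuration management.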


