Re: problem in handlins request for JK2

sunil chandran Thu, 05 Apr 2007 00:14:30 -0700

hello Johnny,

I am sorry to confuse you...
see my problem is that i used mod_auth_kerb for implementing single sing-on
in a Japan server.i finsihed the project..then we found the problem ...


that module works only in Apache and not in tomcat.so we needed something to
connect Apache and tomcat to request the servlet inside webapps of Tomcat.

first i wrote a Perl script which will redirect the request to the servlet.
that gave temporary relief. it was working fine.

so a client request for a servlet (http://ipaddress/cert) will run perfectly
from a Japan machine.
but running it from my system will say " authentication required"

thats how it should run...

*i should not be able to run that servlet in JP server from my machine..
thats where authentication prompt comes.. instead if i remote login to a JP
machine and run the url ..it works perfectly..*

thats how my project should work.

i hope till here you are clear !

now i went for JK2 connector.

now after configuring the appropriate files ..
i checked the URL from JP machine. it works perfectly ( now no need of the
perl script !)
but when i run from my machine ....also i am able to get the result...(
which is not what i should get ) that means now i am not getting that
authentication message ..but am able to run the url and get the result from
my machine also.

thats what i mentioned about a security issue...no security for the URL..

so i should change some thing inside httpd.conf file...

thats what my doubt is.....

hope you understood the scenario...

this is the data i have given for Kerberos authentication inside my
httpd.conf..

<Directory />

AuthType Kerberos

AuthName "Kerberos Login"

KrbAuthRealms JP.SONY.COM

KrbServiceName HTTP/[EMAIL PROTECTED]

Krb5Keytab /usr/local/apache/conf/jptkysip99.keytab

KrbMethodNegotiate on

KrbMethodK5Passwd off

Require valid-user

</Directory>




On 4/5/07, Johnny Kewl <[EMAIL PROTECTED]> wrote:

 Hello Sunil,

I'm not sure if I understand what you trying to do...

If you want Apache to authenticate there should be something like this in
httpd.conf

<Location /secure>
AuthType basic
AuthName "japan area"
AuthBasicProvider dbm
AuthDBMType SDBM
AuthDBMUserFile /www/etc/dbmpasswd
Require valid-user
</Location>

If you want Tomcat to do the authentication then

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>HARBOR Security</realm-name>
    </login-config>

    <security-constraint>
        <!--this section dictates which URLS will invoke security-->
        <web-resource-collection>
            <web-resource-name>Test</web-resource-name>
            <url-pattern>/service/admin</url-pattern>
        </web-resource-collection>
        <!--only users in these roles will get access to the above uri-->
        <!--users are set in the conf/tomcat-users.xml file-->
        <auth-constraint>
            <role-name>japan_admin</role-name>
        </auth-constraint>
    </security-constraint>

I tried to find a good example for you, but I couldnt find anything for
mod_jk2.... maybe someone else can comment on this but I think mod_jk2 has
been deprecated (its old)... yes the numbering doesnt make sense. Anyway I
think if you use mod_jk in future, you will find many more people can help.

If you want SSL as well then have a look at the apache help file ie
http://apacheserver/manual

I dont know mod_jk2 but I think that any Cert or Ssl stuff in worker files
must be for SSL between Apache and Tomcat... and its not often needed or
wanted.

Anyway... if you want little login box's to prompt the user.... must do
something like the above. If you do it in Apache then local users can still
get into Tomcat through a connector, if you do it in Tomcat then all users
via Apache or direct to tomcat will have to login. It depends on what your
system looks like... I think it will probably be easier to do it on Tomcat
and then deliver the WAR package to Japan. That way Apache admin person just
needs a simple connector setup.

Here is some sample stuff for mod_jk that will help you get going

http://tomcat.apache.org/tomcat-3.3-doc/mod_jk-howto.html

and some more for SSL

https://spaces.internet2.edu/display/SHIB/JKIdPInstall

Main point is if you start using MOD_JK then just googling for Tomcat
Mod_jk will give you losts of info....
Your english is much better than my japanese, but for prompting user login
the word to search for is AUTHENTICATION... searching for "security" will
probably give you SSL.

Hope that helps

----- Original Message -----
*From:* sunil chandran <[EMAIL PROTECTED]>
 *To:* Tomcat Users List <users@tomcat.apache.org>
*Cc:* JOHN <[EMAIL PROTECTED]>
*Sent:* Wednesday, April 04, 2007 10:58 AM
*Subject:* Re: problem in handlins request for JK2

Hi ,

   this is the modifictaion i made in workers2.properties file:
------------------------------------------------------------------------------------------------------------------------

[channel.socket:localhost:8009]

info=Ajp13 forwarding over socket

debug=0

tomcatId=localhost:8009

# define the worker

[ajp13:localhost:8009]

channel=channel.socket:localhost:8009

group=lb

[uri:/cert]

info=Colavo Authentication.

debug=0

[uri:/]

info=Colavo Authentication.

debug=0

[uri:/event]

info=Colavo Authentication.

debug=0

[uri:/status]

[uri:/status02]

info=Colavo Authentication.

debug=0
-------------------------------------------------------------------
then i added

LoadModule jk2_module modules/mod_jk2.so
inside httpd.conf file in apache.

now i can succesfully run

http://serverIP/status <http://serverip/status>
http://serverIP/cert?username=....&password<http://serverip/cert?username=....&password>
=...

this is working fine. but i need to restrict from opening this URL from my
systtem

that url should ask for authorization required (401 error)

but the problem is i am able to run this url of server located in Japan
from my system also. which i should restrict.

i need to do some changes in httpd.conf file itself..

please help me forward

On 4/4/07, JOHN <[EMAIL PROTECTED]> wrote:
>
> Please show us the setup files...
>
>
>
> ----- Original Message -----
> From: "sunil chandran" < [EMAIL PROTECTED]>
> To: <users@tomcat.apache.org>
> Sent: Wednesday, April 04, 2007 9:02 AM
> Subject: problem in handlins request for JK2
>
>
> > Hello all,
> >
> >                  I am Sunil C.
> >                  i have used JK2 connector to connect Apache and
> Tomcat
> > I am having a servlet (Certserv) folder in webapps folder in Tomcat.
> > i gave uri to that cert program in my workers2.properties file.
> >
> > everything is working fine.
> >
> > but i face a secuirty issue. this machine is in other domain. i mean
> > Japan.
> > i did a remote login and checked the uri . its working fine.
> >
> > the real problem lies ...when i type the uri from my machine. it
> should
> > show
> > "authentication required"
> > because that folder is authentication restricted.
> > but now ..i am able to run the uri from machine also.
> >
> > please tell me how can i restrict it.
> >
> > i tried giving :
> >
> > <Location "/cert">
> >        JkUriSet worker ajp13:localhost:8009
> >    </Location>
> >
> > but it doesnt seem to work.
> >
> > is there something i have to include in my httpd.conf file of Apache?
> >
> > please help me forward
> >
> > thanks in advance.
> >
> >
> >
> >
> > --
> > Sunil
> >
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>

--
Sunil



--
Sunil

Re: problem in handlins request for JK2

Reply via email to