Jorge Infante Osorio wrote:
-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Friday, 25 March 2011 13:09
To: Tomcat Users List
Subject: Re: reverse proxy with SSO using CAS.
Jorge Infante Osorio wrote:
I have an issue with a reverse proxy using Apache, Tomcat and SSO with CAS.
The problem is that my reverse proxy works just fine when I use an
Apache server as the reverse proxy with two back-end Tomcats.
But when I include SSO with CAS to authenticate the users with
access to the Tomcat servers, the internal redirections are missing for
the users that use the reverse proxy, and I don't know why.
Thanks, for reposting as a new message.
I don't know CAS. I just read the Wikipedia entry right now.
I just want to point out something to you, in case you would not know and in
case it may help.
If you use mod_jk as a proxying connector between Apache and Tomcat, and you
set the "tomcatAuthentication=false" attribute on the AJP Connector in
Tomcat, then Tomcat will accept the user authentication from Apache (which
mod_jk forwards to Tomcat).
This allows you to do the user authentication at the front-end Apache level, and
pass the user-id to the Tomcat back-end(s) easily. It may simplify your
problem.
It is possible that mod_proxy_ajp provides a similar capability, I don't
know.
There are plenty more possibilities for similar schemes, but my time is
running out right now, because yes I am in my late afternoon mode, and I am
taking a holiday starting tomorrow (in what increasingly looks like the
wrong region to be right now).
From what I read about CAS, it looks similar to another scheme named OpenId
I think. I understood once how that works, but right now something eludes
me in the redirections schema. I'll think about it next week on the beach.
But a question: in your CAS scheme, which is/are the server(s) which need
to talk to the CAS server?
When I try to access any Tomcat server I'm redirected to the CAS server, I
authenticate in CAS and then I'm forwarded to the server that made the call.
So if I want to authenticate to App1, App1 redirects me to CAS, I
authenticate in CAS and then it forwards me again to App1.
Right.
And if I understand this correctly, this all works with external redirects.
And probably, when the CAS server sends the final re-direct to the browser, back to
Tomcat, it must append something to the URL (I mean to the Location: header of the
redirect), whereby the Tomcat-resident CAS module should detect that the call is now
authenticated.
And since this is all going back-and-forth a couple of times between the front-end Apache
and the back-end Tomcat, the potential for mangling that URL during the proxying is not
immaterial.
That is probably why Mark was asking if your proxying modifies the URL, and how.
I'll leave you with Mark then for the follow-up.
But I remain convinced that you would do yourself a favor and simplify your world, by
doing the CAS authentication at the front-end Apache level, and then just pass the user-id
to the Tomcat back-end.
Subsidiary question: there must be a moment in all this where the back-end Tomcat speaks
directly to the CAS server, no? Or do these two exchange information just by means of
the redirects, always going through the browser?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
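As an added illustration of the mod_jk suggestion made above (example configuration, not from anyone in the thread), this is the Tomcat-side AJP Connector that makes Tomcat accept the user identity Apache forwards over AJP. The port, address and thread values are placeholders chosen for the example; the attribute that matters is tomcatAuthentication="false".

```xml
<!-- conf/server.xml on each back-end Tomcat (example values, not from the thread) -->
<Service name="Catalina">

  <!-- AJP connector that mod_jk in the front-end Apache talks to.
       tomcatAuthentication="false": Tomcat does NOT run its own
       authentication; it takes the authenticated user name that
       mod_jk forwards from Apache's REMOTE_USER and exposes it to
       the webapp as request.getRemoteUser() / getUserPrincipal().

       Because Tomcat now trusts whatever user name arrives on this
       port, the port must be reachable only from the trusted Apache
       front-end: bind it to the loopback address (or the private
       interface the proxy uses) and firewall it from everything else. -->
  <Connector port="8009"
             protocol="AJP/1.3"
             address="127.0.0.1"
             redirectPort="8443"
             tomcatAuthentication="false"
             maxThreads="200" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false" />
  </Engine>
</Service>
```

On the Apache side, the matching setup is to protect the proxied location with Apache's own authentication (the CAS module for Apache, or any AuthType plus Require valid-user) and map it to Tomcat with JkMount; mod_jk then forwards REMOTE_USER with each request and the webapp sees it as the remote user without any CAS redirects having to traverse the proxy. Since the user name is accepted on the AJP port without further proof, the address binding above (plus, on Tomcat versions that support it, the AJP shared secret) is what keeps a host other than the front-end from asserting an arbitrary identity.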