Pass authentication from Apache to JBoss

apache-2.2jboss

I have an Apache server setup that is passing requests over to a JBoss server to serve Java content. I've been able to get this working without a problem. However, it appears that the authentication from Apache is not being sent.

When I go to a given URL, Apache challenges me for the username/password, but when the request gets over to JBoss and I try to getRemoteUser(), I get nothing. I'm pretty new to configuring any type of server (I'm a developer setting up a test environment), so any help would be greatly appreciated!

Best Answer

Several possible solutions; if you're using mod_proxy_ajp or mod_jk for the connector then make sure that this is set in your server.xml connector:

tomcatAuthentication="false"

That will most likely fix the problem. If not, it's a bit more difficult depending on which module you're using for the AJP13 connection; we'll need to know which one before helping further.

Related Solutions

How to setup apache redirect or custom 401 document on Kerberos SSO login failure

In order not to interrupt the Kerberos/SSO authentication process, use the following:

ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/login.htm\"></html>"

This will cause a redirect to occur only when the user clicks cancel on the browser dialog box.

Ssl – Configure JBoss AS 5 and LDAP

I think you need to import the trusted root certificate, (possibly any intermediary certs as well) into the Java keystore that JBoss is using. (When running on Linux, only place I have run JBoss, it uses Tomcat to run JBoss in it).

I am not sure where the default Java key store would be for Tomcat. You can use keytool from any Java JDK install, and import the trusted root that way. The keystore password should be 'default' since there is nothing secret about trusted root public keys.

Sample Keytool syntax might be:

keytool -importcert -keystore Path/to/store -storepass Password (Usually default or changeit) -alias Something -file FileWithPublicKey

To get the trusted root, an easy way is if the same cert is used for an HTTP interface. But I think IE will let you try ldaps://serverIP/ and then in the icon with a lock, you can see certificate details.

There is a tab for the certification chain. The top item is the CA who signed this cert (aka the Root that we need to Trust, to make it a Trusted Root).

If all this is too much, then here is a funny trick! Get the 600K Java based LDAP browser, called LBE and delete the local file lbecacert then run the LDAP Browser, make a config for your LDAP server, with SSL enabled, and when you first connect it will get the Trusted Root, prompt you to Trust it once, always, or never. Select Always, and exit.

The newly created lbecacert file now has just the one trusted root in it. Cute eh? I use this when I am lazy and it works fine.

Now where should the Tomcat cacerts be? Well it might be sufficient in your JVM install, lib/security to either add the trusted root to the cacerts there, or else replace that file with this one (which is not the best option, since you might want some of those default trusted roots).

Best Answer

Related Solutions

How to setup apache redirect or custom 401 document on Kerberos SSO login failure

Ssl – Configure JBoss AS 5 and LDAP

Related Topic