Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

how to pass credentials from iis 6 to apache tomcat

43 views
Skip to first unread message

Fritz Theiss

unread,
Dec 11, 2009, 9:23:01 AM12/11/09
to
hi,

my company is currently developing a new application running on apache
tomcat (please note: not apache web server!), which needs credentials of the
user first requesting iis 6 website. from iis 6 website the request is
forwarded using isapi_redirect.dll.

my question: how can the credentials of iis 6 website logged-in user be
forwarded to apache tomcat? is there another isapi-filter available doing
this? or what else can be done assuming iis 6-website is set to "windows
integrated" and kerberos is used?

--
thanks in advance / danke im voraus, fritz
--
Fritz Theiss

John Elliot

unread,
Dec 11, 2009, 4:06:15 PM12/11/09
to
On 12/11/2009 9:23 AM, Fritz Theiss wrote:
> hi,
>
> my company is currently developing a new application running on apache
> tomcat (please note: not apache web server!), which needs credentials of the
> user first requesting iis 6 website. from iis 6 website the request is
> forwarded using isapi_redirect.dll.
>
> my question: how can the credentials of iis 6 website logged-in user be
> forwarded to apache tomcat? is there another isapi-filter available doing
> this? or what else can be done assuming iis 6-website is set to "windows
> integrated" and kerberos is used?
>


Hi,

What you are trying to do is called Single sign-on. Here is the first
link I got from Google when searching for "single signon iis tomcat"

http://www.opentaps.org/docs/index.php/Configuring_Single_Sign_On


JE.

David Wang

unread,
Dec 14, 2009, 4:18:01 AM12/14/09
to
Ability to "forward credentials" depends on the authentication
protocol.

Windows Integrated and Kerberos authentication protocols specifically
disallow the forwarding of credentials because that is considered a
man-in-the-middle attack by the protocols.

Your choices for forwarding authentication are to either:
1. Use other "single sign on" protocols like OpenID or LiveID
2. Use other insecure protocols like Basic or Forms auth to pass
username+password around
3. Work with how Kerberos specification allows delegation of user
tokens
4. Write your own "Single Sign On" authentication protocol.

Due to your implementation constraints, the easiest choice will be #2.
It happens to be the most insecure, but that's the weakness when
dealing with Tomcat's relative insecurity. If Tomcat ran natively on
IIS, this would not be an issue. But, it wants to be architecturally
neutral, and security is the tradeoff.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On Dec 11, 6:23 am, Fritz Theiss

0 new messages