Authenticating through a reverse proxy


rcoe

Jun 14, 2013, 11:30:50 AM
to waffle...@googlegroups.com
I have a working Waffle enabled web app running in Tomcat. I now want to set up a reverse proxy to communicate to Tomcat using AJP. I am using Apache 2.2 as the proxy server. At this point, the requests are being proxied to Tomcat but the NTLM auth token is broken somehow:

2013-06-14 11:20:48,171 [ajp-bio-8009-exec-1] WARN waffle.apache.NegotiateAuthenticator - error logging in user: The token supplied to the function is invalid

The packet capture of the http stream looks like:

# Client Request

GET / HTTP/1.1
Host: xxxxxxxxxx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-ca,chrome://global/locale/intl.properties;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: JSESSIONID.49c0fffa=c9a33bc62b8447fc2e48f304d397895c; screenResolution=1920x1080
Connection: keep-alive
Authorization: NTLM <token elided>

# Server response

HTTP/1.1 401 Unauthorized
Date: Fri, 14 Jun 2013 15:18:39 GMT
Cache-Control: private
Expires: Wed, 31 Dec 1969 19:00:00 EST
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Connection: close
Content-Type: text/html;charset=utf-8
Content-Length: 951

One thing I noticed in the capture is that the JSESSIONID cookie name has been changed.  It now includes a hex encoded suffix, .49c0fffa, which seems to be static across sessions.  This *may* be that apache is affinitizing the cookie to the proxy worker, I'm not sure.  I'm not even getting to my authentication filter to examine the http request headers; Tomcat is refusing the initial connection.

One thing which *shouldn't* affect the TCP stream is that the proxy server is running on a Linux host, whereas the client and Tomcat server are both hosted on the same Windows 7 workstation.

I would be happy to include more info, but I'm not sure whether this is expected behaviour, so wanted to open the conversation first.

rcoe

Jun 14, 2013, 1:32:47 PM
to waffle...@googlegroups.com
I see there's another thread on this topic, https://groups.google.com/forum/#!topic/waffle-users/3dqRP2aPGW8.

So, it seems there is no guaranteed fix, although certain configurations *seem* to work.  Considering that NTLM does not adhere to the HTTP RFC, is there an alternative method that will guarantee the ability to authenticate, using waffle, through a proxy?

Daniel Doubrovkine

Jun 14, 2013, 4:59:50 PM
to waffle...@googlegroups.com
As far as I know the only proxies that are guaranteed to work implement the proxy NTLM auth protocol, but TBH the last time I ran one (MS ISA server) was 10 years ago. It seems that the solution in that thread is right, keeping the connection is core to the protocol, so it *should* always work.

--

dB. | Moscow - Geneva - Seattle - New York
code.dblock.org - @dblockdotorg - artsy.net - github/dblock
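As an added illustration, not part of the thread, of why "keeping the connection" matters: a toy Python model of the three-leg NTLM handshake behind a proxy that either binds each client connection to one backend connection or hands every request to whichever pooled backend connection is next. The Backend and Proxy classes and the "type1/type2/type3" labels are constructed for the model and are not real NTLM messages or Waffle/Apache code.

```python
import itertools


class Backend:
    """Server side: the NTLM challenge is state of the *connection* it was
    issued on, which is how Waffle/SSPI behave; it is not carried in the
    HTTP request itself."""

    def __init__(self):
        self.challenges = {}  # backend connection id -> outstanding challenge

    def handle(self, conn_id, authorization):
        if authorization == "NTLM type1":
            self.challenges[conn_id] = f"challenge-{conn_id}"
            return 401, f"NTLM type2 {self.challenges[conn_id]}"
        if authorization.startswith("NTLM type3 "):
            expected = self.challenges.pop(conn_id, None)
            if expected is None or authorization != f"NTLM type3 {expected}":
                # Leg 3 arrived on a connection that never issued the challenge.
                return 401, "The token supplied to the function is invalid"
            return 200, "OK"
        return 401, "NTLM"


class Proxy:
    """sticky=True: one backend connection per client connection (what NTLM
    needs). sticky=False: any idle pooled connection per request, which is
    how a request-oriented proxy pool behaves."""

    def __init__(self, backend, sticky):
        self.backend, self.sticky = backend, sticky
        self.pool = itertools.cycle(("b1", "b2"))  # two pooled AJP connections
        self.bound = {}  # client connection id -> backend connection id

    def forward(self, client_conn, authorization):
        if self.sticky:
            conn = self.bound.setdefault(client_conn, next(self.pool))
        else:
            conn = next(self.pool)
        return self.backend.handle(conn, authorization)


def ntlm_handshake(proxy, client_conn="c1"):
    """Run legs 1-3 over a single client connection; return the final status."""
    status, body = proxy.forward(client_conn, "NTLM type1")
    assert status == 401 and body.startswith("NTLM type2 ")
    challenge = body.split(" ", 2)[2]
    status, _ = proxy.forward(client_conn, f"NTLM type3 {challenge}")
    return status
```

With the sticky mapping the handshake completes (200); with per-request pooling leg 3 lands on the other backend connection and the server answers with the same "token supplied to the function is invalid" failure the log above shows.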
