I'm facing a difficult setup where I have to configure single sign on, based on the logged in used on my tomcat application.
I already took some steps which allow me to login via single sign on directly on my tomcat application by using waffle.
I have 1 server where I have a tomcat running and a IIS running (but this IIS will move to another server in the same domain in the future).
I have the Tomcat running on port 8205 and the IIS configure to accept url's from authpoc.company.com. IIS does a redirect to localhost:8025 via URL Rewrite.
My web.xml from IIS
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="ReverseProxyInboundRule1">
<match url="(.*)" />
<action type="Rewrite" url="http://localhost:8205/{R:1}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
What works
When opening the application directly on localhost:8205 on the server. I get a nice single sign on based on my domain user.
When opening the application directly on the ip of the server. 192.168.1.1:8205. I can log in but single sign on does not work anymore. This I don't understand. (edit: solved, this is a setting in Internet explorer, see SSO waffle asking username and password for more information)
What doesn't work
When redirecting from IIS, I don't get to login into my tomcat application. I have windows authentication enabled, with Negotiate and NTML enabled (in this sequence).
I read a lot on the internet but I can't find anyone with this particular setup. I don't really have the impression I'm doing something exotic.
One possiblity is that I should connect IIS via AJP instead of a much simpeler URL rewrite.
any help is welcome! Thanks
I got an answer on the google groups saying this is not possible because of the reverse proxy counting as a hop.
https://groups.google.com/forum/#!topic/waffle-users/VCaawJMD0Mw
I'm going to try another approach
Related
I have deployed a Spring Boot application in Tomcat in Windows Server and it's accessible on browser via http://server-name:8080/app. Now, for end users I don't want them to hit the app at port 8080, so I have configured an IIS rewrite rule
<rule name="app" enabled="true" stopProcessing="false">
<match url="^app.*" />
<action type="Rewrite" url="http://server-name:8080/{R:0}" logRewriteUrl="true" />
</rule>
Now, when I hit http://server-name/app, it works, but the subsequent calls are going to http://server-name:8080/app.
I am not sure if there is a problem with the IIS rule since I ran the app.war using same application.properties as
java -jar app.war --server.port=8080 --spring.config.import=application.properties
The only caveat here is I am passing context path in properties as
server.servlet.context-path=/app
and in this scenario all the URL calls go without port 8080. If anyone have any insight or solution, please share.
Please NOTE: I can't host Tomcat on port 80 as there are other apps running on port 80 which uses the API from app deployed in Tomcat.
I have embedded Jetty running on port 7000. Also, I have a keycloak server running on same machine on port 8100.
My all clients access goes via Jetty i.e. localhost:7000. So, I have put keycloak as reverse proxy on Jetty i.e localhost:7000/keycloak/auth will redirect to localhost:8100/auth. It is hitting correctly.
Now, there is KeycloakInstalled client to authenticate the user. I have provided auth-url as http://localhost:7000/keycloak/auth. When I run this client, it correctly authenticate the user, but when retruning the token, it gives out the exception that auth-url (localhost:7000/keycloak/auth) given to it does not match the url from keycloak sever (localhost:8100/auth).
I tried out doing following also:
https://www.keycloak.org/docs/1.9/server_installation_guide/topics/clustering/load-balancer.html
But, I am unable to generate X-Forward headers from Jetty.
Am I doing any basic thing wrong here?
Any pointers here would be very helpful.
Thanks.
I workaround it by mapping http://localhost:7000/auth (not localhost:7000/keycloak/auth) to http://localhost:8100/auth via Jetty reverse proxy. It worked perfectly.
P.S. I also need to add proxy-address-forwarding="true" in keycloak standalone.xml
IIS is redirecting to Tomcat but SSL is not occurring, basically web page opens but AD user is not "captured" in the process.
Application triggers - "User not Informed" error which is a designed error when AD account is not registered in the system. In our tests users are registered so I can conclude windows authentication does not occurs correctly
I get browser error:
Generic Connector Communication Error:
Please check and adjust your setup:
Ensure that Tomcat is running on given host and port.
If this is a timeout error consider adjusting IIS timeout by changing executionTimeout attribute in web.config (see manual).
connection between Tomcat and IIS experienced error. Please check logat BonCodeAJP13.BonCodeAJP13ServerConnection.p_CreateConnection(BonCodeAJP13PacketCollection packetsToSend)
at BonCodeIIS.BonCodeCallHandler.ProcessRequest(HttpContext context)
Are there any extra settings should I run in IIS or some IIS logs I could check to confirm which AD user is actually accessing tomcat?
Important notes:
IIS8 (Windows SErver 2012) / apache-tomcat-7.0.64 / jdk-7u79-windows-x64
Tomcat service is impersonating (log on as) an AD service account which connects to a SQL 2012 database. Connection to the database occurs through Microsoft JDBC driver.
Only IIS root has a web.config file, application itself does not.
Anonymous + Windows Authentication (Kerberos) are enabled in IIS.
Please let me know of any other relevant information should I provide to help on this troubleshooting.
Thank you so much for all help!
BR
I was able to figure out the problem and fix it.
It was a misconfiguration on Tomcat server.xml "Connector" settings, Added up tomcatauthentication-"false" and now it works flawless.
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false"/>
I'm new with this authentication through kerberos protocol so I tried to read a lot of howto on it but seems like I can't find any specifics with my constraints. Here is what I have :
An Active Directory Server on which users authenticate to log into their workstations
Each end user uses IE 7 to connect to my intranet application
An Apache server with load balancing
Some Tomcats servers acting as workers for the Apache server.
on each tomcat, I have 2 jakarta servlet running, users connect only on one servlet (further i will call it the servlet as if there is only one)
my tomcats need to run under jdk5. not jdk6 or jdk4. it's jdk5 period.
Now I want one to automatically get logged on my servlet. Basically I just need my servlet to retrieve the client's principal then I can manage the rest.
Based on what I understood, my client has a ticket, he ask the KDC for a special ticket for accessing the apache server, then he tries to connect to the Apache server. Based on his keytab, the apache server then decode the auth data and grant/refuse the access to specified resource.
Am I right? please guide me through this, I've been reading pages for 4 days and still no clue on which solution is the more appropriate. I tried mod_auth_kerberos for Apache but instead of grabbing the user's ticket he ask it like a basic auth. Apparently spgneo
Thanks
Ok I got this working :
Install Kerberos 5 + apache 2 + mod_auth_kerb.
On your AD, generate a keytab with only the principal you will use for Apache, I use HTTP/apache.mydom.com#MYDOM.COM
Put this keytab file on your apache server and make it readable only
by your Apache user.
Then edit your apache conf with these directive for your secure
location
apache.conf:
[…]
ServerName apache.mydom.com:80
[…]
LoadModule auth_kerb_module modules/mod_auth_kerb.so
[…]
<LocationMatch /secure)>
[… some other stuff …]
Order allow,deny
Allow from all
AuthType Kerberos
AuthName "Authentification requise"
KrbAuthRealms MYDOM.COM
#this allows user to be saved in the request
KrbSaveCredentials on
#this one force Negotiate AuthType instead of basic fallback
KrbMethodNegotiate on
#this trim the realm from username saved in the request (request.getRemoteUser() will give you "user" instead of "user#MYDOM.COM"
KrbLocalUserMapping on
KrbAuthoritative on
KrbVerifyKDC on
Krb5Keytab /install/binaries/httpd/apache.keytab
KrbServiceName HTTP
require valid-user
</LocationMatch>
And the one thing I almost failed to find on the web, you have to modify your tomcat server config (tomcat/conf/server.xml) :
<Connector [... AJP connector configuration ...] request.tomcatAuthentication="false"/>
This is really important because without it you tomcat won't retrieve any info from tomcat auth.
Don't forget too, DNS is really really really really important for a Kerberos install. If you have any issue try checking your DNS for all of your servers.
I want to capture data that my web application sends and receives from a CAS server via HTTPS. I tried using Fiddler2, but couldn't make it capture traffic from Java web application. It seems I need to configure it to use Fiddler2 as a proxy. How do I do it correctly?
Some additional info. I have already imported Fiddler's certificate with keytool. Running web application on Tomcat 7. Using IntelliJ Idea.
Run the JVM with these parameters:
-Dhttps.proxyHost=yourhostwithfiddler -Dhttps.proxyPort=8888
Alternately, you could set the Java default proxy through a GUI - see http://www.java.com/en/download/help/proxy_setup.xml
In addition to Piskvor answer, make sure you configure Fiddler to capture the HTTPS traffic: Tools --> Fiddler Options --> HTTPS --> Capture HTTPS CONNECTs
You can also use directly the settings screen:
"File / Settings...", then choose"IDE Settings / HTTP Proxy".
Then tick "Use proxy", "Host name": localhost, "Port number": 8888