-
Notifications
You must be signed in to change notification settings - Fork 0
/
INSTALL
35 lines (29 loc) · 1.89 KB
/
INSTALL
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
server.xml
<Valve className="org.ege.tomcat.RemoteUserAuthValve" userKey="X-Forwarded-User" roleKey="X-Forwarded-Groups" roleSeparator=";" allows="127.0.0.1" />
Configuration attributes:
userKey: key in the http header send by Web Server/Reverse Proxy in order to store user login.
roleKey: key in the http header send by Web Server/Reverse Proxy in order to store roles. If the Web Server/Reverse Proxy sends a heder containing the user'roles (separated by roleSeparator).
roleSeparator (optional): see above.
allows (optional): filter by remote IP. IP defined in this attribute are allowed (use "," separator for multiple IP). Just set the LemonLDAP::NG handler IP on this attribute in order to add more security. If this attribute is missed all hosts are allowed.
passThrough (optional): Allow anonymous access or not. When it takes "false", HTTP headers have to be send by LemonLDAP to make authentication. So, if the user is not recognized or HTTP headers not present, a 403 error is sent.
<Valve className="org.ege.tomcat.RemoteUserAuthenticator" httpHeaderForSSOAuth="X-Forwarded-User" sessionCookieForSSOAuth="SMSESSION,CTSESSION,ObSSOCookie" />
Comme Authenticator
HTTP_HEADER=org.ege.tomcat.RemoteUserAuthenticator dans org/apache/catalina/startup/Authenticators.properties
tomcat-install/lib/catalina.jar as org/apache/catalina/startup/Authenticators.properties
SPNEGO
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/[email protected]"
useKeyTab=true
keyTab="c:/apache-tomcat-7.0.x/conf/tomcat.keytab"
storeKey=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/[email protected]"
useKeyTab=true
keyTab="c:/apache-tomcat-7.0.x/conf/tomcat.keytab"
storeKey=true;
};