Reverse Proxy and Java Application Server Security

Question

Is it possible to have the reverse proxy (Apache HTTP 2.2) handle authentication (HTTP Basic) and then still use the container managed security of the Java application server (GlassFish 3.1 or JBoss 7.0.2) for authorization?

I've got GlassFish doing container managed security (both authentication and authorization together) just fine using both declarative and programmatic container security with form based authentication and a custom GlassFish authentication module. I've even got this working through an Apache HTTP web server reverse proxy using mod_proxy_ajp. Now I'm just trying to find a way to offload the authentication piece to Apache while maintaining the container managed security authorization piece. Maybe there is a single-sign-on interface in the Java application server which would facilitate this (since this is like SSO - Apache requires authentication for everything behind it)?

Answer 1

The user data is available to CGIs and such as environment variables. You'd have to pass that along somehow - either via some gateway cgi, or perhaps by inserting them in a header.

Below is an example of how it might be possible through header insertion. I apologize for suggesting something that I haven't tried myself, but it seems reasonable, yeah?

RequestHeader unset REMOTE-USER
RequestHeader add REMOTE-USER %{REMOTE-USER}e

I suspect, however, that when that environment variable would, it would always be null if you're proxying. If that's the case, you may be able to use look-ahead variables using mod_rewrite. (See mod_rewrite docs for LA-U example and explanation.)

RequestHeader unset REMOTE-USER
RewriteCond %{LA-U:REMOTE_USER} (.*)
RewriteRule .* - [E=MY_REMOTE_USER:%1]
RequestHeader add REMOTE-USER %{MY_REMOTE_USER}e

This requires mod_rewrite and mod_headers.