Application Server does not support auth-passthrough Web
Server 6.1 Add-On.
The Sun Java System Application Server Enterprise Edition 8.2 adds
support for the functionality provided by the auth-passthrough plugin
function available with Sun Java System Application Server Enterprise Edition 7.1. However,
in Application Server Enterprise Edition 8.2, the auth-passthrough plugin feature is configured differently.
The auth-passthrough plugin function in Application Server Enterprise Edition 7.1
has been useful in two-tier deployment scenarios, where:
In such network architectures, a client connects to a front-end web
server, which has been configured with the service-passthrough plugin
function and forwards HTTP requests to the proxied Application Server instance
for processing. The Application Server instance can only receive requests
from the web server proxy, but never directly from any client hosts. As a
result of this, any applications deployed on the proxied Application Server
instance that query for client information, such as the client's IP address,
will receive the proxy host IP, since that is the actual originating host
of the relayed request.
In Application Server Enterprise Edition 7.1, the auth-passthrough plugin
function could be configured on the proxied Application Server instance in
order to make the remote client's information directly available to any applications
deployed on it, as if the proxied Application Server instance had received
the request directly instead of via an intermediate web server running the service-passthrough plugin.
In Application Server Enterprise Edition 8.2, the auth-passthrough feature may be enabled by setting the authPassthroughEnabled property
of the <http-service> element in domain.xml to
TRUE, as follows:
<property name="authPassthroughEnabled" value="true"/>
The same security considerations of the auth-passthrough plugin
function in Application Server Enterprise Edition 7.1 also apply to the authPassthroughEnabled property in Application Server Enterprise Edition 8.2.
Since authPassthroughEnabled makes it possible to override
information that may be used for authentication purposes (such as the IP address
from which the request originated, or the SSL client certificate), it is essential
that only trusted clients or servers be allowed to connect to an Application Server Enterprise Edition 8.2 instance
with authPassthroughEnabled set to TRUE. As a precautionary
measure, it is recommended that only servers behind the corporate firewall
should be configured with authPassthroughEnabled set to
TRUE. A server that is accessible through the Internet must never be configured
with authPassthroughEnabled set to TRUE.
Notice that in the scenario where a proxy web server has been configured
with the service-passthrough plugin and forwards requests
to an Application Server 8.1 Update 2 instance with authPassthroughEnabled set to TRUE, SSL client authentication may be enabled on the web
server proxy, and disabled on the proxied Application Server 8.1 Update 2
instance. In this case, the proxied Application Server 8.1 Update 2 instance
will still treat the request as though it was authenticated via SSL, and provide
the client's SSL certificate to any deployed applications requesting it.
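One way to review a domain.xml against the restriction described above (an added example, not code from the product or its documentation): the script below reports every configuration whose <http-service> sets authPassthroughEnabled to true and lists the listeners that would accept relayed client identity. The sample XML is constructed, and the http-listener attribute layout and config names in it are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed domain.xml fragment (not from the page). The http-listener
# id/address/port attributes and config names are sample values (assumed layout).
SAMPLE_DOMAIN_XML = """<domain><configs>
  <config name="server-config"><http-service>
    <http-listener id="http-listener-1" address="0.0.0.0" port="8080"/>
    <property name="authPassthroughEnabled" value="true"/>
  </http-service></config>
  <config name="backend-config"><http-service>
    <http-listener id="http-listener-1" address="10.0.0.5" port="8080"/>
    <property name="authPassthroughEnabled" value="TRUE"/>
  </http-service></config>
  <config name="plain-config"><http-service>
    <http-listener id="http-listener-1" address="0.0.0.0" port="8080"/>
  </http-service></config>
</configs></domain>"""

# Bind addresses that accept connections on every interface.
WILDCARD_ADDRESSES = {"", "0.0.0.0", "::"}


def passthrough_enabled(http_service):
    """True if this <http-service> carries authPassthroughEnabled=true."""
    for prop in http_service.findall("property"):
        if prop.get("name") == "authPassthroughEnabled":
            # Value compared case-insensitively: the page writes both TRUE and "true".
            return (prop.get("value") or "").strip().lower() == "true"
    return False


def audit_domain_xml(xml_text):
    """Return one finding per <config> whose http-service enables passthrough."""
    findings = []
    for config in ET.fromstring(xml_text).iter("config"):
        service = config.find("http-service")
        if service is None or not passthrough_enabled(service):
            continue
        listeners = service.findall("http-listener")
        findings.append({
            "config": config.get("name"),
            "listeners": [(l.get("id"), l.get("address"), l.get("port")) for l in listeners],
            # Wildcard binds rely entirely on network controls to keep clients out.
            "wildcard": [l.get("id") for l in listeners
                         if (l.get("address") or "") in WILDCARD_ADDRESSES],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_domain_xml(SAMPLE_DOMAIN_XML):
        print(finding)
```

A non-empty `wildcard` list does not by itself mean the instance is reachable from the Internet; it marks listeners where only firewall rules, rather than the bind address, limit who can connect.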