Application Server does not support auth-passthrough Web Server 6.1 Add-On (6188932) (Sun Java System Application Server 9.1 Update 1-9.1 Update 2 Release Notes)

Sun Java System Application Server 9.1 Update 1-9.1 Update 2 Release Notes

Application Server does not support `auth-passthrough` Web Server 6.1 Add-On (6188932)

Description

The Sun Java System Application Server 9.1 adds support for the functionality provided by the auth-passthrough plugin function available with Sun Java System Application Server Enterprise Edition 7.1. However, in Application Server 9.1, the auth-passthrough plugin feature is configured differently.

The auth-passthrough plugin function in Application Server Enterprise Edition 7.1 has been useful in two-tier deployment scenarios, where:

Application Server instance is protected by a second firewall behind the corporate firewall.
No client connections are permitted directly to the Application Server instance.

In such network architectures, a client connects to a front-end web server, which has been configured with the service-passthrough plugin function and forwards HTTP requests to the proxied Application Server instance for processing. The Application Server instance can only receive requests from the web server proxy, but never directly from any client hosts. As a result of this, any applications deployed on the proxied Application Server instance that query for client information, such as the client's IP address, will receive the proxy host IP, since that is the actual originating host of the relayed request.

Solution

In Application Server Enterprise Edition 7.1, the auth-passthrough plugin function could be configured on the proxied Application Server instance in order to make the remote client's information directly available to any applications deployed on it; as if the proxied Application Server instance had received the request directly, instead of via an intermediate web server running the service-passthrough plugin.

In Application Server 9.1, the auth-passthrough feature may be enabled by setting the authPassthroughEnabled property of the <http-service> element in domain.xml to TRUE, as follows:

<property name="authPassthroughEnabled" value="true"/>

The same security considerations of the auth-passthrough plugin function in Application Server Enterprise Edition 7.1 also apply to the authPassthroughEnabled property in Application Server 9.1. Since authPassthroughEnabled makes it possible to override information that may be used for authentication purposes (such as the IP address from which the request originated, or the SSL client certificate), it is essential that only trusted clients or servers be allowed to connect to an Application Server 9.1 instance with authPassthroughEnabled set to TRUE. As a precautionary measure, it is recommended that only servers behind the corporate firewall should be configured with authPassthroughEnabled set to TRUE. A server that is accessible through the Internet must never be configured with authPassthroughEnabled set to TRUE.

Notice that in the scenario where a proxy web server has been configured with the service-passthrough plugin and forwards requests to an Application Server 8.1 Update 2 instance with authPassthroughEnabled set to TRUE, SSL client authentication may be enabled on the web server proxy, and disabled on the proxied Application Server 8.1 Update 2 instance. In this case, the proxied Application Server 8.1 Update 2 instance will still treat the request as though it was authenticated via SSL, and provide the client's SSL certificate to any deployed applications requesting it.