Authenticated rewrite from ASP.NET to Tomcat

Topics: User Forum
Jul 27, 2009 at 6:09 PM



I've got a problem hopefully someone can give me assistance on.


We have an IIS server hosting a portal and acting as a proxy/rewriter to a number of web base appliance applications.  These localised applicances appear to run Tomcat, and wee can't modify the Tomcat side since it's an appliance which we cannot log in to.  We'd like to provide this application inside the portal that's under development by a third party.  The developers don't have any experience with proxying or rewriting hence why I am writing this message.


To make things more difficult, the appliance needs to run own its own 'root directory' for it to operate correctly.  So alleviate this we have a setup multiple web sites as follows:


All of these URLs are pointing to one internet IP behind a firewall.    Because of the host name filtering IIS can point them to the correct appliance on the same IP due to the rewriting.   The plot however, thickens. Effectively the portal application (ASP.NET) authenticates the end web user.  We cannot have an unauthenticated user can open the appliance. 


The challenge is we need to pass something like a session varible from and make sure that that per user variable is used as authentication for access to and so on.


Has anyone done anything like this before or can you suggest ideas on how this could be done?




Jul 28, 2009 at 1:54 AM

This might work: with IIRF you can proxy the request (ProxyPass). Once the ASPNET authenticates the user, presumably it responds to the browser with an authentication token.  The browser then sends a new request back to IIS, intended for the application hosted on the "appliance".  IIRF can then proxy that request to Tomcat.

ProxyPass works only with IIRF v2.0. 



Jul 28, 2009 at 11:50 AM

Thanks.  The Tomcat application doesn't do any authentication -- hence why it needs to be protected.  What I need is a simple way for IIRF to understand that the client came from the ASP.NET application on a different virtual site.  Hope this makes sense. 

Jul 28, 2009 at 4:23 PM

Nope!  I don't get it.  I understand the Tomcat appliance is not doing authentication.  That's why I wrote that ASPNET does the authentication, passes back a token, and the browser can then pass that authn token around to anyone who wants it.   Or maybe you mean that the Tomcat app doesn't do authorization checks?  That's different.  I guess in that case you wouldn't need the token at all, since it would be totally ignored by the Tomcat app.  But that only makes things simpler for the rewrite engine.

I don't know what you mean by "a simple way for IIRF to understand that the client came from ASPNET on a different virtual site."   IIRF has rules. In the rules you can match on HTTP_HOST and the query string and other request variables.  It can do what you describe - IIRF can distinguish between requests that arrive for different virtual sites.

I have this problem often.  People use lots of words to describe what they want, when a few simple examples would clarify things immediately. What is it that you want to do?   Eg, For an Incoming URL request that looks like (??), it should get (rewritten, redirected, proxied) to (ASPNET, Tomcat1, Tomcat2, etc), in a form like (??).