Re: Tomcat 5.025 across multiple servers

2004-07-12 Thread Steve Luzynski
On Jul 11, 2004, at 11:39 PM, Ty Mercer wrote:
> There isn't much reason to do the auth against an AD?  Why would that
> be, it's our only point of auth in the entire company and the only one
> we need for everything up until now.
> I'm simply trying to get users' home directories into apache from a
> second server, which I have done to an extent, but jsp/php/cgi/ etc
> don't work due to the cross platform issue I still haven't figured out
> yet.

Sorry, meant that there's no reason to consider it as AD vs. just LDAP
- you'll find more help out there using it as LDAP particularly.

I've had a rather easy time of using LDAP (provided by Win2003 Server) 
for authentication with Linux apps... Maybe some details on what 
exactly you're trying to do would help pin down a solution.

For example, I had a web app using PHP's LDAP support properly logging 
in users in about 15 minutes. Samba + Winbind (for SSH access) took the 
better part of two days because of goofy Kerberos issues.

-Steve
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: Tomcat 5.025 across multiple servers

2004-07-11 Thread Steve Luzynski
On Jul 11, 2004, at 2:10 PM, Ty Mercer wrote:
> Might be easy, but I looked over the archive and didn't see anything
> requested like this before, so here goes.
> [snip]
> 2) how do you authenticate to a Windows AD instead of OpenLDAP or some
> other xnix variant, I've looked for modules and haven't found one that
> works as of yet.

Not really much reason to do that, Windows AD is a reasonably capable 
LDAP server. (For certain values of the word capable, anyway. It will 
certainly handle basic authentication.) Just point an LDAP 
authentication module at a server that has a domain controller role. 
Port 3268 rather than 389 is generally faster - it's the global 
catalog port and will answer queries from a pre-indexed lookup cache 
if the answer is available there - but 389 works too.

If you REALLY want native AD integration, you'll need to look at Samba 
3.x and winbind (part of Samba 3.x). It's a mess to set up and I don't 
think I'd bother unless there's a strong reason to.

-Steve


Re: Container managed security

2004-07-09 Thread Steve Luzynski
On Jul 9, 2004, at 8:11 AM, QM wrote:
> On Thu, Jul 08, 2004 at 11:19:39PM -0500, Steve Luzynski wrote:
> : Using Tomcat 5.0.25 on Mac OS X (10.3.4 specifically). Trying to
> : implement container managed security.
> :
> :  [snip: deployment descriptor]
> :
> : When I try to hit a url like
> : http://localhost:9006/IPBoss/add/add_network.html, which as near as I
> : can tell should trigger authentication, I just get the page I'm asking
> : for - no login.
>
> Humor me -- is there an Apache server in front of Tomcat that's
> intercepting the .html?

Nope, Tomcat is running an http connector directly on port 9006.

> (I hate to ask this) but did you restart Tomcat after making the web.xml
> changes?

Repeatedly. :)

> Otherwise, web.xml looks spec-compliant as far as I can tell.

I thought so. Any other ideas? I'm stumped.
Thanks much,
Steve


Re: Container managed security

2004-07-09 Thread Steve Luzynski
On Jul 9, 2004, at 12:40 PM, Robert F. Hall wrote:
> Have you tried adding <http-method/> elements to
> <web-resource-collection>?
>
>    <web-resource-collection>
>      <http-method>HEAD</http-method>
>      <http-method>GET</http-method>
>      <http-method>POST</http-method>
>      <http-method>PUT</http-method>
>      <http-method>DELETE</http-method>
>    </web-resource-collection>

No go there either, tried it with and without.
Is there some logging or debugging I can turn on? The stock logs aren't 
showing me anything other than just a normal access to the resources 
that I'm wanting to protect.

Thanks,
Steve


Re: Container managed security

2004-07-09 Thread Steve Luzynski
On Jul 9, 2004, at 5:52 PM, QM wrote:
> On Fri, Jul 09, 2004 at 03:20:39PM -0500, Steve Luzynski wrote:
> : Is there some logging or debugging I can turn on? The stock logs aren't
> : showing me anything other than just a normal access to the resources
> : that I'm wanting to protect.
>
> Another silly question, then: what's the deployed webapp?
> Is IPBoss a proper context, or is IPBoss the subdir of something
> mapped to the root context?

It's a context.
Does it matter that there are no actual servlets in the web.xml file 
yet? I'm in the process of switching away from Struts to a different 
framework and decided this was a good time to move to container managed 
security since I destroyed the entire view anyway. :) So because of 
that there is no servlet mapping yet, I'm just trying to get Tomcat to 
properly access control some static HTML right now.

(I'm grasping too...)
Thanks,
Steve


Container managed security

2004-07-08 Thread Steve Luzynski
I've been scratching my head most of the day on this...
Using Tomcat 5.0.25 on Mac OS X (10.3.4 specifically). Trying to 
implement container managed security.

I have a JDBC Realm set up in server.xml for the context in question. 
The web.xml file for the application is set up just like the examples:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
	<display-name>IPBoss</display-name>
	<security-contraint>
		<web-resource-collection>
			<web-resource-name>restricted pages</web-resource-name>
			<url-pattern>/add/*</url-pattern>
			<url-pattern>/edit/*</url-pattern>
			<url-pattern>/delete/*</url-pattern>
		</web-resource-collection>
		<auth-contraint>
			<role-name>user</role-name>
		</auth-contraint>
	</security-contraint>
	<login-config>
		<auth-method>FORM</auth-method>
		<realm-name>IPBoss application</realm-name>
		<form-login-config>
			<form-login-page>/index.html</form-login-page>
			<form-error-page>/index.html</form-error-page>
		</form-login-config>
	</login-config>
	<security-role>
		<description>
			The role of any user of this application.
		</description>
		<role-name>user</role-name>
	</security-role>
	<welcome-file-list>
		<welcome-file>index.html</welcome-file>
	</welcome-file-list>
</web-app>

When I try to hit a url like 
http://localhost:9006/IPBoss/add/add_network.html, which as near as I 
can tell should trigger authentication, I just get the page I'm asking 
for - no login.

I'm sure I'm missing something easy but I just can't figure it out.
Thanks!
-Steve
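
[Added example, not part of the original thread.] The descriptor in the post above spells two elements security-contraint and auth-contraint; the Servlet 2.3 DTD names are security-constraint and auth-constraint, and a parse that does not validate against the DTD raises no error for unknown element names. The check below lists element names that are not in the DTD and the URL patterns a descriptor actually protects; the function names and the typed-in DTD name list are this example's own.

```python
import difflib
import xml.etree.ElementTree as ET

# Element names of the Servlet 2.3 web-app DTD (typed in for this example).
DTD_23 = set("""
web-app icon small-icon large-icon display-name description distributable
context-param param-name param-value filter filter-name filter-class init-param
filter-mapping url-pattern servlet-name listener listener-class servlet
servlet-class jsp-file load-on-startup run-as role-name security-role-ref
role-link servlet-mapping session-config session-timeout mime-mapping extension
mime-type welcome-file-list welcome-file error-page error-code exception-type
location taglib taglib-uri taglib-location resource-env-ref resource-env-ref-name
resource-env-ref-type resource-ref res-ref-name res-type res-auth res-sharing-scope
security-constraint web-resource-collection web-resource-name http-method
user-data-constraint transport-guarantee auth-constraint login-config auth-method
realm-name form-login-config form-login-page form-error-page security-role
env-entry env-entry-name env-entry-value env-entry-type ejb-ref ejb-ref-name
ejb-ref-type home remote ejb-link ejb-local-ref local-home local
""".split())

# Security part of the posted descriptor, brackets restored, spelling as posted.
POSTED = """<web-app>
 <security-contraint>
  <web-resource-collection>
   <web-resource-name>restricted pages</web-resource-name>
   <url-pattern>/add/*</url-pattern>
   <url-pattern>/edit/*</url-pattern>
   <url-pattern>/delete/*</url-pattern>
  </web-resource-collection>
  <auth-contraint><role-name>user</role-name></auth-contraint>
 </security-contraint>
</web-app>"""

def unknown_elements(xml_text):
    """Map each element name absent from the DTD to its closest DTD name."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag not in DTD_23:
            near = difflib.get_close_matches(el.tag, sorted(DTD_23), n=1)
            found[el.tag] = near[0] if near else None
    return found

def protected_patterns(xml_text):
    """URL patterns under a correctly named constraint with an auth-constraint."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        if sc.find("auth-constraint") is not None:
            out += [p.text.strip() for p in sc.iter("url-pattern")]
    return out
```

Running both functions on a descriptor before deployment shows whether any URL pattern is covered by a constraint the container will recognise.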