RE: Question on workers.properties file
I was FINALLY able to get to my code within Eclipse using the Tomcat connector and NOT getting the login dialog box by adding Jakarta to the trusted sites in the IE browser on my Windows XP box since as I found out from Jeff in the IIS forum browsers do not authenticate untrusted sites on XP.

Now the new issue is that I cannot get to the user value which is Texas\SavoyM using the following partial method:

    public User authenticate(final HttpServletRequest request, final HttpServletResponse response) throws IOException {
        // Initialize the User object
        User user = null;

        // 1. Initiate the IIS authentication process.
        final String auth_user = request.getRemoteUser();

        // 2. Create a User object with the user name
        if (auth_user != null)
            user = new User(auth_user, );

        // 3. Check to see if the user is populated
        if (auth_user == null)
            throw new UnauthorizedException(response, user);

Is there another way to get the user value other than using the HttpServletRequest object?

Thanks.
Re: Question on workers.properties file
I finally suggest you start a new topic. I know André didn't like your last attempt to do so, but now your first problem is solved, you get something out of request.getRemoteUser() (at least this is something I interpret into your last Mail), and the next question goes more to the Java developers instead of connector and web server people. It's likely you'll find more readers if you now choose a new appropriate subject for your mail.

If you like, you can also send a second Email with [Solved] prepended to the old subject, and shortly describe which settings finally worked for the getRemoteUser() part (browser and IIS, virtual websites, which auth method). This will help other people in the future.

Regards,

Rainer
RE: Question on workers.properties file [SOLVED]
Rainer,

I will do as you said and put in a NEW topic because I am getting a NULL value from the getRemoteUser() when using the HttpServletRequest object.

Again, the fix was that the JAKARTA virtual website, if you're working in Windows XP, must be added to the Trusted Sites in IE.

Thank you so much to both you and Andre for all your help!! This list is VERY HELPFUL.

Regards.
RE: Question on workers.properties file
Trying again to see if I can respond to Andre's question regarding what my directory structure is in order to help me determine where I've gone wrong in my setup and why I'm not getting the auth and user values in the request that is being forwarded to my Tomcat server.

I can connect via the Tomcat connector to my site successfully; however, I cannot authenticate my userid and therefore I cannot get to my application which is dependent on that value so that the authenticated user can access the web app.

Here is my setup:

1. Andre, before you ask, I am still waiting on a test Windows 2003 server to be set up where I can test this on a server rather than my XP box as you suggested to me previously, but I'm stuck testing on my Windows XP box until then.
2. Currently I am testing to see if using the Tomcat connector will work on my local Windows XP box.
3. I am testing my web app within Eclipse using Tomcat 6.0 (meaning my web app is a dynamic web project within Eclipse and has been added to the Tomcat server in Eclipse).
4. My URL is: http://localhost/SCMIS/index.jsp
5. The directory structure on my local box where my web app is located is: C:\Snaps\savoym_remote_scmis_phase5_dev\scmis_phase5_vob and the directories directly under this directory are:

       Build
       Common
       Libraries
       Lookup
       Lost+found
       Maintenance
       PurchaseOrder
       Requisition
       SCMIS (this is where the JSP's are located and this is the directory that is defined in my SCMIS IIS virtual web site)
       Security

6. In IIS 5.1, on my Windows XP box, the setup is as follows:
   a. Default website has a directory security setting of (Anonymous access - checked)
   b. jakarta virtual website has a directory security setting of (Anonymous access - checked)
   c. SCMIS virtual website, within the jakarta virtual website, has a directory security setting of (Windows Authentication - checked)

Thanks for anyone taking the time to read this post and for any help/direction anyone can provide.

From: André Warnier [...@ice-sa.com]
Sent: Monday, May 24, 2010 15:49
To: Tomcat Users List
Subject: Re: Question on workers.properties file

Savoy, Melinda wrote:
> Andre,
>
> Thanks for the reply.
>
> I was finally able to get my LOG file created. I had NOT setup my virtual website, SCMIS, in addition to the JAKARTA virtual website in IIS and consequently I kept using Tomcat to authenticate instead of using IIS to do so and it was never hitting my website. I think it has something to do with the settings in my IIS setting.
>
> I still cannot get the value from getRemoteUser() because the user is blank as is indicated in the log below. ANY help/direction would be greatly appreciated.
>
> The URL that I am using to access my SCMIS virtual website is: http://localhost/SCMIS/index.jsp
>
> In IIS I have the following:
> Default Web Site - Anonymous access checked and Integrated Windows authentication unchecked
> Jakarta - virtual web site and Anonymous access checked and Integrated Windows authentication unchecked
> SCMIS - virtual web site and Anonymous access unchecked and Integrated Windows authentication checked
>
> I have attached the entries in the log file that just happened:

I think the problem is right there, and in the worker mappings you mentioned earlier :

    /examples/*=scmisWorker
    /examples/*.jsp=scmisWorker
    /examples/servlet/*=scmisWorker

Now in your logfile, you have :

    [Mon May 24 10:10:02.781 2010] [8124:7912] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/servlet/*=scmisWorker' source 'uriworkermap'
    [Mon May 24 10:10:02.781 2010] [8124:7912] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/*.jsp=scmisWorker' source 'uriworkermap'
    [Mon May 24 10:10:02.781 2010] [8124:7912] [debug] jk_uri_worker_map.c (863): Found a wildchar match '/*.jsp=scmisWorker'

Assuming the mappings above, then why is it trying to match '/servlet/*=scmisWorker' and '/*.jsp=scmisWorker' ? That does not fit. Those mappings are not in your list above.

Again, I am no expert on IIS or on the Jk redirector in conjunction with it, but my little finger tells me that there is something very wrong somewhere. I have the feeling that your problem is not really related to authentication (or the lack of it). It is that there is some confusion as to the proper setup of IIS and Tomcat together, and how IIS handles virtual websites.

Maybe we should restart from the beginning, like here :

When you look at the ...\Tomcat 6.0\webapps directory, what are the sub-directories located just below it ? And, just to gain time, out of these, which is the one that corresponds to the application which /should/ be authenticated ?
Re: Question on workers.properties file
On 26.05.2010 18:30, Savoy, Melinda wrote:
> Trying again to see if I can respond to Andre's question regarding what my directory structure is in order to help me determine where I've gone wrong in my setup and why I'm not getting the auth and user values in the request that is being forwarded to my Tomcat server.
>
> I can connect via the Tomcat connector to my site successfully; however, I cannot authenticate my userid and therefore I cannot get to my application which is dependent on that value so that the authenticated user can access the web app.
>
> Here is my setup:
>
> 1. Andre, before you ask, I am still waiting on a test Windows 2003 server to be set up where I can test this on a server rather than my XP box as you suggested to me previously, but I'm stuck testing on my Windows XP box until then.
> 2. Currently I am testing to see if using the Tomcat connector will work on my local Windows XP box.
> 3. I am testing my web app within Eclipse using Tomcat 6.0 (meaning my web app is a dynamic web project within Eclipse and has been added to the Tomcat server in Eclipse).
> 4. My URL is: http://localhost/SCMIS/index.jsp
> 5. The directory structure on my local box where my web app is located is: C:\Snaps\savoym_remote_scmis_phase5_dev\scmis_phase5_vob and the directories directly under this directory are:
>
>        Build
>        Common
>        Libraries
>        Lookup
>        Lost+found
>        Maintenance
>        PurchaseOrder
>        Requisition
>        SCMIS (this is where the JSP's are located and this is the directory that is defined in my SCMIS IIS virtual web site)
>        Security
>
> 6. In IIS 5.1, on my Windows XP box, the setup is as follows:
>    a. Default website has a directory security setting of (Anonymous access - checked)
>    b. jakarta virtual website has a directory security setting of (Anonymous access - checked)
>    c. SCMIS virtual website, within the jakarta virtual website, has a directory security setting of (Windows Authentication - checked)

Does it work, if you switch all of those three to Anonymous access unchecked and Windows Authentication checked?

What is the SCMIS virtual website in IIS for? Are you trying to serve static content directly from IIS? If no, I don't see a reason why you would want to have that virtual website. Are you forwarding /SCMIS/* to Tomcat, or only JSPs?

As I wrote in a previous post, it didn't work for me when I only switched the jakarta virtual website to Windows auth. It only started to work, when I changed the default website too.

Regards,

Rainer
RE: Question on workers.properties file
Rainer - thanks for the reply.

1. I just tried this again, but I set all 3 (Default Website, jakarta virtual website and SCMIS virtual website) to Windows Authentication checked and Anonymous access unchecked and I was prompted with a login dialog box. I could not get authenticated and then I hit cancel and when I did my log showed the following:

       [Wed May 26 12:38:41.480 2010] [4684:228] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=Negotiate user=TEXAS\SavoyM uri=/SCMIS/index.jsp

   My objective here is to have IIS authenticate without a user logging in and then I acquire the user value via the getRemoteUser() method.

2. I understood that I had to have the website that I am running currently in Tomcat setup as a virtual website in IIS under the jakarta virtual website in IIS so that it would serve up the /SCMIS/*.jsp pages in Tomcat? Are you saying that is not the case and I can get rid of the SCMIS virtual website? Could this possibly be the issue?

3. I remember your previous post but I thought you also said that you got a login prompt which is what I'm trying to avoid. Again the hope is that IIS can authenticate and forward the user value to Tomcat seamlessly.

Thanks again for the reply and your help.
Re: Question on workers.properties file
On 26.05.2010 19:53, Savoy, Melinda wrote:
> Rainer - thanks for the reply.
>
> 1. I just tried this again, but I set all 3 (Default Website, jakarta virtual website and SCMIS virtual website) to Windows Authentication checked and Anonymous access unchecked and I was prompted with a login dialog box. I could not get authenticated and then I hit cancel and when I did my log showed the following:
>
>        [Wed May 26 12:38:41.480 2010] [4684:228] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=Negotiate user=TEXAS\SavoyM uri=/SCMIS/index.jsp
>
>    My objective here is to have IIS authenticate without a user logging in and then I acquire the user value via the getRemoteUser() method.
>
> 2. I understood that I had to have the website that I am running currently in Tomcat setup as a virtual website in IIS under the jakarta virtual website in IIS so that it would serve up the /SCMIS/*.jsp pages in Tomcat? Are you saying that is not the case and I can get rid of the SCMIS virtual website? Could this possibly be the issue?

I think you don't need it (and thus should get rid of it), but it is not related to your auth issue. Keep the jakarta entry, but not the SCMIS one below the jakarta one.

> 3. I remember your previous post but I thought you also said that you got a login prompt which is what I'm trying to avoid. Again the hope is that IIS can authenticate and forward the user value to Tomcat seamlessly.

Did you notice that there are other checkboxes you can choose your auth style from? I'd try all of those and try to read about their meaning.

Did you use MSIE or some other browser? Some of the automatic auth methods used on Windows might only work with MSIE and maybe only if the web server is configured as being trusted in MSIE.

Regards,

Rainer
RE: Question on workers.properties file
I did as you suggested below. I removed SCMIS virtual website from within the jakarta virtual website and I got this in the log: [Wed May 26 14:00:09.271 2010] [3036:4236] [debug] jk_isapi_plugin.c (1835): Filter started [Wed May 26 14:00:09.271 2010] [3036:4236] [debug] jk_uri_worker_map.c (1036): Attempting to map URI '/localhost/SCMIS/index.jsp' from 3 maps [Wed May 26 14:00:09.271 2010] [3036:4236] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/SCMIS/servlet/*=scmisWorker' source 'uriworkermap' [Wed May 26 14:00:09.271 2010] [3036:4236] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/SCMIS/*.jsp=scmisWorker' source 'uriworkermap' [Wed May 26 14:00:09.271 2010] [3036:4236] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/SCMIS/*=scmisWorker' source 'uriworkermap' [Wed May 26 14:00:09.271 2010] [3036:4236] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/SCMIS/servlet/*=scmisWorker' source 'uriworkermap' [Wed May 26 14:00:09.271 2010] [3036:4236] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/SCMIS/*.jsp=scmisWorker' source 'uriworkermap' [Wed May 26 14:00:09.271 2010] [3036:4236] [debug] jk_uri_worker_map.c (863): Found a wildchar match '/SCMIS/*.jsp=scmisWorker' [Wed May 26 14:00:09.271 2010] [3036:4236] [debug] jk_isapi_plugin.c (1916): check if [/SCMIS/index.jsp] points to the web-inf directory [Wed May 26 14:00:09.271 2010] [3036:4236] [debug] jk_isapi_plugin.c (1932): [/SCMIS/index.jsp] is a servlet url - should redirect to scmisWorker [Wed May 26 14:00:09.286 2010] [3036:4236] [debug] jk_isapi_plugin.c (1972): fowarding escaped URI [/SCMIS/index.jsp] In IIS I changed had the DEFAULT WEBSITE directory security back to ANONYMOUS access checked only and left the jakarta directory security to windows authentication only. And I got a dialog box to login for authentication purposes. I tried to login and the dialog box just kept coming back. 
I guess what I do not understand is HOW does IIS know about my SCMIS website if it is NOT included in IIS? I thought I needed the SCMIS virtual website included in IIS in order to retrieve the user id that I am suppose to be getting from IIS? What will my URL be now since I was using http://localhost/SCMIS/index.jsp Thanks again. -Original Message- From: Rainer Jung [mailto:rainer.j...@kippdata.de] Sent: Wednesday, May 26, 2010 1:18 PM To: Tomcat Users List Subject: Re: Question on workers.properties file On 26.05.2010 19:53, Savoy, Melinda wrote: Ranier - thanks for the reply. 1. I just tried this again, but I set all 3 (Default Website, jakarta virtual website and SCMIS virtual website) to Windows Authentication checked and Anonymous access unchecked and I was prompted with a login dialog box. I could not get authenticated and then I hit cancel and when I did my log showed the following: [Wed May 26 12:38:41.480 2010] [4684:228] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=Negotiate user=TEXAS\SavoyM uri=/SCMIS/index.jsp My objective here is to have IIS authenticate without a user logging in and then I acquire the user value via the getRemoteUser() method. 2. I understood that I had to have the website that I am running currently in Tomcat setup as a virtual website in IIS under the jakarta virtual website in IIS so that it would serve up the /SCMIS/*.jsp pages in Tomcat? Are you saying that is not the case and I can get rid of the SCMIS virtual website? Could this possibly the issue? I think you don't need it (and thus should get rid of it), but it is not related to your auth issue. Keep the jakarta entry, but not the SCMIS one below the jakarta one. 3. I remember your previous post but I thought you also said that you got a login prompt which is what I'm trying to avoid. Again the hope is that IIS can authenticate and forward the user value to Tomcat seamlessly. 
Did you notice that there are other checkboxes you can choose your auth style from? I'd try all of those and try to read about their meaning. Did you use MSIE or some other browser? Some of the automatic auth methods used on Windows might only work with MSIE and maybe only if the web server is configured as being trusted in MSIE.

Regards, Rainer

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org

The information contained in this message and any attachments is intended only for the use of the individual or entity to which it is addressed, and may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from disclosure under applicable law. If you are not the intended recipient, you are prohibited from copying, distributing, or using the information. Please contact the sender
Re: Question on workers.properties file
Melinda,

from one of your previous posts :

In IIS I have the following:
Default Web Site - Anonymous access checked and Integrated Windows authentication unchecked
Jakarta - virtual web site and Anonymous access checked and Integrated Windows authentication unchecked
SCMIS - virtual web site and Anonymous access unchecked and Integrated Windows authentication checked

I believe the above is wrong : you should only have the first two. The SCMIS site should in fact be a sub-case of the Jakarta virtual site.

All this is a bit confusing since we are dealing here with two classes of products and two distinct vocabularies : the Microsoft vocabulary for IIS (with virtual websites etc..), and the vocabulary for Tomcat.
Re: Question on workers.properties file
On 25.05.2010 12:02, André Warnier wrote:

Melinda,

from one of your previous posts :

In IIS I have the following:
Default Web Site - Anonymous access checked and Integrated Windows authentication unchecked
Jakarta - virtual web site and Anonymous access checked and Integrated Windows authentication unchecked
SCMIS - virtual web site and Anonymous access unchecked and Integrated Windows authentication checked

I believe the above is wrong : you should only have the first two. The SCMIS site should in fact be a sub-case of the Jakarta virtual site.

All this is a bit confusing since we are dealing here with two classes of products and two distinct vocabularies : the Microsoft vocabulary for IIS (with virtual websites etc..), and the vocabulary for Tomcat.

I did a small test on XP using IIS 5.1. I switched the default web site *and* the jakarta virtual web site *both* from Anonymous to Anonymous unchecked and Integrated Windows checked. With those settings I get prompted for User and PW by IIS and the Username is forwarded to Tomcat in the usual windows style notation MACHINE\USER.

When setting tomcatAuthentication=false on the AJP connector, a call to request.getRemoteUser() returns the string MACHINE\USER (MACHINE and USER replaced by my actual data).

The redirector log contains

Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=NTLM user=MACHINE\USER uri=/user.jsp

and the Tomcat access log contains the info too:

127.0.0.1 - MACHINE\USER [25/May/2010:12:09:03 +0200] GET /user.jsp HTTP/1.1 200 21

Regards, Rainer
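Added example (not part of the thread and not code from the mod_jk project): one way to read the redirector log as Rainer suggests, as a Python check over the "Service ..." debug lines. Because tomcatAuthentication=false makes getRemoteUser() return whatever the front end forwards, it lists requests under the protected context that reached the redirector without an IIS-established user. The /SCMIS/ prefix and the second sample line come from the thread; the other sample lines and the empty and "(null)" renderings of a missing value are constructed assumptions.

```python
import re

# Field layout of the "Service ..." debug line written by jk_isapi_plugin.c,
# as quoted in the thread. auth and user are matched lazily because they may
# be empty and Windows account names may contain spaces.
SERVICE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\d+:\d+\] \[debug\] jk_isapi_plugin\.c \(\d+\): "
    r"Service protocol=(?P<protocol>\S*) method=(?P<method>\S*) "
    r"host=(?P<host>\S*) addr=(?P<addr>\S*) name=(?P<name>\S*) "
    r"port=(?P<port>\d*) auth=(?P<auth>.*?) user=(?P<user>.*?) "
    r"uri=(?P<uri>\S*)\s*$"
)

# Renderings of "no value" treated as missing. Both are assumptions; the
# thread only says the user was "blank" in the log.
MISSING = {"", "(null)"}

# Schemes that appear in the thread when Integrated Windows auth succeeded.
INTEGRATED_SCHEMES = {"NTLM", "Negotiate"}

# Sample input. The second line is copied from the thread; every other line
# is constructed for this example.
SAMPLE_LOG = r"""
[Tue May 25 12:09:03.100 2010] [1000:2000] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=NTLM user=MACHINE\USER uri=/user.jsp
[Wed May 26 12:38:41.480 2010] [4684:228] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=Negotiate user=TEXAS\SavoyM uri=/SCMIS/index.jsp
[Wed May 26 12:40:00.000 2010] [4684:228] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth= user= uri=/SCMIS/index.jsp
[Wed May 26 12:41:00.000 2010] [4684:228] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=(null) user=(null) uri=/SCMIS/servlet/report
[Wed May 26 12:42:00.000 2010] [4684:228] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=Basic user=jsmith uri=/SCMIS/index.jsp
[Wed May 26 12:42:00.000 2010] [4684:228] [debug] jk_uri_worker_map.c (863): Found a wildchar match '/SCMIS/*.jsp=scmisWorker'
"""


def parse_service_line(line):
    """Return the fields of one Service line as a dict, or None if no match."""
    m = SERVICE_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("auth", "user"):
        if fields[key] in MISSING:
            fields[key] = None
    return fields


def split_identity(user):
    """Split DOMAIN\\account; a bare account name gets domain None."""
    domain, sep, account = user.partition("\\")
    return (domain, account) if sep else (None, domain)


def audit(log_text, protected_prefix):
    """Classify every forwarded request whose URI is under protected_prefix.

    status is "ok" (user present, integrated scheme), "no-identity" (the
    request was forwarded with no user, so getRemoteUser() would be null) or
    "unexpected-scheme" (a user arrived, but not via NTLM/Negotiate).
    """
    findings = []
    for line in log_text.splitlines():
        f = parse_service_line(line)
        if f is None or not f["uri"].startswith(protected_prefix):
            continue
        if f["user"] is None:
            status, domain, account = "no-identity", None, None
        else:
            domain, account = split_identity(f["user"])
            status = "ok" if f["auth"] in INTEGRATED_SCHEMES else "unexpected-scheme"
        findings.append({
            "ts": f["ts"], "uri": f["uri"], "auth": f["auth"],
            "domain": domain, "account": account, "status": status,
        })
    return findings


if __name__ == "__main__":
    for item in audit(SAMPLE_LOG, "/SCMIS/"):
        print(item["status"], item["uri"], item["auth"], item["domain"], item["account"])
```
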
Re: Question on workers.properties file
On 25.05.2010 12:14, Rainer Jung wrote:

On 25.05.2010 12:02, André Warnier wrote:

Melinda,

from one of your previous posts :

In IIS I have the following:
Default Web Site - Anonymous access checked and Integrated Windows authentication unchecked
Jakarta - virtual web site and Anonymous access checked and Integrated Windows authentication unchecked
SCMIS - virtual web site and Anonymous access unchecked and Integrated Windows authentication checked

I believe the above is wrong : you should only have the first two. The SCMIS site should in fact be a sub-case of the Jakarta virtual site.

All this is a bit confusing since we are dealing here with two classes of products and two distinct vocabularies : the Microsoft vocabulary for IIS (with virtual websites etc..), and the vocabulary for Tomcat.

I did a small test on XP using IIS 5.1. I switched the default web site *and* the jakarta virtual web site *both* from Anonymous to Anonymous unchecked and Integrated Windows checked. With those settings I get prompted for User and PW by IIS and the Username is forwarded to Tomcat in the usual windows style notation MACHINE\USER.

When setting tomcatAuthentication=false on the AJP connector, a call to request.getRemoteUser() returns the string MACHINE\USER (MACHINE and USER replaced by my actual data).

The redirector log contains

Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=NTLM user=MACHINE\USER uri=/user.jsp

and the Tomcat access log contains the info too:

127.0.0.1 - MACHINE\USER [25/May/2010:12:09:03 +0200] GET /user.jsp HTTP/1.1 200 21

Post Scriptum: I never got it straight, after which configuration changes you had to restart IIS. Keep in mind, that usually there are three services in the Windows service administration, that make up IIS. Something like WWW publishing, HTTP-SSL and IIS Admin. When you change config and it doesn't work, retry after stopping all of those and starting them again.
Regards, Rainer
RE: Question on workers.properties file
Andre,

Just to get some clarification. When you say that SCMIS should be a sub-case of the Jakarta virtual website, are you saying that SCMIS should be a virtual website within the Jakarta virtual website? Just want to confirm my understanding.

Thanks again for all your help.

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Tuesday, May 25, 2010 5:02 AM
To: Tomcat Users List
Subject: Re: Question on workers.properties file

Melinda,

from one of your previous posts :

In IIS I have the following:
Default Web Site - Anonymous access checked and Integrated Windows authentication unchecked
Jakarta - virtual web site and Anonymous access checked and Integrated Windows authentication unchecked
SCMIS - virtual web site and Anonymous access unchecked and Integrated Windows authentication checked

I believe the above is wrong : you should only have the first two. The SCMIS site should in fact be a sub-case of the Jakarta virtual site.

All this is a bit confusing since we are dealing here with two classes of products and two distinct vocabularies : the Microsoft vocabulary for IIS (with virtual websites etc..), and the vocabulary for Tomcat.
RE: Question on workers.properties file
Ranier, I do not want the user to get prompted at all. I need this to work as a single sign-on (seamless to the user). Is that not possible? I had tested where when I got the prompt then I got the Domain\User name but I am needing to avoid the login dialog box altogether. Thank you for taking the time to test and your help. -Original Message- From: Rainer Jung [mailto:rainer.j...@kippdata.de] Sent: Tuesday, May 25, 2010 5:14 AM To: Tomcat Users List Subject: Re: Question on workers.properties file On 25.05.2010 12:02, André Warnier wrote: Melinda, from one of your previous posts : In IIS I have the following: Default Web Site - Anonymous access checked and Integrated Windows authentication unchecked Jakarta - virtual web site and Anonymous access checked and Integrated Windows authentication unchecked SCMIS - virtual web site and Anonymous access unchecked and Integrated Windows authentication checked I believe the above is wrong : you should only have the first two. The SCMIS site should in fact be a sub-case of the Jakarta virtual site. All this is a bit confusing since we are dealing here with two classes of products and two distinct vocabularies : the Microsoft vocabulary for IIS (with virtual websites etc..), and the vocabulary for Tomcat. I did a small test on XP using IIS 5.1. I switched the default web site *and* the jakarta virtual web site *both* from Anonymous to Anonymous unchecked and Integrated Windows checked. With those setting I get prompted for User and PW by IIS and the Username is forwarded to Tomcat in the usual windows style notation MACHINE\USER. When setting tomcatAuthentication=false on the AJP connector, a call to request.getRemoteUser() returns the string MACHINE\USER (MACHINE and USER replaced by my actual data). 
The redirector log contains Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=NTLM user=MACHINE\USER uri=/user.jsp and the Tomcat access log contains the info too: 127.0.0.1 - MACHINE\USER [25/May/2010:12:09:03 +0200] GET /user.jsp HTTP/1.1 200 21 Regards, Rainer
Re: Question on workers.properties file
Savoy, Melinda wrote:

Ranier,

I do not want the user to get prompted at all. I need this to work as a single sign-on (seamless to the user). Is that not possible? I had tested where when I got the prompt then I got the Domain\User name but I am needing to avoid the login dialog box altogether.

Rainer got prompted because he did this test on a loose XP workstation, and he was not yet logged into any domain. If the workstation is part of a Windows domain, and the user already logged into the domain, there will be no extra prompt.

What Rainer did, was confirm that when conditions are right for IIS to authenticate, and the setup is right for this authentication to be passed to Tomcat, it is, and the getRemoteUser() returns the logged-in id.

The issue you have, is in the basic setup of how some URLs are or are not passed to the right Tomcat worker. I believe you have one virtual website or whatever IIS calls it, too many, and that the URLs that are of interest here are not being passed through the channel you think, and therefore either IIS does not authenticate these SCMIS URLs (and consequently does not pass this authentication to Tomcat).

Can you tell us precisely :
- which URLs should be authenticated (give some examples)
- which sub-directories are present under the (tomcat-dir)/webapps directory (where (tomcat-dir) is the top of your Tomcat installation).

Then we might be able to work out how the virtual websites and redirector should be configured to make this all work as it should.
RE: Question on workers.properties file
IMHO the IIS redirection is a total hack. It's a lot of additional load, a whole other web server to deal with, configure and administer. Because you're merely hiding Tomcat behind IIS you're not really getting rid of your tomcat server, you're just masking the problem. I'll allow myself to theorize that Jakarta redirector was a stop gap solution because people didn't want a Windows-only valve to do NTLM or because they couldn't write one. If you end up using waffle, please do let me know. Good luck. dB. @ dblock.org Moscow|Geneva|Seattle|New York -Original Message- From: Savoy, Melinda [mailto:melindasa...@texashealth.org] Sent: Monday, May 24, 2010 8:30 PM To: Tomcat Users List Subject: RE: Question on workers.properties file Yes. dB, we are a microsoft shop for all practical purposes. We were the first Java web app that was created here at our company and now since JCIFS is not NTLMv2 compliant we had thought we'd go ahead and use IIS that is being used for everything else internet and intranet wise. Thanks for the info again. I had actually emailed you last week asking if the web.xml setting were required and you stated they were not. I think I'm very close to getting this IIS-Tomcat integration resolved but if I cannot get it to work by the end of the week I'll probably try Waffle. There does not seem to be a lot of documentation on the IIS side to make this work so it seems to be more complicated than I had anticipated. I'm trying to recheck, as Andre suggested, again tomorrow and hope that I can get this to work. Regards. From: dB. [dbl...@dblock.org] Sent: Monday, May 24, 2010 18:09 To: Tomcat Users List Subject: RE: Question on workers.properties file I am curious whether you're using IIS for anything other than single sign-on / authentication? If you're not, check out http://waffle.codeplex.com - there's a new Negotiate (Kerberos + NTLM) authenticator. This could remove IIS from your entire picture. dB. 
@ dblock.org Moscow|Geneva|Seattle|New York

-Original Message-
From: Savoy, Melinda [mailto:melindasa...@texashealth.org]
Sent: Monday, May 24, 2010 7:03 PM
To: Tomcat Users List; Tomcat Users List
Subject: RE: Question on workers.properties file

Andre,

Sorry for creating confusion on the other post. I will stick with this post as well.

I made changes to the setting here:

I think the problem is right there, and in the worker mappings you mentioned earlier :

/examples/*=scmisWorker
/examples/*.jsp=scmisWorker
/examples/servlet/*=scmisWorker

to

/*=scmisWorker
/*.jsp=scmisWorker
/servlet/*=scmisWorker

That is why in the log that I had sent stated it as such.

I have looked on the Apache Tomcat website to find documentation on the setup of IIS with Tomcat. I made the change above because I had forgotten to change it from the example that I found in the documentation, again my apologies for that.

Given the settings that I identified in IIS I can not get authenticated. That is why I think it is an authentication issue. I have gone back and checked each setting but cannot find a problem. That is why I sent my setting so that perhaps someone on this list might see something that I have overlooked.

I'll keep trying. Thanks.

From: André Warnier [...@ice-sa.com]
Sent: Monday, May 24, 2010 15:49
To: Tomcat Users List
Subject: Re: Question on workers.properties file

Savoy, Melinda wrote:

Andre,

Thanks for the reply. I was finally able to get the LOG file created. I had NOT setup my virtual website, SCMIS, in addition to the JAKARTA virtual website in IIS and consequently I kept using Tomcat to authenticate instead of using IIS to do so and it was never hitting my website I think it has something to do with the settings in my IIS setting.

I still cannot get the value from getRemoteUser() because the user is blank as is indicated in the log below. ANY help/direction would be greatly appreciated.
The URL that I am using to access my SCMIS virtual website is: http://localhost/SCMIS/index.jsp In IIS I have the following: Default Web Site - Anonymous access checked and Integrated Windows authentication unchecked Jakarta - virtual web site and Anonymous access checked and Integrated Windows authentication unchecked SCMIS - virtual web site and Anonymous access unchecked and Integrated Windows authentication checked I have attached the entries in the log file that just happened: I think the problem is right there, and in the worker mappings you mentioned earlier : /examples/*=scmisWorker /examples/*.jsp=scmisWorker /examples/servlet/*=scmisWorker Now in your logfile, you have : [Mon May 24 10:10:02.781 2010] [8124:7912] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/servlet/*=scmisWorker' source 'uriworkermap' [Mon May 24 10:10:02.781 2010] [8124:7912] [debug] jk_uri_worker_map.c
Re: Question on workers.properties file
On 25.05.2010 12:22, Savoy, Melinda wrote:

Ranier,

in^^ :)

I do not want the user to get prompted at all. I need this to work as a single sign-on (seamless to the user). Is that not possible? I had tested where when I got the prompt then I got the Domain\User name but I am needing to avoid the login dialog box altogether. Thank you for taking the time to test and your help.

That's an IIS question. The described test shows us, that the redirector forwards correctly the user identity, once it is established by IIS. The IIS configuration window for authentication allows several types of authentication. You might need to play around with those options. It is also possible, that some of those might only be supported by MSIE.

Regards, Rainer
Re: Question on workers.properties file
On 25.05.2010 13:44, André Warnier wrote:

Savoy, Melinda wrote:

Ranier,

I do not want the user to get prompted at all. I need this to work as a single sign-on (seamless to the user). Is that not possible? I had tested where when I got the prompt then I got the Domain\User name but I am needing to avoid the login dialog box altogether.

Rainer got prompted because he did this test on a loose XP workstation, and he was not yet logged into any domain. If the workstation is part of a Windows domain, and the user already logged into the domain, there will be no extra prompt.

Right, I didn't test that, but I would expect the same as you.

What Rainer did, was confirm that when conditions are right for IIS to authenticate, and the setup is right for this authentication to be passed to Tomcat, it is, and the getRemoteUser() returns the logged-in id.

The issue you have, is in the basic setup of how some URLs are or are not passed to the right Tomcat worker. I believe you have one virtual website or whatever IIS calls it, too many, and that the URLs that are of interest here are not being passed through the channel you think, and therefore either IIS does not authenticate these SCMIS URLs (and consequently does not pass this authentication to Tomcat).

Can you tell us precisely :
- which URLs should be authenticated (give some examples)
- which sub-directories are present under the (tomcat-dir)/webapps directory (where (tomcat-dir) is the top of your Tomcat installation).

Then we might be able to work out how the virtual websites and redirector should be configured to make this all work as it should.

Good plan.

Regards, Rainer
Re: Question on workers.properties file
dB. wrote:

IMHO the IIS redirection is a total hack. It's a lot of additional load, a whole other web server to deal with, configure and administer. Because you're merely hiding Tomcat behind IIS you're not really getting rid of your tomcat server, you're just masking the problem. I'll allow myself to theorize that Jakarta redirector was a stop gap solution because people didn't want a Windows-only valve to do NTLM or because they couldn't write one.

dB,

I believe that you are missing the point. Tomcat does things that Apache and/or IIS do not, running Java webapps being the main one. IIS and/or Apache do things that Tomcat does not, or not well. There are legitimate cases for using an Apache or IIS front-end to Tomcat, most of which having nothing to do with authentication. And that is where one uses the Jk redirector.

You are right that using an IIS front-end /only/ to do authentication is a bit of a hack, but that is the express purpose here. Basically, the OP is just trying to retrieve in Tomcat the user-id that should be there anyway at the IIS level, because in the OP's particular case it was the easiest path to follow, application-wise.

That it turns out to be such a difficult birth is mainly because of the OP's lack of familiarity with the IIS/JKRedirector/Tomcat configuration, not because of any flaw in the redirector or in the OP's basic plan.
RE: Question on workers.properties file
Thank you, I really meant that using IIS for authentication only is a hack. Now Tomcat can do Integrated Auth as well as IIS, if not better (with a lot more granularity). IIS and/or Apache do things that Tomcat does not, or not well. For my personal education, do you have any production-type examples? Thx dB. dB. @ dblock.org Moscow|Geneva|Seattle|New York -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Tuesday, May 25, 2010 4:10 PM To: Tomcat Users List Subject: Re: Question on workers.properties file dB. wrote: IMHO the IIS redirection is a total hack. It's a lot of additional load, a whole other web server to deal with, configure and administer. Because you're merely hiding Tomcat behind IIS you're not really getting rid of your tomcat server, you're just masking the problem. I'll allow myself to theorize that Jakarta redirector was a stop gap solution because people didn't want a Windows-only valve to do NTLM or because they couldn't write one. dB, I believe that you are missing the point. Tomcat does things that Apache and/or IIS do not, running Java webapps being the main one. IIS and/or Apache do things that Tomcat does not, or not well. There are legitimate cases for using an Apache or IIS front-end to Tomcat, most of which having nothing to do with authentication. And that is where one uses the Jk redirector. You are right that using an IIS front-end /only/ to do authentication is a bit of a hack, but that is the express purpose here. Basically, the OP is just trying to retrieve in Tomcat the user-id that should be there anyway at the IIS level, because in the OP's particular case it was the easiest path to follow, application-wise. That it turns out to be such a difficult birth is mainly because of the OP's lack of familiarity with the IIS/JKRedirector/Tomcat configuration, not because of any flaw in the redirector or in the OP's basic plan. 
RE: Question on workers.properties file
From: dB. [mailto:dbl...@dblock.org]
Subject: RE: Question on workers.properties file

IIS and/or Apache do things that Tomcat does not, or not well.

For my personal education, do you have any production-type examples?

PHP and other external CGI mechanisms, for starters (at least for httpd; I can't - or won't - speak about IIS).

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: Question on workers.properties file
:

# uriworkermap.properties - IIS settings from http://onjava.com/pub/a/onjava/2002/12/18/tomcat.html?page=2
#
# This file provides sample mappings for example wlb
# worker definted in workermap.properties.minimal
# The general syntax for this file is:
# [URL]=[Worker name]
/examples/*=scmisWorker
/examples/*.jsp=scmisWorker
/examples/servlet/*=scmisWorker
#/admin/*=wlb
#/manager/*=wlb
#/examples/*=wlb
#/servlets-examples/*=wlb
# Optionally filter out all .jpeg files inside that context
# For no mapping the url has to start with exclamation(!)
#!/servlets-examples/*.jpeg=wlb
#
# Mount jkstatus to /jkmanager
# For production servers you will need to
# secure the access to the /jkmanager url
#
#/jkmanager=jkstatus

In my workers.properties file:

# workers.properties from = http://onjava.com/pub/a/onjava/2002/12/18/tomcat.html
#
# This file provides minimal jk configuration properties needed to
# connect to Tomcat.
#
# The workers that jk should create and work with
#worker.list=wlb,jkstatus
worker.list=scmisWorker
#
# Defining a worker named ajp13w and of type ajp13
# Note that the name and the type do not have to match.
#
#worker.ajp13w.type=ajp13
#worker.ajp13w.host=localhost
#worker.ajp13w.port=8009
worker.scmisWorker.port=8009
worker.scmisWorker.host=localhost
worker.scmisWorker.type=ajp13
#
# Defining a load balancer
#
#worker.wlb.type=lb
#worker.wlb.balance_workers=ajp13w
#
# Define status worker
#
#worker.jkstatus.type=status

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Thursday, May 20, 2010 3:55 PM
To: Tomcat Users List
Subject: Re: Question on workers.properties file

Hi André, Melinda and everyone else,

On 20.05.2010 14:31, André Warnier wrote:

savoym wrote:

If Rainer Jung is around, he may tell us if my assumptions are correct, that IIS+redirector also sends the IIS user-id to Tomcat, if there is any.
If not, then tonight I might be able to send you a servlet filter to dump the HTTP headers of the requests sent by IIS to Tomcat, to see if there is a user-id in there somewhere. Unless you have already checked that ?

I checked before my original reply and it seems the IIS variable AUTH_USER is automatically forwarded by the isapi plugin. When setting tomcatAuthentication=false on the AJP connector (!), the value can be retrieved by the getRemoteUser() method.

I would set the log level of the redirector to trace on an idle test environment and then do a single request there that is expected to be authenticated. The log lines in the redirector log should tell us, what is actually being forwarded (lots of log lines, but lots of info too).

Regards, Rainer
Re: Question on workers.properties file
to provide quotes around it here ?

# Log level (debug, info, warn, error or trace)
log_level=trace

Should that not be debug ? I know Rainer said trace, but hey, even the gurus might slip up from time to time. (try debug anyway, just for security).

# Full path to the workers.properties file
worker_file=c:\server\Tomcat 6.0\conf\workers.properties
# Full path to the uriworkermap.properties file
worker_mount_file=c:\server\Tomcat 6.0\conf\uriworkermap.properties

Same note for the paths, although I suppose they work here, otherwise you'd get plenty of other errors.

In my uriworkermap.properties file:

# uriworkermap.properties - IIS settings from http://onjava.com/pub/a/onjava/2002/12/18/tomcat.html?page=2
#
# This file provides sample mappings for example wlb
# worker definted in workermap.properties.minimal
# The general syntax for this file is:
# [URL]=[Worker name]
/examples/*=scmisWorker
/examples/*.jsp=scmisWorker
/examples/servlet/*=scmisWorker

These are kind of redundant. /examples/* should cover all the others. They will not cause an error, but maybe a lot of unnecessary comparisons.

#/admin/*=wlb
#/manager/*=wlb
#/examples/*=wlb
#/servlets-examples/*=wlb
# Optionally filter out all .jpeg files inside that context
# For no mapping the url has to start with exclamation(!)
#!/servlets-examples/*.jpeg=wlb
#
# Mount jkstatus to /jkmanager
# For production servers you will need to
# secure the access to the /jkmanager url
#
#/jkmanager=jkstatus

In my workers.properties file:

# workers.properties from = http://onjava.com/pub/a/onjava/2002/12/18/tomcat.html
#
# This file provides minimal jk configuration properties needed to
# connect to Tomcat.
#
# The workers that jk should create and work with
#worker.list=wlb,jkstatus
worker.list=scmisWorker
#
# Defining a worker named ajp13w and of type ajp13
# Note that the name and the type do not have to match.
#
#worker.ajp13w.type=ajp13
#worker.ajp13w.host=localhost
#worker.ajp13w.port=8009
worker.scmisWorker.port=8009
worker.scmisWorker.host=localhost
worker.scmisWorker.type=ajp13
#
# Defining a load balancer
#
#worker.wlb.type=lb
#worker.wlb.balance_workers=ajp13w
#
# Define status worker
#
#worker.jkstatus.type=status

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Thursday, May 20, 2010 3:55 PM
To: Tomcat Users List
Subject: Re: Question on workers.properties file

Hi André, Melinda and everyone else,

On 20.05.2010 14:31, André Warnier wrote:

savoym wrote:

If Rainer Jung is around, he may tell us if my assumptions are correct, that IIS+redirector also sends the IIS user-id to Tomcat, if there is any. If not, then tonight I might be able to send you a servlet filter to dump the HTTP headers of the requests sent by IIS to Tomcat, to see if there is a user-id in there somewhere. Unless you have already checked that ?

I checked before my original reply and it seems the IIS variable AUTH_USER is automatically forwarded by the isapi plugin. When setting tomcatAuthentication=false on the AJP connector (!), the value can be retrieved by the getRemoteUser() method.

I would set the log level of the redirector to trace on an idle test environment and then do a single request there that is expected to be authenticated. The log lines in the redirector log should tell us, what is actually being forwarded (lots of log lines, but lots of info too).

Regards, Rainer
RE: Question on workers.properties file
-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Monday, May 24, 2010 9:39 AM
To: Tomcat Users List
Subject: Re: Question on workers.properties file

Hi. Your general settings look ok to me. See in text.

Savoy, Melinda wrote:

Ranier,

Again, thanks for the reply below.
Apparently I do not have something setup correctly because I cannot get a LOG file created when I execute a single request that is a valid login ID.

What is the exact URL you are trying ? (just to check if it is supposed to go through the re-director)

I'm sure I've setup something incorrectly and any help/direction would be greatly appreciated. Here are my settings in the following files (server.xml, isapi_redirect.properties file, uriworkermap.properties file and workers.properties file):

Server.xml:

<Service name="Catalina">
  <!--The connectors can use a shared executor, you can define one or more named thread pools-->
  <!--
  <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" maxThreads="150" minSpareThreads="4"/>
  -->
  <!-- A Connector represents an endpoint by which requests are received and responses are returned. Documentation at :
       Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
       Java AJP Connector
Re: Question on workers.properties file
Savoy, Melinda wrote:
Andre, Thanks for the reply. I was finally able to get the LOG file created. I had NOT setup my virtual website, SCMIS, in addition to the JAKARTA virtual website in IIS and consequently I kept using Tomcat to authenticate instead of using IIS to do so and it was never hitting my website. I think it has something to do with the settings in my IIS setting. I still cannot get the value from getRemoteUser() because the user is blank as is indicated in the log below. ANY help/direction would be greatly appreciated.

The URL that I am using to access my SCMIS virtual website is: http://localhost/SCMIS/index.jsp

In IIS I have the following:
Default Web Site - Anonymous access checked and Integrated Windows authentication unchecked
Jakarta - virtual web site and Anonymous access checked and Integrated Windows authentication unchecked
SCMIS - virtual web site and Anonymous access unchecked and Integrated Windows authentication checked

I have attached the entries in the log file that just happened:

I think the problem is right there, and in the worker mappings you mentioned earlier :

/examples/*=scmisWorker
/examples/*.jsp=scmisWorker
/examples/servlet/*=scmisWorker

Now in your logfile, you have :

[Mon May 24 10:10:02.781 2010] [8124:7912] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/servlet/*=scmisWorker' source 'uriworkermap'
[Mon May 24 10:10:02.781 2010] [8124:7912] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/*.jsp=scmisWorker' source 'uriworkermap'
[Mon May 24 10:10:02.781 2010] [8124:7912] [debug] jk_uri_worker_map.c (863): Found a wildchar match '/*.jsp=scmisWorker'

Assuming the mappings above, then why is it trying to match '/servlet/*=scmisWorker' and '/*.jsp=scmisWorker' ? That does not fit. Those mappings are not in your list above.

Again, I am no expert on IIS or on the Jk redirector in conjunction with it, but my little finger tells me that there is something very wrong somewhere. I have the feeling that your problem is not really related to authentication (or the lack of it). It is that there is some confusion as to the proper setup of IIS and Tomcat together, and how IIS handles virtual websites.

Maybe we should restart from the beginning, like here : When you look at the ...\Tomcat 6.0\webapps directory, what are the sub-directories located just below it ? And, just to gain time, out of these, which is the one that corresponds to the application which /should/ be authenticated ?

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
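André's comparison above, done mechanically: the rules the redirector logs versus the rules in the file you believe it is reading. This is an added example, not code from the thread or from the Tomcat connectors project; the class name JkMapAudit is hypothetical, and the regex assumes the two debug message formats quoted in the log excerpt.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (hypothetical class): audit isapi_redirect debug output against uriworkermap.properties. */
public class JkMapAudit {

    // The two jk_uri_worker_map.c debug messages quoted in the thread. The rule
    // is the quoted 'uri-pattern=worker' text. Requested URIs ("Attempting to
    // map URI '...'") carry no '=' part and are deliberately not matched.
    private static final Pattern LOGGED_RULE = Pattern.compile(
            "jk_uri_worker_map\\.c \\(\\d+\\): "
            + "(?:Attempting to map context URI|Found a wildchar match) "
            + "'([^'=]+)=([^']+)'");

    /** Rules the redirector evaluated, in first-seen order, as "pattern=worker". */
    static Set<String> rulesInLog(List<String> logLines) {
        Set<String> rules = new LinkedHashSet<String>();
        for (String line : logLines) {
            Matcher m = LOGGED_RULE.matcher(line);
            while (m.find()) {          // several entries may share one physical line
                rules.add(m.group(1).trim() + "=" + m.group(2).trim());
            }
        }
        return rules;
    }

    /** Rules in the properties file text, skipping blank lines and # comments. */
    static Set<String> rulesInFile(List<String> fileLines) {
        Set<String> rules = new LinkedHashSet<String>();
        for (String line : fileLines) {
            String t = line.trim();
            int eq = t.indexOf('=');
            if (t.isEmpty() || t.startsWith("#") || eq <= 0) {
                continue;
            }
            rules.add(t.substring(0, eq).trim() + "=" + t.substring(eq + 1).trim());
        }
        return rules;
    }

    /**
     * Rules seen in the log that are absent from the file. Any hit means the
     * redirector loaded a different map than the one being inspected. The
     * reverse check is not made: matching stops at the first hit, so a rule
     * missing from the log proves nothing.
     */
    static Set<String> loadedButNotConfigured(List<String> logLines, List<String> fileLines) {
        Set<String> extra = new LinkedHashSet<String>(rulesInLog(logLines));
        extra.removeAll(rulesInFile(fileLines));
        return extra;
    }

    public static void main(String[] args) {
        // The mappings as first posted in the thread.
        List<String> configured = Arrays.asList(
                "/examples/*=scmisWorker",
                "/examples/*.jsp=scmisWorker",
                "/examples/servlet/*=scmisWorker");
        // The debug lines quoted in the thread.
        List<String> log = Arrays.asList(
                "[Mon May 24 10:10:02.781 2010] [8124:7912] [debug] jk_uri_worker_map.c (850): "
                        + "Attempting to map context URI '/servlet/*=scmisWorker' source 'uriworkermap'",
                "[Mon May 24 10:10:02.781 2010] [8124:7912] [debug] jk_uri_worker_map.c (850): "
                        + "Attempting to map context URI '/*.jsp=scmisWorker' source 'uriworkermap'",
                "[Mon May 24 10:10:02.781 2010] [8124:7912] [debug] jk_uri_worker_map.c (863): "
                        + "Found a wildchar match '/*.jsp=scmisWorker'");

        Set<String> extra = loadedButNotConfigured(log, configured);
        if (extra.isEmpty()) {
            System.out.println("Every logged rule is present in the configured map.");
        } else {
            for (String rule : extra) {
                System.out.println("Logged but not in the configured map: " + rule);
            }
        }
    }
}
```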
RE: Question on workers.properties file
Andre, Sorry for creating confusion on the other post. I will stick with this post as well. I made changes to the setting here:

I think the problem is right there, and in the worker mappings you mentioned earlier :

/examples/*=scmisWorker
/examples/*.jsp=scmisWorker
/examples/servlet/*=scmisWorker

to

/*=scmisWorker
/*.jsp=scmisWorker
/servlet/*=scmisWorker

That is why in the log that I had sent stated it as such. I have looked on the Apache Tomcat website to find documentation on the setup of IIS with Tomcat. I made the change above because I had forgotten to change it from the example that I found in the documentation, again my apologies for that.

Given the settings that I identified in IIS I can not get authenticated. That is why I think it is an authentication issue. I have gone back and checked each setting but cannot find a problem. That is why I sent my setting so that perhaps someone on this list might see something that I have overlooked. I'll keep trying. Thanks.
RE: Question on workers.properties file
I am curious whether you're using IIS for anything other than single sign-on / authentication? If you're not, check out http://waffle.codeplex.com - there's a new Negotiate (Kerberos + NTLM) authenticator. This could remove IIS from your entire picture.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York
RE: Question on workers.properties file
Yes. dB, we are a Microsoft shop for all practical purposes. We were the first Java web app that was created here at our company and now since JCIFS is not NTLMv2 compliant we had thought we'd go ahead and use IIS that is being used for everything else internet and intranet wise.

Thanks for the info again. I had actually emailed you last week asking if the web.xml settings were required and you stated they were not. I think I'm very close to getting this IIS-Tomcat integration resolved but if I cannot get it to work by the end of the week I'll probably try Waffle.

There does not seem to be a lot of documentation on the IIS side to make this work so it seems to be more complicated than I had anticipated. I'm trying to recheck, as Andre suggested, again tomorrow and hope that I can get this to work. Regards.
Re: Question on workers.properties file
Ok then. I am not familiar with IIS, but try the following : In the AJP Connector of Tomcat, in server.xml, add the attribute tomcatAuthentication=false. Then try again in your servlet with getRemoteUser().

If that does not work, then we will have to find an easy way to dump the HTTP request headers received by Tomcat, to see if there is one there from which we can obtain the user-id.

Note that this is all a shortcut that may work in some cases. If your real final purpose is to do SSO at the Tomcat level, based on the user's Domain login, then I suggest that you have a look here : www.ioplex.com (Jespa)

savoym wrote:
Yes. The users are already being authenticated by IIS before IIS forwards the request to Tomcat. And yes, I am wanting to retrieve in my java app this userid from what I thought would be through the HttpServletRequest class. However, that is not working. I tried to retrieve it using this class on the header Authorization but I am still getting a NULL value.

I understood, that maybe through the workers.properties file I could SET a server environment variable using the Request.ServerVariable(AUTH_USER) method but I'm not sure how to accomplish that if that is a possibility. I guess I'm just not sure how to get at the USERID that IIS should already have in some form or fashion. I hope that is more clear. I appreciate very much the question and reply. Regards.

awarnier wrote:
savoym wrote:
I just got IIS to forward my request to Tomcat using the Apache Tomcat-Connectors doc. I am trying to authenticate the user login/id that executes the request to my web app to be able to grab the user login and use in my java app.

Can you explain a little bit more in detail, or maybe just in another way, what you are trying to achieve ? Are users already authenticated by IIS (as per their Windows Domain user-id), before IIS forwards the request to Tomcat ? And do you want to retrieve this user-id in Tomcat ?
Re: Question on workers.properties file
Thanks again for the reply. I do already have the tomcatAuthentication=false setting as you stated below and I had tried the getRemoteUser() from the HttpRequestServlet but that unfortunately did not work unless I did something wrong. I will try again but I do not think that is working. Again, I appreciate the time and help. Regards.
Re: Question on workers.properties file
savoym wrote:
Thanks again for the reply. I do already have the tomcatAuthentication=false setting as you stated below and I had tried the getRemoteUser() from the HttpRequestServlet but that unfortunately did not work unless I did something wrong. I will try again but I do not think that is working. Again, I appreciate the time and help.

No problem, that's why we're here.

As mentioned earlier, I'm not too sure that this works with IIS and the mod_jk redirector for IIS. I am working on the assumption that it does the same thing as Apache/mod_jk : if Apache already has a user-id, then mod_jk forwards it to Tomcat. When in Tomcat the tomcatAuthentication=false is set, Tomcat accepts this user-id from Apache/mod_jk instead of trying to get its own. Maybe IIS+ jk redirector does the same, maybe not.

If not, there is another possibility : if IIS authenticates the user, it /might/ automatically add a HTTP header to the request, before even forwarding it to Tomcat through the redirector. If so, a servlet filter at the Tomcat level might be able to pick up this header, extract the user-id, and pass it to your webapp in a way it can use it.

If all of that is negative, then you need something like the Jespa filter from ioplex. That filter /will/ authenticate the call on the base of the user's domain user-id, and set it in Tomcat, allowing your webapp to pick it up via getRemoteUser(). This is a certainty, not a guess. I use this often.
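The header dump André proposed earlier in the thread, and the servlet-filter idea in the message above, as an added example that is not code from the thread: a filter that logs getRemoteUser(), getAuthType() and every request header exactly as Tomcat received them. The class name IdentityDumpFilter is hypothetical, the javax.servlet API is assumed to be the Servlet 2.5 one shipped with Tomcat 6, and port 8009 in the comment is Tomcat's default AJP port rather than a value from the thread.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Enumeration;
import java.util.Locale;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Added diagnostic example (hypothetical class). Register it in WEB-INF/web.xml:
//   <filter><filter-name>identityDump</filter-name>
//           <filter-class>IdentityDumpFilter</filter-class></filter>
//   <filter-mapping><filter-name>identityDump</filter-name>
//           <url-pattern>/*</url-pattern></filter-mapping>
// The connector setting discussed in the thread goes on the AJP connector in
// server.xml, for example (8009 is the Tomcat default, assumed here):
//   <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false"/>
public class IdentityDumpFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(IdentityDumpFilter.class.getName());

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            LOG.info(describe((HttpServletRequest) req));
        }
        chain.doFilter(req, res);   // never blocks or alters the request
    }

    /** One multi-line report: container identity first, then all headers. */
    static String describe(HttpServletRequest request) {
        Principal principal = request.getUserPrincipal();
        StringBuilder out = new StringBuilder("request identity as seen by Tomcat\n");
        out.append("  uri        = ").append(clean(request.getRequestURI())).append('\n');
        out.append("  remoteUser = ").append(clean(request.getRemoteUser())).append('\n');
        out.append("  authType   = ").append(clean(request.getAuthType())).append('\n');
        out.append("  principal  = ")
           .append(clean(principal == null ? null : principal.getName())).append('\n');
        out.append("  remoteAddr = ").append(clean(request.getRemoteAddr())).append('\n');

        // Enumeration<?> compiles against both the raw 2.5 and the generic 3.x API.
        Enumeration<?> names = request.getHeaderNames();
        while (names != null && names.hasMoreElements()) {
            String name = String.valueOf(names.nextElement());
            Enumeration<?> values = request.getHeaders(name);
            while (values != null && values.hasMoreElements()) {
                String value = String.valueOf(values.nextElement());
                out.append("  header ").append(clean(name)).append(" = ")
                   .append(redactIfSecret(name, value)).append('\n');
            }
        }
        return out.toString();
    }

    /**
     * Credentials must not end up in the log. For Authorization headers keep
     * only the scheme (NTLM, Negotiate, Basic ...) and the length; for cookies
     * keep only the length.
     */
    static String redactIfSecret(String name, String value) {
        String n = name.toLowerCase(Locale.ROOT);
        if (n.equals("cookie")) {
            return "<" + value.length() + " chars redacted>";
        }
        if (n.equals("authorization") || n.equals("proxy-authorization")) {
            int space = value.indexOf(' ');
            String scheme = space > 0 ? value.substring(0, space) : "";
            return clean(scheme) + " <" + value.length() + " chars redacted>";
        }
        return clean(value);
    }

    /** Replaces control characters so a header value cannot forge log lines. */
    static String clean(String s) {
        return s == null ? "<null>" : s.replaceAll("\\p{Cntrl}", "_");
    }
}
```

With tomcatAuthentication=false Tomcat accepts whatever user the AJP peer supplies, and an identity read from a request header is equally unauthenticated at the Tomcat end, so the AJP port should accept connections from the IIS host only.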
Re: Question on workers.properties file
My understanding is that IIS+ jk redirector is supposed to give us windows authentication. What I cannot find either on the IIS website or the Apache Tomcat Connector website is HOW one gets to the authentication properties. I've read the HOW to get it setup but that is as far as it goes on the Apache Tomcat Connector website. I am hoping that this is still a viable solution.

We did look at Jespa and talked to Michael Allen extensively. Unfortunately, we have a security paradigm that is underlying our entire web app. I have no time to re-write my app. Our app currently uses JCIFS but some of our users are using Windows 7/IE 8 and because JCIFS does not work with NTLMv2 the web app no longer comes up on Windows 7 that does not use NTLMv1. Therein lies my dilemma.

I appreciate again all the help. Hopefully someone who has made this work will reply. Regards.
Re: Question on workers.properties file
Hi. I am a bit busy right now, and I'll have more time tonight to answer. But in short, if you are using jCIFS until now, then Jespa is really a drop-in replacement. You get the user-id via getRemoteUser() just the same way. Only web.xml changes, the application does not, as far as I know. But we'll look at the other possibilities later.

For now, maybe make sure that IIS is /really/ authenticating the URLs that go to Tomcat. You may need to tell IIS something, for it to do that.
Re: Question on workers.properties file
The issue is that we do not currently use web.xml to set the particulars for JCIFS. A wrapper was built by our former team lead, who has now left the company, and Michael Allen had stated that we had to use the settings as he has it in his doc in order for JESPA to work.

As I stated previously, we cannot rip out the security code that is currently there and just replace it with the JESPA instructions because there is a lot more that the security package does than just wrap JCIFS; it has built-in security components for a second layer of security against our legacy system.

Thanks again.

-- View this message in context: http://old.nabble.com/Question-on-workers.properties-file-tp28599711p28620453.html Sent from the Tomcat - User mailing list archive at Nabble.com.
Re: Question on workers.properties file
savoym wrote:
The issue is that we do not currently use web.xml to set the particulars for JCIFS. A wrapper was built by our former team lead, who has now left the company, and Michael Allen had stated that we had to use the settings as he has it in his doc in order for JESPA to work. As I stated previously, we cannot rip out the security code that is currently there and just replace it with the JESPA instructions because there is a lot more that the security package does than just wrap JCIFS; it has built-in security components for a second layer of security against our legacy system.

Ok, that's more understandable then.
(And believe it or not, I am not a Jespa salesman ;-) )

If Rainer Jung is around, he may tell us if my assumptions are correct, that IIS+redirector also sends the IIS user-id to Tomcat, if there is any.
If not, then tonight I might be able to send you a servlet filter to dump the HTTP headers of the requests sent by IIS to Tomcat, to see if there is a user-id in there somewhere. Unless you have already checked that?
Re: Question on workers.properties file
I have not checked that. I will try that today.

Don't know where you are located in the world but it's about 7:35AM where I am in the state of Texas - USA.

Thanks again for all your help.
Re: Question on workers.properties file
Hi André, Melinda and everyone else,

On 20.05.2010 14:31, André Warnier wrote:
If Rainer Jung is around, he may tell us if my assumptions are correct, that IIS+redirector also sends the IIS user-id to Tomcat, if there is any. If not, then tonight I might be able to send you a servlet filter to dump the HTTP headers of the requests sent by IIS to Tomcat, to see if there is a user-id in there somewhere. Unless you have already checked that?

I checked before my original reply and it seems the IIS variable AUTH_USER is automatically forwarded by the isapi plugin. When setting tomcatAuthentication=false on the AJP connector (!), the value can be retrieved by the getRemoteUser() method.

I would set the log level of the redirector to trace on an idle test environment and then do a single request there that is expected to be authenticated. The log lines in the redirector log should tell us what is actually being forwarded (lots of log lines, but lots of info too).

Regards,

Rainer
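The diagnostic André proposes above (a servlet filter that dumps what IIS sends to Tomcat), combined with Rainer's getRemoteUser() check, written out as an added example; it is not code from the thread or from the Tomcat project. The class name and log format are assumptions, and it uses the javax.servlet API of the Tomcat versions current in 2010 (on Tomcat 10 and later the package is jakarta.servlet).

```java
import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Diagnostic filter (added example, hypothetical class name): logs what Tomcat
 * received from the IIS redirector, so you can see whether a user-id arrived.
 */
public class ForwardedIdentityDumpFilter implements Filter {

    private ServletContext context;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            StringBuilder out = new StringBuilder();
            out.append("uri=").append(clean(http.getRequestURI()));
            // With tomcatAuthentication="false" on the AJP connector this is the
            // user-id forwarded by the redirector; otherwise it reflects only
            // Tomcat's own authentication (null if there is none).
            String remoteUser = http.getRemoteUser();
            out.append(" remoteUser=").append(clean(remoteUser));
            out.append(" authType=").append(clean(http.getAuthType()));
            if (remoteUser != null) {
                String[] parts = splitDomainUser(remoteUser);
                out.append(" domain=").append(clean(parts[0]))
                   .append(" account=").append(clean(parts[1]));
            }
            // Dump every header so a user-id carried in a header would show up.
            Enumeration<?> names = http.getHeaderNames();
            while (names != null && names.hasMoreElements()) {
                String name = (String) names.nextElement();
                out.append(" [").append(clean(name)).append('=')
                   .append(headerValueForLog(name, http.getHeader(name))).append(']');
            }
            context.log(out.toString());
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }

    /** Splits DOMAIN\account (e.g. the constructed value EXAMPLE\jdoe); domain is "" if absent. */
    static String[] splitDomainUser(String remoteUser) {
        int slash = remoteUser.indexOf('\\');
        if (slash < 0) {
            return new String[] { "", remoteUser };
        }
        return new String[] { remoteUser.substring(0, slash), remoteUser.substring(slash + 1) };
    }

    /** Never write credentials to the log: keep only the Authorization scheme token. */
    static String headerValueForLog(String name, String value) {
        if (value == null) {
            return "null";
        }
        boolean auth = "authorization".equalsIgnoreCase(name);
        if (auth || "cookie".equalsIgnoreCase(name)) {
            int space = value.indexOf(' ');
            String scheme = (auth && space > 0) ? value.substring(0, space) + " " : "";
            return clean(scheme) + "<redacted, " + value.length() + " chars>";
        }
        return clean(value);
    }

    /** Replaces control characters so a request value cannot forge extra log lines. */
    static String clean(String s) {
        if (s == null) {
            return "null";
        }
        StringBuilder b = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            b.append(c < 0x20 || c == 0x7f ? '?' : c);
        }
        return b.toString();
    }
}
```

Register it with a `<filter>` and `<filter-mapping>` in the web application's web.xml on a test system. Because tomcatAuthentication=false makes Tomcat accept whatever user-id the AJP peer sends, the AJP port should be reachable only from the IIS host.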
RE: Question on workers.properties file
Rainer,

Thank you so much for your response. I am out of town until Monday but I will try it then.

Again, many thanks.

Regards.

From: Rainer Jung [rainer.j...@kippdata.de]
Sent: Thursday, May 20, 2010 15:55
To: Tomcat Users List
Subject: Re: Question on workers.properties file

Hi André, Melinda and everyone else,

On 20.05.2010 14:31, André Warnier wrote:
If Rainer Jung is around, he may tell us if my assumptions are correct, that IIS+redirector also sends the IIS user-id to Tomcat, if there is any. If not, then tonight I might be able to send you a servlet filter to dump the HTTP headers of the requests sent by IIS to Tomcat, to see if there is a user-id in there somewhere. Unless you have already checked that?

I checked before my original reply and it seems the IIS variable AUTH_USER is automatically forwarded by the isapi plugin. When setting tomcatAuthentication=false on the AJP connector (!), the value can be retrieved by the getRemoteUser() method.

I would set the log level of the redirector to trace on an idle test environment and then do a single request there that is expected to be authenticated. The log lines in the redirector log should tell us what is actually being forwarded (lots of log lines, but lots of info too).

Regards,

Rainer
Re: Question on workers.properties file
Rainer - Thanks for the reply. I have some questions on your response.

The INT value that your get_server_value method returns: how do I determine from that what the userid is and, more importantly, what calls this method and populates the values for this method to run?

Sorry for the ignorance. Thanks again.
Re: Question on workers.properties file
On 19.05.2010 17:37, savoym wrote:
Rainer - Thanks for the reply. I have some questions on your response. The INT value that your get_server_value method returns: how do I determine from that what the userid is and, more importantly, what calls this method and populates the values for this method to run? Sorry for the ignorance.

Sorry, the code snippet wasn't actually meant to be included. I tried to answer your question below the original post. The function is used internally, and the int value is only a return code (success or not). The function returns a string in the provided buffer buf, but that's all opaque to you.

Check again for what I wrote below your original post.

Regards,

Rainer
Re: Question on workers.properties file
Rainer,

Thank you for the clarification. As far as your instruction, let me ask the following if you don't mind:

What source are you referring to? Do you have a URL for this source?

Also, I've been trying to pick up this AUTH_USER from the HttpServletRequest. Is that not where I can pick it up from? I thought I could access it from the client request via the tomcat connector but I did not know how to do that. That is what I'm trying to get at to pass into my authentication method.

Again, any help/direction would be greatly appreciated.

Thanks again so much.
Re: Question on workers.properties file
savoym wrote:
I just got IIS to forward my request to Tomcat using the Apache Tomcat-Connectors doc. I am trying to authenticate the user login/id that executes the request to my web app to be able to grab the user login and use in my java app.

Can you explain a little bit more in detail, or maybe just in another way, what you are trying to achieve?
Are users already authenticated by IIS (as per their Windows Domain user-id), before IIS forwards the request to Tomcat?
And do you want to retrieve this user-id in Tomcat?
Re: Question on workers.properties file
Yes. The users are already being authenticated by IIS before IIS forwards the request to Tomcat. And yes, I am wanting to retrieve in my java app this userid from what I thought would be through the HttpServletRequest class. However, that is not working. I tried to retrieve it using this class on the header Authorization but I am still getting a NULL value.

I understood that maybe through the workers.properties file I could SET a server environment variable using the Request.ServerVariable(AUTH_USER) method but I'm not sure how to accomplish that if that is a possibility. I guess I'm just not sure how to get at the USERID that IIS should already have in some form or fashion.

I hope that is more clear. I appreciate very much the question and reply.

Regards.
Re: Question on workers.properties file
    static int get_server_value(LPEXTENSION_CONTROL_BLOCK lpEcb, char *name, char *buf, DWORD bufsz)
    {
        DWORD sz = bufsz;
        buf[0] = '\0';
        if (!lpEcb->GetServerVariable(lpEcb->ConnID, name, buf, (LPDWORD) &sz))
            return JK_FALSE;

On 18.05.2010 22:27, savoym wrote:
I just got IIS to forward my request to Tomcat using the Apache Tomcat-Connectors doc. I am trying to authenticate the user login/id that executes the request to my web app to be able to grab the user login and use in my java app.

Has anyone on this list set up a server environment variable in the workers.properties file that would equal the REQUEST.SERVERVARIABLE(AUTH_USER) in IIS? Can I get the same thing from the HttpServletRequest object by using the getRemoteUser method when the request is made from IIS? Any help here would be appreciated.

The source says: we forward GetServerVariable of REMOTE_USER to Tomcat. In order to let Tomcat trust the forwarded auth data, you have to set tomcatAuthentication=false as an attribute on the connector element in server.xml.

Microsoft docs say:

AUTH_USER: The name of the user as it is derived from the authorization header sent by the client, before the user name is mapped to a Windows account. This variable is no different from REMOTE_USER. If you have an authentication filter installed on your Web server that maps incoming users to accounts, use LOGON_USER to view the mapped user name.

Regards,

Rainer