I'm mystified as to how the isapi_redirect filter interacts with the NTFS permissions set on the physical dll file.
My intent is to restrict access to my Tomcat application to users in a particular Active Directory group.
I've tried to do this by setting the NTFS permissions on isapi_redirect.dll to allow access by those users, and also by SYSTEM.
This shouldn't work according to Q158229, since according to that, "ISAPI Filter DLLs, .. run in the original context of the IIS service. All services run by default under the Local System account of the machine on which they are installed."
But, on one Windows 2000 server, it works fine, provided the first user to attempt to access the Tomcat context has the appropriate NTFS permissions. If that is the case, it seems that IIS correctly passes users through (if they are in the Active Directory group) or gives them a 403 (if they aren't). On this machine things work with Windows Integrated Authentication, or with Basic Authentication.
On another Windows 2000 server, everyone who can log in to Windows (it's using Windows integrated authentication), is passed through to Tomcat by the isapi_redirect filter (as you'd expect if Q158229 is correct and the code in jakarta-tomcat-connectors/jk/native/iis/ isn't doing anything tricky to impersonate the user or test whether the user can read isapi_redirect.dll).
I'm not sure whether the code does anything which would explain what is happening? I had a quick look at r1.22 of jk_isapi_plugin.c but couldn't see anything obvious.
I guess I could patch the code to at least test whether the user can read the file, but it might be easier to use Apache and something like mod_ntlm or mod_sspi, or something else.
cheers,
Jason