Hi all! I am trying to implement an Intranet/Extranet where menus are created dynamic based on the username. To determine the user, I am using REMOTE_USER and this works fine with active service pages. However, any JSP page does not seem to be able to read this correctly. Because we have to use Tomcat for a specific application, we would like to limit the number of languages we use, so we don't have to use Java plus VBScript.
I set up the perms in IIS for Basic authentication only. When I try to connect to the page, I get the popup and login, then the page is displayed. In the jsp-page I have the following: <% authtype=request.getAuthType(); username = request.getRemoteUser(); host = request.getRemoteHost(); %>Authtype: <%=authtype %><BR> <% %>Username: <%=username %><BR> <% %>Host: <%=host %><BR> <% In the web.xml I have this: <security-constraint> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <!-- Define the context-relative URL(s) to be protected --> <url-pattern>/sd-sp4-test/Kunde/*</url-pattern> <!-- If you list http methods, only those methods are protected --> <http-method>DELETE</http-method> <http-method>GET</http-method> <http-method>POST</http-method> <http-method>PUT</http-method> </web-resource-collection> <auth-constraint> <!-- Anyone with one of the listed roles may access this area --> <role-name>tomcat</role-name> <role-name>role1</role-name> </auth-constraint> </security-constraint> <!-- Default login configuration uses BASIC authentication --> <login-config> <auth-method>BASIC</auth-method> <realm-name>Example Basic Authentication Area</realm-name> </login-config> Whnen I try to access /sd-sp4-test/Kunde/start.jsp, *without* asking me for a username and password, I get the following: Authtype: null Username: null Host: 10.2.28.220 This says the user has not logged in. If I try to load /sd-sp4-test/Kunde/login.html, I get the standard popup and am I can input username/password with no problem. It seems that the JSP redirectory kicks in before the basic authentication. So, maybe I am not clear on the concept. Is the basic authentication from MIIS, or is Tomcat doing on its own? Looking through the mailing list archive, it seems that tomcat is doing this. However, when I turn off basic authentication in MIIS and set it to anonymous, I still have the same problem. The directory /sd-sp4-test is defined as a virtual directory within IIS. I found a reference on jboss.org saying that "the url pattern is relative to your web context", but I am confused as to what the "context" is here. Could the problem be as simple as using the wrong object and method (i.e. something other than request.getRemoteUser(); ). One important aspect is the ability to set permissions at the Win2K level that are respected by the web server, rather than having to do all of the security ourselves. We have several customers with different users and need to keep data from each customer seperate, plus give access to specific areas only to specific users (i.e. only management gets access to the reporting pages). Any and all help would be greatly appreaciated. Regards, Jim Mohr ELAXY Brokerage & Trading GmbH & Co KG _________________________________ James Mohr Help Desk Manager Am Hofbräuhaus 1 96450 Coburg Germany Fon +49 (0) 95 61.55 43.0 Fax +49 (0) 95 61.55 43.302 E-Mail: [EMAIL PROTECTED] --------------------------------------- "Science has promised man power...But, as so often happens when people are seduced by promises of power, the price is servitude and impotence. Power is nothing if it is not the power to choose." Joseph Weizenbaum of MIT said in reference to Computers. --------------------------------------- The Great Linux-NT Debate: <http://www.jimmo.com/Linux-NT_Debate/index.html> -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]>