Question regarding IIS Windows Authentication using Tomcat Connector

2010-05-20 Thread Savoy, Melinda
I have a Java web app whereby we have been using the JCIFS open source 
authentication package that uses NTLMv1 over the past 5 years and it's been 
working great.  However, some of our users are now using Windows 7, which does 
not accept NTLMv1 authentication, and now I'm looking at IIS in order to 
authenticate our users.  I used the Apache Tomcat Connector and got that set up; 
however, I am having issues in retrieving the authentication property for the 
USERID of the client making the request, which I understood IIS provides.  On 
the Apache Tomcat Connector documentation it only states how to set up the IIS 
Tomcat integration, which is working great, but it does NOT provide the 
information, from a Java perspective, on how to retrieve from the request the 
userid info. I have tried the HttpServletRequest object but when I use the 
getRemoteUser() method I get a NULL value.  I realize I must be doing something 
wrong but I have no idea what.

If anyone has accomplished this or can provide information on this it would be 
greatly appreciated.  I've posted on a number of Tomcat forums but cannot get a 
response to this issue.  Any help/direction, again, would be appreciated.

I forgot to mention that I am using my local Windows XP Pro box with IIS v5.1 
in the event that info is needed to answer my question.

Thanks so much.

Melinda Savoy
Sr. Programmer Analyst, ERP Systems
Innovative Technology Solutions
Texas Health Resources
600 E. Lamar Blvd, Ste 301, Arlington TX  76011
melindasa...@texashealth.org

Texas Health Resources: Arlington Memorial,
Harris Methodist and Presbyterian Hospitals
A shared mission and now a shared name.





The information contained in this message and any attachments is intended only 
for the use of the individual or entity to which it is addressed, and may 
contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from 
disclosure under applicable law.  If you are not the intended recipient, you 
are prohibited from copying, distributing, or using the information.  Please 
contact the sender immediately by return e-mail and delete the original message 
from your system.

RE: Question regarding IIS Windows Authentication using Tomcat Connector

2010-05-20 Thread dB .
I just posted about this :)

Instead of using IIS, you should take a look at the Waffle Tomcat Authenticator 
(http://waffle.codeplex.com). Currently it stores a Generic principal with the 
user's FQN and all local/domain groups, but that can certainly be extended to a 
much richer principal with all kinds of information that Windows provides (such 
as SID).

dB. @ dblock.org 
Moscow|Geneva|Seattle|New York




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Question regarding IIS Windows Authentication using Tomcat Connector

2010-05-20 Thread Savoy, Melinda
I did see your post from Nabble and I appreciate it.  I will hopefully get an 
opp to try it today if I cannot get an answer to my issue.  

A few questions on your post below, and pardon my ignorance, but what is a 
user's FQN?  Are you stating that Waffle does NOT provide a user id from the 
request?  Are the WEB.XML settings required?  Why I ask about the web.xml 
settings is because our former team lead created an underlying SECURITY package 
that is the foundation of our web app.  Unfortunately, he is no longer here and 
I do not have time to re-write our app.  He wrote this to do multiple things:

1.  Used as a wrapper around JCIFS.  
2.  Used for other security layers to acquire security info from our legacy 
system.  

I just set up the Apache Tomcat Connector on Tuesday, and are you stating 
that you've used IIS Tomcat integration (Apache Tomcat Connector) and you could 
not get the userid info either from the client request?

Thanks again for your post.  


RE: Question regarding IIS Windows Authentication using Tomcat Connector

2010-05-20 Thread dB .
FQN = fully qualified name (it's unambiguous, usually machine-name\username or 
domain-name\username). It's there and returned by the Waffle Tomcat 
authenticator.

But names may change (people get married, groups renamed), so Windows has the 
concept of a SID: a binary identifier (S-xyz) that never changes and is 
unique. So permissions are typically done with that rather than with fully 
qualified names. There's a bit of work left in Waffle to expose SIDs in the 
principal object(s).

I have no idea what JCIFS can or cannot do for you, but mixing IIS and Tomcat 
seems like a suboptimal way to go, to say the least. Waffle theoretically 
should resolve this, but your specific application is what really matters.

dB. @ dblock.org 
Moscow|Geneva|Seattle|New York
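
The point above about keying permissions on the SID rather than on the fully qualified name, as an added example that is not part of the thread and is not Waffle or JCIFS code: it decodes the binary SID layout into its S-... text form and shows a grant keyed on the SID surviving a rename. The class name, the EXAMPLE\jdoe and EXAMPLE\jsmith accounts, the grant string and the sample SID bytes are all constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

// Added illustration: binary Windows SID -> text form, and a grant lookup
// keyed on the SID instead of the account name.
public class SidKeyedAcl {

    // Binary layout: 1 byte revision, 1 byte sub-authority count,
    // 6 bytes identifier authority (big-endian), then one 4-byte
    // little-endian value per sub-authority (at most 15 of them).
    static String sidToString(byte[] sid) {
        if (sid == null || sid.length < 8) {
            throw new IllegalArgumentException("SID shorter than its 8-byte header");
        }
        int revision = sid[0] & 0xFF;
        int subCount = sid[1] & 0xFF;
        if (subCount > 15 || sid.length != 8 + 4 * subCount) {
            throw new IllegalArgumentException("sub-authority count does not match length");
        }
        long authority = 0;
        for (int i = 2; i < 8; i++) {
            authority = (authority << 8) | (sid[i] & 0xFFL);
        }
        StringBuilder sb = new StringBuilder("S-").append(revision).append('-').append(authority);
        ByteBuffer subs = ByteBuffer.wrap(sid, 8, 4 * subCount).order(ByteOrder.LITTLE_ENDIAN);
        for (int i = 0; i < subCount; i++) {
            sb.append('-').append(subs.getInt() & 0xFFFFFFFFL); // print as unsigned
        }
        return sb.toString();
    }

    // Helper so the sample bytes can be written without a cast on each value.
    static byte[] bytes(int... values) {
        byte[] out = new byte[values.length];
        for (int i = 0; i < values.length; i++) {
            out[i] = (byte) values[i];
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample SID, not taken from any real domain.
        byte[] raw = bytes(
            0x01, 0x05, 0, 0, 0, 0, 0, 0x05, // revision 1, 5 sub-authorities, authority 5
            0x15, 0, 0, 0,                   // 21
            0xE8, 0x03, 0, 0,                // 1000
            0xD0, 0x07, 0, 0,                // 2000
            0xB8, 0x0B, 0, 0,                // 3000
            0x50, 0x04, 0, 0);               // 1104
        String sid = sidToString(raw);
        System.out.println("SID: " + sid);

        // The same grant stored twice: once under the name, once under the SID.
        Map<String, String> grantsByName = new HashMap<>();
        grantsByName.put("EXAMPLE\\jdoe", "reports:read");
        Map<String, String> grantsBySid = new HashMap<>();
        grantsBySid.put(sid, "reports:read");

        // The account is renamed; the SID presented at logon is unchanged.
        String fqnAfterRename = "EXAMPLE\\jsmith";
        System.out.println("lookup by name: " + grantsByName.get(fqnAfterRename));
        System.out.println("lookup by SID:  " + grantsBySid.get(sid));

        // A truncated buffer is rejected rather than decoded into a shorter SID.
        try {
            sidToString(Arrays.copyOf(raw, raw.length - 4));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```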



RE: Question regarding IIS Windows Authentication using Tomcat Connector

2010-05-20 Thread Savoy, Melinda
Thanks for the reply.  2 more questions if you don't mind:

1.  Just wanted to confirm that Waffle does support NTLMv2?  We do not use 
Kerberos on our network.  
2.  Are the web.xml settings required?  Again, we have our own custom 
security package and it is defined in the web.xml file.  As stated previously, 
I do not have time to rewrite the security code in order to accommodate a 
product that requires that we use their setting in web.xml.

Just an FYI, in JCIFS, we are able to acquire the domain and user from the 
Type3Message class.  JCIFS uses the challenge-response paradigm.

Thanks for the work that you're doing.  More and more Java web teams will need 
something like this as their companies move over to products like Windows 7 
where NTLMv1 is no longer acceptable.

Regards.


RE: Question regarding IIS Windows Authentication using Tomcat Connector

2010-05-20 Thread dB .
1. Yes. It will support whatever your Windows box supports since it calls the 
native Windows API. Smartcards, retinal scans, etc.
2. They are not; your code should be fine.

dB. @ dblock.org 
Moscow|Geneva|Seattle|New York


