RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Andre - thanks for the reply. From: André Warnier [...@ice-sa.com] Sent: Tuesday, June 08, 2010 16:37 To: Tomcat Users List Subject: Re: How can I get the user value in the request forwarded to my Tomcat in my Java app? Savoy, Melinda wrote: > Andre, > > Without going into a lot of detail I was finally able to, via the help of an > IIS engineer at Microsoft via our TAM, force NTLM authentication via IIS. What I learned is that by default IIS is NOT setup to accept NTLM authentication but only Kerberos. Consequently, I went thru some different commands with the MS IIS engineer to get NTLM on IIS to authenticate and now I am getting in the request, per the ISAPI log, the user info I was looking for (see below). Eureka!! > So all this time, the problem was between the browser and IIS, and nothing to do with isapi_redirector or Tomcat. That is basically what Rainer and I have been telling you since a long time. As for the rest : - the fact that you are getting something like TEXAS\user-id is normal. The first part is the (short) domain name. That is because your LAN could consist of several domains, and a user-id might be repeated in different domains (like TEXAS\jsmith and INDIANA\jsmith, being different users). Specialised Tomcat-level authentication modules like Jespa (and I suppose Waffle) have parameters allowing you to have the domain part stripped automatically if you so wish. But since you are not using these modules, you'll have to do that yourself. But beware of what I say above : really find out with your network admins if you do indeed have a single domain where a domain-stripped user-id is really unique; or if your network has different "trusting" domains inside of which domain-stripped user-id's may not be unique. - reduce the log level of isapi_redirector now, please. It is no fun scanning through hundreds of log lines to find the significant bit. The (only) significant bit in this case was the very first response, which indicates a "server error 500" return code. The rest is all retrieval of error page and links therein (images, css, etc). - you should temporarily replace your entire webapp (including the legacy filter) with a very simple one, which does /only/ a getRemoteUser() and displays it as a response. Then you will see if the fact that you do not get the user in your webapp is an issue of your webapp, or maybe of your legacy filter interfering. Then re-insert the legacy filter and try again. It is possible that the legacy filter simply resets the user-id to null when /it/ cannot authenticate the user (and that it never checks if the request is already authenticated to begin with). The easiest way to disable your legacy filter is probably to temporarily set its (in web.xml) to something that never matches. Here follows a very simple servlet which just echoes back the userid. I do not know anything about JSP, but I suspect that doing this with a JSP page is much simpler. Christopher or someone ? package scimisdev; import java.io.IOException; import java.io.PrintWriter; import java.security.Principal; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; public final class DumpUser extends HttpServlet { public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { String userName = request.getRemoteUser(); if (userName == null) { userName = "*null*"; } response.setContentType("text/plain"); PrintWriter writer = response.getWriter(); writer.println(userName); } } /* In your web.xml, include the following: DumpUser scimisdev.DumpUser DumpUser *.dumpuser */ and call it as http://servername/scimisdev/xxx.dumpuser - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org The information contained in this message and any attachments is intended only for the use of the individual or entity to which it is addressed, and may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from disclosure under applicable law. If you are not the intended recipient, you are prohibited from copying, distributing, or using the information. Please contact the sender immediately by return e-mail and delete the original message from your system. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Savoy, Melinda wrote: Andre, Without going into a lot of detail I was finally able to, via the help of an IIS engineer at Microsoft via our TAM, force NTLM authentication via IIS. What I learned is that by default IIS is NOT setup to accept NTLM authentication but only Kerberos. Consequently, I went thru some different commands with the MS IIS engineer to get NTLM on IIS to authenticate and now I am getting in the request, per the ISAPI log, the user info I was looking for (see below). Eureka!! So all this time, the problem was between the browser and IIS, and nothing to do with isapi_redirector or Tomcat. That is basically what Rainer and I have been telling you since a long time. As for the rest : - the fact that you are getting something like TEXAS\user-id is normal. The first part is the (short) domain name. That is because your LAN could consist of several domains, and a user-id might be repeated in different domains (like TEXAS\jsmith and INDIANA\jsmith, being different users). Specialised Tomcat-level authentication modules like Jespa (and I suppose Waffle) have parameters allowing you to have the domain part stripped automatically if you so wish. But since you are not using these modules, you'll have to do that yourself. But beware of what I say above : really find out with your network admins if you do indeed have a single domain where a domain-stripped user-id is really unique; or if your network has different "trusting" domains inside of which domain-stripped user-id's may not be unique. - reduce the log level of isapi_redirector now, please. It is no fun scanning through hundreds of log lines to find the significant bit. The (only) significant bit in this case was the very first response, which indicates a "server error 500" return code. The rest is all retrieval of error page and links therein (images, css, etc). - you should temporarily replace your entire webapp (including the legacy filter) with a very simple one, which does /only/ a getRemoteUser() and displays it as a response. Then you will see if the fact that you do not get the user in your webapp is an issue of your webapp, or maybe of your legacy filter interfering. Then re-insert the legacy filter and try again. It is possible that the legacy filter simply resets the user-id to null when /it/ cannot authenticate the user (and that it never checks if the request is already authenticated to begin with). The easiest way to disable your legacy filter is probably to temporarily set its (in web.xml) to something that never matches. Here follows a very simple servlet which just echoes back the userid. I do not know anything about JSP, but I suspect that doing this with a JSP page is much simpler. Christopher or someone ? package scimisdev; import java.io.IOException; import java.io.PrintWriter; import java.security.Principal; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; public final class DumpUser extends HttpServlet { public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { String userName = request.getRemoteUser(); if (userName == null) { userName = "*null*"; } response.setContentType("text/plain"); PrintWriter writer = response.getWriter(); writer.println(userName); } } /* In your web.xml, include the following: DumpUser scimisdev.DumpUser DumpUser *.dumpuser */ and call it as http://servername/scimisdev/xxx.dumpuser - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Savoy, Melinda wrote: dB, I did as you suggested and create another virtual directory on IIS with the same security setup and was able to get to the .HTM page in IIS without issue. Here is what Fiddler had to show on that: URL entered:http://servername/test Ok, very good. Now, without changing anything else, do the following : - reduce the log level of the isapi_redirector to "info" instead of debug - stop IIS - delete the existing isapi_redirector logfiles - restart IIS enter the URL http://servername/scimisdev/test (I know that does not exist) and do not click on anything else. Then post here : - the response from IIS (as per Fiddler2) - the isapi_redirector logfile contents - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
dB, I did as you suggested and create another virtual directory on IIS with the same security setup and was able to get to the .HTM page in IIS without issue. Here is what Fiddler had to show on that: URL entered:http://servername/test Raw Headers tab: HTTP/1.1 200 OK Content-Length: 1433 Content-Type: text/html Content-Location: http://servername/test/iisstart.htm Last-Modified: Fri, 21 Feb 2003 23:48:30 GMT Accept-Ranges: bytes ETag: "09b60bc3dac21:64b" Server: Microsoft-IIS/6.0 WWW-Authenticate: Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWpeCqC92NbalsW+HmZt04XMZFMzqSW/yMDEJ+HNZ7N3W3s7GUz5v+k2PTk6u36M6i6MRFuI9tJl13sEoVfrMImMEZkq3AYMYIjW6aifTlIB/IfQQyvrrOWYJHg== Date: Mon, 07 Jun 2010 11:23:39 GMT Auth tab: No Proxy-Authenticate Header is present. WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply: A1 81 A0 30 81 9D A0 03 0A 01 00 A1 0B 06 09 2A ¡ 0 ¡...* 86 48 82 F7 12 01 02 02 A2 81 88 04 81 85 60 81 ?H'÷¢^....` 82 06 09 2A 86 48 86 F7 12 01 02 02 02 00 6F 73 '..*?H?÷..os 30 71 A0 03 02 01 05 A1 03 02 01 0F A2 65 30 63 0q ¡¢e0c A0 03 02 01 17 A2 5C 04 5A 97 82 A8 2F 76 35 B6 ¢\.Z-'¨/v5¶ A5 B1 6F 87 99 9B 74 E1 73 19 14 CC EA 49 6F F2 ¥±o?(tm)>tás..ÌêIoò 30 31 09 F8 73 59 EC DD D6 DE CE C6 53 3E 6F FA 01.øsYìÝÖÞÎÆS>oú 4D 8F 4E 4E AE DF A3 3A 8B A3 11 16 E2 3D B4 99 MNN®ß£:<£..â=´(tm) 75 DE C1 28 55 FA CC 22 63 04 66 4A B7 01 83 18 uÞÁ(UúÌ"c.fJ·.f. 22 35 BA 6A 27 D3 94 80 7F 21 F4 10 CA FA EB 39 "5ºj'Ó"EUR!ô.Êúë9 66 09 1E f.. Thanks for your reply. Regards. -Original Message- From: dB. [mailto:dbl...@dblock.org] Sent: Friday, June 04, 2010 1:58 PM To: Tomcat Users List Subject: RE: How can I get the user value in the request forwarded to my Tomcat in my Java app? Request: GET / HTTP/1.1 Authorization: Negotiate TlRMTVNTUAABB4IIogAFASgKDw== >>> The browser is trying to get a page, and it sends a Negotiate token (it's >>> short, so looks like NTLM). Response: HTTP/1.1 401 Unauthorized WWW-Authenticate: Negotiate WWW-Authenticate: NTLM This already says that the token sent was invalid. The next conversation is just a repeat of that. It's invalid because the browser is not in the domain or because the user logged in doesn't have access to the server. It's possible that the Windows event viewer on the server has an actual error in the Security event log. I would create a dummy website in IIS that has the same authentication mode (Windows Auth, Anonymous disabled) and make sure I can browse successfully to that page, first. Melinda, I think you should hire some external help to fix this problem for you. There're a lot of moving parts. Maybe someone on this list could offer you to resolve this problem for a consulting fee. dB. @ dblock.org Moscow|Geneva|Seattle|New York -Original Message- From: Savoy, Melinda [mailto:melindasa...@texashealth.org] Sent: Friday, June 04, 2010 8:36 AM To: 'Tomcat Users List' Subject: RE: How can I get the user value in the request forwarded to my Tomcat in my Java app? Thanks Andre. Appreciate the explanation. I downloaded Fiddler as you suggested, and meant to send this in the earlier post. In the RAW HEADER I get the following when I enter this URL in my IE browser: http://scmisdev GET / HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */* Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8) Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: scmisdev Authorization: Negotiate TlRMTVNTUAABB4IIogAFASgKDw== In the AUTH window I see the following: No Proxy-Authenticate Header is present. WWW-Authenticate Header is present: Negotiate WWW-Authenticate Header is present: NTLM In the RAW window I see the following: HTTP/1.1 401 Unauthorized Content-Length: 1656 Content-Type: text/html Server: Microsoft-IIS/6.0 WWW-Authenticate: Negotiate WWW-Authenticate: NTLM Date: Fri, 04 Jun 2010 12:30:03 GMT Proxy-Support: Session-Based-Authentication http://www.w3.org/TR/html4/strict.dtd";> You are not authorized to view this page BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt
Re: How can I get the user value in the request forwarded to my Tomcat in my Java app?
dB. wrote: Yep. Let's see (using Waffle code - http://waffle.codeplex.com). String message = "TlRMTVNTUAABB4IIogAFASgKDw=="; byte[] messageBytes = Base64.decode(message); System.out.println(new String(messageBytes)); System.out.println(NtlmMessage.getMessageType(messageBytes)); NTLMSSP ... (this is an NTLM message) 1 (type 1) Thanks. One more little bit of the mystery of NTLM/SPNEGO/SSPI/web authentication/Kerberos/AD/.. uncovered. One learns every day. I guess I should have a look at Waffle. Specially since I'm a belgian native too. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Yep. Let's see (using Waffle code - http://waffle.codeplex.com). String message = "TlRMTVNTUAABB4IIogAFASgKDw=="; byte[] messageBytes = Base64.decode(message); System.out.println(new String(messageBytes)); System.out.println(NtlmMessage.getMessageType(messageBytes)); NTLMSSP ... (this is an NTLM message) 1 (type 1) dB. @ dblock.org Moscow|Geneva|Seattle|New York -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Friday, June 04, 2010 3:07 PM To: Tomcat Users List Subject: Re: How can I get the user value in the request forwarded to my Tomcat in my Java app? dB. wrote: > Request: > > GET / HTTP/1.1 > Authorization: Negotiate > TlRMTVNTUAABB4IIogAFASgKDw== >>>> The browser is trying to get a page, and it sends a Negotiate token (it's >>>> short, so looks like NTLM). Do you mean that the encoded portion of the header actually "contains" an NTLM Type-1 message ? (I browsed through the relevant RFCs, but they are a bit cryptic to get a quick clear idea of what happens here.) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How can I get the user value in the request forwarded to my Tomcat in my Java app?
dB. wrote: Request: GET / HTTP/1.1 Authorization: Negotiate TlRMTVNTUAABB4IIogAFASgKDw== The browser is trying to get a page, and it sends a Negotiate token (it's short, so looks like NTLM). Do you mean that the encoded portion of the header actually "contains" an NTLM Type-1 message ? (I browsed through the relevant RFCs, but they are a bit cryptic to get a quick clear idea of what happens here.) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Request: GET / HTTP/1.1 Authorization: Negotiate TlRMTVNTUAABB4IIogAFASgKDw== >>> The browser is trying to get a page, and it sends a Negotiate token (it's >>> short, so looks like NTLM). Response: HTTP/1.1 401 Unauthorized WWW-Authenticate: Negotiate WWW-Authenticate: NTLM This already says that the token sent was invalid. The next conversation is just a repeat of that. It's invalid because the browser is not in the domain or because the user logged in doesn't have access to the server. It's possible that the Windows event viewer on the server has an actual error in the Security event log. I would create a dummy website in IIS that has the same authentication mode (Windows Auth, Anonymous disabled) and make sure I can browse successfully to that page, first. Melinda, I think you should hire some external help to fix this problem for you. There're a lot of moving parts. Maybe someone on this list could offer you to resolve this problem for a consulting fee. dB. @ dblock.org Moscow|Geneva|Seattle|New York -Original Message- From: Savoy, Melinda [mailto:melindasa...@texashealth.org] Sent: Friday, June 04, 2010 8:36 AM To: 'Tomcat Users List' Subject: RE: How can I get the user value in the request forwarded to my Tomcat in my Java app? Thanks Andre. Appreciate the explanation. I downloaded Fiddler as you suggested, and meant to send this in the earlier post. In the RAW HEADER I get the following when I enter this URL in my IE browser: http://scmisdev GET / HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */* Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8) Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: scmisdev Authorization: Negotiate TlRMTVNTUAABB4IIogAFASgKDw== In the AUTH window I see the following: No Proxy-Authenticate Header is present. WWW-Authenticate Header is present: Negotiate WWW-Authenticate Header is present: NTLM In the RAW window I see the following: HTTP/1.1 401 Unauthorized Content-Length: 1656 Content-Type: text/html Server: Microsoft-IIS/6.0 WWW-Authenticate: Negotiate WWW-Authenticate: NTLM Date: Fri, 04 Jun 2010 12:30:03 GMT Proxy-Support: Session-Based-Authentication http://www.w3.org/TR/html4/strict.dtd";> You are not authorized to view this page BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } You are not authorized to view this page You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept. Please try the following: Contact the Web site administrator if you believe you should be able to view this directory or page. Click the Refresh button to try again with different credentials. HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration.Internet Information Services (IIS) Technical Information (for support personnel) Go to http://go.microsoft.com/fwlink/?linkid=8180";>Microsoft Product Support Services and perform a title search for the words HTTP and 401. Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled About Security, Authentication, and About Custom Error Messages. Do you see anything here? I was about to call the engineer on our network staff that might be able to help me but what to ask this last question before I did that. Thanks again for all your help!!! -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Friday, June 04, 2010 7:26 AM To: Tomcat Users List Subject: Re: How can I get the user value in the request forwarded to my Tomcat in my Java app? Savoy, Melinda wrote: > 2 - questions (just because I'm not knowledgeable about IP address or TCP/IP > ports etc or networking functionality). > > 1. Before moving to IIS, the Tomcat server was setup on port 80 but because > IIS uses port 80 the Tomcat server in the server.xml was changed to 8080. > Could this be the problem on why I'm getting the HTTP Error 401.2 - > Unauthorized: Access is denied due to server configuration. Internet > Information Services (
Re: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Hi. Unfortunately again, in this case we are operating at the limits of my own knowledge. So your idea of calling in a real Windows authentication specialist may be your best bet. See below for more details. Savoy, Melinda wrote: Thanks Andre. Appreciate the explanation. I downloaded Fiddler as you suggested, and meant to send this in the earlier post. Good. In the RAW HEADER I get the following when I enter this URL in my IE browser: http://scmisdev GET / HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */* Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8) Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: scmisdev Authorization: Negotiate TlRMTVNTUAABB4IIogAFASgKDw== In the AUTH window I see the following: No Proxy-Authenticate Header is present. WWW-Authenticate Header is present: Negotiate WWW-Authenticate Header is present: NTLM This last puzzles me, because it does not match what you indicate just above : there does not appear to be an "Authorization: NTLM .." HTTP header in the request, but Fiddler2 seems to say there is. I do not know the explanation of that. In the RAW window I see the following: HTTP/1.1 401 Unauthorized Content-Length: 1656 Content-Type: text/html Server: Microsoft-IIS/6.0 WWW-Authenticate: Negotiate WWW-Authenticate: NTLM Here is a puzzle too (for me) : I do not understand why there are two distinct WWW-Authenticate headers. Unfortunately, I don't have an IIS server handy to compare. Date: Fri, 04 Jun 2010 12:30:03 GMT Proxy-Support: Session-Based-Authentication ... You are not authorized to view this page You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept. This on the other hand seems clear : the IIS server is set up (for this "directory") to accept one mode of authentication (probably NTLM, only), and it gets mad because the browser is trying to authenticate using another method (probably this "Negotiate" method mentioned earlier). And, it is still clear that this is an issue between the browser and the IIS server. Tomcat is not yet involved here, and neither is the isapi redirector. One important question : when you are trying this, is your (presumably) Windows workstation logged into the same Windows domain as the one the server belongs to ? (I mean, you are they both local in the same LAN, or are you accessing the server from home via some VPN or so ?) Finally, by searching Google for Authorization: Negotiate I found the following, which seems to provide the beginning of an explanation : http://www.rfc-archive.org/getrfc.php?rfc=4559 At least it provides a clue as to why this HTTP header is present in the exchanges. The article also provides references to further reading. I have no idea at the moment if this is part of the problem you are having, but it triggers another question : is your organisation using Kerberos-type authentication for its Windows domain ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Thanks Andre. Appreciate the explanation. I downloaded Fiddler as you suggested, and meant to send this in the earlier post. In the RAW HEADER I get the following when I enter this URL in my IE browser: http://scmisdev GET / HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */* Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8) Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: scmisdev Authorization: Negotiate TlRMTVNTUAABB4IIogAFASgKDw== In the AUTH window I see the following: No Proxy-Authenticate Header is present. WWW-Authenticate Header is present: Negotiate WWW-Authenticate Header is present: NTLM In the RAW window I see the following: HTTP/1.1 401 Unauthorized Content-Length: 1656 Content-Type: text/html Server: Microsoft-IIS/6.0 WWW-Authenticate: Negotiate WWW-Authenticate: NTLM Date: Fri, 04 Jun 2010 12:30:03 GMT Proxy-Support: Session-Based-Authentication http://www.w3.org/TR/html4/strict.dtd";> You are not authorized to view this page BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } You are not authorized to view this page You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept. Please try the following: Contact the Web site administrator if you believe you should be able to view this directory or page. Click the Refresh button to try again with different credentials. HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration.Internet Information Services (IIS) Technical Information (for support personnel) Go to http://go.microsoft.com/fwlink/?linkid=8180";>Microsoft Product Support Services and perform a title search for the words HTTP and 401. Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled About Security, Authentication, and About Custom Error Messages. Do you see anything here? I was about to call the engineer on our network staff that might be able to help me but what to ask this last question before I did that. Thanks again for all your help!!! -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Friday, June 04, 2010 7:26 AM To: Tomcat Users List Subject: Re: How can I get the user value in the request forwarded to my Tomcat in my Java app? Savoy, Melinda wrote: > 2 - questions (just because I'm not knowledgeable about IP address or TCP/IP > ports etc or networking functionality). > > 1. Before moving to IIS, the Tomcat server was setup on port 80 but because > IIS uses port 80 the Tomcat server in the server.xml was changed to 8080. > Could this be the problem on why I'm getting the HTTP Error 401.2 - > Unauthorized: Access is denied due to server configuration. Internet > Information Services (IIS)? Ok, let's still try to process this one little bit at a time. Your Tomcat /can/ receive requests on two different ports, each of these ports being indicated and configured by a element in server.xml. You have : - one Connector listening on port 8080. That Connector expects requests formatted as per the HTTP protocol. - one connector listening on port 8009. That Connector expects requests formatted as per the AJP protocol (as used by the Apache mod_jk module, or the IIS isapi_redirector module. It does not matter through which Connector a particular request comes in. The Connector will receive the request, and "translate" it into a common internal Tomcat format before passing it on to the rest of Tomcat. In other words, if you send the request from the browser to http://hostname:8080/request_url or you send the request to IIS on port 80, like http://hostname[:80]/request_url and IIS passes it to the isapi-redirector, which passes it to the AJP connector of Tomcat on port 8009, the final result is essentially the same, except for some details, and Tomcat will process the request the saqme way in both cases. BUT, the request which provokes the error message which you are mentioning above does not seem to even reach Tomcat : it looks like the error is generated by IIS, before it even thinks about forwarding this request (maybe) to Tomcat. So there seems to be something wrong at the level between the browser and IIS, or in the IIS authentication/authorisation level. > > 2.
Re: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Savoy, Melinda wrote: 2 - questions (just because I'm not knowledgeable about IP address or TCP/IP ports etc or networking functionality). 1. Before moving to IIS, the Tomcat server was setup on port 80 but because IIS uses port 80 the Tomcat server in the server.xml was changed to 8080. Could this be the problem on why I'm getting the HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration. Internet Information Services (IIS)? Ok, let's still try to process this one little bit at a time. Your Tomcat /can/ receive requests on two different ports, each of these ports being indicated and configured by a element in server.xml. You have : - one Connector listening on port 8080. That Connector expects requests formatted as per the HTTP protocol. - one connector listening on port 8009. That Connector expects requests formatted as per the AJP protocol (as used by the Apache mod_jk module, or the IIS isapi_redirector module. It does not matter through which Connector a particular request comes in. The Connector will receive the request, and "translate" it into a common internal Tomcat format before passing it on to the rest of Tomcat. In other words, if you send the request from the browser to http://hostname:8080/request_url or you send the request to IIS on port 80, like http://hostname[:80]/request_url and IIS passes it to the isapi-redirector, which passes it to the AJP connector of Tomcat on port 8009, the final result is essentially the same, except for some details, and Tomcat will process the request the saqme way in both cases. BUT, the request which provokes the error message which you are mentioning above does not seem to even reach Tomcat : it looks like the error is generated by IIS, before it even thinks about forwarding this request (maybe) to Tomcat. So there seems to be something wrong at the level between the browser and IIS, or in the IIS authentication/authorisation level. 2. Per Andre, " So now the isapi redirector module knows that in order to reach this Tomcat and pass the browser request to it, it need to establish a TCP/IP connection to localhost on port 8009, and format the request according to the specicifications of the AJP/1.3 protocol. This protocol is a bit different from HTTP, so the /format/ in which the isapi redirector passes the request to the Tomcat server is different from the original HTTP request, but the /content/ of the request is the same." If the network I'm on does NOT recognize this port 8009 would that be contributing to the HTTP Error 401.2? No. It would give another error. Thanks. -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Thursday, June 03, 2010 4:22 PM To: Tomcat Users List Subject: Re: How can I get the user value in the request forwarded to my Tomcat in my Java app? Hi. Now we're cooking ! But by the way, now this is also OT for this list, because your problem now seems to be between the browser and the webserver. First, please do the following : using Google, find the the IE plugin named "Fiddler 2" and install it in your IE browser. That is a plugin which will allow you to view all the exchanges between the browser and the server (headers, errors, contents etc..). Second, check in the IE options that it is really allowed to use "Integrated Windows Authentication". That is somewhere in the long list of extended options. If you receive a login dialog when you try to access a resource under IIS, it is because either one of these conditions : - the IIS server requests the browser to authenticate using a specific method (e.g. NTLM), but the browser is not set up to do this and is trying a Basic authentication. - the version of NTLM required by the server and the one supported by the workstation are not compatible - your workstation is not logged into the same domain as the server - your workstation does not recognise the server as a "trusted" server Basically, if Integrated Windows Authentication was working, you should never see this login popup. It should all happen automatically behind the scenes. Savoy, Melinda wrote: I think I was finally able to TEST that my tomcat connector and its respective config files have been setup correctly. I think I have narrowed my problem to an IIS Directory Security ISSUE on jakarta. If anyone has run into this issue can you please respond to the following problem: In IIS I have the Default Web Site setup with: ISAPI Filters: jakarta and it points to C:\Server\Tomcat 6.0\bin\isapi_redirect.dll And the Directory Security is: Enable anonymous access (checked only) In IIS I have the jakarta virtual directory setup with: Where the local path is: C:\Server\Tomcat 6.0\bin And the Directory Security is: Integrated Windows authentication (checked only) The result I get in my IE browser is: You are not authorized to view th
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
2 - questions (just because I'm not knowledgeable about IP address or TCP/IP ports etc or networking functionality). 1. Before moving to IIS, the Tomcat server was setup on port 80 but because IIS uses port 80 the Tomcat server in the server.xml was changed to 8080. Could this be the problem on why I'm getting the HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration. Internet Information Services (IIS)? 2. Per Andre, " So now the isapi redirector module knows that in order to reach this Tomcat and pass the browser request to it, it need to establish a TCP/IP connection to localhost on port 8009, and format the request according to the specicifications of the AJP/1.3 protocol. This protocol is a bit different from HTTP, so the /format/ in which the isapi redirector passes the request to the Tomcat server is different from the original HTTP request, but the /content/ of the request is the same." If the network I'm on does NOT recognize this port 8009 would that be contributing to the HTTP Error 401.2? Thanks. -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Thursday, June 03, 2010 4:22 PM To: Tomcat Users List Subject: Re: How can I get the user value in the request forwarded to my Tomcat in my Java app? Hi. Now we're cooking ! But by the way, now this is also OT for this list, because your problem now seems to be between the browser and the webserver. First, please do the following : using Google, find the the IE plugin named "Fiddler 2" and install it in your IE browser. That is a plugin which will allow you to view all the exchanges between the browser and the server (headers, errors, contents etc..). Second, check in the IE options that it is really allowed to use "Integrated Windows Authentication". That is somewhere in the long list of extended options. If you receive a login dialog when you try to access a resource under IIS, it is because either one of these conditions : - the IIS server requests the browser to authenticate using a specific method (e.g. NTLM), but the browser is not set up to do this and is trying a Basic authentication. - the version of NTLM required by the server and the one supported by the workstation are not compatible - your workstation is not logged into the same domain as the server - your workstation does not recognise the server as a "trusted" server Basically, if Integrated Windows Authentication was working, you should never see this login popup. It should all happen automatically behind the scenes. Savoy, Melinda wrote: > I think I was finally able to TEST that my tomcat connector and its > respective config files have been setup correctly. > > I think I have narrowed my problem to an IIS Directory Security ISSUE on > jakarta. If anyone has run into this issue can you please respond to the > following problem: > > In IIS I have the Default Web Site setup with: > > ISAPI Filters: jakarta and it points to C:\Server\Tomcat > 6.0\bin\isapi_redirect.dll > And the Directory Security is: Enable anonymous access (checked only) > > In IIS I have the jakarta virtual directory setup with: > > Where the local path is: C:\Server\Tomcat 6.0\bin > And the Directory Security is: Integrated Windows authentication (checked > only) > > The result I get in my IE browser is: > > You are not authorized to view this page > You do not have permission to view this directory or page using the > credentials that you supplied because your Web browser is sending a > WWW-Authenticate header field that the Web server is not configured to accept. > > > Please try the following: > > Contact the Web site administrator if you believe you should be able to view > this directory or page. > Click the Refresh button to try again with different credentials. > HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration. > Internet Information Services (IIS) > > But when I change the jakarta Directory Security to the following I am able > to get to the ERROR.jsp page in my application on Tomcat: > > Directory Security changed to Anonymous access (checked only) > > The ERROR.jsp page comes up because I do not have a USER value in the > request. It is empty as depicted from the isapi log: > > [Thu Jun 03 15:27:24.665 2010] [948:3148] [debug] jk_isapi_plugin.c (3108): > Service protocol=HTTP/1.1 method=GET host=167.99.60.10 addr=167.99.60.10 > name=scmisdev port=80 auth= user= uri=/pics/plus.jpg > > Any suggestions or direction on how I can remedy this issue would be > appreciated. > > Thank you. > > > -Original Message- > From: Savoy, Melinda > Sent: Thursday, June 03, 2010
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Thanks Leo. I do have the Web Service Extension created. -Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Sent: Thursday, June 03, 2010 4:34 PM To: 'Tomcat Users List' Subject: RE: How can I get the user value in the request forwarded to my Tomcat in my Java app? I can't remember if anyone has already mentioned this. If so, my apologies. In IIS, do you have a "Web Service Extension" that is mapped to the isapi_redirect.dll, and that is set to "allowed"? -Original Message- From: Savoy, Melinda [mailto:melindasa...@texashealth.org] Sent: Thursday, June 03, 2010 1:53 PM To: 'Tomcat Users List' Subject: RE: How can I get the user value in the request forwarded to my Tomcat in my Java app? I think I was finally able to TEST that my tomcat connector and its respective config files have been setup correctly. I think I have narrowed my problem to an IIS Directory Security ISSUE on jakarta. If anyone has run into this issue can you please respond to the following problem: In IIS I have the Default Web Site setup with: ISAPI Filters: jakarta and it points to C:\Server\Tomcat 6.0\bin\isapi_redirect.dll And the Directory Security is: Enable anonymous access (checked only) In IIS I have the jakarta virtual directory setup with: Where the local path is: C:\Server\Tomcat 6.0\bin And the Directory Security is: Integrated Windows authentication (checked only) The result I get in my IE browser is: You are not authorized to view this page You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept. Please try the following: Contact the Web site administrator if you believe you should be able to view this directory or page. Click the Refresh button to try again with different credentials. HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration. Internet Information Services (IIS) But when I change the jakarta Directory Security to the following I am able to get to the ERROR.jsp page in my application on Tomcat: Directory Security changed to Anonymous access (checked only) The ERROR.jsp page comes up because I do not have a USER value in the request. It is empty as depicted from the isapi log: [Thu Jun 03 15:27:24.665 2010] [948:3148] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=167.99.60.10 addr=167.99.60.10 name=scmisdev port=80 auth= user= uri=/pics/plus.jpg Any suggestions or direction on how I can remedy this issue would be appreciated. Thank you. -Original Message- From: Savoy, Melinda Sent: Thursday, June 03, 2010 12:53 PM To: 'Tomcat Users List' Subject: RE: How can I get the user value in the request forwarded to my Tomcat in my Java app? Let me try to answer Andre's questions below as well as communicate the results I got given the settings I have in the Windows 2003 server and ANY HELP or DIRECTION would be GREATLY APPRECIATED : I spoke to the guy who had setup our Tomcat server and he said that the SECOND HOST in our server.xml file was there to define the virtual host that is in our enterprise DNS (see settings below). The baseapp="scmisapp" which is a directory in our tomcat server: C:\Server\Tomcat 6.0\scmisapp I removed the SECOND virtual directory as you instructed and now I'm getting Windows login dialog boxes when trying to go the URL: http://scmisdev. If we could start from the following settings and if someone could let me know what I'm doing wrong to get the error (see below) I'm getting it would be greatly appreciated: Workers.properties file: worker.scmisWorker.type=ajp13 worker.scmisWorker.host=localhost (I'm not sure if this should match the host name="scmis" in my server.xml file or not) worker.scmisWorker.port=8009 uriworkermap.properties file: /scmisdev/*=scmisWorker (this matches the virtual host that we have defined in the enterprise DNS and what we use to get to this server via the URL in our browsers (IE) http://scmisdev ). Server.xml: scmisdev scmisdev.texashealth.org In IIS I have the Default Web Site setup with: ISAPI Filters: jakarta and it points to C:\Server\Tomcat 6.0\bin\isapi_redirect.dll And the Directory Security is: Enable anonymous access (checked only) In IIS I have the jakarta virtual directory setup with: Where the local path is: C:\Server\Tomcat 6.0\bin And the Directory Security is: Integrated Windows authentication (checked only) The result I get in my IE browser is: You are not authorized to view this page You do not have permission to view this directory or page using the credentials that y
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Thank you, Chris. -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Thursday, June 03, 2010 4:14 PM To: Tomcat Users List Subject: Re: How can I get the user value in the request forwarded to my Tomcat in my Java app? -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Melinda, On 6/3/2010 11:48 AM, Savoy, Melinda wrote: > Does the host in the workers.properties file need to match the HOST > name in the server.xml file (see below): > > worker.scmisWorker.type=ajp13 > worker.scmisWorker.host=scmis > worker.scmisWorker.port=8009 No, the 'host' for the worker is the host where Tomcat is running. It has nothing to do with the "Host" header coming from the client in an HTTP header. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkwIGwIACgkQ9CaO5/Lv0PCmPgCdHPQ8sQQYP+LNREqm10WWvq1j p30AnjFQgh11z/0edNuk3kcwU47hDFGu =Duc8 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org The information contained in this message and any attachments is intended only for the use of the individual or entity to which it is addressed, and may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from disclosure under applicable law. If you are not the intended recipient, you are prohibited from copying, distributing, or using the information. Please contact the sender immediately by return e-mail and delete the original message from your system.
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
I can't remember if anyone has already mentioned this. If so, my apologies. In IIS, do you have a "Web Service Extension" that is mapped to the isapi_redirect.dll, and that is set to "allowed"? -Original Message- From: Savoy, Melinda [mailto:melindasa...@texashealth.org] Sent: Thursday, June 03, 2010 1:53 PM To: 'Tomcat Users List' Subject: RE: How can I get the user value in the request forwarded to my Tomcat in my Java app? I think I was finally able to TEST that my tomcat connector and its respective config files have been setup correctly. I think I have narrowed my problem to an IIS Directory Security ISSUE on jakarta. If anyone has run into this issue can you please respond to the following problem: In IIS I have the Default Web Site setup with: ISAPI Filters: jakarta and it points to C:\Server\Tomcat 6.0\bin\isapi_redirect.dll And the Directory Security is: Enable anonymous access (checked only) In IIS I have the jakarta virtual directory setup with: Where the local path is: C:\Server\Tomcat 6.0\bin And the Directory Security is: Integrated Windows authentication (checked only) The result I get in my IE browser is: You are not authorized to view this page You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept. Please try the following: Contact the Web site administrator if you believe you should be able to view this directory or page. Click the Refresh button to try again with different credentials. HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration. Internet Information Services (IIS) But when I change the jakarta Directory Security to the following I am able to get to the ERROR.jsp page in my application on Tomcat: Directory Security changed to Anonymous access (checked only) The ERROR.jsp page comes up because I do not have a USER value in the request. It is empty as depicted from the isapi log: [Thu Jun 03 15:27:24.665 2010] [948:3148] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=167.99.60.10 addr=167.99.60.10 name=scmisdev port=80 auth= user= uri=/pics/plus.jpg Any suggestions or direction on how I can remedy this issue would be appreciated. Thank you. -Original Message- From: Savoy, Melinda Sent: Thursday, June 03, 2010 12:53 PM To: 'Tomcat Users List' Subject: RE: How can I get the user value in the request forwarded to my Tomcat in my Java app? Let me try to answer Andre's questions below as well as communicate the results I got given the settings I have in the Windows 2003 server and ANY HELP or DIRECTION would be GREATLY APPRECIATED : I spoke to the guy who had setup our Tomcat server and he said that the SECOND HOST in our server.xml file was there to define the virtual host that is in our enterprise DNS (see settings below). The baseapp="scmisapp" which is a directory in our tomcat server: C:\Server\Tomcat 6.0\scmisapp I removed the SECOND virtual directory as you instructed and now I'm getting Windows login dialog boxes when trying to go the URL: http://scmisdev. If we could start from the following settings and if someone could let me know what I'm doing wrong to get the error (see below) I'm getting it would be greatly appreciated: Workers.properties file: worker.scmisWorker.type=ajp13 worker.scmisWorker.host=localhost (I'm not sure if this should match the host name="scmis" in my server.xml file or not) worker.scmisWorker.port=8009 uriworkermap.properties file: /scmisdev/*=scmisWorker (this matches the virtual host that we have defined in the enterprise DNS and what we use to get to this server via the URL in our browsers (IE) http://scmisdev ). Server.xml: scmisdev scmisdev.texashealth.org In IIS I have the Default Web Site setup with: ISAPI Filters: jakarta and it points to C:\Server\Tomcat 6.0\bin\isapi_redirect.dll And the Directory Security is: Enable anonymous access (checked only) In IIS I have the jakarta virtual directory setup with: Where the local path is: C:\Server\Tomcat 6.0\bin And the Directory Security is: Integrated Windows authentication (checked only) The result I get in my IE browser is: You are not authorized to view this page You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept. Please try the following: Contact the Web site administrator if you believe you should be able to view this
Re: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Hi. Now we're cooking ! But by the way, now this is also OT for this list, because your problem now seems to be between the browser and the webserver. First, please do the following : using Google, find the the IE plugin named "Fiddler 2" and install it in your IE browser. That is a plugin which will allow you to view all the exchanges between the browser and the server (headers, errors, contents etc..). Second, check in the IE options that it is really allowed to use "Integrated Windows Authentication". That is somewhere in the long list of extended options. If you receive a login dialog when you try to access a resource under IIS, it is because either one of these conditions : - the IIS server requests the browser to authenticate using a specific method (e.g. NTLM), but the browser is not set up to do this and is trying a Basic authentication. - the version of NTLM required by the server and the one supported by the workstation are not compatible - your workstation is not logged into the same domain as the server - your workstation does not recognise the server as a "trusted" server Basically, if Integrated Windows Authentication was working, you should never see this login popup. It should all happen automatically behind the scenes. Savoy, Melinda wrote: I think I was finally able to TEST that my tomcat connector and its respective config files have been setup correctly. I think I have narrowed my problem to an IIS Directory Security ISSUE on jakarta. If anyone has run into this issue can you please respond to the following problem: In IIS I have the Default Web Site setup with: ISAPI Filters: jakarta and it points to C:\Server\Tomcat 6.0\bin\isapi_redirect.dll And the Directory Security is: Enable anonymous access (checked only) In IIS I have the jakarta virtual directory setup with: Where the local path is: C:\Server\Tomcat 6.0\bin And the Directory Security is: Integrated Windows authentication (checked only) The result I get in my IE browser is: You are not authorized to view this page You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept. Please try the following: Contact the Web site administrator if you believe you should be able to view this directory or page. Click the Refresh button to try again with different credentials. HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration. Internet Information Services (IIS) But when I change the jakarta Directory Security to the following I am able to get to the ERROR.jsp page in my application on Tomcat: Directory Security changed to Anonymous access (checked only) The ERROR.jsp page comes up because I do not have a USER value in the request. It is empty as depicted from the isapi log: [Thu Jun 03 15:27:24.665 2010] [948:3148] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=167.99.60.10 addr=167.99.60.10 name=scmisdev port=80 auth= user= uri=/pics/plus.jpg Any suggestions or direction on how I can remedy this issue would be appreciated. Thank you. -Original Message- From: Savoy, Melinda Sent: Thursday, June 03, 2010 12:53 PM To: 'Tomcat Users List' Subject: RE: How can I get the user value in the request forwarded to my Tomcat in my Java app? Let me try to answer Andre's questions below as well as communicate the results I got given the settings I have in the Windows 2003 server and ANY HELP or DIRECTION would be GREATLY APPRECIATED : I spoke to the guy who had setup our Tomcat server and he said that the SECOND HOST in our server.xml file was there to define the virtual host that is in our enterprise DNS (see settings below). The baseapp="scmisapp" which is a directory in our tomcat server: C:\Server\Tomcat 6.0\scmisapp I removed the SECOND virtual directory as you instructed and now I'm getting Windows login dialog boxes when trying to go the URL: http://scmisdev. If we could start from the following settings and if someone could let me know what I'm doing wrong to get the error (see below) I'm getting it would be greatly appreciated: Workers.properties file: worker.scmisWorker.type=ajp13 worker.scmisWorker.host=localhost (I'm not sure if this should match the host name="scmis" in my server.xml file or not) worker.scmisWorker.port=8009 uriworkermap.properties file: /scmisdev/*=scmisWorker (this matches the virtual host that we have defined in the enterprise DNS and what we use to get to this server via the URL in our browsers (IE) http://scmisdev ). Server.xml: scmisdev scmisdev.texashealth.org In IIS I have t
Re: How can I get the user value in the request forwarded to my Tomcat in my Java app?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Melinda, On 6/3/2010 1:52 PM, Savoy, Melinda wrote: > I spoke to the guy who had setup our Tomcat server and he said that > the SECOND HOST in our server.xml file was there to define the virtual > host that is in our enterprise DNS (see settings below). The > baseapp="scmisapp" which is a directory in our tomcat server: > C:\Server\Tomcat 6.0\scmisapp A second host is not necessary: any incoming requests for a host that isn't explicitly defined will go to the "default" host. Unless you need a complicated configuration, stick to a single that is the default, and don't even worry about giving it a special name. We've run with a single in production for years. > I removed the SECOND virtual directory as you instructed and now I'm > getting Windows login dialog boxes when trying to go the URL: > http://scmisdev. Is that not the expected behavior? > Workers.properties file: > > worker.scmisWorker.type=ajp13 > worker.scmisWorker.host=localhost (I'm not sure if this should match the host > name="scmis" in my server.xml file or not) If Tomcat is running on localhost (with respect to IIS, of course), then you do, in fact, want "localhost". > worker.scmisWorker.port=8009 > > uriworkermap.properties file: > > /scmisdev/*=scmisWorker (this matches the virtual host that we have defined > in the enterprise DNS and what we use to get to this server via the URL in > our browsers (IE) http://scmisdev ). No. http://scmisdev is a URL with only the hostname. If you want to map /scmisdev/* to your worker, the URL should be http://scmisdev/scmisdev If you want the URL http://scmisdev to work, you're going to have to name your web application's deployment WAR file ROOT.war (or exploded-WAR directory called ROOT) (capitals are required, even on Microsoft Windows). > unpackWARs="false" autoDeploy="false" > xmlValidation="false" xmlNamespaceAware="false"> > [...] >unpackWARs="true" autoDeploy="false" > xmlValidation="false" xmlNamespaceAware="false"> > > scmisdev > scmisdev.texashealth.org > See above for my comments on dual-Host configurations. > The result I get in my IE browser is: > > You are not authorized to view this page > You do not have permission to view this directory or page using the > credentials that you supplied because your Web browser is sending a > WWW-Authenticate header field that the Web server is not configured to > accept. What URL are you trying to access? http://scmisdev? If that's it, then your web server isn't configured to display any (accessible) content when you make the following request: GET / HTTP1.1 Host scmisdev Try again with http://scmisdev/scmisdev/index.jsp (or whatever resource should be available in your webapp) and let us know how it goes. Hope that helps, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkwIHKQACgkQ9CaO5/Lv0PApDgCghrf6F/mCTUmdBrzRW4FerFrj zfIAoJh3Cmo2x16Sp+KBhw5xrxIyHe+s =EEjg -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How can I get the user value in the request forwarded to my Tomcat in my Java app?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Melinda, On 6/3/2010 11:48 AM, Savoy, Melinda wrote: > Does the host in the workers.properties file need to match the HOST > name in the server.xml file (see below): > > worker.scmisWorker.type=ajp13 > worker.scmisWorker.host=scmis > worker.scmisWorker.port=8009 No, the 'host' for the worker is the host where Tomcat is running. It has nothing to do with the "Host" header coming from the client in an HTTP header. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkwIGwIACgkQ9CaO5/Lv0PCmPgCdHPQ8sQQYP+LNREqm10WWvq1j p30AnjFQgh11z/0edNuk3kcwU47hDFGu =Duc8 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
I think I was finally able to TEST that my tomcat connector and its respective config files have been setup correctly. I think I have narrowed my problem to an IIS Directory Security ISSUE on jakarta. If anyone has run into this issue can you please respond to the following problem: In IIS I have the Default Web Site setup with: ISAPI Filters: jakarta and it points to C:\Server\Tomcat 6.0\bin\isapi_redirect.dll And the Directory Security is: Enable anonymous access (checked only) In IIS I have the jakarta virtual directory setup with: Where the local path is: C:\Server\Tomcat 6.0\bin And the Directory Security is: Integrated Windows authentication (checked only) The result I get in my IE browser is: You are not authorized to view this page You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept. Please try the following: Contact the Web site administrator if you believe you should be able to view this directory or page. Click the Refresh button to try again with different credentials. HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration. Internet Information Services (IIS) But when I change the jakarta Directory Security to the following I am able to get to the ERROR.jsp page in my application on Tomcat: Directory Security changed to Anonymous access (checked only) The ERROR.jsp page comes up because I do not have a USER value in the request. It is empty as depicted from the isapi log: [Thu Jun 03 15:27:24.665 2010] [948:3148] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=167.99.60.10 addr=167.99.60.10 name=scmisdev port=80 auth= user= uri=/pics/plus.jpg Any suggestions or direction on how I can remedy this issue would be appreciated. Thank you. -Original Message- From: Savoy, Melinda Sent: Thursday, June 03, 2010 12:53 PM To: 'Tomcat Users List' Subject: RE: How can I get the user value in the request forwarded to my Tomcat in my Java app? Let me try to answer Andre's questions below as well as communicate the results I got given the settings I have in the Windows 2003 server and ANY HELP or DIRECTION would be GREATLY APPRECIATED : I spoke to the guy who had setup our Tomcat server and he said that the SECOND HOST in our server.xml file was there to define the virtual host that is in our enterprise DNS (see settings below). The baseapp="scmisapp" which is a directory in our tomcat server: C:\Server\Tomcat 6.0\scmisapp I removed the SECOND virtual directory as you instructed and now I'm getting Windows login dialog boxes when trying to go the URL: http://scmisdev. If we could start from the following settings and if someone could let me know what I'm doing wrong to get the error (see below) I'm getting it would be greatly appreciated: Workers.properties file: worker.scmisWorker.type=ajp13 worker.scmisWorker.host=localhost (I'm not sure if this should match the host name="scmis" in my server.xml file or not) worker.scmisWorker.port=8009 uriworkermap.properties file: /scmisdev/*=scmisWorker (this matches the virtual host that we have defined in the enterprise DNS and what we use to get to this server via the URL in our browsers (IE) http://scmisdev ). Server.xml: scmisdev scmisdev.texashealth.org In IIS I have the Default Web Site setup with: ISAPI Filters: jakarta and it points to C:\Server\Tomcat 6.0\bin\isapi_redirect.dll And the Directory Security is: Enable anonymous access (checked only) In IIS I have the jakarta virtual directory setup with: Where the local path is: C:\Server\Tomcat 6.0\bin And the Directory Security is: Integrated Windows authentication (checked only) The result I get in my IE browser is: You are not authorized to view this page You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept. Please try the following: Contact the Web site administrator if you believe you should be able to view this directory or page. Click the Refresh button to try again with different credentials. HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration. Internet Information Services (IIS) Technical Information (for support personnel) Go to Microsoft Product Support Services and perform a title search for the words HTTP and 401. Open IIS Help, which is accessible in IIS Manager
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Let me try to answer Andre's questions below as well as communicate the results I got given the settings I have in the Windows 2003 server and ANY HELP or DIRECTION would be GREATLY APPRECIATED : I spoke to the guy who had setup our Tomcat server and he said that the SECOND HOST in our server.xml file was there to define the virtual host that is in our enterprise DNS (see settings below). The baseapp="scmisapp" which is a directory in our tomcat server: C:\Server\Tomcat 6.0\scmisapp I removed the SECOND virtual directory as you instructed and now I'm getting Windows login dialog boxes when trying to go the URL: http://scmisdev. If we could start from the following settings and if someone could let me know what I'm doing wrong to get the error (see below) I'm getting it would be greatly appreciated: Workers.properties file: worker.scmisWorker.type=ajp13 worker.scmisWorker.host=localhost (I'm not sure if this should match the host name="scmis" in my server.xml file or not) worker.scmisWorker.port=8009 uriworkermap.properties file: /scmisdev/*=scmisWorker (this matches the virtual host that we have defined in the enterprise DNS and what we use to get to this server via the URL in our browsers (IE) http://scmisdev ). Server.xml: scmisdev scmisdev.texashealth.org In IIS I have the Default Web Site setup with: ISAPI Filters: jakarta and it points to C:\Server\Tomcat 6.0\bin\isapi_redirect.dll And the Directory Security is: Enable anonymous access (checked only) In IIS I have the jakarta virtual directory setup with: Where the local path is: C:\Server\Tomcat 6.0\bin And the Directory Security is: Integrated Windows authentication (checked only) The result I get in my IE browser is: You are not authorized to view this page You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept. Please try the following: Contact the Web site administrator if you believe you should be able to view this directory or page. Click the Refresh button to try again with different credentials. HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration. Internet Information Services (IIS) Technical Information (for support personnel) Go to Microsoft Product Support Services and perform a title search for the words HTTP and 401. Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled About Security, Authentication, and About Custom Error Messages. -Original Message- From: Savoy, Melinda Sent: Wednesday, June 02, 2010 5:12 PM To: Tomcat Users List; Tomcat Users List Subject: RE: How can I get the user value in the request forwarded to my Tomcat in my Java app? Andre, First my apologies for forgetting my earlier setup within my Windows XP box and therefore as you say not learning what I had done previously. Second - this Windows 2003 server was already setup and the second host was created in order that the user could enter a URL of http://scmisdev and then get to the application which is how it has been working. In your comment: "It seems that you have not learned a lot, or forgotten what you previously learned. Why do you need this last "virtual directory" in IIS ? The "jakarta" virtual directory will already re-direct (or rather "proxy") all the calls to "/scmisdev/*" to Tomcat. You do not want IIS to go directly put its nose in the Tomcat directories. You want it to go through the isapi redirector for that, which you already do with the jakarta virtual directory setup." What do I put in the uriworkermap.properties file that redirects to where the JSP's are? The directory path in Tomcat as to where the app is located is: C:\Server\Tomcat 6.0\scmisapp\ROOT\WEB-INF You are correct that I'm probably mixing up 2 things but I'm trying retain all the info that you and Ranier have each given but sometimes it would appear to me to be confusing. Lastly, let me state again my apologies. It is NOT my intent to waste the time of you or anyone else on this list just trying to get some help. I will try again in the morning. Regards. ____ From: André Warnier [...@ice-sa.com] Sent: Wednesday, June 02, 2010 16:29 To: Tomcat Users List Subject: Re: How can I get the user value in the request forwarded to my Tomcat in my Java app? Savoy, Melinda wrote: > I finally got my Windows 2003 development box setup with the Tomcat Connector > and IIS 6.0. The following is my setup: > > In th
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Question. Does the host in the workers.properties file need to match the HOST name in the server.xml file (see below): worker.scmisWorker.type=ajp13 worker.scmisWorker.host=scmis worker.scmisWorker.port=8009 scmisdev scmisdev.texashealth.org Thank you. -Original Message- From: Savoy, Melinda Sent: Wednesday, June 02, 2010 5:12 PM To: Tomcat Users List; Tomcat Users List Subject: RE: How can I get the user value in the request forwarded to my Tomcat in my Java app? Andre, First my apologies for forgetting my earlier setup within my Windows XP box and therefore as you say not learning what I had done previously. Second - this Windows 2003 server was already setup and the second host was created in order that the user could enter a URL of http://scmisdev and then get to the application which is how it has been working. In your comment: "It seems that you have not learned a lot, or forgotten what you previously learned. Why do you need this last "virtual directory" in IIS ? The "jakarta" virtual directory will already re-direct (or rather "proxy") all the calls to "/scmisdev/*" to Tomcat. You do not want IIS to go directly put its nose in the Tomcat directories. You want it to go through the isapi redirector for that, which you already do with the jakarta virtual directory setup." What do I put in the uriworkermap.properties file that redirects to where the JSP's are? The directory path in Tomcat as to where the app is located is: C:\Server\Tomcat 6.0\scmisapp\ROOT\WEB-INF You are correct that I'm probably mixing up 2 things but I'm trying retain all the info that you and Ranier have each given but sometimes it would appear to me to be confusing. Lastly, let me state again my apologies. It is NOT my intent to waste the time of you or anyone else on this list just trying to get some help. I will try again in the morning. Regards. From: André Warnier [...@ice-sa.com] Sent: Wednesday, June 02, 2010 16:29 To: Tomcat Users List Subject: Re: How can I get the user value in the request forwarded to my Tomcat in my Java app? Savoy, Melinda wrote: > I finally got my Windows 2003 development box setup with the Tomcat Connector > and IIS 6.0. The following is my setup: > > In the server.xml file I have the following in the HOST element: > > >unpackWARs="false" autoDeploy="false" > xmlValidation="false" xmlNamespaceAware="false"> > > > > > > > > > > unpackWARs="true" autoDeploy="false" > xmlValidation="false" xmlNamespaceAware="false"> > > scmisdev not necessary, since this is already the hostname > scmisdev.texashealth.org > Why this second Host anyway ? > > In my uriworkermap.properties file: > > /scmisdev/*=scmisWorker > /scmisdev/*.jsp=scmisWorker > /scmisdev/servlet/*=scmisWorker the first one covers the other 2, so why have them ? > > In my workers.properties file: > > # workers.properties from = > http://onjava.com/pub/a/onjava/2002/12/18/tomcat.html > # > # This file provides minimal jk configuration properties needed to > # connect to Tomcat. > # > # The workers that jk should create and work with > > worker.list=scmisWorker > > # > # Defining a worker named ajp13w and of type ajp13 > # Note that the name and the type do not have to match. > # > worker.scmisWorker.port=8009 > worker.scmisWorker.host=localhost > worker.scmisWorker.type=ajp13 > > In IIS I have the Default Web Site setup with: > > ISAPI Filters: jakarta and it points to C:\Server\Tomcat > 6.0\bin\isapi_redirect.dll > And the Directory Security is: Enable anonymous access (checked only) > > In IIS I have the jakarta virtual directory setup with: > > Where the local path is: C:\Server\Tomcat 6.0\bin > And the Directory Security is: Integrated Windows authentication (checked > only) > > In IIS I have the scmisdev virtual directory setup with: > > Where the local path is: C:\Server\Tomcat 6.0\scmisapp\ROOT\WEB-INF (points > to WEB-INF directory) > And the Directory Security is: Integrated Windows authentication (checked > only) It seems that you have not learned a lot, or forgotten what you previously learned. Why do you need this last "virtual directory" in IIS ? The "jakarta" virtual directory will already re-direct (or rather "proxy") all the calls to "/scmisdev/*" to Tomcat. You do not want IIS to go directly put its nose in the Tomcat directories. You want it to go through th
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Andre, First my apologies for forgetting my earlier setup within my Windows XP box and therefore as you say not learning what I had done previously. Second - this Windows 2003 server was already setup and the second host was created in order that the user could enter a URL of http://scmisdev and then get to the application which is how it has been working. In your comment: "It seems that you have not learned a lot, or forgotten what you previously learned. Why do you need this last "virtual directory" in IIS ? The "jakarta" virtual directory will already re-direct (or rather "proxy") all the calls to "/scmisdev/*" to Tomcat. You do not want IIS to go directly put its nose in the Tomcat directories. You want it to go through the isapi redirector for that, which you already do with the jakarta virtual directory setup." What do I put in the uriworkermap.properties file that redirects to where the JSP's are? The directory path in Tomcat as to where the app is located is: C:\Server\Tomcat 6.0\scmisapp\ROOT\WEB-INF You are correct that I'm probably mixing up 2 things but I'm trying retain all the info that you and Ranier have each given but sometimes it would appear to me to be confusing. Lastly, let me state again my apologies. It is NOT my intent to waste the time of you or anyone else on this list just trying to get some help. I will try again in the morning. Regards. From: André Warnier [...@ice-sa.com] Sent: Wednesday, June 02, 2010 16:29 To: Tomcat Users List Subject: Re: How can I get the user value in the request forwarded to my Tomcat in my Java app? Savoy, Melinda wrote: > I finally got my Windows 2003 development box setup with the Tomcat Connector > and IIS 6.0. The following is my setup: > > In the server.xml file I have the following in the HOST element: > > >unpackWARs="false" autoDeploy="false" > xmlValidation="false" xmlNamespaceAware="false"> > > > > > > > > > > unpackWARs="true" autoDeploy="false" > xmlValidation="false" xmlNamespaceAware="false"> > > scmisdev not necessary, since this is already the hostname > scmisdev.texashealth.org > Why this second Host anyway ? > > In my uriworkermap.properties file: > > /scmisdev/*=scmisWorker > /scmisdev/*.jsp=scmisWorker > /scmisdev/servlet/*=scmisWorker the first one covers the other 2, so why have them ? > > In my workers.properties file: > > # workers.properties from = > http://onjava.com/pub/a/onjava/2002/12/18/tomcat.html > # > # This file provides minimal jk configuration properties needed to > # connect to Tomcat. > # > # The workers that jk should create and work with > > worker.list=scmisWorker > > # > # Defining a worker named ajp13w and of type ajp13 > # Note that the name and the type do not have to match. > # > worker.scmisWorker.port=8009 > worker.scmisWorker.host=localhost > worker.scmisWorker.type=ajp13 > > In IIS I have the Default Web Site setup with: > > ISAPI Filters: jakarta and it points to C:\Server\Tomcat > 6.0\bin\isapi_redirect.dll > And the Directory Security is: Enable anonymous access (checked only) > > In IIS I have the jakarta virtual directory setup with: > > Where the local path is: C:\Server\Tomcat 6.0\bin > And the Directory Security is: Integrated Windows authentication (checked > only) > > In IIS I have the scmisdev virtual directory setup with: > > Where the local path is: C:\Server\Tomcat 6.0\scmisapp\ROOT\WEB-INF (points > to WEB-INF directory) > And the Directory Security is: Integrated Windows authentication (checked > only) It seems that you have not learned a lot, or forgotten what you previously learned. Why do you need this last "virtual directory" in IIS ? The "jakarta" virtual directory will already re-direct (or rather "proxy") all the calls to "/scmisdev/*" to Tomcat. You do not want IIS to go directly put its nose in the Tomcat directories. You want it to go through the isapi redirector for that, which you already do with the jakarta virtual directory setup. > > However my result when going to URL http://localhost/scmisdev is: > > HTTP Status 404 - /scmisdev/ > > Type Status report > > Message /scmisdev/ > > Description The requested resource (/scmisdev/) is not available. > > Any suggestions or direction would be greatly appreciated. Ok, what does this error page look like ? Does it look like a Tomcat error page ? Melinda, it see
Re: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Savoy, Melinda wrote: I finally got my Windows 2003 development box setup with the Tomcat Connector and IIS 6.0. The following is my setup: In the server.xml file I have the following in the HOST element: scmisdev not necessary, since this is already the hostname scmisdev.texashealth.org Why this second Host anyway ? In my uriworkermap.properties file: /scmisdev/*=scmisWorker /scmisdev/*.jsp=scmisWorker /scmisdev/servlet/*=scmisWorker the first one covers the other 2, so why have them ? In my workers.properties file: # workers.properties from = http://onjava.com/pub/a/onjava/2002/12/18/tomcat.html # # This file provides minimal jk configuration properties needed to # connect to Tomcat. # # The workers that jk should create and work with worker.list=scmisWorker # # Defining a worker named ajp13w and of type ajp13 # Note that the name and the type do not have to match. # worker.scmisWorker.port=8009 worker.scmisWorker.host=localhost worker.scmisWorker.type=ajp13 In IIS I have the Default Web Site setup with: ISAPI Filters: jakarta and it points to C:\Server\Tomcat 6.0\bin\isapi_redirect.dll And the Directory Security is: Enable anonymous access (checked only) In IIS I have the jakarta virtual directory setup with: Where the local path is: C:\Server\Tomcat 6.0\bin And the Directory Security is: Integrated Windows authentication (checked only) In IIS I have the scmisdev virtual directory setup with: Where the local path is: C:\Server\Tomcat 6.0\scmisapp\ROOT\WEB-INF (points to WEB-INF directory) And the Directory Security is: Integrated Windows authentication (checked only) It seems that you have not learned a lot, or forgotten what you previously learned. Why do you need this last "virtual directory" in IIS ? The "jakarta" virtual directory will already re-direct (or rather "proxy") all the calls to "/scmisdev/*" to Tomcat. You do not want IIS to go directly put its nose in the Tomcat directories. You want it to go through the isapi redirector for that, which you already do with the jakarta virtual directory setup. However my result when going to URL http://localhost/scmisdev is: HTTP Status 404 - /scmisdev/ Type Status report Message /scmisdev/ Description The requested resource (/scmisdev/) is not available. Any suggestions or direction would be greatly appreciated. Ok, what does this error page look like ? Does it look like a Tomcat error page ? Melinda, it seems that you are mixing two issues (again) : - the first is in the basic setup of IIS+Tomcat, and how to set things up so that the URLs which you are interested in are actually redirected to Tomcat in the proper way. - the second is, once the first one is working properly, to set things up so that IIS authenticates users which request these URLs, and that the isapi redirector forwards this authentication to Tomcat (which it does, by default). - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Thanks Terence. Actually I had that in my JSP page (with the "=") but I did not put it below. My apologies. -Original Message- From: Terence M. Bandoian [mailto:tere...@tmbsw.com] Sent: Friday, May 28, 2010 8:00 AM To: Tomcat Users List Subject: RE: How can I get the user value in the request forwarded to my Tomcat in my Java app? Hi, Melinda- It may be helpful to try that again with the JSP expression syntax: <%= request.getRemoteUser() %> Notice the '=' after the first '%'. -Terence Bandoian Savoy, Melinda wrote: > Sorry, I had to leave the office yesterday after I answered part of Ranier's > question. > > When I inserted the <%request.getRemoteUser()%> in the index.jsp page where > that is the only thing on my page, I saw in my browser this error: Error The > SCMWeb Inventory/Purchasing web application has encountered the following > error: (did not show an error). > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org The information contained in this message and any attachments is intended only for the use of the individual or entity to which it is addressed, and may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from disclosure under applicable law. If you are not the intended recipient, you are prohibited from copying, distributing, or using the information. Please contact the sender immediately by return e-mail and delete the original message from your system. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Hi, Melinda- It may be helpful to try that again with the JSP expression syntax: <%= request.getRemoteUser() %> Notice the '=' after the first '%'. -Terence Bandoian Savoy, Melinda wrote: Sorry, I had to leave the office yesterday after I answered part of Ranier's question. When I inserted the <%request.getRemoteUser()%> in the index.jsp page where that is the only thing on my page, I saw in my browser this error: Error The SCMWeb Inventory/Purchasing web application has encountered the following error: (did not show an error). - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How can I get the user value in the request forwarded to my Tomcat in my Java app?
On 28.05.2010 13:43, Savoy, Melinda wrote: Sorry, I had to leave the office yesterday after I answered part of Ranier's question. When I inserted the<%request.getRemoteUser()%> in the index.jsp page where that is the only thing on my page, I saw in my browser this error: Error The SCMWeb Inventory/Purchasing web application has encountered the following error: (did not show an error). Did you realize the typo between your version and what I suggested? Each tiny bit counts ;) Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
One more interesting bit of info is that in my console in Eclipse when debugging my application I saw the following error regarding HTTP: 06:38:31,688 FAIL [HttpFilter] GET /SCMIS/index.jsp HTTP/1.1 accept: */* accept-language: en-us connection: Keep-Alive host: localhost user-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8) authorization: Negotiate TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP accept-encoding: gzip, deflate content-length: 0 Any suggestions? It is not very informative as to what caused the failure. Thanks. -Original Message- From: Savoy, Melinda Sent: Friday, May 28, 2010 6:44 AM To: 'Tomcat Users List' Subject: RE: How can I get the user value in the request forwarded to my Tomcat in my Java app? Sorry, I had to leave the office yesterday after I answered part of Ranier's question. When I inserted the <%request.getRemoteUser()%> in the index.jsp page where that is the only thing on my page, I saw in my browser this error: Error The SCMWeb Inventory/Purchasing web application has encountered the following error: (did not show an error). I got the following in my isapi.log: [Fri May 28 06:38:22.938 2010] [1584:5036] [debug] jk_isapi_plugin.c (1835): Filter started [Fri May 28 06:38:22.938 2010] [1584:5036] [debug] jk_uri_worker_map.c (1168): File c:\server\Tomcat 6.0\conf\uriworkermap.properties is not modified [Fri May 28 06:38:22.938 2010] [1584:5036] [debug] jk_uri_worker_map.c (1036): Attempting to map URI '/localhost/SCMIS/index.jsp' from 3 maps [Fri May 28 06:38:22.938 2010] [1584:5036] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/SCMIS/servlet/*=scmisWorker' source 'uriworkermap' [Fri May 28 06:38:22.938 2010] [1584:5036] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/SCMIS/*.jsp=scmisWorker' source 'uriworkermap' [Fri May 28 06:38:22.938 2010] [1584:5036] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/SCMIS/*=scmisWorker' source 'uriworkermap' [Fri May 28 06:38:22.938 2010] [1584:5036] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/SCMIS/servlet/*=scmisWorker' source 'uriworkermap' [Fri May 28 06:38:22.938 2010] [1584:5036] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/SCMIS/*.jsp=scmisWorker' source 'uriworkermap' [Fri May 28 06:38:22.938 2010] [1584:5036] [debug] jk_uri_worker_map.c (863): Found a wildchar match '/SCMIS/*.jsp=scmisWorker' [Fri May 28 06:38:22.938 2010] [1584:5036] [debug] jk_isapi_plugin.c (1916): check if [/SCMIS/index.jsp] points to the web-inf directory [Fri May 28 06:38:22.938 2010] [1584:5036] [debug] jk_isapi_plugin.c (1932): [/SCMIS/index.jsp] is a servlet url - should redirect to scmisWorker [Fri May 28 06:38:22.938 2010] [1584:5036] [debug] jk_isapi_plugin.c (1972): fowarding escaped URI [/SCMIS/index.jsp] [Fri May 28 06:38:22.953 2010] [1584:5036] [debug] jk_isapi_plugin.c (1835): Filter started [Fri May 28 06:38:22.953 2010] [1584:5036] [debug] jk_uri_worker_map.c (1036): Attempting to map URI '/localhost/SCMIS/index.jsp' from 3 maps [Fri May 28 06:38:22.953 2010] [1584:5036] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/SCMIS/servlet/*=scmisWorker' source 'uriworkermap' [Fri May 28 06:38:22.953 2010] [1584:5036] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/SCMIS/*.jsp=scmisWorker' source 'uriworkermap' [Fri May 28 06:38:22.953 2010] [1584:5036] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/SCMIS/*=scmisWorker' source 'uriworkermap' [Fri May 28 06:38:22.953 2010] [1584:5036] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/SCMIS/servlet/*=scmisWorker' source 'uriworkermap' [Fri May 28 06:38:22.953 2010] [1584:5036] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/SCMIS/*.jsp=scmisWorker' source 'uriworkermap' [Fri May 28 06:38:22.953 2010] [1584:5036] [debug] jk_uri_worker_map.c (863): Found a wildchar match '/SCMIS/*.jsp=scmisWorker' [Fri May 28 06:38:22.953 2010] [1584:5036] [debug] jk_isapi_plugin.c (1916): check if [/SCMIS/index.jsp] points to the web-inf directory [Fri May 28 06:38:22.953 2010] [1584:5036] [debug] jk_isapi_plugin.c (1932): [/SCMIS/index.jsp] is a servlet url - should redirect to scmisWorker [Fri May 28 06:38:22.953 2010] [1584:5036] [debug] jk_isapi_plugin.c (1972): fowarding escaped URI [/SCMIS/index.jsp] [Fri May 28 06:38:22.953 2010] [1584:5036] [debug] jk_worker.c (339): Maintaining worker scmisWorker [Fri May 28
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
6E 20 69 64 3D 22 6C 6F 67 6F 73 - ....H [Fri May 28 06:38:31.766 2010] [1584:5036] [debug] jk_ajp_common.c (1336): 03d0 65 6C 70 3C 2F 61 3E 20 7C 20 3C 61 20 68 72 65 - elp.|.Contact -Original Message- From: Rainer Jung [mailto:rainer.j...@kippdata.de] Sent: Thursday, May 27, 2010 10:17 AM To: Tomcat Users List Subject: Re: How can I get the user value in the request forwarded to my Tomcat in my Java app? On 27.05.2010 16:42, Savoy, Melinda wrote: > In my isapi.log I am getting the user value (indicated below in BOLD RED > font) from IIS using the Tomcat connector and my understanding from others on > this list is that I should be able to get at that user value by using the > HttpServletRequest getRemoteUser() however, I am getting a NULL value when > doing that. I'm sure I'm doing something stupid but I just can't see it. > > Here is what is in my isapi.log: > > [Thu May 27 09:11:21.706 2010] [4656:4920] [debug] jk_isapi_plugin.c (3108): > Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 > name=localhost port=80 auth=Negotiate user=TEXAS\SavoyM uri=/SCMIS/index.jsp > > Here is the code I'm using in Java to get at the user value above: > > public User authenticate(final HttpServletRequest request, final > HttpServletResponse response) throws IOException { > > // Initialize the User object > User user = null; > > // 1. Initiate the IIS authentication process. > final String auth_user = request.getRemoteUser(); > final String auth_user2 = > request.getUserPrincipal().getName(); > > // 2. Create a User object with the user name > if (auth_user != null) > user = new User(auth_user, ""); > > // 3. Check to see if the user is populated > if (auth_user == null) > throw new UnauthorizedException(response, user); > > // 4. Perform authentication if user not already > authenticated > if (SecurityContext.getUser(request) == null) { > // a. Verify the user credentials > if (!manager.verify(user)) > return null; > > // b. Load the application-managed User object and > save into the context > user = manager.load(user); > SecurityContext.setUser(user, request); > return user; > } > > return SecurityContext.getUser(request); > } > > As you can see I've also tried to get to the user by using the > getUserPrincipal.getName() but that produces a NPE. > > Any help or direction from someone who knows Java would be greatly > appreciated. Please post the complete settings of your AJP Connector element in server.xml. We want to check your "tomcatAuthentication" setting. What happens, if you put <%=request.getremoteUser()%> as the only content into SCMIS/index.jsp and then request the URL http://localhost/SCMIS/index.jsp in the browser? How does the above log line look, and what do you get in the browser window? Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org The information contained in this message and any attachments is intended only for the use of the individual or entity to which it is addressed, and may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from disclosure under applicable law. If you are not the intended recipient, you are prohibited from copying, distributing, or using the information. Please contact the sender immediately by return e-mail and delete the original message from your system. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How can I get the user value in the request forwarded to my Tomcat in my Java app?
On 27.05.2010 18:49, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Melinda, On 5/27/2010 11:19 AM, Savoy, Melinda wrote: Here is the AJP setting: ... and what about Rainer's other question. Did you give up on the older thread with the same problem? Just wondering why you didn't stick with the existing discussion thread... Because I suggested this to her a couple of posts ago. It looked like we move back into Java world with her problems and the chosen subject seemed to be not appropriate. Well, ... Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How can I get the user value in the request forwarded to my Tomcat in my Java app?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Melinda, On 5/27/2010 11:19 AM, Savoy, Melinda wrote: > Here is the AJP setting: > > > tomcatAuthentication="false" /> ... and what about Rainer's other question. Did you give up on the older thread with the same problem? Just wondering why you didn't stick with the existing discussion thread... - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkv+oooACgkQ9CaO5/Lv0PCVGQCfZfY9fY5SPnyxIpjjKVWaQkbk XWgAoKabxrdkxZv4bjP6+RpaSXbx2XTS =NZpb -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Here is the AJP setting: -Original Message- From: Rainer Jung [mailto:rainer.j...@kippdata.de] Sent: Thursday, May 27, 2010 10:17 AM To: Tomcat Users List Subject: Re: How can I get the user value in the request forwarded to my Tomcat in my Java app? On 27.05.2010 16:42, Savoy, Melinda wrote: > In my isapi.log I am getting the user value (indicated below in BOLD RED > font) from IIS using the Tomcat connector and my understanding from others on > this list is that I should be able to get at that user value by using the > HttpServletRequest getRemoteUser() however, I am getting a NULL value when > doing that. I'm sure I'm doing something stupid but I just can't see it. > > Here is what is in my isapi.log: > > [Thu May 27 09:11:21.706 2010] [4656:4920] [debug] jk_isapi_plugin.c (3108): > Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 > name=localhost port=80 auth=Negotiate user=TEXAS\SavoyM uri=/SCMIS/index.jsp > > Here is the code I'm using in Java to get at the user value above: > > public User authenticate(final HttpServletRequest request, final > HttpServletResponse response) throws IOException { > > // Initialize the User object > User user = null; > > // 1. Initiate the IIS authentication process. > final String auth_user = request.getRemoteUser(); > final String auth_user2 = > request.getUserPrincipal().getName(); > > // 2. Create a User object with the user name > if (auth_user != null) > user = new User(auth_user, ""); > > // 3. Check to see if the user is populated > if (auth_user == null) > throw new UnauthorizedException(response, user); > > // 4. Perform authentication if user not already > authenticated > if (SecurityContext.getUser(request) == null) { > // a. Verify the user credentials > if (!manager.verify(user)) > return null; > > // b. Load the application-managed User object and > save into the context > user = manager.load(user); > SecurityContext.setUser(user, request); > return user; > } > > return SecurityContext.getUser(request); > } > > As you can see I've also tried to get to the user by using the > getUserPrincipal.getName() but that produces a NPE. > > Any help or direction from someone who knows Java would be greatly > appreciated. Please post the complete settings of your AJP Connector element in server.xml. We want to check your "tomcatAuthentication" setting. What happens, if you put <%=request.getremoteUser()%> as the only content into SCMIS/index.jsp and then request the URL http://localhost/SCMIS/index.jsp in the browser? How does the above log line look, and what do you get in the browser window? Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org The information contained in this message and any attachments is intended only for the use of the individual or entity to which it is addressed, and may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from disclosure under applicable law. If you are not the intended recipient, you are prohibited from copying, distributing, or using the information. Please contact the sender immediately by return e-mail and delete the original message from your system. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How can I get the user value in the request forwarded to my Tomcat in my Java app?
On 27.05.2010 16:42, Savoy, Melinda wrote: In my isapi.log I am getting the user value (indicated below in BOLD RED font) from IIS using the Tomcat connector and my understanding from others on this list is that I should be able to get at that user value by using the HttpServletRequest getRemoteUser() however, I am getting a NULL value when doing that. I'm sure I'm doing something stupid but I just can't see it. Here is what is in my isapi.log: [Thu May 27 09:11:21.706 2010] [4656:4920] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=Negotiate user=TEXAS\SavoyM uri=/SCMIS/index.jsp Here is the code I'm using in Java to get at the user value above: public User authenticate(final HttpServletRequest request, final HttpServletResponse response) throws IOException { // Initialize the User object User user = null; // 1. Initiate the IIS authentication process. final String auth_user = request.getRemoteUser(); final String auth_user2 = request.getUserPrincipal().getName(); // 2. Create a User object with the user name if (auth_user != null) user = new User(auth_user, ""); // 3. Check to see if the user is populated if (auth_user == null) throw new UnauthorizedException(response, user); // 4. Perform authentication if user not already authenticated if (SecurityContext.getUser(request) == null) { // a. Verify the user credentials if (!manager.verify(user)) return null; // b. Load the application-managed User object and save into the context user = manager.load(user); SecurityContext.setUser(user, request); return user; } return SecurityContext.getUser(request); } As you can see I've also tried to get to the user by using the getUserPrincipal.getName() but that produces a NPE. Any help or direction from someone who knows Java would be greatly appreciated. Please post the complete settings of your AJP Connector element in server.xml. We want to check your "tomcatAuthentication" setting. What happens, if you put <%=request.getremoteUser()%> as the only content into SCMIS/index.jsp and then request the URL http://localhost/SCMIS/index.jsp in the browser? How does the above log line look, and what do you get in the browser window? Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org