Re: Manager App not working with Windows authentication enabled
Harris Mark R wrote: Sorry, guess I was not clear enough. We are using Microsoft's IIS to front-end Tomcat, not the Apache HTTP server. Apache HTTP server is not an option for our environment. We would prefer to use the Windows authenticated user passed to Tomcat by IIS, but are open to anything that works reliably. It's my turn to apologise. That was clear in your original post, I just misread that. It is the same however with IIS. If the user is authenticated by IIS, and you set tomcatAuthentication=false, then Tomcat will take the user-id from what the IIS/AJP module is passing on from IIS, and it will not redo the user authentication by himself (him being Tomcat). As I said, our custom application is working great in this environment, but the manager app is not. We are having trouble associating the roles that the manager app is expecting with the authenticated user. We have tried altering the tomcat-users file just about every which way we could think of. Essentially we need any way to associate the authenticated user with the manager-gui that the manager app is expecting. Would we need to implement a custom realm to make this work? Yes, I think that you understand the issue correctly. Tomcat's standard user access control to an application is based on the concept of roles. You tell Tomcat that any users who has a role xxx can access that application. So Tomcat needs a way, given the present user-id, to find out if that user-id has this role (isUserInRole() ?). Unfortunately, what AJP passes to Tomcat is only a user-id, not any kind of roles information that this user has. I suppose that Tomcat somehow must use a Realm to get that kind of information, and I do not know if this Realm is capable of providing that information if it has not authenticated this user by itself. Maybe there is a way to tell Tomcat, for the manager application, to just check the user-id, and not the role ? I suppose that the right place to check would be the applicable Servlet Specification, in the web.xml/auth-constraints paragraph. How do you do it for your other application, the one that works ? On a totally different track, if you want to use WIA anyway, you may want to have a look at Jespa, at http://www.ioplex.com. It's a totally different authentication and security approach. based on a servlet filter in Tomcat which authenticates the Windows user directly at the Tomcat level, not on the base of the id that IIS determines (and AJP passes on). Jespa is capable of translating the concept of Windows users groups into Tomcat roles. One advantage of that approach is that you would have the various Tomcat roles managed at the same place as the other user-management functions (on the Windows domain AD server), and not have a different set of user information for Tomcat alone. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Manager App not working with Windows authentication enabled
Harris Mark R wrote: Environment: IIS 7.5 Tomcat 7.037 AJP/1.3 connector (redirector.dll) v 1.2 Java 7 We have a requirement for a new intranet application that it use Windows authentication. We have this working in our new application. We do have IIS, the connector and Tomcat serving up the application with no problems. What did happen is that we discovered that the manager application that comes with Tomcat no longer is accessible. We have some staff that use the manager app routinely. We did try to set up two AJP connectors, one defined in the server.xml with tomcatAuthentication=true and another set to false. In the AJP property files we set the second one to only be mapped to the manager URL. This did not work as we expected. Setting tomcatAuthentication=false in this case means that Tomcat is going to rely on the authenticated user-id sent to it by the front-end, through AJP. So you should authenticate the user at the Apache httpd front-end level. Anyone have any ideas on how to get the manager application working? How would you like the users of the manager application to be authenticated ? also via Windows Integrated Authentication, or at the Apache httpd level, via some other mechanism ? For a simple case, you could for example do this at the Apache httpd level : Location /manager setHandler jakarta-servlet AuthType Basic AuthName tomcat-manager require user x y z ... ... /Location (and set tomcatAuthentication=false) (setHandler jakarta-servlet in that Location section is roughly equivalent to JkMount /manager worker1) This syntax is explained in one of the on-line AJP connector's info pages on the tomcat website, at the very end of the page. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Manager App not working with Windows authentication enabled
Sorry, guess I was not clear enough. We are using Microsoft's IIS to front-end Tomcat, not the Apache HTTP server. Apache HTTP server is not an option for our environment. We would prefer to use the Windows authenticated user passed to Tomcat by IIS, but are open to anything that works reliably. As I said, our custom application is working great in this environment, but the manager app is not. We are having trouble associating the roles that the manager app is expecting with the authenticated user. We have tried altering the tomcat-users file just about every which way we could think of. Essentially we need any way to associate the authenticated user with the manager-gui that the manager app is expecting. Would we need to implement a custom realm to make this work? - Mark Harris - -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Tuesday, March 19, 2013 3:28 PM To: Tomcat Users List Subject: Re: Manager App not working with Windows authentication enabled Harris Mark R wrote: Environment: IIS 7.5 Tomcat 7.037 AJP/1.3 connector (redirector.dll) v 1.2 Java 7 We have a requirement for a new intranet application that it use Windows authentication. We have this working in our new application. We do have IIS, the connector and Tomcat serving up the application with no problems. What did happen is that we discovered that the manager application that comes with Tomcat no longer is accessible. We have some staff that use the manager app routinely. We did try to set up two AJP connectors, one defined in the server.xml with tomcatAuthentication=true and another set to false. In the AJP property files we set the second one to only be mapped to the manager URL. This did not work as we expected. Setting tomcatAuthentication=false in this case means that Tomcat is going to rely on the authenticated user-id sent to it by the front-end, through AJP. So you should authenticate the user at the Apache httpd front-end level. Anyone have any ideas on how to get the manager application working? How would you like the users of the manager application to be authenticated ? also via Windows Integrated Authentication, or at the Apache httpd level, via some other mechanism ? For a simple case, you could for example do this at the Apache httpd level : Location /manager setHandler jakarta-servlet AuthType Basic AuthName tomcat-manager require user x y z ... ... /Location (and set tomcatAuthentication=false) (setHandler jakarta-servlet in that Location section is roughly equivalent to JkMount /manager worker1) This syntax is explained in one of the on-line AJP connector's info pages on the tomcat website, at the very end of the page. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org