Re: Still having problem retrieving user value from ISAPI Filter for authentication
Savoy, Melinda wrote:
> Let me ask another question if I might in addition to the one below:
>
> In my ISAPI log it shows:
>
> [Wed Jun 23 09:50:59.568 2010] [5024:6028] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=NTLM user=TEXAS\SavoyM uri=/index.jsp
>
> The value of 80 is shown, my question is does this line in my ISAPI log show the request as to where it is coming from, meaning IIS since IIS is on port 80? My tomcat app is running on port 9080. Just curious.
>
> I think, I am going on to try Waffle, instead of trying to pursue this any further. dB has been kind enough to offer his help in getting me set up. I just thought I'd ask this one last question.
>
> Thanks for all the time and help.

Melinda, you are doing something somewhere which you are not telling us. Otherwise what you say you are doing should be working. If the userid shows up in the isapi redirector log, then Tomcat is getting it, and you should see it with getRemoteUser(). If you are not seeing it, then there is something else, not originally belonging to the isapi redirector or Tomcat, which is overwriting it with a null. If so, you will have the same issue with any authentication method.

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Actually, I was able, with dB's help, to implement the Waffle product that he has suggested to me and others who have posted on this list and it worked very easily. I would HIGHLY recommend Waffle for anyone who is using Tomcat and is looking for an Open Source solution for authentication.

I appreciate all the time and help of those on this list over the last 2 months. However, getting Waffle implemented was a much simpler process than using the Tomcat Connector.

Andre - I would have to take issue with your comment below about me not telling you everything that I did to make the ISAPI filter work.

Regards.

From: André Warnier [...@ice-sa.com]
Sent: Sunday, June 27, 2010 15:55
To: Tomcat Users List
Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication

Savoy, Melinda wrote:
> Let me ask another question if I might in addition to the one below:
>
> In my ISAPI log it shows:
>
> [Wed Jun 23 09:50:59.568 2010] [5024:6028] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=NTLM user=TEXAS\SavoyM uri=/index.jsp
>
> The value of 80 is shown, my question is does this line in my ISAPI log show the request as to where it is coming from, meaning IIS since IIS is on port 80? My tomcat app is running on port 9080. Just curious.
>
> I think, I am going on to try Waffle, instead of trying to pursue this any further. dB has been kind enough to offer his help in getting me set up. I just thought I'd ask this one last question.
>
> Thanks for all the time and help.

Melinda, you are doing something somewhere which you are not telling us. Otherwise what you say you are doing should be working. If the userid shows up in the isapi redirector log, then Tomcat is getting it, and you should see it with getRemoteUser(). If you are not seeing it, then there is something else, not originally belonging to the isapi redirector or Tomcat, which is overwriting it with a null. If so, you will have the same issue with any authentication method.

The information contained in this message and any attachments is intended only for the use of the individual or entity to which it is addressed, and may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from disclosure under applicable law. If you are not the intended recipient, you are prohibited from copying, distributing, or using the information. Please contact the sender immediately by return e-mail and delete the original message from your system.
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 23 Jun 2010, at 02:40, Rainer Jung rainer.j...@kippdata.de wrote:
> On 22.06.2010 21:59, Marc Boorshtein wrote:
>>> Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser(); in just Tomcat.
>> This shouldn't be the case since she put tomcatAuthentication=false tomcat should be taking the username from the JK_REMOTE_USER attribute. Have you tried a wireshark packet capture?
> The log file of the ISAPI redirector she presented already contains a dump of the AJP packet the redirector is going to send out. The dump shows the correct user string contained in the packet. I've got no idea what's wrong here.

Would you expect the user value normally to be set as another (REMOTE_USER type) header by ISAPI?

p

> Regards,
> Rainer
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 23.06.2010 09:51, Pid wrote:
> On 23 Jun 2010, at 02:40, Rainer Jung rainer.j...@kippdata.de wrote:
>> On 22.06.2010 21:59, Marc Boorshtein wrote:
>>>> Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser(); in just Tomcat.
>>> This shouldn't be the case since she put tomcatAuthentication=false tomcat should be taking the username from the JK_REMOTE_USER attribute. Have you tried a wireshark packet capture?
>> The log file of the ISAPI redirector she presented already contains a dump of the AJP packet the redirector is going to send out. The dump shows the correct user string contained in the packet. I've got no idea what's wrong here.
> Would you expect the user value normally to be set as another (REMOTE_USER type) header by ISAPI?

No, it gets sent as an AJP specific request attribute that the AJP connectors know about. It's not an HTTP header.

Regards,
Rainer
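The distinction drawn in the reply above, that the authenticated user travels as an AJP13 request attribute and not as an HTTP header, can be checked by decoding a forward-request packet. The following Python parser is an added example, not code from this thread or from mod_jk or Tomcat; the function names are hypothetical and the sample packet is constructed here from the values in the posted log line.

```python
import struct

# Coded header names: AJP13 sends 0xA001 for "accept", 0xA002 for the next, ...
CODED_HEADERS = dict(enumerate(
    "accept accept-charset accept-encoding accept-language authorization "
    "connection content-type content-length cookie cookie2 host pragma "
    "referer user-agent".split(), 0xA001))
# Optional attributes that carry one string value; remote_user is code 0x03.
STRING_ATTRS = {
    0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
    0x04: "auth_type", 0x05: "query_string", 0x06: "route",
    0x07: "ssl_cert", 0x08: "ssl_cipher", 0x09: "ssl_session",
    0x0C: "secret", 0x0D: "stored_method",
}
METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE"}


# Cursor over AJP13 bytes; raises ValueError on truncated input.
class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated AJP13 data at offset %d" % self.pos)
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def string(self):
        length = self.u16()
        if length == 0xFFFF:              # AJP13 encoding of a null string
            return None
        text = self.take(length).decode("latin-1")
        if self.take(1) != b"\x00":       # every string is NUL-terminated
            raise ValueError("AJP13 string missing terminator")
        return text


def parse_forward_request(packet):
    """Decode one web-server-to-Tomcat FORWARD_REQUEST into a dict."""
    outer = Reader(packet)
    if outer.take(2) != b"\x12\x34":
        raise ValueError("missing 0x1234 magic")
    r = Reader(outer.take(outer.u16()))   # payload length follows the magic
    if r.take(1)[0] != 0x02:
        raise ValueError("not a FORWARD_REQUEST")
    req = {"method": METHODS.get(r.take(1)[0], "other")}
    for field in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
        req[field] = r.string()
    req["server_port"], req["is_ssl"] = r.u16(), bool(r.take(1)[0])
    headers, attrs = {}, {}
    for _ in range(r.u16()):
        code = r.u16()
        if (code & 0xFF00) == 0xA000:     # coded header name
            name = CODED_HEADERS.get(code, hex(code))
        else:                             # plain string: rewind and re-read
            r.pos -= 2
            name = r.string()
        headers[name] = r.string()
    while True:
        code = r.take(1)[0]
        if code == 0xFF:                  # request terminator
            break
        if code == 0x0A:                  # req_attribute: name + value pair
            key = r.string()
            attrs.setdefault("req_attributes", {})[key] = r.string()
        elif code == 0x0B:                # ssl_key_size is a 2-byte integer
            attrs["ssl_key_size"] = r.u16()
        elif code in STRING_ATTRS:
            attrs[STRING_ATTRS[code]] = r.string()
        else:
            raise ValueError("unknown attribute code 0x%02X" % code)
    req["headers"], req["attributes"] = headers, attrs
    return req


def ajp_string(text):
    raw = text.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def build_sample():
    """Constructed packet using the values from the thread's log line."""
    body = b"\x02\x02" + ajp_string("HTTP/1.1") + ajp_string("/index.jsp")
    body += ajp_string("127.0.0.1") + ajp_string("127.0.0.1")
    body += ajp_string("localhost") + struct.pack(">HBH", 80, 0, 2)
    body += b"\xA0\x0B" + ajp_string("localhost")          # host header
    body += b"\xA0\x05" + ajp_string("NTLM constructed")   # authorization
    body += b"\x03" + ajp_string("TEXAS\\SavoyM")          # remote_user
    body += b"\x04" + ajp_string("NTLM") + b"\xFF"         # auth_type, end
    return b"\x12\x34" + struct.pack(">H", len(body)) + body


if __name__ == "__main__":
    print(parse_forward_request(build_sample()))
```

The user name appears under `attributes`, never under `headers`, which is why iterating `request.getHeaderNames()` cannot show it. The hex dump posted in this thread stops at offset 0100 of a 518-byte packet, so feeding those bytes to the parser ends in the truncation error before the attribute section is reached.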
RE: OT RE: Still having problem retrieving user value from ISAPI Filter for authentication
Thanks Leo. I've got the same setup in IIS regarding integrated windows security. However, IIS is on port 80 and Tomcat is on 9080 so as not to conflict. IIS is giving the ISAPI filter the user info that I'm looking for as indicated in the ISAPI log.

Thanks for trying. It's appreciated.

-----Original Message-----
From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
Sent: Tuesday, June 22, 2010 6:13 PM
To: 'Tomcat Users List'
Subject: RE: OT RE: Still having problem retrieving user value from ISAPI Filter for authentication

From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
Subject: OT RE: Still having problem retrieving user value from ISAPI Filter for authentication

Doesn't the url mapping in the uriworkermap.properties file interrupt IIS from passing authentication to Tomcat? If you restrict access to a virtual directory in IIS, mapped to a servlet or webapp in Tomcat, and there is a URL for that servlet/webapp in uriworkermap.properties, wouldn't Tomcat allow access even though IIS attempts to say no?

I still have a server with IIS and the isapi_redirect.dll Jakarta filter running internally. I created a new website in IIS, called test, using IIS port 8088, mapped to the examples directory in Tomcat 6.0.26 (Tomcat's HTTP port is still 8080). I added the Jakarta virtual directory to test. I removed anonymous access and checked integrated windows security for test.

http://localhost:8088 supply credentials of user not allowed to this directory - yields no access.
http://localhost:8088/examples I get right through, no challenge from IIS.
http://localhost:8088 supply credentials of user allowed, snoop JSP works, but Remote User is null. Everything else in snoop output had a value.

I stand corrected, as usual. Snoop JSP does display my login info. However, my browser is now set to supply credentials for internal sites. Automatic login only in Intranet zone.

IE 7 Internet Options Security Custom Level Scroll all the way down to User Authentication.

isapi_redirect.dll version 1.2.27
IIS 6.0
Windows Server 2003

http://localhost:8088/examples/jsp/snp/snoop.jsp

Request Information
JSP Request Method: GET
Request URI: /examples/jsp/snp/snoop.jsp
Request Protocol: HTTP/1.1
Servlet path: /jsp/snp/snoop.jsp
Path info: null
Query string: null
Content length: 0
Content type: null
Server name: server name
Server port: 8088
Remote user: PLANDEV\donahuel
Remote address: my ip
Remote host: my ip
Authorization scheme: Negotiate
Locale: en_US
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 23/06/2010 10:45, Rainer Jung wrote:
> On 23.06.2010 09:51, Pid wrote:
>> On 23 Jun 2010, at 02:40, Rainer Jung rainer.j...@kippdata.de wrote:
>>> On 22.06.2010 21:59, Marc Boorshtein wrote:
>>>>> Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser(); in just Tomcat.
>>>> This shouldn't be the case since she put tomcatAuthentication=false tomcat should be taking the username from the JK_REMOTE_USER attribute. Have you tried a wireshark packet capture?
>>> The log file of the ISAPI redirector she presented already contains a dump of the AJP packet the redirector is going to send out. The dump shows the correct user string contained in the packet. I've got no idea what's wrong here.
>> Would you expect the user value normally to be set as another (REMOTE_USER type) header by ISAPI?
> No, it gets sent as an AJP specific request attribute that the AJP connectors know about. It's not an HTTP header.

OK, and I'm guessing that if there was a way to get the AJP connector to dump those attributes you'd have said so by now.

p

> Regards,
> Rainer
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Let me ask, what may be a stupid question now, but when I print out the enumeration value of the request header names, see below, using request.getHeaderNames() should the user be listed as one of the headers which is passed on from the ISAPI filter:

=== MimeHeaders ===
accept = */*
accept-language = en-us
connection = Keep-Alive
host = localhost
user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2)
authorization = NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP
accept-encoding = gzip, deflate
content-length = 0

Thank you.

-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Wednesday, June 23, 2010 6:52 AM
To: Tomcat Users List
Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication

On 23/06/2010 10:45, Rainer Jung wrote:
> On 23.06.2010 09:51, Pid wrote:
>> On 23 Jun 2010, at 02:40, Rainer Jung rainer.j...@kippdata.de wrote:
>>> On 22.06.2010 21:59, Marc Boorshtein wrote:
>>>>> Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser(); in just Tomcat.
>>>> This shouldn't be the case since she put tomcatAuthentication=false tomcat should be taking the username from the JK_REMOTE_USER attribute. Have you tried a wireshark packet capture?
>>> The log file of the ISAPI redirector she presented already contains a dump of the AJP packet the redirector is going to send out. The dump shows the correct user string contained in the packet. I've got no idea what's wrong here.
>> Would you expect the user value normally to be set as another (REMOTE_USER type) header by ISAPI?
> No, it gets sent as an AJP specific request attribute that the AJP connectors know about. It's not an HTTP header.

OK, and I'm guessing that if there was a way to get the AJP connector to dump those attributes you'd have said so by now.

p

> Regards,
> Rainer
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On Wed, Jun 23, 2010 at 8:49 AM, Savoy, Melinda melindasa...@texashealth.org wrote:
> Let me ask, what may be a stupid question now, but when I print out the enumeration value of the request header names, see below, using request.getHeaderNames() should the user be listed as one of the headers which is passed on from the ISAPI filter:

What about the attributes?
request.getAttribute()
This is different than a header

Marc
RE: Still having problem retrieving user value from ISAPI Filter for authentication
I just tried the request.getAttributeNames() and I got nulls for all the elements in this enumeration.

Thanks.

-----Original Message-----
From: Marc Boorshtein [mailto:mboorsht...@gmail.com]
Sent: Wednesday, June 23, 2010 8:03 AM
To: Tomcat Users List
Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication

On Wed, Jun 23, 2010 at 8:49 AM, Savoy, Melinda melindasa...@texashealth.org wrote:
> Let me ask, what may be a stupid question now, but when I print out the enumeration value of the request header names, see below, using request.getHeaderNames() should the user be listed as one of the headers which is passed on from the ISAPI filter:

What about the attributes?
request.getAttribute()
This is different than a header

Marc
RE: Still having problem retrieving user value from ISAPI Filter for authentication
I also tried request.getAttribute(user) but I got a null value as well.

-----Original Message-----
From: Savoy, Melinda
Sent: Wednesday, June 23, 2010 8:09 AM
To: 'Tomcat Users List'
Subject: RE: Still having problem retrieving user value from ISAPI Filter for authentication

I just tried the request.getAttributeNames() and I got nulls for all the elements in this enumeration.

Thanks.

-----Original Message-----
From: Marc Boorshtein [mailto:mboorsht...@gmail.com]
Sent: Wednesday, June 23, 2010 8:03 AM
To: Tomcat Users List
Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication

On Wed, Jun 23, 2010 at 8:49 AM, Savoy, Melinda melindasa...@texashealth.org wrote:
> Let me ask, what may be a stupid question now, but when I print out the enumeration value of the request header names, see below, using request.getHeaderNames() should the user be listed as one of the headers which is passed on from the ISAPI filter:

What about the attributes?
request.getAttribute()
This is different than a header

Marc
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Let me ask another question if I might in addition to the one below:

In my ISAPI log it shows:

[Wed Jun 23 09:50:59.568 2010] [5024:6028] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=NTLM user=TEXAS\SavoyM uri=/index.jsp

The value of 80 is shown, my question is does this line in my ISAPI log show the request as to where it is coming from, meaning IIS since IIS is on port 80? My tomcat app is running on port 9080. Just curious.

I think, I am going on to try Waffle, instead of trying to pursue this any further. dB has been kind enough to offer his help in getting me set up. I just thought I'd ask this one last question.

Thanks for all the time and help.

Regards.

-----Original Message-----
From: Savoy, Melinda
Sent: Wednesday, June 23, 2010 7:50 AM
To: 'Tomcat Users List'; 'p...@pidster.com'
Subject: RE: Still having problem retrieving user value from ISAPI Filter for authentication

Let me ask, what may be a stupid question now, but when I print out the enumeration value of the request header names, see below, using request.getHeaderNames() should the user be listed as one of the headers which is passed on from the ISAPI filter:

=== MimeHeaders ===
accept = */*
accept-language = en-us
connection = Keep-Alive
host = localhost
user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2)
authorization = NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP
accept-encoding = gzip, deflate
content-length = 0

Thank you.

-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Wednesday, June 23, 2010 6:52 AM
To: Tomcat Users List
Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication

On 23/06/2010 10:45, Rainer Jung wrote:
> On 23.06.2010 09:51, Pid wrote:
>> On 23 Jun 2010, at 02:40, Rainer Jung rainer.j...@kippdata.de wrote:
>>> On 22.06.2010 21:59, Marc Boorshtein wrote:
>>>>> Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser(); in just Tomcat.
>>>> This shouldn't be the case since she put tomcatAuthentication=false tomcat should be taking the username from the JK_REMOTE_USER attribute. Have you tried a wireshark packet capture?
>>> The log file of the ISAPI redirector she presented already contains a dump of the AJP packet the redirector is going to send out. The dump shows the correct user string contained in the packet. I've got no idea what's wrong here.
>> Would you expect the user value normally to be set as another (REMOTE_USER type) header by ISAPI?
> No, it gets sent as an AJP specific request attribute that the AJP connectors know about. It's not an HTTP header.

OK, and I'm guessing that if there was a way to get the AJP connector to dump those attributes you'd have said so by now.

p

> Regards,
> Rainer
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 23.06.2010 16:58, Savoy, Melinda wrote:
> In my ISAPI log it shows:
>
> [Wed Jun 23 09:50:59.568 2010] [5024:6028] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=NTLM user=TEXAS\SavoyM uri=/index.jsp
>
> The value of 80 is shown, my question is does this line in my ISAPI log show the request as to where it is coming from, meaning IIS since IIS is on port 80?

Yes.

Rainer
RE: Still having problem retrieving user value from ISAPI Filter for authentication
My apologies. Let me try to ask my question in a more specific manner to see if I can get a response from someone on this list.

Per the ISAPI log, I am getting to my index.jsp page successfully and I also am able to see the request info that is sent to the ISAPI filter from IIS. But when I try to use the getRemoteUser() in my index.jsp page to retrieve the info from the ISAPI filter, I am getting a NULL value. It would appear that the getRemoteUser() is not the method to retrieve the user value that is displayed below. I've also tried getUserPrincipal().getName() as well but that does not work either.

There is a line below in the ISAPI log towards the bottom, right before the index.jsp page and the response is started that is displayed that states, NOT USING KEEP-ALIVE, is this preventing the user value in the request from being transferred to the page? :

[Tue Jun 22 06:25:55.697 2010] [1572:4000] [debug] jk_isapi_plugin.c (947): Starting response for URI '/index.jsp' (protocol HTTP/1.1)
[Tue Jun 22 06:25:55.697 2010] [1572:4000] [debug] jk_isapi_plugin.c (1047): Not using Keep-Alive
[Tue Jun 22 06:25:55.697 2010] [1572:4000] [debug] jk_ajp_common.c (1336): received from ajp13 pos=0 len=75 max=8192

Maybe there is something in my configuration files somewhere that is preventing this page from getting at the user value that I need from below. I am just not sure and ANY help would be appreciated.
ISAPI LOG:

[Tue Jun 22 06:25:55.541 2010] [1572:4000] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=127.0.0.1 addr=127.0.0.1 name=localhost port=80 auth=NTLM user=TEXAS\SavoyM uri=/index.jsp
[Tue Jun 22 06:25:55.541 2010] [1572:4000] [debug] jk_isapi_plugin.c (3120): Service request headers=8 attributes=0 chunked=no content-length=0 available=0
[Tue Jun 22 06:25:55.541 2010] [1572:4000] [debug] jk_worker.c (116): found a worker scmisWorker
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_isapi_plugin.c (2162): got a worker for name scmisWorker
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (3093): acquired connection pool slot=0 after 0 retries
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (605): ajp marshaling done
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (2376): processing scmisWorker with 2 retries
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (1152): sending to ajp13 pos=4 len=518 max=8192
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (1152): 12 34 02 02 02 02 00 08 48 54 54 50 2F 31 2E 31 - .4..HTTP/1.1
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (1152): 0010 00 00 0A 2F 69 6E 64 65 78 2E 6A 73 70 00 00 09 - .../index.jsp...
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (1152): 0020 31 32 37 2E 30 2E 30 2E 31 00 00 09 31 32 37 2E - 127.0.0.1...127.
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (1152): 0030 30 2E 30 2E 31 00 00 09 6C 6F 63 61 6C 68 6F 73 - 0.0.1...localhos
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (1152): 0040 74 00 00 50 00 00 08 A0 01 00 03 2A 2F 2A 00 00 - t..P...*/*..
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (1152): 0050 0F 61 63 63 65 70 74 2D 6C 61 6E 67 75 61 67 65 - .accept-language
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (1152): 0060 00 00 05 65 6E 2D 75 73 00 A0 06 00 0A 4B 65 65 - ...en-us.Kee
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (1152): 0070 70 2D 41 6C 69 76 65 00 A0 0B 00 09 6C 6F 63 61 - p-Alive.loca
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (1152): 0080 6C 68 6F 73 74 00 A0 0E 00 D0 4D 6F 7A 69 6C 6C - lhost.Mozill
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (1152): 0090 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C - a/4.0.(compatibl
[Tue Jun 22 06:25:55.557 2010] [1572:4000] [debug] jk_ajp_common.c (1152): 00a0 65 3B 20 4D 53 49 45 20 38 2E 30 3B 20 57 69 6E - e;.MSIE.8.0;.Win
[Tue Jun 22 06:25:55.572 2010] [1572:4000] [debug] jk_ajp_common.c (1152): 00b0 64 6F 77 73 20 4E 54 20 35 2E 31 3B 20 54 72 69 - dows.NT.5.1;.Tri
[Tue Jun 22 06:25:55.572 2010] [1572:4000] [debug] jk_ajp_common.c (1152): 00c0 64 65 6E 74 2F 34 2E 30 3B 20 2E 4E 45 54 20 43 - dent/4.0;..NET.C
[Tue Jun 22 06:25:55.572 2010] [1572:4000] [debug] jk_ajp_common.c (1152): 00d0 4C 52 20 31 2E 31 2E 34 33 32 32 3B 20 2E 4E 45 - LR.1.1.4322;..NE
[Tue Jun 22 06:25:55.572 2010] [1572:4000] [debug] jk_ajp_common.c (1152): 00e0 54 20 43 4C 52 20 32 2E 30 2E 35 30 37 32 37 3B - T.CLR.2.0.50727;
[Tue Jun 22 06:25:55.572 2010] [1572:4000] [debug] jk_ajp_common.c (1152): 00f0 20 2E 4E 45 54 20 43 4C 52 20 33 2E 30 2E 30 34 - ..NET.CLR.3.0.04
[Tue Jun 22 06:25:55.572 2010] [1572:4000] [debug] jk_ajp_common.c (1152): 0100
Re: Still having problem retrieving user value from ISAPI Filter for authentication
I haven't tried this with IIS, but we had quite the discussion on this last week with Apache tomcat with JK. In your server.xml file add tomcatAuthentication=false to the AJP connector object.

If you look in the archives of this list for JK_REMOTE_USER there is a very interesting discussion on the topic.

Marc
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22/06/2010 13:05, Marc Boorshtein wrote:
> I haven't tried this with IIS, but we had quite the discussion on this last week with Apache tomcat with JK. In your server.xml file add tomcatAuthentication=false to the AJP connector object.
>
> If you look in the archives of this list for JK_REMOTE_USER there is a very interesting discussion on the topic.

Also, you could iterate through the headers in request.getHeaderNames() to see what's being passed across to Tomcat.

p

> Marc
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Thanks Marc. I actually have that setting in my server.xml file as well.

Actually I did follow your post last week thinking that would help me but the ISAPI filter is working properly as indicated in my log and IIS has authenticated the info otherwise, at least it is my understanding and my experience for the last month in trying to get the ISAPI config and IIS setup properly, that the request info in the isapi log would NOT be populated at all. But now that it is, it appears that I cannot get to the request info by using the getRemoteUser() method which I understood from Rainer and Andre that I could use to get the user value that I need to complete authentication in my code. It just seems that the ISAPI filter is NOT working properly.

Andre or Rainer, if you guys are out there, your response would be appreciated.

Thanks again.

-----Original Message-----
From: Marc Boorshtein [mailto:mboorsht...@gmail.com]
Sent: Tuesday, June 22, 2010 7:06 AM
To: Tomcat Users List
Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication

I haven't tried this with IIS, but we had quite the discussion on this last week with Apache tomcat with JK. In your server.xml file add tomcatAuthentication=false to the AJP connector object.

If you look in the archives of this list for JK_REMOTE_USER there is a very interesting discussion on the topic.

Marc
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On Tue, Jun 22, 2010 at 8:16 AM, Savoy, Melinda melindasa...@texashealth.org wrote:
> Thanks Marc. I actually have that setting in my server.xml file as well.

Hmm, I've only gotten the ISAPI filter working once and not in this context. Unless there are other ways to do this Pid's idea is probably the best.

Marc
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Thanks Pid, I did do that as well, but I did not see the user value there either. Here is what I got when I did issue the getHeaderNames() and as you can see the authorization shows the encrypted NTLM value but it is not decrypted and I cannot get to the info though the ISAPI log shows the decrypted value which I cannot get to:

=== MimeHeaders ===
accept = */*
accept-language = en-us
connection = Keep-Alive
host = localhost
user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2)
cookie = JSESSIONID=969AE176A965514B845A6E3A9E83A21E
authorization = NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP
accept-encoding = gzip, deflate
content-length = 0

I don't know what I'm doing wrong here. Again, any help is appreciated.

Thanks.

-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Tuesday, June 22, 2010 7:11 AM
To: Tomcat Users List
Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication

On 22/06/2010 13:05, Marc Boorshtein wrote:
> I haven't tried this with IIS, but we had quite the discussion on this last week with Apache tomcat with JK. In your server.xml file add tomcatAuthentication=false to the AJP connector object. If you look in the archives of this list for JK_REMOTE_USER there is a very interesting discussion on the topic.

Also, you could iterate through the headers in request.getHeaderNames() to see what's being passed across to Tomcat.

p

> Marc
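Added example, not part of any message in this thread and not code from the isapi redirector or Tomcat: in AJP13 the user authenticated by the front-end web server travels as the remote_user request attribute, separate from the HTTP headers, so a getHeaderNames() dump shows only the raw Authorization value. The parser below reads a constructed Forward Request (the EXAMPLE\jdoe user and all packet bytes are made up here) and separates headers from attributes; tomcatAuthentication=false is the connector setting under which Tomcat accepts that attribute as the remote user.

```python
import struct

# AJP13 request attribute codes; attributes follow the headers in the packet.
ATTRIBUTES = {
    0x01: "context", 0x02: "servlet_path", 0x03: "remote_user", 0x04: "auth_type",
    0x05: "query_string", 0x06: "route", 0x07: "ssl_cert", 0x08: "ssl_cipher",
    0x09: "ssl_session", 0x0C: "secret", 0x0D: "stored_method",
}
# Common request header names travel as 0xA0xx codes instead of strings.
HEADERS = {
    0xA001: "accept", 0xA002: "accept-charset", 0xA003: "accept-encoding",
    0xA004: "accept-language", 0xA005: "authorization", 0xA006: "connection",
    0xA007: "content-type", 0xA008: "content-length", 0xA009: "cookie",
    0xA00A: "cookie2", 0xA00B: "host", 0xA00C: "pragma", 0xA00D: "referer",
    0xA00E: "user-agent",
}
METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE"}

class Reader:
    # Bounds-checked cursor over the packet bytes.
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated AJP13 packet")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def string(self):
        # AJP13 string: 2-byte length, the bytes, then a NUL terminator.
        length = self.u16()
        if length == 0xFFFF:  # marks a null string
            return None
        text = self.take(length).decode("latin-1")
        self.take(1)
        return text

def parse_forward_request(packet):
    r = Reader(packet)
    if r.take(2) != b"\x12\x34":
        raise ValueError("missing 0x1234 magic (web server to container)")
    if r.u16() != len(packet) - 4:
        raise ValueError("length field does not match packet size")
    if r.u8() != 0x02:
        raise ValueError("not a Forward Request")
    req = {"method": METHODS.get(r.u8(), "other")}
    for field in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
        req[field] = r.string()
    req["server_port"], req["is_ssl"] = r.u16(), bool(r.u8())
    headers = {}
    for _ in range(r.u16()):
        if r.data[r.pos:r.pos + 1] == b"\xa0":  # coded header name
            name = HEADERS.get(r.u16(), "unknown")
        else:
            name = (r.string() or "").lower()
        headers[name] = r.string()
    attributes = {}
    while True:
        code = r.u8()
        if code == 0xFF:  # request terminator
            break
        if code == 0x0A:  # req_attribute: arbitrary name/value pair
            name = r.string()
            attributes[name] = r.string()
        elif code == 0x0B:  # ssl_key_size is a 2-byte integer
            attributes["ssl_key_size"] = r.u16()
        else:
            attributes[ATTRIBUTES.get(code, "attr_0x%02x" % code)] = r.string()
    req["headers"], req["attributes"] = headers, attributes
    return req

def ajp_string(text):
    raw = text.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def build_sample(remote_user=None):
    # Constructed GET /index.jsp request; every value here is made up.
    body = bytes([0x02, 0x02])  # Forward Request, method GET
    for text in ("HTTP/1.1", "/index.jsp", "127.0.0.1", "127.0.0.1", "localhost"):
        body += ajp_string(text)
    body += struct.pack(">H", 80) + b"\x00"  # server_port, is_ssl
    body += struct.pack(">H", 2)  # two headers follow
    body += struct.pack(">H", 0xA00B) + ajp_string("localhost")
    body += struct.pack(">H", 0xA005) + ajp_string("NTLM constructed-token")
    if remote_user is not None:  # what an authenticating front end adds
        body += b"\x03" + ajp_string(remote_user) + b"\x04" + ajp_string("NTLM")
    body += b"\xff"
    return b"\x12\x34" + struct.pack(">H", len(body)) + body

if __name__ == "__main__":
    req = parse_forward_request(build_sample("EXAMPLE\\jdoe"))
    print("headers:   ", sorted(req["headers"]))
    print("attributes:", req["attributes"])
```

Because the connector trusts whatever remote_user the peer sends once tomcatAuthentication is false, the AJP port should be reachable only from the web server that performs the authentication.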
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22/06/2010 13:36, Savoy, Melinda wrote:
> Thanks Pid, I did do that as well, but I did not see the user value there either. Here is what I got when I did issue the getHeaderNames() and as you can see the authorization shows the encrypted NTLM value but it is not decrypted and I cannot get to the info though the ISAPI log shows the decrypted value which I cannot get to:
>
> === MimeHeaders ===
> accept = */*
> accept-language = en-us
> connection = Keep-Alive
> host = localhost
> user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2)
> cookie = JSESSIONID=969AE176A965514B845A6E3A9E83A21E
> authorization = NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP

The authorization should be base64, (if memory serves), you could decode it and see what it's passing. Tomcat has some base64 code which you can probably find use to decode it.

(At least until someone who knows more about ISAPI turns up.)

p

> accept-encoding = gzip, deflate
> content-length = 0
>
> I don't know what I'm doing wrong here. Again, any help is appreciated.
>
> Thanks.
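Added example, not part of any message in this thread: the value after "NTLM" in an Authorization header is a base64-encoded NTLMSSP message, and its final (type 3, AUTHENTICATE) form carries the domain, user and workstation names as plain strings. The decoder below is a diagnostic sketch under stated assumptions: it expects the common 64-byte type 3 header with the flags at offset 60, treats non-Unicode strings as cp437, and is exercised on a constructed message (EXAMPLE, jdoe and WKSTN01 are made up, and the response fields are zero-filled).

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NEGOTIATE_UNICODE = 0x00000001


def decode_header(value):
    """Return the raw NTLMSSP bytes from an 'NTLM <base64>' header value."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob.strip():
        raise ValueError("not an NTLM Authorization header")
    try:
        return base64.b64decode(blob.strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("token is not valid base64") from exc


def security_buffer(msg, pos):
    """Read a (length, max length, offset) descriptor and return its data."""
    length, _max_length, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points past the end of the message")
    return msg[offset:offset + length]


def parse_ntlm(value):
    msg = decode_header(value)
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type not in TYPES:
        raise ValueError("unknown NTLM message type 0x%08x" % msg_type)
    info = {"type": msg_type, "name": TYPES[msg_type]}
    if msg_type != 3:
        return info  # types 1 and 2 carry no user name
    if len(msg) < 64:
        raise ValueError("AUTHENTICATE message shorter than its 64-byte header")
    (flags,) = struct.unpack_from("<I", msg, 60)
    # Assumption: the OEM code page is cp437 when Unicode was not negotiated.
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    for field, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
        info[field] = security_buffer(msg, pos).decode(encoding, errors="replace")
    # These names are whatever the client sent. They are only trustworthy once
    # the server that issued the challenge has validated the response fields.
    return info


def build_type3(domain, user, workstation):
    """Constructed AUTHENTICATE header for testing; responses are zero-filled."""
    fields = [b"\x00" * 24, b"\x00" * 24]  # LM and NT response placeholders
    fields += [s.encode("utf-16-le") for s in (domain, user, workstation)]
    fields.append(b"")  # empty session key
    descriptors, payload, offset = b"", b"", 64
    for data in fields:
        descriptors += struct.pack("<HHI", len(data), len(data), offset)
        payload += data
        offset += len(data)
    msg = SIGNATURE + struct.pack("<I", 3) + descriptors
    msg += struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    print(parse_ntlm(build_type3("EXAMPLE", "jdoe", "WKSTN01")))
```

The header value quoted in the thread decodes to 30 bytes that begin with the NTLMSSP signature but do not parse as a complete message, so parse_ntlm raises ValueError for it.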
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22/06/2010 13:36, Savoy, Melinda wrote:
> I don't know what I'm doing wrong here. Again, any help is appreciated.

What do you have defined in web.xml for security-config etc?

p
RE: Still having problem retrieving user value from ISAPI Filter for authentication
We have a custom filter that we're using because after we get the request and response info then I need to use the user value info and get the user also authenticated against a legacy system. But right now I have that commented out in my web.xml so that I can go directly to a test index.jsp page and verify that the getRemoteUser() is acquiring the user info from ISAPI but ISAPI is not providing that info to me via this method.

I'm not sure, again, why it shows the info in the log but I cannot get to it directly. I'm not sure how Rainer was able to get to it as he stated awhile back.

Thanks again.
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Question. I never setup a custom Tomcat REALM and wondered if that is required by this ISAPI filter as another user at JavaRanch explained the following to me:

"You'd have to provide the user principals and roles via a Tomcat Realm in order for getRemoteUser to work. Filters, IIS authenticators - none of them setup the J2EE security context of which getUserPrincipal and getRemoteUser are parts."

How do I do that for this ISAPI filter setup if that is indeed true?

Thanks.
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22.06.2010 14:16, Savoy, Melinda wrote:
> Thanks Marc. I actually have that setting in my server.xml file as well.
>
> Actually I did follow your post last week thinking that would help me but the ISAPI filter is working properly as indicated in my log and IIS has authenticated the info otherwise, at least it is my understanding and my experience for the last month in trying to get the ISAPI config and IIS setup properly, that the request info in the isapi log would NOT be populated at all.
>
> But now that it is, it appears that I cannot get to the request info by using the getRemoteUser() method which I understood from Rainer and Andre that I could use to get the user value that I need to complete authentication in my code. It just seems that the ISAPI filter is NOT working properly.
>
> Andre or Rainer, if you guys are out there, your response would be appreciated.

I thought you already managed to have a situation, where getRemoteUser() returned something meaningful. So what's the difference to the situation now?

Regards,

Rainer
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22/06/2010 13:59, Savoy, Melinda wrote:
> We have a custom filter that we're using because after we get the request and response info then I need to use the user value info and get the user also authenticated against a legacy system. But right now I have that commented out in my web.xml so that I can go directly to a test index.jsp page and verify that the getRemoteUser() is acquiring the user info from ISAPI but ISAPI is not providing that info to me via this method.
>
> I'm not sure, again, why it shows the info in the log but I cannot get to it directly. I'm not sure how Rainer was able to get to it as he stated awhile back.

If there's no auth defined in web.xml then Tomcat isn't going to do anything - AFAIK the auth valves don't trigger unless the config puts them in the pipeline.

If your auth is performed by a custom filter, that is currently commented out, then you're not going to get very far there either.

Do you know exactly what the filter does? Does it decode the header itself and wrap the request/response objects?

p

> Thanks again.
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Actually, what I finally got working was getting IIS to talk to Tomcat and therefore seeing the request get to the ISAPI filter which after working with a MS IIS engineer 2 weeks ago I was able to get up and running.

I have not to date been able to get the getRemoteUser() to extract the user value info that ISAPI shows in its log. That is the issue.

In the previous posts this morning I showed what the getHeaderNames() provided but it has an encrypted NTLM value. I thought I could get at the user value that ISAPI shows by executing the getRemoteUser() but I'm still getting a NULL value. Pid suggested using a Base64Decoder but I thought the ISAPI filter would provide that for me.

Thanks.
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22/06/2010 14:10, Savoy, Melinda wrote:
> Question. I never setup a custom Tomcat REALM and wondered if that is required by this ISAPI filter as another user at JavaRanch explained the following to me:
>
> "You'd have to provide the user principals and roles via a Tomcat Realm in order for getRemoteUser to work. Filters, IIS authenticators - none of them setup the J2EE security context of which getUserPrincipal and getRemoteUser are parts."

Your filter might. I don't know how it works or what it does though. Do you?

p

> How do I do that for this ISAPI filter setup if that is indeed true?
>
> Thanks.
RE: Still having problem retrieving user value from ISAPI Filter for authentication
We had been working with JCIFS and chose the Tomcat Connector for IIS because we're primarily a MS shop and already had IIS in place here. The team lead who had written this custom code is no longer with the company and I've had to try and figure out what all he did and then try to implement this Tomcat connector.

I've been able to talk to this former team lead and he basically told me the following on the filter: The filter basically takes the request/response and does create an auth value using the Base64Decoder and Base64Encoder from Sun and we populate a User object that is then used throughout the session for authentication purposes within the application as well as initially getting to the index.jsp page.

I was testing, by commenting out the filter in my web.xml, to see if I could just get to a vanilla index.jsp page that only contained: %=getRemoteUser()% so that I could make certain that I could get that value which I understood I should be able to without setting up REALM's or auth in the config. But after getting IIS to talk to Tomcat last week I've been trying to get this to work and to no avail as of today and therefore the reason for my post this morning.

I understood that the ISAPI filter provided the decrypted info that JCIFS had un decrypting and that is why we chose this route. But it seems like it is a lot more involved than what I read about and what I've understood from others on this list - which is fine but it was not as simple as I understood or misunderstood as the case may be.

Sorry I cannot be more specific. Hope this helps.
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22/06/2010 14:45, Savoy, Melinda wrote: We had been working with JCIFS and chose the Tomcat Connector for IIS because we're primarily a MS shop and already had IIS in place here. The team lead who had written this custom code is no longer with the company and I've had to try and figure out what all he did and then try to implement this Tomcat connector. I've been able to talk to this former team lead and he basically told me the following on the filter: The filter basically takes the request/response and does create an auth value using the Base64Decoder and Base64Encoder from Sun and we populate a User object that is then used throughout the session for authentication purposes within the application as well as initially getting to the index.jsp page. I was testing, by commenting out the filter in my web.xml, to see if I could just get to a vanilla index.jsp page that only contained: %=getRemoteUser()% so that I could make certain that I could get that value which I understood I should be able to without setting up REALM's or auth in the config. But after getting IIS to talk to Tomcat last week I've been trying to get this to work and to no avail as of today and therefore the reason for my post this morning. I understood that the ISAPI filter provided the decrypted info that JCIFS had un decrypting and that is why we chose this route. But it seems like it is a lot more involved that what I read about and what I've understood from others on this list - which is fine but it was not as simple as I understood or misunderstood as the case may be. Sorry I cannot be more specific. Hope this helps. So I'm reading this to mean that the Filter you have commented out is doing the work required to parse the auth header set the relevant object values. 
One of the things a Servlet Filter can do is wrap the current request/response objects (see Servlet HttpServletRequestWrapper, HttpServletResponseWrapper interfaces), the wrappers provide methods which override certain request/response methods providing alternative return values. So your custom filter could be decoding the header and overriding the getRemoteUser and getUserPrincipal methods; your app accesses the methods and gets values that are not supplied by Tomcat auth/realm support. (Meaning the JavaRanch advice isn't applicable). So you need to look inside the execute(req, res) method you mentioned earlier to find out what it does, and re-enable the filter. p -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 8:13 AM To: Tomcat Users List Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22/06/2010 13:59, Savoy, Melinda wrote: We have a custom filter that we're using because after we get the request and response info then I need to use the user value info and get the user also authenticated against a legacy system. But right now I have that commented out in my web.xml so that I can go directly to a test index.jsp page and verify that the getRemoteUser() is acquiring the user info from ISAPI but ISAPI is not providing that info to me via this method. I'm not sure, again, why it shows the info in the log but I cannot get to it directly. I'm not sure how Ranier was able to get to it as he stated awhile back. If there's no auth defined in web.xml then Tomcat isn't going to do anything - AFAIK the auth valves don't trigger unless the config puts them in the pipeline. If your auth is performed by a custom filter, that is currently commented out, then you're not going to get very far there either. Do you know exactly what the filter does? Does it decode the header itself and wrap the request/response objects? p Thanks again. 
-Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 7:53 AM To: 'Tomcat Users List' Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22/06/2010 13:36, Savoy, Melinda wrote: Thanks Pid, I did do that as well, but I did not see the user value there either. Here is what I got when I did issue the getHeaderNames() and as you can see the authorization shows the encrypted NTLM value but it is not decrypted and I cannot get to the info though the ISAPI log shows the decrypted value which I cannot get to: === MimeHeaders === accept = */* accept-language = en-us connection = Keep-Alive host = localhost user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2) cookie = JSESSIONID=969AE176A965514B845A6E3A9E83A21E authorization = NTLM TlRMTVNTUAADAEgASABIAEgAS A BIBcKIogUBKAoP accept-encoding = gzip
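The wrapping mechanism Pid describes above, as an added example that is not code from the thread or from Tomcat: a filter that takes the identity the connector already supplied, normalises it, and exposes it through overridden getRemoteUser() and getUserPrincipal(). The class names are hypothetical, and it assumes the javax.servlet API of the Tomcat 6 era (jakarta.servlet on current Tomcat releases).

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter: reads the user the container established (REMOTE_USER
 * forwarded by the connector), reduces "DOMAIN\\user" to "user", and hands the
 * rest of the application a wrapped request that reports that value.
 */
public class RemoteUserFilter implements Filter {

    /** Wrapper whose getRemoteUser()/getUserPrincipal() replace the container's values. */
    static final class IdentityRequest extends HttpServletRequestWrapper {
        private final Principal principal;

        IdentityRequest(HttpServletRequest request, final String account) {
            super(request);
            this.principal = new Principal() {
                public String getName() { return account; }
                @Override public String toString() { return account; }
            };
        }

        @Override public String getRemoteUser() { return principal.getName(); }
        @Override public Principal getUserPrincipal() { return principal; }
    }

    /** "TEXAS\\SavoyM" -> "SavoyM"; null or blank input -> null. */
    static String accountName(String remoteUser) {
        if (remoteUser == null) {
            return null;
        }
        String name = remoteUser.substring(remoteUser.lastIndexOf('\\') + 1).trim();
        return name.isEmpty() ? null : name;
    }

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Trust only the identity the connector supplied. A user name the webapp
        // reads out of a request header has not been verified by anything.
        String account = accountName(request.getRemoteUser());
        if (account == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "No authenticated user");
            return;
        }
        // JSPs and servlets further down the chain now see the wrapper's values.
        chain.doFilter(new IdentityRequest(request, account), response);
    }

    public void destroy() { }
}
```

A wrapper of this kind that returns null from getRemoteUser() would hide a value the connector did deliver, so any such filter in the chain is worth checking when the redirector log shows a user and the application does not.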
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Thanks Pid. That is what I'm working on right now. I am in the middle of the Decoder part of the code again. My apologies to this list as I understood I could get that directly from the ISAPI filter as it would decrypt it for me, which it does per the ISAPI log, and then pass it on to me via the HttpServletRequest getRemoteUser() which it does not do. Thanks again, Pid. Your help is much appreciated. Regards. -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 9:06 AM To: Tomcat Users List Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22/06/2010 14:45, Savoy, Melinda wrote: We had been working with JCIFS and chose the Tomcat Connector for IIS because we're primarily a MS shop and already had IIS in place here. The team lead who had written this custom code is no longer with the company and I've had to try and figure out what all he did and then try to implement this Tomcat connector. I've been able to talk to this former team lead and he basically told me the following on the filter: The filter basically takes the request/response and does create an auth value using the Base64Decoder and Base64Encoder from Sun and we populate a User object that is then used throughout the session for authentication purposes within the application as well as initially getting to the index.jsp page. I was testing, by commenting out the filter in my web.xml, to see if I could just get to a vanilla index.jsp page that only contained: %=getRemoteUser()% so that I could make certain that I could get that value which I understood I should be able to without setting up REALM's or auth in the config. But after getting IIS to talk to Tomcat last week I've been trying to get this to work and to no avail as of today and therefore the reason for my post this morning. I understood that the ISAPI filter provided the decrypted info that JCIFS had un decrypting and that is why we chose this route. 
But it seems like it is a lot more involved that what I read about and what I've understood from others on this list - which is fine but it was not as simple as I understood or misunderstood as the case may be. Sorry I cannot be more specific. Hope this helps. So I'm reading this to mean that the Filter you have commented out is doing the work required to parse the auth header set the relevant object values. One of the things a Servlet Filter can do is wrap the current request/response objects (see Servlet HttpServletRequestWrapper, HttpServletResponseWrapper interfaces), the wrappers provide methods which override certain request/response methods providing alternative return values. So your custom filter could be decoding the header and overriding the getRemoteUser and getUserPrincipal methods; your app accesses the methods and gets values that are not supplied by Tomcat auth/realm support. (Meaning the JavaRanch advice isn't applicable). So you need to look inside the execute(req, res) method you mentioned earlier to find out what it does, and re-enable the filter. p -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 8:13 AM To: Tomcat Users List Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22/06/2010 13:59, Savoy, Melinda wrote: We have a custom filter that we're using because after we get the request and response info then I need to use the user value info and get the user also authenticated against a legacy system. But right now I have that commented out in my web.xml so that I can go directly to a test index.jsp page and verify that the getRemoteUser() is acquiring the user info from ISAPI but ISAPI is not providing that info to me via this method. I'm not sure, again, why it shows the info in the log but I cannot get to it directly. I'm not sure how Ranier was able to get to it as he stated awhile back. 
If there's no auth defined in web.xml then Tomcat isn't going to do anything - AFAIK the auth valves don't trigger unless the config puts them in the pipeline. If your auth is performed by a custom filter, that is currently commented out, then you're not going to get very far there either. Do you know exactly what the filter does? Does it decode the header itself and wrap the request/response objects? p Thanks again. -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 7:53 AM To: 'Tomcat Users List' Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22/06/2010 13:36, Savoy, Melinda wrote: Thanks Pid, I did do that as well, but I did not see the user value there either. Here is what I got when I did issue the getHeaderNames() and as you can see the authorization shows the encrypted NTLM value
RE: Still having problem retrieving user value from ISAPI Filter for authentication
From: melindasa...@texashealth.org To: users@tomcat.apache.org; p...@pidster.com Date: Tue, 22 Jun 2010 08:45:18 -0500 Subject: RE: Still having problem retrieving user value from ISAPI Filter for authentication We had been working with JCIFS and chose the Tomcat Connector for IIS because we're primarily a MS shop and already had IIS in place here. The team lead who had written this custom code is no longer with the company MG read this MGhttp://washingtontechnology.com/Articles/2009/06/08/Insights-Soloway.aspx?Page=1 snip /snip Sorry I cannot be more specific. Hope this helps. -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 8:13 AM To: Tomcat Users List Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22/06/2010 13:59, Savoy, Melinda wrote: We have a custom filter that we're using because after we get the request and response info then I need to use the user value info and get the user also authenticated against a legacy system. But right now I have that commented out in my web.xml so that I can go directly to a test index.jsp page and verify that the getRemoteUser() is acquiring the user info from ISAPI but ISAPI is not providing that info to me via this method. I'm not sure, again, why it shows the info in the log but I cannot get to it directly. I'm not sure how Ranier was able to get to it as he stated awhile back. If there's no auth defined in web.xml then Tomcat isn't going to do anything - AFAIK the auth valves don't trigger unless the config puts them in the pipeline. If your auth is performed by a custom filter, that is currently commented out, then you're not going to get very far there either. Do you know exactly what the filter does? Does it decode the header itself and wrap the request/response objects? p Thanks again. 
-Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 7:53 AM To: 'Tomcat Users List' Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22/06/2010 13:36, Savoy, Melinda wrote: Thanks Pid, I did do that as well, but I did not see the user value there either. Here is what I got when I did issue the getHeaderNames() and as you can see the authorization shows the encrypted NTLM value but it is not decrypted and I cannot get to the info though the ISAPI log shows the decrypted value which I cannot get to: === MimeHeaders === accept = */* accept-language = en-us connection = Keep-Alive host = localhost user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2) cookie = JSESSIONID=969AE176A965514B845A6E3A9E83A21E authorization = NTLM TlRMTVNTUAADAEgASABIAEgAS A BIBcKIogUBKAoP accept-encoding = gzip, deflate content-length = 0 I don't know what I'm doing wrong here. Again, any help is appreciated. What do you have defined in web.xml for security-config etc? p Thanks. -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 7:11 AM To: Tomcat Users List Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22/06/2010 13:05, Marc Boorshtein wrote: I haven't tried this with IIS, but we had quite the discussion on this last week with Apache tomcat with JK. In your server.xml file add tomcatAuthentication=false to the AJP connector object. If you look in the archives of this list for JK_REMOTE_USER there is a very interesting discussion on the topic. Also, you could iterate through the headers in request.getHeaderNames() to see what's being passed across to Tomcat. 
p Marc
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22.06.2010 16:18, Savoy, Melinda wrote: Thanks Pid. That is what I'm working on right now. I am in the middle of the Decoder part of the code again. My apologies to this list as I understood I could get that directly from the ISAPI filter as it would decrypt it for me, which it does per the ISAPI log, and then pass it on to me via the HttpServletRequest getRemoteUser() which it does not do. It does, but I expect something in your application stack to overwrite or delete it again. If you want to find out what happens, you need to get into a more simple test situation, like deploying a trivial app (e.g. the default Tomcat ROOT context), and simply add a JSP or servlet there that shows you the request.getRemoteUser(). I expect that to work. Then the question why it doesn't work in your app is up to your application and framework code. Regards, Rainer
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Hi, Melinda- As Pid suggested, the first part of that string after NTLM in the authorization header decodes in base64 to 'NTLMSSP'. -Terence Bandoian Savoy, Melinda wrote: Thanks Pid, I did do that as well, but I did not see the user value there either. Here is what I got when I did issue the getHeaderNames() and as you can see the authorization shows the encrypted NTLM value but it is not decrypted and I cannot get to the info though the ISAPI log shows the decrypted value which I cannot get to: === MimeHeaders === accept = */* accept-language = en-us connection = Keep-Alive host = localhost user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2) cookie = JSESSIONID=969AE176A965514B845A6E3A9E83A21E authorization = NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP accept-encoding = gzip, deflate content-length = 0 I don't know what I'm doing wrong here. Again, any help is appreciated. Thanks. -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 7:11 AM To: Tomcat Users List Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22/06/2010 13:05, Marc Boorshtein wrote: I haven't tried this with IIS, but we had quite the discussion on this last week with Apache tomcat with JK. In your server.xml file add tomcatAuthentication=false to the AJP connector object. If you look in the archives of this list for JK_REMOTE_USER there is a very interesting discussion on the topic. Also, you could iterate through the headers in request.getHeaderNames() to see what's being passed across to Tomcat.
p Marc
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Question. As my code is currently blowing up when I setup the Base64Decoder in my constructor I'm getting an error immediately, at any rate I'm working thru that, but will this DECODE method show me the USERID that I'm looking for? That is what I'm needing. Thank you. -Original Message- From: Terence M. Bandoian [mailto:tere...@tmbsw.com] Sent: Tuesday, June 22, 2010 12:40 PM To: Tomcat Users List Subject: RE: Still having problem retrieving user value from ISAPI Filter for authentication Hi, Melinda- As Pid suggested, the first part of that string after NTLM in the authorization header decodes in base64 to 'NTLMSSP'. -Terence Bandoian Savoy, Melinda wrote: Thanks Pid, I did do that as well, but I did not see the user value there either. Here is what I got when I did issue the getHeaderNames() and as you can see the authorization shows the encrypted NTLM value but it is not decrypted and I cannot get to the info though the ISAPI log shows the decrypted value which I cannot get to: === MimeHeaders === accept = */* accept-language = en-us connection = Keep-Alive host = localhost user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2) cookie = JSESSIONID=969AE176A965514B845A6E3A9E83A21E authorization = NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP accept-encoding = gzip, deflate content-length = 0 I don't know what I'm doing wrong here. Again, any help is appreciated. Thanks. -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 7:11 AM To: Tomcat Users List Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22/06/2010 13:05, Marc Boorshtein wrote: I haven't tried this with IIS, but we had quite the discussion on this last week with Apache tomcat with JK. In your server.xml file add tomcatAuthentication=false to the AJP connector object.
If you look in the archives of this list for JK_REMOTE_USER there is a very interesting discussion on the topic. Also, you could iterate through the headers in request.getHeaderNames() to see what's being passed across to Tomcat. p Marc
RE: Still having problem retrieving user value from ISAPI Filter for authentication
): (scmisWorker) resetting endpoint with sd = 2128 [Tue Jun 22 06:15:21.003 2010] [1572:4000] [debug] jk_ajp_common.c (3010): recycling connection pool slot=0 for worker scmisWorker -Original Message- From: Rainer Jung [mailto:rainer.j...@kippdata.de] Sent: Tuesday, June 22, 2010 12:19 PM To: Tomcat Users List Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22.06.2010 16:18, Savoy, Melinda wrote: Thanks Pid. That is what I'm working on right now. I am in the middle of the Decoder part of the code again. My apologies to this list as I understood I could get that directly from the ISAPI filter as it would decrypt it for me, which it does per the ISAPI log, and then pass it on to me via the HttpServletRequest getRemoteUser() which it does not do. It does, but I expect something in your application stack to overwrite or delete it again. If you want to find out what happens, you need to get into a more simple test situation, like deploying a trivial app (e.g. the default Tomcat ROOT context), and simply add a JSP or servlet there that shows you the request.getRemoteUser(). I expect that to work. Then the question why it doesn't work in your app is up to your application and framework code. Regards, Rainer
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Hi, Melinda- I'm not sure it's going to be that easy. From what I've read, the NTLM authorization header includes structured data that is encoded using a server nonce and/or the password. However, AUTH_USER, REMOTE_USER and LOGON_USER variables should be available to ISAPI applications with NTLM. I'd be looking on the ISAPI side for a way, maybe a configuration setting, to pass the decoded NTLM credentials to tomcat. -Terence Bandoian Savoy, Melinda wrote: Question. As my code is currently blowing up when I setup the Base64Decoder in my constructor I'm getting an error immediately, at any rate I'm working thru that, but will this DECODE method show me the USERID that I'm looking for? That is what I'm needing. Thank you. -Original Message- From: Terence M. Bandoian [mailto:tere...@tmbsw.com] Sent: Tuesday, June 22, 2010 12:40 PM To: Tomcat Users List Subject: RE: Still having problem retrieving user value from ISAPI Filter for authentication Hi, Melinda- As Pid suggested, the first part of that string after NTLM in the authorization header decodes in base64 to 'NTLMSSP'. -Terence Bandoian Savoy, Melinda wrote: Thanks Pid, I did do that as well, but I did not see the user value there either. Here is what I got when I did issue the getHeaderNames() and as you can see the authorization shows the encrypted NTLM value but it is not decrypted and I cannot get to the info though the ISAPI log shows the decrypted value which I cannot get to: === MimeHeaders === accept = */* accept-language = en-us connection = Keep-Alive host = localhost user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2) cookie = JSESSIONID=969AE176A965514B845A6E3A9E83A21E authorization = NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP accept-encoding = gzip, deflate content-length = 0 I don't know what I'm doing wrong here. Again, any help is appreciated. Thanks.
-Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 7:11 AM To: Tomcat Users List Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22/06/2010 13:05, Marc Boorshtein wrote: I haven't tried this with IIS, but we had quite the discussion on this last week with Apache tomcat with JK. In your server.xml file add tomcatAuthentication=false to the AJP connector object. If you look in the archives of this list for JK_REMOTE_USER there is a very interesting discussion on the topic. Also, you could iterate through the headers in request.getHeaderNames() to see what's being passed across to Tomcat. p Marc
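What base64-decoding the Authorization value actually yields, as an added example that is not code from the thread: a JDK-only inspector that checks the NTLMSSP signature and, for a complete Type 3 message, reads the domain, user and workstation fields. The class and method names and the workstation value are hypothetical, the sample message is constructed, and it assumes JDK 8+ and a 64-byte fixed header. The user name in such a message is whatever the client sent; only the server that issued the challenge (IIS in this setup) can verify it.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

/** Hypothetical helper (JDK 8+): describes an "Authorization: NTLM <base64>" value. */
public class NtlmHeaderInspector {
    private static final byte[] SIGNATURE = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
    private static final int NEGOTIATE_UNICODE = 0x00000001;
    private static final int TYPE3_HEADER_LEN = 64; // fixed part, through NegotiateFlags

    /** Returns a one-line description; malformed input is reported, not thrown. */
    public static String describe(String header) {
        if (header == null || !header.regionMatches(true, 0, "NTLM ", 0, 5)) {
            return "not an NTLM Authorization value";
        }
        byte[] msg;
        try {
            msg = Base64.getDecoder().decode(header.substring(5).trim());
        } catch (IllegalArgumentException e) {
            return "NTLM scheme, but the token is not valid base64";
        }
        if (msg.length < 12 || !Arrays.equals(Arrays.copyOf(msg, 8), SIGNATURE)) {
            return "NTLM scheme, but no NTLMSSP signature";
        }
        ByteBuffer buf = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        int type = buf.getInt(8);
        if (type == 1) {
            return "Type 1 (negotiate): this message carries no user name";
        }
        if (type != 3) {
            return "NTLMSSP signature present, but message type " + type
                    + " is not 1 or 3 (" + msg.length + " bytes, truncated or corrupted)";
        }
        if (msg.length < TYPE3_HEADER_LEN) {
            return "Type 3 (authenticate), but only " + msg.length + " bytes: truncated";
        }
        // OEM strings are approximated as US-ASCII here.
        Charset cs = (buf.getInt(60) & NEGOTIATE_UNICODE) != 0
                ? StandardCharsets.UTF_16LE : StandardCharsets.US_ASCII;
        try {
            return "Type 3 (authenticate): domain=" + field(msg, buf, 28, cs)
                    + " user=" + field(msg, buf, 36, cs)
                    + " workstation=" + field(msg, buf, 44, cs)
                    + " (as claimed by the client)";
        } catch (IllegalArgumentException e) {
            return "Type 3 (authenticate), but " + e.getMessage();
        }
    }

    /** Reads one security buffer: len(2) maxLen(2) offset(4), then the bytes it points to. */
    private static String field(byte[] msg, ByteBuffer buf, int at, Charset cs) {
        int len = buf.getShort(at) & 0xFFFF;
        int off = buf.getInt(at + 4);
        if (len == 0) {
            return "";
        }
        if (off < TYPE3_HEADER_LEN || off > msg.length || len > msg.length - off) {
            throw new IllegalArgumentException("a field points outside the message");
        }
        return new String(msg, off, len, cs);
    }

    /** Builds a constructed Type 3 message with empty challenge responses (sample input only). */
    static String sampleHeader(String domain, String user, String workstation) {
        byte[] d = domain.getBytes(StandardCharsets.UTF_16LE);
        byte[] u = user.getBytes(StandardCharsets.UTF_16LE);
        byte[] w = workstation.getBytes(StandardCharsets.UTF_16LE);
        ByteBuffer b = ByteBuffer.allocate(TYPE3_HEADER_LEN + d.length + u.length + w.length)
                .order(ByteOrder.LITTLE_ENDIAN);
        int off = TYPE3_HEADER_LEN;
        b.put(SIGNATURE).putInt(3);
        putField(b, 0, off);                               // LM response (left empty)
        putField(b, 0, off);                               // NT response (left empty)
        putField(b, d.length, off); off += d.length;       // domain
        putField(b, u.length, off); off += u.length;       // user
        putField(b, w.length, off); off += w.length;       // workstation
        putField(b, 0, off);                               // session key (left empty)
        b.putInt(NEGOTIATE_UNICODE);
        b.put(d).put(u).put(w);
        return "NTLM " + Base64.getEncoder().encodeToString(b.array());
    }

    private static void putField(ByteBuffer b, int len, int off) {
        b.putShort((short) len).putShort((short) len).putInt(off);
    }

    public static void main(String[] args) {
        // Constructed sample; domain and user mirror the redirector log line in the thread.
        System.out.println(describe(sampleHeader("TEXAS", "SavoyM", "WKSTN01")));
        // The token as it appears in the thread, which is only 30 bytes once decoded.
        System.out.println(describe("NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP"));
    }
}
```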
RE: Still having problem retrieving user value from ISAPI Filter for authentication
That is definitely the preferred method and the reason for going to the Tomcat Connector for this authentication process. However, even with the most simple implementation of my index.jsp and web.xml file I cannot get the getRemoteUser() to work. I am hoping that Ranier is able to look at the log that I sent a few minutes ago and perhaps from there be able to determine where I've messed up in the configuration portion of the ISAPI filter or see something in the log that would show him where this is going wrong that perhaps I can fix(?). As far as trying to get these other variables, I'm not sure how to go about getting them from the request but I'll start researching. Thanks for the additional information. It's appreciated. Regards. -Original Message- From: Terence M. Bandoian [mailto:tere...@tmbsw.com] Sent: Tuesday, June 22, 2010 2:30 PM To: Tomcat Users List Subject: RE: Still having problem retrieving user value from ISAPI Filter for authentication Hi, Melinda- I'm not sure it's going to be that easy. From what I've read, the NTLM authorization header includes structured data that is encoded using a server nonce and/or the password. However, AUTH_USER, REMOTE_USER and LOGON_USER variables should be available to ISAPI applications with NTLM. I'd be looking on the ISAPI side for a way, maybe a configuration setting, to pass the decoded NTLM credentials to tomcat. -Terence Bandoian Savoy, Melinda wrote: Question. As my code is currently blowing up when I setup the Base64Decoder in my constructor I'm getting an error immediately, at any rate I'm working thru that, but will this DECODE method show me the USERID that I'm looking for? That is what I'm needing. Thank you. -Original Message- From: Terence M. 
Bandoian [mailto:tere...@tmbsw.com] Sent: Tuesday, June 22, 2010 12:40 PM To: Tomcat Users List Subject: RE: Still having problem retrieving user value from ISAPI Filter for authentication Hi, Melinda- As Pid suggested, the first part of that string after NTLM in the authorization header decodes in base64 to 'NTLMSSP'. -Terence Bandoian Savoy, Melinda wrote: Thanks Pid, I did do that as well, but I did not see the user value there either. Here is what I got when I did issue the getHeaderNames() and as you can see the authorization shows the encrypted NTLM value but it is not decrypted and I cannot get to the info though the ISAPI log shows the decrypted value which I cannot get to: === MimeHeaders === accept = */* accept-language = en-us connection = Keep-Alive host = localhost user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; MS-RTC EA 2) cookie = JSESSIONID=969AE176A965514B845A6E3A9E83A21E authorization = NTLM TlRMTVNTUAADAEgASABIAEgASABIBcKIogUBKAoP accept-encoding = gzip, deflate content-length = 0 I don't know what I'm doing wrong here. Again, any help is appreciated. Thanks. -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 7:11 AM To: Tomcat Users List Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22/06/2010 13:05, Marc Boorshtein wrote: I haven't tried this with IIS, but we had quite the discussion on this last week with Apache tomcat with JK. In your server.xml file add tomcatAuthentication=false to the AJP connector object. If you look in the archives of this list for JK_REMOTE_USER there is a very interesting discussion on the topic. Also, you could iterate through the headers in request.getHeaderNames() to see what's being passed across to Tomcat.
p Marc - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org The information contained in this message and any attachments is intended only for the use of the individual or entity to which it is addressed, and may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from disclosure under applicable law. If you are not the intended recipient, you are prohibited from copying, distributing, or using the information. Please contact the sender immediately by return e-mail and delete the original message from your system. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org The information contained in this message and any attachments is intended only for the use of the individual or entity to which it is addressed, and may contain information that is PRIVILEGED, CONFIDENTIAL
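The structured data Terence describes can be read without any secret, which is why Base64-decoding the header shows a name but proves nothing about it. The following is an added example, not code from anyone in the thread or from Tomcat: it reads the domain and user fields of an NTLM Type 3 message. The class and method names and the sample domain and user are constructed for illustration, and it assumes Java 8+ and a message that carries the flags field.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

/** Added example: reads the claimed domain and user from an NTLM Type 3 (AUTHENTICATE) header. */
public class NtlmType3Peek {
    private static final byte[] SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    /** Returns "DOMAIN\\user" as claimed by the client, or null if this is not a usable Type 3 message. */
    static String claimedUser(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.regionMatches(true, 0, "NTLM ", 0, 5)) return null;
        byte[] msg;
        try {
            msg = Base64.getDecoder().decode(authorizationHeader.substring(5).trim());
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        // Assumption: fixed part is 64 bytes (signature, type, six security buffers, flags).
        if (msg.length < 64 || !Arrays.equals(Arrays.copyOf(msg, 8), SIGNATURE)) return null;
        ByteBuffer buf = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        if (buf.getInt(8) != 3) return null; // 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE
        boolean unicode = (buf.getInt(60) & 0x1) != 0; // NTLMSSP_NEGOTIATE_UNICODE
        String domain = field(buf, msg, 28, unicode);
        String user = field(buf, msg, 36, unicode);
        return (domain == null || user == null) ? null : domain + "\\" + user;
    }

    /** Reads one security buffer: uint16 length, uint16 allocated, uint32 offset into the message. */
    private static String field(ByteBuffer buf, byte[] msg, int at, boolean unicode) {
        int len = buf.getShort(at) & 0xFFFF;
        long off = buf.getInt(at + 4) & 0xFFFFFFFFL;
        if (off + len > msg.length) return null; // offset is client-supplied, so bounds-check it
        return new String(msg, (int) off, len,
                unicode ? StandardCharsets.UTF_16LE : StandardCharsets.US_ASCII);
    }

    /** Builds a constructed Type 3 message that carries only a domain and a user name. */
    static String sampleHeader(String domain, String user) {
        byte[] d = domain.getBytes(StandardCharsets.UTF_16LE);
        byte[] u = user.getBytes(StandardCharsets.UTF_16LE);
        ByteBuffer b = ByteBuffer.allocate(64 + d.length + u.length).order(ByteOrder.LITTLE_ENDIAN);
        b.put(SIGNATURE).putInt(3);
        // {length, offset} for: LM response, NT response, domain, user, workstation, session key
        int[][] fields = { {0, 64}, {0, 64}, {d.length, 64}, {u.length, 64 + d.length}, {0, 64}, {0, 64} };
        for (int[] f : fields) b.putShort((short) f[0]).putShort((short) f[0]).putInt(f[1]);
        b.putInt(0x1).put(d).put(u); // flags (NEGOTIATE_UNICODE), then the payload
        return "NTLM " + Base64.getEncoder().encodeToString(b.array());
    }

    public static void main(String[] args) {
        String header = sampleHeader("EXAMPLE", "jdoe"); // constructed sample, not taken from the thread
        System.out.println(claimedUser(header));
        System.out.println(claimedUser("NTLM not-base64!")); // malformed input is rejected
    }
}
```

The name this returns is only what the client asserts; the response fields are checked by the server that issued the challenge (IIS in this setup), so the value to rely on is the one IIS forwards through the redirector and Tomcat exposes via getRemoteUser().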
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22.06.2010 21:29, Savoy, Melinda wrote:
> That is definitely the preferred method and the reason for going to the Tomcat Connector for this authentication process. However, even with the most simple implementation of my index.jsp and web.xml file I cannot get the getRemoteUser() to work. I am hoping that Rainer is able to look at the log that I sent a few minutes ago and perhaps from there be able to determine where I've messed up in the configuration portion of the ISAPI filter or see something in the log that would show him where this is going wrong that perhaps I can fix(?).

The ISAPI redirector log shows that it's correctly forwarding the data. What do your web.xml and server.xml for this test look like?

Regards,

Rainer
RE: Still having problem retrieving user value from ISAPI Filter for authentication
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" />

<!-- An Engine represents the entry point (within Catalina) that processes
     every request. The Engine implementation for Tomcat stand alone
     analyzes the HTTP headers included with the request, and passes them
     on to the appropriate Host (virtual host).
     Documentation at /docs/config/engine.html -->

<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">

  <!--For clustering, please take a look at documentation at:
      /docs/cluster-howto.html (simple how to)
      /docs/config/cluster.html (reference documentation) -->
  <!--
  <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
  -->

  <!-- The request dumper valve dumps useful debugging information about
       the request and response data received and sent by Tomcat.
       Documentation at: /docs/config/valve.html -->
  <!--
  <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
  -->

  <!-- This Realm uses the UserDatabase configured in the global JNDI
       resources under the key UserDatabase. Any edits
       that are performed against this UserDatabase are immediately
       available for use by the Realm. -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>

  <!-- Define the default virtual host
       Note: XML Schema validation will not work with Xerces 2.2.
  -->
  <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="true"
        xmlValidation="false" xmlNamespaceAware="false">

    <!-- SingleSignOn valve, share authentication between web applications
         Documentation at: /docs/config/valve.html -->
    <!--
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
    -->

    <!-- Access log processes all example.
         Documentation at: /docs/config/valve.html -->
    <!--
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
    -->

  </Host>
</Engine>
</Service>
</Server>

-----Original Message-----
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Tuesday, June 22, 2010 2:48 PM
To: Tomcat Users List
Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication

On 22.06.2010 21:29, Savoy, Melinda wrote:
> That is definitely the preferred method and the reason for going to the Tomcat Connector for this authentication process. However, even with the most simple implementation of my index.jsp and web.xml file I cannot get the getRemoteUser() to work. I am hoping that Rainer is able to look at the log that I sent a few minutes ago and perhaps from there be able to determine where I've messed up in the configuration portion of the ISAPI filter or see something in the log that would show him where this is going wrong that perhaps I can fix(?).

The ISAPI redirector log shows that it's correctly forwarding the data. What do your web.xml and server.xml for this test look like?

Regards,

Rainer
RE: Still having problem retrieving user value from ISAPI Filter for authentication
> From: Savoy, Melinda [mailto:melindasa...@texashealth.org]
> Subject: RE: Still having problem retrieving user value from ISAPI Filter for authentication
>
> What I did was comment out the filter from the web.xml and I went straight from the IE browser (http://localhost/index.jsp) to the index.jsp page that was comprised of only the following:
>
> <%@page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
> Here is my USERID using getRemoteUser, <%=request.getRemoteUser()%>, in my index.jsp page.
>
> My browser window then showed:
>
> Here is my USERID using getRemoteUser, null, in my index.jsp page.
>
> That was it. So I wasn't even going through my application at all but only from the browser to Tomcat and it returned my page without issue but with NO user value as is indicated below in the log.

Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser() in just Tomcat.

Look at the manager webapp web.xml example:

<!-- Define a Security Constraint on this Application -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTMLManger and Manager command</web-resource-name>
    <url-pattern>/jmxproxy/*</url-pattern>
    <url-pattern>/html/*</url-pattern>
    <url-pattern>/list</url-pattern>
    <url-pattern>/expire</url-pattern>
    <url-pattern>/sessions</url-pattern>
    <url-pattern>/start</url-pattern>
    <url-pattern>/stop</url-pattern>
    <url-pattern>/install</url-pattern>
    <url-pattern>/remove</url-pattern>
    <url-pattern>/deploy</url-pattern>
    <url-pattern>/undeploy</url-pattern>
    <url-pattern>/reload</url-pattern>
    <url-pattern>/save</url-pattern>
    <url-pattern>/serverinfo</url-pattern>
    <url-pattern>/status/*</url-pattern>
    <url-pattern>/roles</url-pattern>
    <url-pattern>/resources</url-pattern>
    <url-pattern>/findleaks</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- NOTE: This role is not present in the default users file -->
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>

<!-- Define the Login Configuration for this Application -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tomcat Manager Application</realm-name>
</login-config>

<!-- Security roles referenced by this web application -->
<security-role>
  <description>
    The role that is required to log in to the Manager Application
  </description>
  <role-name>manager</role-name>
</security-role>
Re: Still having problem retrieving user value from ISAPI Filter for authentication
> Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser() in just Tomcat.

This shouldn't be the case since she put tomcatAuthentication=false; Tomcat should be taking the username from the JK_REMOTE_USER attribute.

Have you tried a Wireshark packet capture?

Marc
RE: Still having problem retrieving user value from ISAPI Filter for authentication
Sorry, Marc. I have no idea what a Wireshark packet capture is. I've only worked with the Fiddler Http Proxy Debugger tool to view what is coming over on the browser.

Thanks.

-----Original Message-----
From: Marc Boorshtein [mailto:mboorsht...@gmail.com]
Sent: Tuesday, June 22, 2010 3:00 PM
To: Tomcat Users List
Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication

> Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser() in just Tomcat.

This shouldn't be the case since she put tomcatAuthentication=false; Tomcat should be taking the username from the JK_REMOTE_USER attribute.

Have you tried a Wireshark packet capture?

Marc
OT RE: Still having problem retrieving user value from ISAPI Filter for authentication
> From: Marc Boorshtein [mailto:mboorsht...@gmail.com]
> Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication
>
> > Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser() in just Tomcat.
>
> This shouldn't be the case since she put tomcatAuthentication=false; Tomcat should be taking the username from the JK_REMOTE_USER attribute.
>
> Marc

Doesn't the url mapping in the uriworkermap.properties file interrupt IIS from passing authentication to Tomcat?

If you restrict access to a virtual directory in IIS, mapped to a servlet or webapp in Tomcat, and there is a URL for that servlet/webapp in uriworkermap.properties, wouldn't Tomcat allow access even though IIS attempts to say no?

I still have a server with IIS and the isapi_redirect.dll Jakarta filter running internally. I created a new website in IIS, called test, using IIS port 8088, mapped to the examples directory in Tomcat 6.0.26 (Tomcat's HTTP port is still 8080). I added the Jakarta virtual directory to test. I removed anonymous access and checked integrated windows security for test.

http://localhost:8088 supply credentials of user not allowed to this directory - yields no access.
http://localhost:8088/examples I get right through, no challenge from IIS.
http://localhost:8088 supply credentials of user allowed, snoop JSP works, but Remote User is null. Everything else in snoop output had a value.
RE: OT RE: Still having problem retrieving user value from ISAPI Filter for authentication
> From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
> Subject: OT RE: Still having problem retrieving user value from ISAPI Filter for authentication
>
> Doesn't the url mapping in the uriworkermap.properties file interrupt IIS from passing authentication to Tomcat?
>
> If you restrict access to a virtual directory in IIS, mapped to a servlet or webapp in Tomcat, and there is a URL for that servlet/webapp in uriworkermap.properties, wouldn't Tomcat allow access even though IIS attempts to say no?
>
> I still have a server with IIS and the isapi_redirect.dll Jakarta filter running internally. I created a new website in IIS, called test, using IIS port 8088, mapped to the examples directory in Tomcat 6.0.26 (Tomcat's HTTP port is still 8080) I added the Jakarta virtual directory to test. I removed anonymous access and checked integrated windows security for test.
>
> http://localhost:8088 supply credentials of user not allowed to this directory - yields no access.
> http://localhost:8088/examples I get right through, no challenge from IIS.
> http://localhost:8088 supply credentials of user allowed, snoop JSP works, but Remote User is null. Everything else in snoop output had a value.

I stand corrected, as usual. Snoop JSP does display my login info. However, my browser is now set to supply credentials for internal sites. Automatic login only in Intranet zone.

IE 7 Internet Options Security Custom Level Scroll all the way down to User Authentication.

isapi_redirect.dll version 1.2.27
IIS 6.0
Windows Server 2003

http://localhost:8088/examples/jsp/snp/snoop.jsp

Request Information

JSP Request Method: GET
Request URI: /examples/jsp/snp/snoop.jsp
Request Protocol: HTTP/1.1
Servlet path: /jsp/snp/snoop.jsp
Path info: null
Query string: null
Content length: 0
Content type: null
Server name: server name
Server port: 8088
Remote user: PLANDEV\donahuel
Remote address: my ip
Remote host: my ip
Authorization scheme: Negotiate
Locale: en_US
Re: Still having problem retrieving user value from ISAPI Filter for authentication
On 22.06.2010 21:59, Marc Boorshtein wrote:
> > Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser() in just Tomcat.
>
> This shouldn't be the case since she put tomcatAuthentication=false; Tomcat should be taking the username from the JK_REMOTE_USER attribute.
>
> Have you tried a Wireshark packet capture?

The log file of the ISAPI redirector she presented already contains a dump of the AJP packet the redirector is going to send out. The dump shows the correct user string contained in the packet.

I've got no idea what's wrong here.

Regards,

Rainer