Authentication and IIS seems to be a bit of a joke.
One of the sites I develop needed to use NTLM for an intranet application. After some
trials with IIS we ended up with Apache and mod_ntlm. It works like a charm. If you try
to write your own realm you may want to check the code for that.
OTOH you should be able to use that with Apache and use <Location> tags in the .conf
file to achieve your aims. Restricted users can be shut out and req.getRemoteUser() can
be used to see who has been authenticated. (Note the username will be "domain\user".)
HTH
Brett Knights
> -----Original Message-----
> From: Randy Layman [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 28, 2001 4:32 AM
> To: [EMAIL PROTECTED]
> Subject: RE: TomCat - IIS - Security
>
> To secure things in Tomcat you need to use realms. To use NTLM you
> will need to write your own realm, which will require writing C/C++ code
> since NT doesn't play nice with Java. Perhaps someone has already written
> this and will publish it when they see this message.
>
> How does this solve your problem of protecting various resources?
> You will use security-constraint tags in the web.xml file.
>
> Randy
>
> -----Original Message-----
> From: Christian Schulz [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 27, 2001 5:37 PM
> To: '[EMAIL PROTECTED]'
> Subject: AW: TomCat - IIS - Security
> Importance: High
>
> Hello Randy,
> how can we tell TomCat to perform user authentication using the NT mechanism
> (NTLM)? And, if we want to protect "ourserver/secretfolder" with permissions
> for user "foo" and user "bar", but "ourserver/secretfolder/moresecret" with
> permissions for user "bar", how could that be possible?
> Bye
> Christian
> -----Original Message-----
> From: Randy Layman [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 27 February 2001 13:57
> To: [EMAIL PROTECTED]
> Subject: RE: TomCat - IIS - Security
>
> This seems perfectly reasonable to me - you told IIS to protect
> everything it serves out of outserver/secretfolder and have apparently not
> told Tomcat to protect this webapp. If you want to protect all JSPs then
> you can protect the /jakarta directory, or you could configure Tomcat to
> perform user authentication.
> Randy
> -----Original Message-----
> From: Christian Schulz [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 27, 2001 8:17 AM
> To: '[EMAIL PROTECTED]'
> Cc: Thomas Dingel
> Subject: TomCat - IIS - Security
> Importance: High
>
> Hello,
> when using Tomcat with IIS, we have a security hole.
> We installed Tomcat as described in the documentation.
> The following scenario will show our problem:
> We have a folder reachable as http://outserver/secretfolder/ with NT
> Security permissions set.
> The folder "secretfolder" can only be read by the system and by a user named
> "foo". Now, without Tomcat, the user "foo" can access the contents of the
> folder "secretfolder", all other users will get "access denied". We use NTLM
> for authentication (so the browser [IE 5.x] automatically sends the current
> NT user's account to the webserver).
> Now, we put a file named "testme.jsp" into "secretfolder" and try to open it
> from an NT user's account named "bar". The IIS now redirects to TomCat
> without checking any permissions and Tomcat returns the result of
> "testme.jsp". But, in our opinion, this should not happen!!!
> The user "bar" also has to get an error "access denied"! So, TomCat
> bypasses NT Security!
> Does anybody have a solution for that?
> Bye bye
> Christian Schulz
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, email: [EMAIL PROTECTED]
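A worked web.xml fragment, added here as an example and not taken from any message in this thread, showing the security-constraint approach Randy describes applied to the two folders Christian asks about: "foo" and "bar" may reach /secretfolder, only "bar" may reach /secretfolder/moresecret. It assumes the webapp's realm (whatever it is; a custom NTLM realm or Tomcat's default one) maps user "foo" to role "foo" and user "bar" to role "bar", and uses BASIC as a placeholder auth-method; the role and realm names are assumptions, not from the page.

```xml
<!-- Example web.xml excerpt (not from the original thread).
     Place inside <web-app> ... </web-app>. -->

<!-- Outer folder: both roles allowed. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>secretfolder</web-resource-name>
    <url-pattern>/secretfolder/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>foo</role-name>
    <role-name>bar</role-name>
  </auth-constraint>
</security-constraint>

<!-- Inner folder: the longer, more specific url-pattern wins, so
     only this constraint governs /secretfolder/moresecret/... -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>moresecret</web-resource-name>
    <url-pattern>/secretfolder/moresecret/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>bar</role-name>
  </auth-constraint>
</security-constraint>

<!-- Assumed placeholder: swap for the realm/auth-method actually wired in. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>secret</realm-name>
</login-config>

<!-- Roles referenced above must be declared. -->
<security-role>
  <role-name>foo</role-name>
</security-role>
<security-role>
  <role-name>bar</role-name>
</security-role>
```

Two checks worth doing after wiring this up: request /secretfolder/moresecret/testme.jsp as "foo" and confirm a 403 rather than the page (the inner constraint must not be satisfiable via the outer one), and request the same path with a .jsp suffix variation or trailing-slash variant to confirm the url-pattern still matches, since the IIS-to-Tomcat redirector forwards by pattern and anything it forwards is judged only by these constraints, not by the NTFS ACLs Christian set on the folder.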