Hello all,

I am currently working for a client on a problem concerning authentication on a 
Tomcat server, by first logging in on a remote ISA-server.
The problem is as follows (usernames, passwords and domains are replaced by 
dummies or blanks, for obvious security concerns :) ):

On the Tomcat server, there is an application of OpenText. For this 
application, we defined the login-config as:
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>test.dmz</realm-name>
</login-config>

In the configuration of Tomcat, in the server.xml file, we defined the realm as 
follows:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="..."
       alternateURL="..."
       connectionName="...svc_opentext_p...@isoext.dmz"
       connectionPassword="..."
       referrals="follow"
       userBase="DC=test,DC=dmz"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="DC=test,DC=dmz"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="false"
/>

The problem with this is that the query for the sAMAccountName on the 
LDAP-server doesn't return a valid user.

In the header of the request, the credentials of the user are specified as: 
"test.dmz\aelz:123Test"
After debugging and packet analysis, we found out that the query was checking 
if there was a sAMAccountName which equals "test.dmz lz".

The problem is that the token {0}, which is filled in automatically by Tomcat 
using the credentials from the HTTPS-header, contains a backslash after the 
domain.
However, we cannot change the ISA-server settings to prevent this, as other 
servers depend on this manner of identification.

My question now is:
Does anybody know if we can "intercept" the token and escape the backslash or 
even better substring the username from that token?
Or are there alternatives to this "{0}" token?

Any help would be greatly appreciated!

With kind regards,

Dries
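As an added illustration (not code from this thread, from Tomcat or from OpenText), here is a Python sketch of what such an interceptor would have to do with the forwarded header: decode the Basic credentials, strip the DOMAIN\ prefix the ISA-server prepends, and escape the remaining value per RFC 4515 before it is substituted for {0}, so that a backslash (or *, parentheses) in the user name cannot alter the meaning of the userSearch filter. The filter template and domain are the ones quoted in the question; the sample header is constructed.

```python
import base64
import binascii
from typing import Optional, Tuple

# RFC 4515 escapes for characters that would otherwise change an LDAP
# filter's meaning; a raw backslash is the one this thread trips over.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_ldap_filter_value(value: str) -> str:
    """Return value with filter metacharacters escaped per RFC 4515."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def parse_basic_credentials(header: str) -> Tuple[str, str]:
    """Decode an HTTP Basic Authorization header into (user, password)."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "basic" or not b64:
        raise ValueError("not a Basic Authorization header")
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credentials") from exc
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("Basic credentials lack the ':' separator")
    return user, password

def split_domain_user(user: str, expected_domain: Optional[str] = None) -> str:
    """Strip a 'DOMAIN\\user' prefix; reject a prefix for the wrong domain."""
    domain, sep, bare = user.partition("\\")
    if not sep:
        return user
    if expected_domain is not None and domain.lower() != expected_domain.lower():
        raise ValueError(f"unexpected domain prefix {domain!r}")
    return bare

def build_user_search(template: str, user: str) -> str:
    """Fill {0} as JNDIRealm's userSearch does, but with the value escaped."""
    return template.replace("{0}", escape_ldap_filter_value(user))

def user_filter_from_header(header: str, template: str = "(sAMAccountName={0})",
                            expected_domain: Optional[str] = "test.dmz") -> Tuple[str, str]:
    """Header -> (LDAP user filter, password) for the realm to bind with."""
    user, password = parse_basic_credentials(header)
    return build_user_search(template, split_domain_user(user, expected_domain)), password

# Constructed sample: a header carrying "test.dmz\aelz:123Test" from the question.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"test.dmz\\aelz:123Test").decode("ascii")
```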