2013/1/30 Vlaeminck, Dries <dries.vlaemi...@delawareconsulting.com>:
> Hello all,
>
> I am currently working for a client on a problem concerning authentication on 
> a Tomcat server, by first logging in on a remote ISA-server.

1. What is your exact version of Tomcat, x.y.z?

> The problem is as follows (usernames, passwords and domains are replaced by 
> dummies or blanks, for obvious security concerns :) ):
>
> On the Tomcat server, there is an application of OpenText. For this 
> application, we defined the login-config as:
> <login-config>
>                 <auth-method>BASIC</auth-method>
>                 <realm-name>test.dmz</realm-name>

2. Is it written as above, or you have extra new lines in the
"realm-name" value above?

> </login-config>
>
> In the configuration of Tomcat, in the server.xml file, we defined the realm 
> as follows:
> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>                 connectionURL="..."
>                 alternateURL="..."
>                 connectionName="...<mailto:svc_opentext_p...@isoext.dmz>"

3. The above is strange. XML does not allow using "<", ">" (or at
least one of those two) in an attribute value.

>                 connectionPassword="..."
>                 referrals="follow"
>                 userBase="DC=test,DC=dmz"
>                 userSearch="(sAMAccountName={0})"
>                 userSubtree="true"
>                 roleBase="DC=test,DC=dmz"
>                 roleName="cn"
>                 roleSearch="(member={0})"
>                 roleSubtree="false"
> />
>
> The problem with this is that the query for the sAMAccountName on the 
> LDAP-server doesn't return a valid user.
>
> In the header of the request, the credentials of the user are specified as: 
> "test.dmz\aelz:123Test"
> After debugging and packet analysis, we found out that the query was checking 
> if there was a sAMAccountName which equals "test.dmz lz".
>
> The problem is that the token {0}, which is filled in automatically by Tomcat 
> using the credentials from the HTTPS-header, contains a backslash after the 
> domain.

4. You mean an HTTP header.
Why such a value? The BASIC authentication is a well-known protocol.
What is your browser?

> However, we cannot change the ISA-server settings to prevent this, as other 
> servers depend on this manner of identification.
>
> My question now is:
> Does anybody know if we can "intercept" the token and escape the backslash or 
> even better substring the username from that token?

5. If you don't find a better way, a Valve can do it.

> Or are there alternatives to this "{0}" token?
>
> Any help would be greatly appreciated!
>

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
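As an added illustration of the Valve approach suggested above (this is example code written for this page, not code from Konstantin Kolinko, the original poster or the Tomcat project), the following Valve runs before the BasicAuthenticator, decodes the Basic credentials, strips a leading "DOMAIN\" prefix from the user name and rewrites the Authorization header so that the JNDIRealm's userSearch sees only the account name. It assumes Tomcat 6 to 9 (javax.servlet API, org.apache.catalina.valves.ValveBase) and Java 8 or later for java.util.Base64; the package name, class name and the "domain" attribute are hypothetical. Credentials are decoded as ISO-8859-1, which is the BasicAuthenticator's default charset. The account-name pattern is a deliberately conservative assumption: besides the backslash it rejects "*", "(", ")" and NUL, which are special in LDAP search filters, so the raw user name can no longer change the meaning of "(sAMAccountName={0})".

```java
package example;  // hypothetical package name

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.tomcat.util.http.MimeHeaders;

/**
 * Rewrites "Authorization: Basic base64(DOMAIN\user:pass)" into
 * "Authorization: Basic base64(user:pass)" before the authenticator runs.
 * Configure it in the Context (or Host) before the Realm, e.g.
 *   <Valve className="example.StripDomainValve" domain="test.dmz"/>
 */
public class StripDomainValve extends ValveBase {

    // Assumed allow-list for an sAMAccountName: letters, digits, '.', '_', '-',
    // at most 20 characters. Anything else (including '\', '*', '(', ')', NUL)
    // is rejected, so no LDAP filter metacharacters reach the realm's userSearch.
    private static final Pattern ACCOUNT = Pattern.compile("[A-Za-z0-9._-]{1,20}");

    // Optional: if set, only this domain prefix (case-insensitive) is accepted.
    private String domain;

    public String getDomain() { return domain; }
    public void setDomain(String domain) { this.domain = domain; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String header = request.getHeader("authorization");
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            String rewritten = rewriteBasic(header.substring(6).trim(), domain);
            if (rewritten == null) {
                // Malformed credentials, wrong domain, or a user name outside the
                // allow-list: fail closed instead of passing it to the realm.
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            // Replace the header in the underlying Coyote request so that the
            // BasicAuthenticator (which reads the MimeHeaders) sees the new value.
            MimeHeaders headers = request.getCoyoteRequest().getMimeHeaders();
            headers.setValue("authorization").setString(rewritten);
        }
        getNext().invoke(request, response);
    }

    /**
     * Decodes a Basic credential, strips "DOMAIN\" from the user part and
     * re-encodes it. Returns null when the input must be rejected.
     */
    static String rewriteBasic(String b64, String expectedDomain) {
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(b64);
        } catch (IllegalArgumentException e) {
            return null;
        }
        String creds = new String(raw, StandardCharsets.ISO_8859_1);
        int colon = creds.indexOf(':');
        if (colon < 0) {
            return null;
        }
        String user = creds.substring(0, colon);
        String pass = creds.substring(colon + 1);   // password may itself contain ':'

        int sep = user.indexOf('\\');
        if (sep >= 0) {
            String dom = user.substring(0, sep);
            if (expectedDomain != null && !expectedDomain.equalsIgnoreCase(dom)) {
                return null;                          // foreign domain: reject
            }
            user = user.substring(sep + 1);           // keep only the account name
        }
        if (!ACCOUNT.matcher(user).matches()) {
            return null;
        }
        byte[] out = (user + ":" + pass).getBytes(StandardCharsets.ISO_8859_1);
        return "Basic " + Base64.getEncoder().encodeToString(out);
    }

    // Stand-alone check on a constructed credential (not a real account).
    public static void main(String[] args) {
        String in = Base64.getEncoder().encodeToString(
                "test.dmz\\alice:s3cret".getBytes(StandardCharsets.ISO_8859_1));
        System.out.println(rewriteBasic(in, "test.dmz"));   // Basic base64("alice:s3cret")
        System.out.println(rewriteBasic(in, "other.dmz"));  // null (domain mismatch)
    }
}
```

Two practical notes: the valve must sit in front of the authenticator, so declare it in the Context (or the Host) rather than the Engine, and check what the BasicAuthenticator of your exact Tomcat version does with the header before relying on this (hence question 1 above). Stripping the domain also means the realm no longer knows which domain the user claimed; the "domain" attribute exists so that a prefix other than the one the JNDIRealm's userBase is bound to is refused rather than silently accepted.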
