On 27.04.2016 13:57, Stéphane Thibaudeau wrote:

Hi.

On this list, it is preferred if you respond *below* the previous part.
It just makes it easier to follow the conversation later, for people who
search the archives.

See : http://tomcat.apache.org/lists.html -> tomcat users -> important

See below.


My bad. I'll be careful about that now :)




You are not the only one.
Welcome to the delights of Windows Domain authentication.

I do not know how Waffle works, but I would guess that the problem is
that now Waffle tries to use your new Tomcat user-id, as the user-id under
which it "logs in" to the Domain, to authenticate /other/ web users.
And that user-id (the one which it now uses), does not have the correct
privileges to do this, /as a server/.

Maybe you should consult the Waffle FAQ, to see if that kind of issue is
not already solved :
http://waffle.codeplex.com/wikipage?title=Frequently%20Asked%20Questions&referringTitle=Documentation

I think that before that, you also have to decide between conflicting
scenarios :
- your webapp should authenticate to the external server with the same
user-id as the current authenticated webapp user
- your webapp should authenticate to the external server under the user-id
under which Tomcat runs as a Service
- your webapp should authenticate to the external server under some
arbitrary and fixed user-id from some configuration file (or web.xml of
your webapp).

One last tip : generally-speaking, in any kind of Windows-Domain-based
authentication scenario, when a browser login dialog appears, it means that
the authentication has reverted to HTTP Basic authentication, and that is
usually a sign that something is not working as it should.


I'll follow your suggestions and look at the Waffle FAQ. I have already
read it to get Waffle working, but wasn't yet aware that it would prevent
me from connecting to the external server.

Between the conflicting scenarios, my choice would go to the third one
(configuration file) or the first one if it's not possible.


I will say this very tentatively and carefully, because I am after all not a Java programmer nor a real Tomcat expert, but what I suspect, is that when you

"created a class extending java.net.Authenticator. This class overrides getPasswordAuthentication() to return the domain, user and password to be
used to call the web services. This class is registered using
Authenticator.setDefault(). "

you also somehow override what Waffle is using at the global Tomcat level.
Maybe (and that is where my own competence reaches its limit) that is because of where you put the jar which contains your overriding class ?

So, there are several issues which may interact in some complicated way :
- the user-id under which Tomcat is running (which may need to be a valid Domain id, to allow Waffle to work properly, or which may need to be a Domain "service account" for the same reason) (I don't know really what Waffle needs, and you should consult their documentation for that; I was unable to find it so far)
- the fact that you are overriding a global Authenticator class by your own, instead of doing that only for this specific webapp
- whether or not the Domain in which this is all supposed to run, allows Basic authentication or not (it may on this one, but if you intend to install this same webapp in other networks, don't count on that being true always)

There is a last thing which puzzles me a bit.  Earlier you said :
"At last, when I try to access the url from my browser I get the same
conversation as with Tomcat, but I can provide my credentials through the
prompt dialog and then access my WSDL. "

Is this external WSDL server located in the same Windows Domain as your 
workstation/browser ?
Because :
- if it is, and that server also requires a Windows Domain authentication, then something is not working at that level, because you see a login dialog (which you should never see if the WIA authentication is working as it should)
- if it is not, then your browser would not even normally try NTLMSSP authentication, because by default (for security) this is only allowed for servers that are within the same Domain (unless you have specifically added it as a "trusted server" in your IE settings)


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
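
Added example, not part of the original message or of any poster's code: Authenticator.setDefault() installs a single authenticator for the whole JVM, so a class registered that way is consulted for every java.net connection made inside the Tomcat process. The sketch below answers only challenges from one configured web-service host and returns no credentials otherwise; the class name, host names, port and account are constructed placeholders.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;

/** Hypothetical authenticator that answers only for one configured endpoint. */
public final class ScopedAuthenticator extends Authenticator {
    private final String host;      // external web-service host (placeholder)
    private final int port;
    private final String user;      // e.g. "EXAMPLE\\svc-webapp" (constructed)
    private final char[] password;

    public ScopedAuthenticator(String host, int port, String user, char[] password) {
        this.host = host;
        this.port = port;
        this.user = user;
        this.password = password.clone();
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        // Registered JVM-wide, so any webapp's outbound connection can land here.
        boolean intendedTarget =
                getRequestorType() == RequestorType.SERVER   // not a proxy challenge
                && host.equalsIgnoreCase(getRequestingHost())
                && port == getRequestingPort();
        // null means "no credentials": other hosts never see the account.
        return intendedTarget ? new PasswordAuthentication(user, password) : null;
    }

    public static void main(String[] args) {
        Authenticator.setDefault(new ScopedAuthenticator(
                "ws.example.internal", 443,
                "EXAMPLE\\svc-webapp", "not-a-real-password".toCharArray()));

        // Simulate two challenges through the same global authenticator.
        PasswordAuthentication wanted = Authenticator.requestPasswordAuthentication(
                "ws.example.internal", null, 443, "https", "realm", "ntlm");
        PasswordAuthentication other = Authenticator.requestPasswordAuthentication(
                "other.example.internal", null, 443, "https", "realm", "ntlm");

        System.out.println("configured host gets credentials: " + (wanted != null));
        System.out.println("other host gets credentials: " + (other != null));
    }
}
```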
