Hi.
On 03.01.2018 18:31, Agrawal, Suraj (CORP) wrote:
Hi Team,
We are currently working on "Apache Tomcat Version 8.0.22". We are using Apache to host javacontainer for Rest calls for our Siebel application. The javacontainer is listening to Port 9001 as below-
<Connector port="9001" redirectPort="8443" connectionTimeout="20000" protocol="HTTP/1.1"/>
We are trying to set up Windows Authentication in Apache by using Reverse Proxy with IIS, and have followed the below steps as per the Apache documentation.
---Steps followed :
There are three steps to configuring IIS to provide Windows authentication. They are:
1. Configure IIS as a reverse proxy for Tomcat (see the IIS Web Server How-To).
---- This is done and working as expected
There is a bit of confusing information in the page
http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
in that it talks (in the title and elsewhere) of the "ISAPI redirector", but then later it mentions "The mod_jk module uses the AJP protocol to send requests to the Tomcat containers". In fact, "mod_jk" and "ISAPI redirector" are functionally the same thing (and probably much the same code), but
- mod_jk is the plugin proxy module to use with an Apache httpd webserver front-end (under Linux and/or Windows)
- isapi_redirector is the plugin proxy module to use with an IIS webserver front-end (Windows only)
But /both/ use the same protocol to talk with the back-end Tomcat, and that protocol is AJP, not HTTP.
So in both cases, what they are "talking to" is the AJP Connector in Tomcat, and not the HTTP Connector.
The AJP protocol is somewhat different from HTTP:
- both essentially carry the same information (requests and responses)
but
- HTTP carries all its information back and forth in a text form as per HTTP RFC
- AJP encodes some of this information in a binary form (a bit more efficient)
- one of the "binary" parameters which the AJP protocol does transmit from the front-end to the back-end, is the authenticated user-id on the front-end, if any. (HTTP does not normally do this in any standard way).
At the Tomcat level (the AJP Connector), the attribute "tomcatAuthentication" (true/false) serves to tell Tomcat to either "believe" (false) the user-id that it receives from the front-end through AJP, or to ignore it (true) and do its own authentication anyway.
At the Tomcat level, this "tomcatAuthentication" attribute only makes sense with the AJP Connector (and protocol).
See: http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Common_Attributes (tomcatAuthentication AND tomcatAuthorization)
while here:
http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#Common_Attributes
this attribute is not mentioned (so if you add it, it will simply be ignored).
2. Configure IIS to use Windows authentication
---- This is done and working as expected
3. Configure Tomcat to use the authentication user information from IIS by setting the tomcatAuthentication attribute on the AJP connector to false. Alternatively, set the tomcatAuthorization attribute to true to allow IIS to authenticate, while Tomcat performs the authorization.
Right. But on which Tomcat connector did you set this? (HTTP or AJP?)
Q1 ---- We were able to configure the reverse proxy with Anon user but the Windows authentication is failing at Apache level with below error:-
Thread[http-nio-9001-exec-15,5,main] [2017-12-27 13:17:12.637] [null] Error while login : The username cannot be empty. Please select a username.
Your problem may be there, with this "anonymous" authentication at the IIS level. Maybe the isapi_redirector interprets this as "no user", and transmits an empty user-id to Tomcat. Have you tried with a real Windows-level user-id?
Q2 ---- Our configuration is using "HTTP" protocol, do we need to change the server.xml entry for 9001 to use AJP protocol and then add entry "tomcatAuthentication=False"
Yes, probably.
Q3 ---- Do we need to install AJP connector on top of Tomcat or it's installed by default, or we do not need it for Windows Authentication.
You do need it.
It is provided by default, but you may need to uncomment the corresponding lines in the server.xml file.
Considering your previous statements above, make sure that the HTTP Connector (if any) and the AJP Connector (if any) use different ports.
And on the IIS/ISAPI redirector side, make sure that the settings specify the correct (AJP) port.
This is all quite logical, but a bit convoluted, due to the many ways in which you can use a front-end with Tomcat, and the many ways in which one can do authentication/authorization in the WWW.
I have found that it often helps to draw a schema in advance, such as
browser <--(1)--> front-end (2) <-----(4)---> tomcat (5)
                  + proxy module (3)          + Connector(6)
where:
(1) is the protocol used between the browser and the front-end http server (HTTP or HTTPS)
(2) is the front-end webserver (Apache httpd or IIS (or others)), which can be doing its own authentication/authorization or not
(3) is the proxy module add-on to (2). There are a number of possibilities here, depending on (2) and (4)
(4) is the protocol used between the front-end webserver and Tomcat (HTTP, HTTPS or AJP)
(5) is Tomcat, which can be doing its own authentication/authorization or not
(6) is the Tomcat Connector, which depends on (3) and (4)
Depending on the circumstances and on what you want to achieve in the end, the variable elements above allow for a lot of combinations. And that of course makes it rather difficult to provide a fully comprehensive, all-in-one-place documentation.
Thanks & Regards,
Suraj Agrawal
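A server.xml illustration of the advice in this thread, added here as an editor's example (not from the thread, not from the Tomcat documentation): the existing HTTP/1.1 Connector on 9001 stays for direct REST clients, and a separate AJP Connector is added for the isapi_redirector. The AJP port 8009, the 127.0.0.1 bind address (IIS on the same host as Tomcat) and the secret value are assumptions.

```xml
<!-- Added example, not from the thread. Two Connectors on distinct ports. -->

<!-- Before: the attribute is placed on the HTTP/1.1 Connector, where Tomcat
     does not know it and silently ignores it, so the IIS user never reaches
     the application; the AJP Connector is still commented out as shipped. -->
<Connector port="9001" redirectPort="8443" connectionTimeout="20000"
           protocol="HTTP/1.1" tomcatAuthentication="false"/>
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->

<!-- After: leave the HTTP Connector as it was for direct REST callers ... -->
<Connector port="9001" redirectPort="8443" connectionTimeout="20000"
           protocol="HTTP/1.1"/>
<!-- ... and give the isapi_redirector its own AJP Connector on another port.
     tomcatAuthentication="false" means Tomcat believes whatever user-id the
     front-end sends, so only the IIS host may be able to reach this port:
     bind it to loopback (assumes IIS on the same machine) and require the
     shared secret that the worker in workers.properties is configured with
     (worker.<name>.secret). Port 8009 and the secret value are placeholders. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           tomcatAuthentication="false"
           requiredSecret="REPLACE_WITH_SHARED_SECRET"/>
<!-- Alternative from step 3 above: tomcatAuthorization="true" instead, so IIS
     authenticates and Tomcat still does the role lookup in its own Realm. -->
```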
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------