Hi Joerg.
The following remarks are more a question from me than an answer to you. I am also interested in a real answer from someone who really knows.

Buchner, Joerg [T0I] (VW Sachsen) wrote:
Hi,

I've got a Microsoft IIS 6.0 web service.
Behind the IIS is an Apache Tomcat 5.5.26 (connected via ISAPI and the
AJP/1.3 protocol).

In the IIS "Integrated Windows Authentication" is enabled.

Ok, so IIS authenticates the user's browser session, and gets a Windows Domain user-id. Then the AJP protocol passes this user-id to Tomcat (presumably as a request attribute).


In server.xml tomcatAuthentication is set to false.

All right, so Tomcat "believes" the user-id as it is given by AJP, and sets this in its own internal UserPrincipal structure.

Also I've configured a JNDI Realm:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://********:389/"
       connectionName="*************"
       connectionPassword="*********"
       userBase="OU=******,OU=********,OU=******,DC=******,DC=********"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       userRoleName="memberOf"
       roleBase="OU=******,OU=******,OU=******,OU=******,OU=*********,DC=*****,DC=*****"
       roleName="name"
       roleSubtree="true"
       roleSearch="(cn={0})"
/>

Does the above not *interfere* with what you are trying to do, more than it helps? I mean, you already have an authenticated user-id, of which you are sure that it is in the AD directory. All that is needed now is to get from AD whatever fields contain the "role-name"(s) which we are looking for, and compare with what we want to allow for this webapp. Do the "roles" or "groups", as understood by AD, match the "roles" as understood by Tomcat?

In the web.xml of Tomcat (/conf/web.xml) I've configured a
security-constraint:

<security-constraint>
        <web-resource-collection>
                <web-resource-name>Test</web-resource-name>
                <url-pattern>/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
                <http-method>PUT</http-method>
                <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
                <role-name>some_ad_role_name</role-name>
        </auth-constraint>
</security-constraint>



<security-role>
        <description>Only 'tomcat' role is allowed to access this web application</description>
        <role-name>some_ad_role_name</role-name>
</security-role>



As far as I understand, with the above, Tomcat is going to issue a HttpServletRequest.isUserInRole("some_ad_role_name") call, and only allow access if the response is true.
Is that going to work in this case ?
It is not very clear (to me at least) what this isUserInRole() is going to refer to.

Now,
I'd like to realize that Tomcat gives access only to users
who are in one Active Directory group detected on IIS.


Since you already receive an authenticated user-id from IIS (but only a user-id), I would do the rest with a servlet filter wrapping your application (and allowing access or not depending on what it finds in AD for this user), rather than with the standard Tomcat declarative security model.

But maybe that's only my own ignorance speaking.

