Hi André 

yes, you are right.
With Integrated Windows Authentication, Tomcat only gets authenticated AD 
users.

But the problem is another one:

The source code (JSP/Servlets) is secured with NTFS rights on the filesystem.
(Windows Server 2003 x64)

I've tried to secure the whole application with NTFS rights,
but the NTFS ACL does not work for JSP files.

That is my problem.
I found an article on the internet saying that this is a feature of the ISAPI 
Redirector.

So, users can call JSP sites directly without authorisation, 
but we have no authorisation modules in the application.

That is my problem.

So, I'll secure the whole Tomcat,
so that Tomcat checks the permission of the user in an Active Directory group?

Thank you in advance.

Joerg
-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: Tuesday, 29 September 2009 17:45
To: Tomcat Users List
Subject: Re: IIS, Tomcat, JNDI and ActiveDirectory

Hi Joerg.
The following remarks are more a question from me than an answer to 
you. I am also interested in a real answer from someone who really knows.

Buchner, Joerg [T0I] (VW Sachsen) wrote:
> Hi,
> 
> I've got a Microsoft IIS 6.0 web service.
> Behind the IIS is an Apache Tomcat 5.5.26 (connected via ISAPI and the
> AJP/1.3 protocol).
> 
> In the IIS "Integrated Windows Authentication" is enabled.

Ok, so IIS authenticates the user's browser session, and gets a Windows 
Domain user-id.
Then the AJP protocol passes this user-id to Tomcat (presumably as a 
request attribute).

> 
> In server.xml tomcatAuthentication is set to false.

All right, so Tomcat "believes" the user-id as it is given by AJP, and 
sets this in its own internal UserPrincipal structure.

> Also I've configured a JNDI REALM:
> 
> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>        connectionURL="ldap://********:389/"
>        connectionName="*************"
>        connectionPassword="*********"
>        userBase="OU=******,OU=********,OU=******,DC=******,DC=********"
>        userSearch="(sAMAccountName={0})"
>        userSubtree="true"
>        userRoleName="memberOf"
>        roleBase="OU=******,OU=******,OU=******,OU=******,OU=*********,DC=*****,DC=*****"
>        roleName="name"
>        roleSubtree="true"
>        roleSearch="(cn={0})"
> />
> 

Does the above not *interfere* with what you are trying to do, more than 
it helps ?
I mean, you already have an authenticated user-id, of which you are sure 
that it is in the AD directory.  All that is needed now, is to get from 
AD, whatever fields that contain the "role-name"(s) which we are looking 
for, and compare with what we want to allow for this webapp.
Do the "roles" or "groups", as understood by AD, match the "roles" as 
understood by Tomcat ?

> In the web.xml of Tomcat (/conf/web.xml) I've configured a
> security-constraint:
> 
> <security-constraint>
>       <web-resource-collection>
>               <web-resource-name>Test</web-resource-name>
>               <url-pattern>/*</url-pattern>
>               <http-method>GET</http-method>
>               <http-method>POST</http-method>
>               <http-method>PUT</http-method>
>               <http-method>DELETE</http-method>
>       </web-resource-collection>
>       <auth-constraint>
>               <role-name>some_ad_role_name</role-name>
>       </auth-constraint>
> </security-constraint>
> 
> 
> 
> <security-role>
>       <description>Only 'tomcat' role is allowed to access this web
> application</description>
>       <role-name>some_ad_role_name</role-name>
> </security-role>
> 
> 

As far as I understand, with the above, Tomcat is going to issue a 
HttpServletRequest.isUserInRole("some_ad_role_name") call, and only 
allow access if the response is true.
Is that going to work in this case ?
It is not very clear (to me at least), what this isUserInRole() is going 
to refer to.

> Now,
> I'd like to achieve that Tomcat gives access only to users
> who are in one Active Directory group detected on IIS.
> 

Since you already receive an authenticated user-id from IIS (but only a 
user-id), I would do the rest with a servlet filter wrapping your 
application (and allowing access or not depending on what it finds in AD 
for this user), rather than with the standard Tomcat declarative 
security model.

But maybe that's only my own ignorance speaking.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org