David kerber wrote:
On 7/14/2011 9:50 AM, André Warnier wrote:
David kerber wrote:
I have a situation where my users will be logging into their pages on
an IIS 5 web server, which authenticates them with their user ID and
password as configured in IIS. This works fine.

Now I need to add some new functionality to the web site that will be
using my tomcat webapp, and I don't want them to have to authenticate
again in my app, so I'm trying to figure out how to pass the user ID
from the web page on IIS, to my webapp. I thought
request.getRemoteUser() would do it, but that's returning null, rather
than the logged-in user ID.

You need to specify what you use to forward requests from IIS to Tomcat.
If you are using Isapi_Redirect, then set the attribute
"tomcatAuthentication" to false in the Tomcat AJP <Connector> (in
server.xml).

I'm not "forwarding" at all. The call to tomcat from the IIS page is just the "action" parameter of the form. The only connector is the standard http 1.1 connector.

Ah, ok, I missed that.
That's another thing altogether.
So what is happening is this :

a) user calls a page from IIS
b) IIS delivers the page to the user's browser. The page contains a <form>.
c) user posts the <form> directly to Tomcat (without going through IIS).
d) Tomcat gets a normal POST request, directly from the user's browser.

So on the last leg (c+d), there is nothing that IIS can do to add the user-id, it is not in the loop.

So you have to "convince" the user's browser to send the logged-in user-id to Tomcat.

The only way I can see of doing that in this simplistic scenario is relatively simple, but *extremely insecure* :

At step (b) above, have the IIS application which generates that html page, insert a form field like the following in the <form> :
<input type="hidden" name="userid" value="*******">
where ****** is the IIS user-id.
The IIS user-id can be obtained (on the IIS side) by code such as the one Melinda posted.
Then when the browser posts the form to Tomcat, there will be an additional POST parameter "userid" containing the user-id.

Now again, the extreme insecurity :
- userA requests the form from IIS
- he gets a <form> with a hidden input containing the value "userA". So far, no problem.
- he saves this form, edits it, and replaces "userA" by "userB" (his boss's userid)
- he posts that form to Tomcat
Result #1 : in your Tomcat app, he is now considered as userB.
Result #2 : if there is ever a security audit, you're dead

-----------------

How it should be done :

There are essentially 2 ways :

1) have the <form> posted back to IIS, and have IIS "proxy" (forward) this call to Tomcat, with IIS adding the IIS-authenticated user-id on the way

2) install additional logic in Tomcat, to allow Tomcat to authenticate the user (automatically) with the Windows domain (just like IIS itself does).
That can be done in several ways, all of them requiring some serious configuration work.
You can use :
- the newly-released "authenticator Valve" (?) available in Tomcat 7
- the Waffle software (look up in Google)
- the commercial Jespa software (www.ioplex.com)
- (there may be others which I do not know)
All of the above suppose that your Tomcat is running on a computer that is itself within the Windows domain (or can be made part of it). So they will not work if the user workstations are inside the Windows domain, but the Tomcat server is outside on the Internet for example.
(But that also can be solved, ask if you need this.)
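Added example, not from the thread: a small Python model of the hidden-field exchange André describes, showing the Tomcat side accepting a forged user-id when it simply trusts the posted field, and a variant where IIS emits an HMAC-signed, time-limited token that the Tomcat side verifies. The signed-token approach is an extra mitigation beyond the two options given above; the shared secret, token format and parameter names are assumptions.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode, parse_qs

# Constructed demo secret; in a real deployment it would be configured on
# both the IIS side and the Tomcat side (assumption, not from the thread).
SHARED_SECRET = b"constructed-demo-secret"
TOKEN_TTL = 300  # seconds a token stays valid

def post_body(**params):
    """Build the application/x-www-form-urlencoded body the browser posts."""
    return urlencode(params)

def iis_hidden_field_plain(userid):
    """Step (b) from the thread: IIS drops the bare user-id into a hidden field."""
    return f'<input type="hidden" name="userid" value="{userid}">'

def tomcat_trusting(body):
    """Naive Tomcat side: believes whatever 'userid' the browser posted."""
    return parse_qs(body)["userid"][0]

def sign_userid(userid, now=None):
    """Added mitigation: bind user-id and timestamp together with an HMAC."""
    ts = int(time.time() if now is None else now)
    mac = hmac.new(SHARED_SECRET, f"{userid}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{userid}|{ts}|{mac}"

def tomcat_verifying(body, now=None):
    """Accept the user-id only if the MAC verifies and the token is fresh."""
    token = parse_qs(body).get("usertoken", [""])[0]
    try:
        userid, ts_str, mac = token.rsplit("|", 2)
        ts = int(ts_str)
    except ValueError:
        return None  # malformed or missing token
    expected = hmac.new(SHARED_SECRET, f"{userid}|{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # user-id or timestamp was tampered with
    current = int(time.time() if now is None else now)
    if not 0 <= current - ts <= TOKEN_TTL:
        return None  # expired (or clock skew beyond the window)
    return userid

if __name__ == "__main__":
    # userA edits the saved form and posts "userB": the trusting side believes it.
    print("trusting side sees:", tomcat_trusting(post_body(userid="userB")))
    forged = sign_userid("userA").replace("userA", "userB", 1)
    print("verifying side sees:", tomcat_verifying(post_body(usertoken=forged)))
```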


