On 7/14/2011 10:31 AM, André Warnier wrote:
David kerber wrote:
On 7/14/2011 9:50 AM, André Warnier wrote:
David kerber wrote:
I have a situation where my users will be logging into their pages on
an IIS 5 web server, which authenticates them with their user ID and
password as configured in IIS. This works fine.

Now I need to add some new functionality to the web site that will be
using my tomcat webapp, and I don't want them to have to authenticate
again in my app, so I'm trying to figure out how to pass the user ID
from the web page on IIS, to my webapp. I thought
request.getRemoteUser() would do it, but that's returning null, rather
than the logged-in user ID.

You need to specify what you use to forward requests from IIS to Tomcat.
If you are using Isapi_Redirect, then set the attribute
"tomcatAuthentication" to false in the Tomcat AJP <Connector> (in
server.xml).

I'm not "forwarding" at all. The call to tomcat from the IIS page is
just the "action" parameter of the form. The only connector is the
standard http 1.1 connector.

Ah, ok, I missed that.
That's another thing altogether.
So what is happening is this :

a) user calls a page from IIS
b) IIS delivers the page to the user's browser. The page contains a <form>.
c) user posts the <form> directly to Tomcat (without going through IIS).
d) Tomcat gets a normal POST request, directly from the user's browser.

Yes, that's it. The only missing thing is that I thought that since the user has authenticated through IIS, that his user ID might be carried along somewhere from the browser side. But that is not happening.


So on the last leg (c+d), there is nothing that IIS can do to add the
user-id, it is not in the loop.

So you have to "convince" the user's browser to send the logged-in
user-id to Tomcat.

The only way I can see of doing that in this simplistic scenario is
relatively simple, but *extremely insecure* :

At step (b) above, have the IIS application which generates that html
page, insert a form field like the following in the <form> :
<input type="hidden" name="userid" value="*******">
where ****** is the IIS user-id.
The IIS user-id can be obtained (on the IIS side) by code such as the
one Melinda posted.
Then when the browser posts the form to Tomcat, there will be an
additional POST parameter "userid" containing the user-id.

Now again, the extreme insecurity :
- userA requests the form from IIS
- he gets a <form> with a hidden input containing the value "userA". So
far, no problem.
- he saves this form, edits it, and replaces "userA" by "userB" (his
boss's userid)
- he posts that form to Tomcat
Result #1 : in your Tomcat app, he is now considered as userB.
Result #2 : if there is ever a security audit, you're dead

Yes, I had already thought of that method, and am hoping to avoid it. This data page has extremely low security requirements, but I'd still like something better if I can figure it out. If nothing else, I'll then have something in my pocket when an application comes up that needs better security.



-----------------

How it should be done :

There are essentially 2 ways :

1) have the <form> posted back to IIS, and have IIS "proxy" (forward)
this call to Tomcat, with IIS adding the IIS-authenticated user-id on
the way

This is what I'd like to do, but it's new to me; up to this point, the IIS web site and the tomcat applications have been completely unrelated and unconnected. I'll see what I can google up.



2) install additional logic in Tomcat, to allow Tomcat to authenticate
the user (automatically) with the Windows domain (just like IIS itself
does).
That can be done in several ways, all of them requiring some serious
configuration work.
You can use :
- the newly-released "authenticator Valve" (?) available in Tomcat 7
- the Waffle software (look up in Google)
- the commercial Jespa software (www.ioplex.com)
- (there may be others which I do not know)
All of the above suppose that your Tomcat is running on a computer that
is itself within the Windows domain (or can be made part of it). So they
will not work if the user workstations are inside the Windows domain,
but the Tomcat server is outside on the Internet for example.
(But that also can be solved, ask if you need this.)

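An added example for option 1 above (not code from this thread, nor from Tomcat or IIS): a servlet Filter that honours a user-id header added by IIS only when the request actually arrived from the IIS proxy, and never reads the spoofable hidden "userid" form field. The header name X-Forwarded-User, the init-param names and the proxy address are assumptions; IIS would have to be configured to set that header when it forwards.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

// Example filter: trusts the forwarded user-id header ONLY when the request
// came from the configured IIS proxy address. Header and init-param names
// are assumptions for this example, not Tomcat or IIS defaults.
public class ProxyUserFilter implements Filter {
    private String trustedProxy;   // init-param "trustedProxy", e.g. "10.0.0.5"
    private String headerName;     // init-param "userHeader", e.g. "X-Forwarded-User"

    public void init(FilterConfig cfg) {
        trustedProxy = cfg.getInitParameter("trustedProxy");
        headerName = cfg.getInitParameter("userHeader");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String forwarded = http.getHeader(headerName);
        // The hidden "userid" form parameter from the thread is deliberately
        // never consulted: the browser controls it, so it proves nothing.
        if (forwarded != null && !http.getRemoteAddr().equals(trustedProxy)) {
            // Header present but the hop was not IIS: a direct post to Tomcat
            // carrying a self-asserted identity. Refuse rather than trust it.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        final String user = forwarded;  // null when IIS sent no identity
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public String getRemoteUser() { return user; }
            @Override public Principal getUserPrincipal() {
                if (user == null) return null;
                return new Principal() { public String getName() { return user; } };
            }
        }, res);
    }

    public void destroy() {}
}
```

The remote-address check only holds if Tomcat is reachable solely through IIS (firewall or a loopback/internal bind); otherwise the header is just a second spoofable field.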