Posted to users@tomcat.apache.org by Rudy Gireyev <rg...@gmail.com> on 2011/09/14 00:35:01 UTC

Tomcat and MS LDAP Configuration Problem

I've run into a problem that I can't seem to resolve. :( I have to
configure Tomcat to work with Microsoft LDAP. I'm using Tomcat 7, and
both servers are running on Windows 2003. I managed to configure a
JNDI Realm in server.xml and it seems to be able to connect to LDAP
and authenticate the user without any apparent problems. (Listing
below) However, the Deployment Descriptor (WEB.XML) is giving me fits.

When the url-pattern for security-constraint is /jsp/* then the user
is validated only once and then never again, as if their credentials
had been cached, but the main problem is that request.getRemoteUser()
is never set (i.e. it is always null) same with Principal.
If I change the url-pattern to /* then the user is authenticated each
and every time the application is accessed and the
request.getRemoteUser() is then set to that user name. But then I
cannot store anything in the session of the application. When I do
request.getSession(false).setAttribute("oy", vey); the session is not
updated and doing the request.getSession(false).getAttribute("oy")
returns null.
I tried this having index.jsp in the main application directory,
meaning at the same level as WEB-INF and the jsp directory, and then
redirecting the user to a servlet. I also tried it by going directly
into the jsp directory upon the very first request. In essence moving
the index.jsp into the jsp directory. Both methods exhibit the same
behavior. :(

What on earth is going on? I've plowed through the Tomcat log files
hoping for any morsel of a clue as to what's happening, but to no
avail. I'm officially and completely lost and confused.

List 1. Server.xml (The ip, name, pw and DC=compname have been changed
to protect the guilty :))
<Realm className="org.apache.catalina.realm.JNDIRealm"
   connectionName="supersecretname"
   connectionPassword="supersecretpw"
   connectionURL="ldap://255.255.255.255:389"
   debug="99"
   referrals="follow"
   roleBase="OU=DOMAIN_OBJECTS,DC=compname,DC=local"
   roleName="CN"
   roleSearch="(member={0})"
   roleSubtree="true"
   userBase="OU=DOMAIN_OBJECTS,DC=compname,DC=local"
   userSearch="(sAMAccountName={0})"
   userSubtree="true"
   userRoleName="memberOf" />

Listing 2 (Web.xml) Deployment Descriptor
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID"
version="3.0">
  <display-name>MyApp</display-name>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MyApp</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Role1</role-name>
      <role-name>Role2</role-name>
      <role-name>Role3</role-name>
      <role-name>Role4</role-name>
      <role-name>Role5</role-name>
      <role-name>Role6</role-name>
      <role-name>Role7</role-name>
      <role-name>Role8</role-name>
      <role-name>Role9</role-name>
      <role-name>P010</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>MyApp</realm-name>
  </login-config>
  <security-role>
    <description>Role1</description>
    <role-name>Role1</role-name>
  </security-role>
  <security-role>
    <description>Role2</description>
    <role-name>Role2</role-name>
  </security-role>
  <security-role>
    <description>Role3</description>
    <role-name>Role3</role-name>
  </security-role>
  <security-role>
    <description>Role4</description>
    <role-name>Role4</role-name>
  </security-role>
  <security-role>
    <description>Role5</description>
    <role-name>Role5</role-name>
  </security-role>
  <security-role>
    <description>Role6</description>
    <role-name>Role6</role-name>
  </security-role>
  <security-role>
    <description>Role7</description>
    <role-name>Role7</role-name>
  </security-role>
  <security-role>
    <description>Role8</description>
    <role-name>Role8</role-name>
  </security-role>
  <security-role>
    <description>Role9</description>
    <role-name>Role9</role-name>
  </security-role>
  <security-role>
    <description>P010</description>
    <role-name>P010</role-name>
  </security-role>
</web-app>

Thanks to all in advance.

Rudy

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat and MS LDAP Configuration Problem

Posted by Rudy Gireyev <rg...@gmail.com>.
Thank you for your reply Konstantin.

> In short:
> 1. When session cookie is created in recent versions of Tomcat,  the
> Path parameter in it is set to   webappName + "/".
>
> 2. Requests to "webappName" are usually automatically redirected to
> "webappName + /" (Tomcat sends response code 302),
>
> but in some rare configurations this redirect does not happen.
> I do not remember what exactly are the circumstances, but I think that
> this involved a servlet that is mapped to "/*", and maybe absence of a
> welcome page.

Sorry I'm a little lost here, but is there anything I can do to avoid
having to force Tomcat to do this redirect? I tried this in three
different ways with the same result.
1. I tried placing a welcome page at the webappName level.
2. I also tried placing a welcome page inside the jsp folder
3. Lastly I tried calling a Servlet directly bypassing any jsp page first.

When the url-pattern is /jsp/* - then request.getRemoteUser() is null,
but I'm able to use the session normally. Inspecting
request.getRemoteUser() in the welcome page shows that it is in fact
set, but apparently for that page only.
When the url-pattern is /* - then request.getRemoteUser() is set
normally, but I'm unable to use the session.

>
>
> If your servlet reacts to a request to "webappName", then the
> session cookie with Path of webappName + "/" wouldn't be sent by the
> browser when it repeats the request.

Sorry I didn't understand what this meant. :(

>
> It should be possible to explicitly configure the Path attribute of
> the session cookie using cookie-config element in web.xml.  See
> cookie-configType in
> http://java.sun.com/xml/ns/javaee/web-common_3_0.xsd

I looked through the document and found the cookie-config spec, but am
not sure which parameter you are suggesting that I set and to which
value. Sorry about that.

When my welcome page is inside the jsp folder it has the following syntax:
response.sendRedirect("/webappName/myServletName"); %>
However when it is in the webappName directory I simply do
response.sendRedirect("myServletName"); %>

Lastly I upgraded from Tomcat 7.0.19 to 7.0.21 thinking maybe that
would fix it. :)

Thank you very much.
Rudy


Re: Tomcat and MS LDAP Configuration Problem

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/9/14 Rudy Gireyev <rg...@gmail.com>:
> Thank you P for the response. I admit I don't 100% understand what you mean by
> "Sounds like the session isn't being maintained in between requests."
> Is this something that I'm doing wrong? Or is this something outside
> of my control?
>
> The strange thing is that this very same code works just fine and is
> able to interact with the session just fine when the url-pattern is
> /jsp/*. However as soon as the pattern is changed to /* the session
> becomes unusable.

In short:
1. When a session cookie is created in recent versions of Tomcat, the
Path parameter in it is set to webappName + "/".

2. Requests to "webappName" are usually automatically redirected to
"webappName + /" (Tomcat sends response code 302),

but in some rare configurations this redirect does not happen.
I do not remember what exactly are the circumstances, but I think that
this involved a servlet that is mapped to "/*", and maybe absence of a
welcome page.


If your servlet reacts to a request to "webappName", then the
session cookie with Path of webappName + "/" wouldn't be sent by the
browser when it repeats the request.

The reason for appending "/" to the session cookie path is that
otherwise some web browsers do send cookies set by "foo" webapp when
client requests "foobar", and that is insecure.


It should be possible to explicitly configure the Path attribute of
the session cookie using cookie-config element in web.xml.  See
cookie-configType in
http://java.sun.com/xml/ns/javaee/web-common_3_0.xsd

Best regards,
Konstantin Kolinko
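The cookie-path behaviour described in the reply above, as an added example that is not part of the thread and not Tomcat's own code: two small matchers re-implement the original Netscape prefix rule and the RFC 6265 path-match rule, and a helper mirrors the "context path + '/'" Path that the reply says Tomcat puts on the session cookie. The context path /webappName, the request paths, and the mapping of the root context to "/" are assumptions made for the demonstration.

```python
"""Cookie Path matching: why Tomcat appends "/" to the session cookie Path,
and why a request to the bare context path then arrives without the cookie.

Added example for this thread, not code from Tomcat or from the posters.
The two matchers re-implement the original Netscape prefix rule and the
RFC 6265 path-match rule; all cookie and request paths below are
constructed sample data."""

from dataclasses import dataclass
from typing import Callable, Iterable, List


def netscape_path_match(cookie_path: str, request_path: str) -> bool:
    """Original Netscape cookie rule: plain string-prefix comparison.
    This is the lax behaviour the thread mentions: a cookie scoped to
    "/foo" is also sent with requests for "/foobar"."""
    return request_path.startswith(cookie_path)


def rfc6265_path_match(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: the cookie path equals the request
    path, or it is a prefix of the request path and either ends in "/" or
    the first request-path character after the prefix is "/"."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str


def tomcat_session_cookie_path(context_path: str) -> str:
    """Path put on JSESSIONID according to the thread: the context path with
    "/" appended. Mapping the root context to "/" is an assumption made
    here, not something the thread states."""
    if context_path in ("", "/"):
        return "/"
    return context_path.rstrip("/") + "/"


Matcher = Callable[[str, str], bool]


def cookies_sent(cookies: Iterable[Cookie], request_path: str,
                 matcher: Matcher) -> List[str]:
    """Names of the cookies a browser using `matcher` attaches to a request."""
    return [c.name for c in cookies if matcher(c.path, request_path)]


def leak_without_trailing_slash() -> dict:
    """A JSESSIONID scoped to "/foo" (no trailing slash) as seen from a
    request to the unrelated "/foobar" webapp, under both rules."""
    loose = Cookie("JSESSIONID", "s1", "/foo")
    return {
        "netscape": cookies_sent([loose], "/foobar/index.jsp", netscape_path_match),
        "rfc6265": cookies_sent([loose], "/foobar/index.jsp", rfc6265_path_match),
    }


def session_visibility(context_path: str, request_paths: Iterable[str]) -> dict:
    """For the Tomcat-style cookie (Path = context path + "/"), report which
    request paths receive it under the strict RFC 6265 rule. The bare
    context path, e.g. "/webappName", is not matched, which is the
    'session never updates' symptom from the thread."""
    jsessionid = Cookie("JSESSIONID", "s2", tomcat_session_cookie_path(context_path))
    return {p: "JSESSIONID" in cookies_sent([jsessionid], p, rfc6265_path_match)
            for p in request_paths}


if __name__ == "__main__":
    print("Path=/foo sent to /foobar?", leak_without_trailing_slash())
    paths = ["/webappName", "/webappName/", "/webappName/myServletName",
             "/webappName/jsp/index.jsp", "/webappNameOther/x"]
    for path, seen in session_visibility("/webappName", paths).items():
        print(f"{path:32} cookie sent: {seen}")
```

Under either rule a Path that ends in "/" is never sent to a sibling context whose name merely shares the prefix; the price is that the bare context path, if the 302 to the trailing-slash form does not happen, receives no session cookie either, so a servlet answering that URL directly starts a fresh session on every request.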


Re: Tomcat and MS LDAP Configuration Problem

Posted by Rudy Gireyev <rg...@gmail.com>.
Thank you P for the response. I admit I don't 100% understand what you mean by
"Sounds like the session isn't being maintained in between requests."
Is this something that I'm doing wrong? Or is this something outside
of my control?

The strange thing is that this very same code works just fine and is
able to interact with the session just fine when the url-pattern is
/jsp/*. However as soon as the pattern is changed to /* the session
becomes unusable.

Rudy




On Wed, Sep 14, 2011 at 1:43 AM, Pid <pi...@pidster.com> wrote:
> On 13/09/2011 23:35, Rudy Gireyev wrote:
>> If I change the url-pattern to /* then the user is authenticated each
>> and every time the application is accessed and the
>> request.getRemoteUser() is then set to that user name. But then I
>> cannot store anything in the session of the application. When I do
>> request.getSession(false).setAttribute("oy", vey); the session is not
>> updated and doing the request.getSession(false).getAttribute("oy")
>> returns null.
>
> Sounds like the session isn't being maintained in between requests.
>
>
> p
>
>


Re: Tomcat and MS LDAP Configuration Problem

Posted by Pid <pi...@pidster.com>.
On 13/09/2011 23:35, Rudy Gireyev wrote:
> If I change the url-pattern to /* then the user is authenticated each
> and every time the application is accessed and the
> request.getRemoteUser() is then set to that user name. But then I
> cannot store anything in the session of the application. When I do
> request.getSession(false).setAttribute("oy", vey); the session is not
> updated and doing the request.getSession(false).getAttribute("oy")
> returns null.

Sounds like the session isn't being maintained in between requests.


p