Posted to users@tomcat.apache.org by Leo Donahue - PLANDEVX <Le...@mail.maricopa.gov> on 2010/06/23 00:01:14 UTC

OT RE: Still having problem retrieving user value from ISAPI Filter for authentication

>From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
>Subject: Re: Still having problem retrieving user value from ISAPI
>Filter for authentication
>
>>
>> Unless you are going to authenticate via one of Tomcat's
>authentication methods; BASIC, FORM, etc, then getRemoteUser() is going
>to return null.
>>
>> You'll need to add a security constraint, login-config and security-
>role to your web.xml to test getRemoteUser(); in just Tomcat.
>>
>
>This shouldn't be the case since she put tomcatAuthentication="false"
>tomcat should be taking the username from the JK_REMOTE_USER
>attribute.
>
>Marc

Doesn't the url mapping in the uriworkermap.properties file interrupt IIS from passing authentication to Tomcat?

If you restrict access to a virtual directory in IIS, mapped to a servlet or webapp in Tomcat, and there is a URL for that servlet/webapp in uriworkermap.properties, wouldn't Tomcat allow access even though IIS attempts to say no?

I still have a server with IIS and the isapi_redirect.dll "Jakarta filter" running internally.

I created a new website in IIS, called test, using IIS port 8088, mapped to the examples directory in Tomcat 6.0.26  (Tomcat's HTTP port is still 8080)
I added the "Jakarta" virtual directory to test.
I removed anonymous access and checked integrated windows security for test.

http://localhost:8088  supply credentials of user not allowed to this directory - yields no access.
http://localhost:8088/examples I get right through, no challenge from IIS.

http://localhost:8088  supply credentials of user allowed, snoop JSP works, but Remote User is null.  Everything else in snoop output had a value.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: OT RE: Still having problem retrieving user value from ISAPI Filter for authentication

Posted by "Savoy, Melinda" <Me...@texashealth.org>.
Thanks Leo.  I've got the same setup in IIS regarding integrated windows security.  However, IIS is on port 80 and Tomcat is on 9080 so as not to conflict.

IIS is giving the ISAPI filter the user info that I'm looking for as indicated in the ISAPI log.

Thanks for trying.  It's appreciated.

-----Original Message-----
From: Leo Donahue - PLANDEVX [mailto:LeoDonahue@mail.maricopa.gov] 
Sent: Tuesday, June 22, 2010 6:13 PM
To: 'Tomcat Users List'
Subject: RE: OT RE: Still having problem retrieving user value from ISAPI Filter for authentication

>From: Leo Donahue - PLANDEVX [mailto:LeoDonahue@mail.maricopa.gov]
>Subject: OT RE: Still having problem retrieving user value from ISAPI
>Filter for authentication
>>
>Doesn't the url mapping in the uriworkermap.properties file interrupt
>IIS from passing authentication to Tomcat?
>
>If you restrict access to a virtual directory in IIS, mapped to a
>servlet or webapp in Tomcat, and there is a URL for that servlet/webapp
>in uriworkermap.properties, wouldn't Tomcat allow access even though IIS
>attempts to say no?
>
>I still have a server with IIS and the isapi_redirect.dll "Jakarta
>filter" running internally.
>
>I created a new website in IIS, called test, using IIS port 8088, mapped
>to the examples directory in Tomcat 6.0.26  (Tomcat's HTTP port is still
>8080)
>I added the "Jakarta" virtual directory to test.
>I removed anonymous access and checked integrated windows security for
>test.
>
>http://localhost:8088  supply credentials of user not allowed to this
>directory - yields no access.
>http://localhost:8088/examples I get right through, no challenge from
>IIS.
>
>http://localhost:8088  supply credentials of user allowed, snoop JSP
>works, but Remote User is null.  Everything else in snoop output had a
>value.
>

I stand corrected, as usual.  Snoop JSP does display my login info.  However, my browser is now set to supply credentials for internal sites.  "Automatic login only in Intranet zone".

IE 7
Internet Options
Security
Custom Level
Scroll all the way down to User Authentication.

isapi_redirect.dll version 1.2.27
IIS 6.0
Windows Server 2003

http://localhost:8088/examples/jsp/snp/snoop.jsp

Request Information 
JSP Request Method: GET 
Request URI: /examples/jsp/snp/snoop.jsp 
Request Protocol: HTTP/1.1 
Servlet path: /jsp/snp/snoop.jsp 
Path info: null 
Query string: null 
Content length: 0 
Content type: null 
Server name: server name 
Server port: 8088 
Remote user: PLANDEV\donahuel 
Remote address: my ip 
Remote host: my ip 
Authorization scheme: Negotiate 
Locale: en_US
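
An added example, not part of the original thread or of Tomcat's own code: a servlet filter that fails closed when the remote user discussed above does not reach the webapp, and logs the same user and authorization scheme that snoop.jsp displays. The class name `RequireFrontEndUserFilter` is hypothetical, and the filter assumes the AJP connector is configured with tomcatAuthentication="false" as described in the thread.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (name and policy are assumptions, not from the thread).
// Rejects requests that arrive without a user name supplied by the front end.
public class RequireFrontEndUserFilter implements Filter {
    private static final Logger LOG =
            Logger.getLogger(RequireFrontEndUserFilter.class.getName());

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // With tomcatAuthentication="false", getRemoteUser() returns the name
        // forwarded over AJP by isapi_redirect.dll; null means none arrived.
        String user = request.getRemoteUser();
        if (user == null || user.trim().length() == 0) {
            LOG.warning("No remote user for " + request.getRequestURI()
                    + " from " + request.getRemoteAddr()
                    + " (auth type: " + request.getAuthType() + ")");
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "No authenticated user was supplied by the front-end server");
            return;
        }
        // Record the identity and scheme (e.g. Negotiate) for later review.
        LOG.fine("Remote user " + user + " via " + request.getAuthType());
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```

Map the filter to `/*` in web.xml so every forwarded URL is covered. Because Tomcat accepts whatever user name the AJP peer sends in this mode, the AJP port should be reachable only from the IIS host.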


