Posted to dev@tomcat.apache.org by Luca Ventura <ve...@tiscali.it> on 2002/10/31 11:11:51 UTC

BASIC authentication in Tomcat+IIS (one useful information)

Hello!

I have another useful piece of information about the problem described below,
which I posted some days ago without receiving any solution for it :(((

If I use Tomcat 4.x as Web Server (standalone mode), instead of
IIS, the BASIC Authentication works well also on Server 1!

This means there must be some strange setting in IIS or in Windows 2000
Advanced Server that forces the Tomcat's ISAPI filter (that is to say
when Tomcat is used only as Servlet Container) not to ask for login
and password to the user but to get their values directly from the system.

I hope someone can help me.

Best regards,

                      Luca

-----Original Message-----
From: Luca Ventura [mailto:ventluca@tiscali.it]
Sent: Tuesday, 29 October 2002 12:12
To: tomcat-dev
Subject: BASIC authentication in Tomcat+IIS


Hello everybody!

I have the following GREAT problem with basic authentication in Tomcat....

I have two servers configured as follows:

Server 1:

Operating system: Windows 2000 Advanced Server
Web Server: IIS 5.0
Servlet Container: Tomcat 4.x

Server 2: Windows XP Professional
Web Server: IIS 5.0
Servlet Container: Tomcat 4.x

Server 2 is not connected to the Internet but it is used to test web
applications before passing them in the production environment deployed in
Server 1. In fact Server 1 is connected to the Internet
and contains all the final versions of Web Applications.

So I connect to Server 1 using a real domain name (for example:
www.mydomain.com) while I connect to Server 2  using "localhost".

In both Servers I use Tomcat 4.x as Servlet Container and Microsoft IIS 5
as Web Server. I installed the ISAPI filter to redirect to Tomcat all the
requests to Servlet/JSP pages or to web sites based on such
java-technologies.

I have tried to protect some Servlet/jsp-pages  using basic authentication
of Tomcat. So I configured the following tomcat files in such way:

server.xml:

...

<!-- Define an AJP 1.3 Connector on port 8009 -->

    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
               port="8009" minProcessors="5" maxProcessors="75"
               acceptCount="10" debug="0"/>

....

  <Realm className="org.apache.catalina.realm.MemoryRealm" />

...


tomcat-users.xml:

<tomcat-users>
  <user name="admin" password="tomcat" roles="adminrole" />
</tomcat-users>

web.xml:

    <security-constraint>
      <display-name>Autenticazione Tomcat</display-name>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
         <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/MyServlet</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <role-name>adminrole</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- Login configuration uses BASIC authentication -->
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Autenticazione Tomcat</realm-name>
    </login-config>


Server.xml and tomcat-users.xml are present in /conf folder of Tomcat, while
web.xml in the WEB-INF folder
of the web application that contains the resource (in this case the servlet
"MyServlet") that I want to protect.


All works fine in Server 2 (localhost): in fact when I connect to the
protected resource (servlet "MyServlet") Tomcat asks me in a window the login
and the password to access to the resource. The problem appears after moving
my application in Server 2 (production environment) because when I try to
connect to the protected servlet I receive from Tomcat the following error
page:

Apache Tomcat/4.0.4-b3 - HTTPS Status 403 - Access to the requested resource
has been denied

type: Status report
message: Access to the requested resource has been denied
description: Access to the specified resource (Access to the requested
resource has been denied) has been forbidden.

The strange thing is that Tomcat, before showing the error page, doesn't ask
to me for the login and the password to access the resource (as in the first
case). It seems that IIS
passes automatically an internal login and password to Tomcat to access to
the protected resource: given that they are not correct I receive an error
message
from Tomcat. Anyway I am not sure of this but I suspect that the problem
is in Windows 2000 Advanced Server because when I try to access to Server 2,
where there is Windows XP installed, all works fine.

I have heard that this problem could occur in Windows 2000 only when realm
authentication is not set in IIS,
but I am not sure and in any case I have no idea how to set realm
authentication in IIS.

I hope someone can help me to solve this problem.

Thanks a lot in advance!

                             Luca




Re: BASIC authentication in Tomcat+IIS (one useful information)

Posted by Ronald Klop <ro...@not4mail.cs.vu.nl>.
Hello,

I investigated the same problem (the 403 error) yesterday.
Tomcat authentication worked after I configured IIS to not use NT 
authentication, but only anonymous access. IIS will ignore any 
authentication headers and pass them to Tomcat then.
In IIS manager, right-click on the host and edit the 'directory security' tab.

I was using tomcat 4.1.12 with AJP1.3 and the JK (version 1) connector.

Hope this solves your problem too.

Greetings,

Ronald.



-- 
  Ronald Klop, Amsterdam, The Netherlands
  --> Remove the 'not4mail.' from the e-mail address before replying. <--
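
Added example (not part of the original thread and not Tomcat or IIS code): one way to tell which tier is handling authentication in the setup discussed above, by classifying the response to an unauthenticated request for the protected URL. The sample responses are constructed, and the function names and result labels are hypothetical.

```python
import re

# Constructed sample responses (status line and headers only), not captured traffic.
SAMPLES = {
    "tomcat": 'HTTP/1.1 401 Unauthorized\r\n'
              'WWW-Authenticate: Basic realm="Autenticazione Tomcat"\r\n\r\n',
    "iis_windows": 'HTTP/1.1 401 Access Denied\r\n'
                   'WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n',
    "iis_basic": 'HTTP/1.1 401 Access Denied\r\n'
                 'WWW-Authenticate: Basic realm="www.mydomain.com"\r\n\r\n',
    "no_prompt": 'HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n',
}

def parse_response(raw):
    """Return (status, [(scheme, realm-or-None), ...]) from a raw response head."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    challenges = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        scheme, _, params = value.strip().partition(" ")
        realm = re.search(r'realm="([^"]*)"', params)
        challenges.append((scheme.lower(), realm.group(1) if realm else None))
    return status, challenges

def diagnose(raw, expected_realm):
    """Classify who is challenging, given the realm-name from the webapp's web.xml."""
    status, challenges = parse_response(raw)
    schemes = {scheme for scheme, _ in challenges}
    if status == 401 and ("basic", expected_realm) in challenges:
        return "webapp-basic-challenge"        # the container is prompting
    if status == 401 and schemes & {"ntlm", "negotiate"}:
        return "front-end-windows-auth"        # the web server is prompting
    if status == 401 and "basic" in schemes:
        return "basic-challenge-other-realm"   # Basic, but not the webapp's realm
    if status == 403 and not challenges:
        return "denied-without-challenge"      # refused with no login prompt
    return "unclassified"

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", diagnose(raw, "Autenticazione Tomcat"))
```

A `denied-without-challenge` result matches the symptom reported in the first post (a 403 with no login prompt); a `front-end-windows-auth` result points at the IIS directory security setting Ronald describes.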