Posted to users@tomcat.apache.org by Roberto Barale <ro...@gmail.com> on 2013/03/22 00:39:40 UTC
I need help in configuring windows authentication in tomcat 7.0
I want to set up "Windows authentication" in my Tomcat 7.0.37.
I read the user guide
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html and I
followed all the steps for the Domain Controller and the Tomcat Instance.
Then I wrote the $CATALINA_BASE\webapps\myappl\WEB-INF\web.xml
and the $CATALINA_BASE\webapps\myappl\META-INF\context.xml
as below.
The question is:
How can I remove connectionName and connectionPassword from the
context.xml file?
Without the 2 elements authentication doesn't work, but in a production
environment I cannot put a password in clear text.
---------------- 1st file web.xml -----------------
<web-app>
  <display-name>Test Appl</display-name>
  <description>Written by Bob</description>
  <security-constraint>
    <display-name>Bob Appl Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Private Zone</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>SPNEGO</auth-method>
  </login-config>
  <!-- the deployment descriptor schema allows one role-name per security-role -->
  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <security-role>
    <role-name>role2</role-name>
  </security-role>
  <security-role>
    <role-name>role3</role-name>
  </security-role>
</web-app>
---------------- 2nd file context.xml -----------------
<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         adCompat="true"
         allRolesMode="authOnly"
         referrals="follow"
         connectionURL="ldap://dc01.mydom.local:389"
         connectionName="mydom\tcuser"
         connectionPassword="Pa55w0rd"
         userBase="dc=mydom,dc=local"
         userSubtree="true"
         userSearch="(sAMAccountName={0})"
         roleBase="ou=groups,ou=myappl,dc=mydom,dc=local"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true"
  />
</Context>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: I need help in configuring windows authentication in tomcat 7.0
Posted by Mark Thomas <ma...@apache.org>.
On 21/03/2013 23:49, chris derham wrote:
>> <Context>
>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>> adCompat="true"
>> allRolesMode="authOnly"
>> referrals="follow"
>> connectionURL="ldap://dc01.mydom.local:389"
>> connectionName="mydom\tcuser"
>> connectionPassword="Pa55w0rd"
>> userBase="dc=mydom,dc=local"
>> userSubtree="true"
>> userSearch="(sAMAccountName={0})"
>> roleBase="ou=groups,ou=myappl,dc=mydom,dc=local"
>> roleName="cn"
>> roleSearch="(member={0})"
>> roleSubtree="true"
>> />
>> </Context>
>
> This has come up multiple times on the mailing list - essentially it
> can not/should not be done. Please see
> http://wiki.apache.org/tomcat/FAQ/Password for details
While generally that is correct, JNDIRealm plus Windows authentication
is a special case.
It should be possible to remove the connectionName and
connectionPassword attributes from the above configuration. See the JNDI
docs and the useDelegatedCredential attribute in particular.
Mark
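
An added example, not part of the thread or of Tomcat: a Python check that reads a web application's context.xml and web.xml and reports a clear-text JNDIRealm bind password, and whether the SPNEGO plus useDelegatedCredential case from the reply above applies. The `audit` function, its messages and the abridged sample files are constructed for illustration; it assumes useDelegatedCredential defaults to true when the attribute is absent.

```python
import xml.etree.ElementTree as ET

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"

# Constructed samples, abridged from the files posted in this thread.
WEB_SPNEGO = ("<web-app><login-config><auth-method>SPNEGO</auth-method>"
              "</login-config></web-app>")
WEB_BASIC = WEB_SPNEGO.replace("SPNEGO", "BASIC")
CONTEXT_POSTED = r'''<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://dc01.mydom.local:389"
         connectionName="mydom\tcuser"
         connectionPassword="Pa55w0rd"
         userBase="dc=mydom,dc=local"
         userSearch="(sAMAccountName={0})" />
</Context>'''
# The same realm with the bind account removed, as the reply suggests.
CONTEXT_DELEGATED = "\n".join(
    line for line in CONTEXT_POSTED.splitlines()
    if "connectionName" not in line and "connectionPassword" not in line)


def audit(context_xml, web_xml):
    """Return (location, message) findings for every JNDIRealm in context_xml."""
    # Match on the local name so a namespaced web.xml is handled too.
    methods = {el.text.strip() for el in ET.fromstring(web_xml).iter()
               if el.tag.rsplit("}", 1)[-1] == "auth-method" and el.text}
    spnego = "SPNEGO" in methods
    findings = []
    # iter() also reaches realms nested inside a wrapping Realm element.
    for realm in ET.fromstring(context_xml).iter("Realm"):
        if realm.get("className") != JNDI_REALM:
            continue
        delegated = realm.get("useDelegatedCredential", "true").lower() != "false"
        if "connectionPassword" in realm.attrib:
            findings.append(("connectionPassword",
                             "bind password stored in clear text"))
            if spnego and delegated:
                findings.append(("connectionName",
                                 "SPNEGO login with useDelegatedCredential "
                                 "enabled: bind account may be removable"))
        elif not (spnego and delegated):
            findings.append(("Realm", "no bind account and no delegated "
                                      "credential for the directory connection"))
    return findings


if __name__ == "__main__":
    for location, message in audit(CONTEXT_POSTED, WEB_SPNEGO):
        print(f"{location}: {message}")
```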
Re: I need help in configuring windows authentication in tomcat 7.0
Posted by chris derham <ch...@derham.me.uk>.
> <Context>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
> adCompat="true"
> allRolesMode="authOnly"
> referrals="follow"
> connectionURL="ldap://dc01.mydom.local:389"
> connectionName="mydom\tcuser"
> connectionPassword="Pa55w0rd"
> userBase="dc=mydom,dc=local"
> userSubtree="true"
> userSearch="(sAMAccountName={0})"
> roleBase="ou=groups,ou=myappl,dc=mydom,dc=local"
> roleName="cn"
> roleSearch="(member={0})"
> roleSubtree="true"
> />
> </Context>
This has come up multiple times on the mailing list - essentially it
can not/should not be done. Please see
http://wiki.apache.org/tomcat/FAQ/Password for details
Chris