Posted to users@tomcat.apache.org by Roberto Barale <ro...@gmail.com> on 2013/03/22 00:39:40 UTC

I need help in configuring windows authentication in tomcat 7.0

I want to set up "windows authentication" in my tomcat 7.0.37
I read the user guide
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html and I
followed all the steps in Domain Controller and Tomcat Instance

Then I wrote the $CATALINA_BASE\webapps\myappl\WEB-INF\web.xml
and the $CATALINA_BASE\webapps\myappl\META-INF\context.xml
as below

The question is:
How can I remove connectionName and connectionPassword from the
context.xml file?
Without the 2 elements authentication doesn't work, but in a production
environment I cannot put a password in clear text

---------------- 1st file web.xml -----------------
<web-app>
  <display-name>Test Appl</display-name>
  <description>Written by Bob</description>
  <security-constraint>
    <display-name>Bob Appl Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Private Zone</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>SPNEGO</auth-method>
  </login-config>
  <security-role>
      <role-name>role1</role-name>
      <role-name>role2</role-name>
      <role-name>role3</role-name>
  </security-role>
</web-app>

---------------- 2nd file context.xml -----------------

<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         adCompat="true"
         allRolesMode="authOnly"
         referrals="follow"
         connectionURL="ldap://dc01.mydom.local:389"
         connectionName="mydom\tcuser"
         connectionPassword="Pa55w0rd"
         userBase="dc=mydom,dc=local"
         userSubtree="true"
         userSearch="(sAMAccountName={0})"
         roleBase="ou=groups,ou=myappl,dc=mydom,dc=local"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true"
  />
</Context>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: I need help in configuring windows authentication in tomcat 7.0

Posted by Mark Thomas <ma...@apache.org>.
On 21/03/2013 23:49, chris derham wrote:
>> <Context>
>> <Realm    className="org.apache.catalina.realm.JNDIRealm"
>>       adCompat="true"
>>        allRolesMode="authOnly"
>>       referrals="follow"
>>      connectionURL="ldap://dc01.mydom.local:389"
>>     connectionName="mydom\tcuser"
>> connectionPassword="Pa55w0rd"
>>           userBase="dc=mydom,dc=local"
>>        userSubtree="true"
>>         userSearch="(sAMAccountName={0})"
>>           roleBase="ou=groups,ou=myappl,dc=mydom,dc=local"
>>           roleName="cn"
>>         roleSearch="(member={0})"
>>        roleSubtree="true"
>> />
>> </Context>
> 
> This has come up multiple times on the mailing list - essentially it
> can not/should not be done. Please see
> http://wiki.apache.org/tomcat/FAQ/Password for details

While generally that is correct, JNDIRealm plus Windows authentication
is a special case.

It should be possible to remove the connectionName and
connectionPassword attributes from the above configuration. See the JNDI
docs and the useDelegatedCredential attribute in particular.

Mark
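The change Mark describes, written out as an added example (not part of the thread): the original realm with its clear-text service account password next to a version that drops connectionName and connectionPassword and binds to the directory with the delegated Kerberos credential of the SPNEGO-authenticated user. It assumes the SPNEGO authenticator keeps the delegated credential (its storeDelegatedCredential attribute, which defaults to true) and that the Tomcat service account is trusted for delegation in AD as the linked Windows auth howto describes; the host, base DNs and filters are the ones from the original post.

```xml
<!-- META-INF/context.xml for myappl. Added example, not the poster's or
     Tomcat's own file. -->
<Context>
  <!-- Before: static service account with its password on disk, as in the
       original post. Kept here only for contrast; do not deploy this. -->
  <!--
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://dc01.mydom.local:389"
         connectionName="mydom\tcuser"
         connectionPassword="Pa55w0rd"
         userBase="dc=mydom,dc=local"
         userSearch="(sAMAccountName={0})" />
  -->

  <!-- After: no connectionName or connectionPassword. With
       useDelegatedCredential="true" (the attribute Mark points at) the
       realm authenticates to the directory with the credential the SPNEGO
       authenticator obtained from the logged-in user, so no long-lived
       secret is stored in the configuration. -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         useDelegatedCredential="true"
         adCompat="true"
         allRolesMode="authOnly"
         referrals="follow"
         connectionURL="ldap://dc01.mydom.local:389"
         userBase="dc=mydom,dc=local"
         userSubtree="true"
         userSearch="(sAMAccountName={0})"
         roleBase="ou=groups,ou=myappl,dc=mydom,dc=local"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true" />
</Context>
```

Because the user and role lookups now run as the authenticated user rather than as tcuser, that user must be allowed to read the entries under userBase and roleBase, or authentication will fail even though the Kerberos ticket was valid.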




Re: I need help in configuring windows authentication in tomcat 7.0

Posted by chris derham <ch...@derham.me.uk>.
> <Context>
> <Realm    className="org.apache.catalina.realm.JNDIRealm"
>       adCompat="true"
>        allRolesMode="authOnly"
>       referrals="follow"
>      connectionURL="ldap://dc01.mydom.local:389"
>     connectionName="mydom\tcuser"
> connectionPassword="Pa55w0rd"
>           userBase="dc=mydom,dc=local"
>        userSubtree="true"
>         userSearch="(sAMAccountName={0})"
>           roleBase="ou=groups,ou=myappl,dc=mydom,dc=local"
>           roleName="cn"
>         roleSearch="(member={0})"
>        roleSubtree="true"
> />
> </Context>

This has come up multiple times on the mailing list - essentially it
can not/should not be done. Please see
http://wiki.apache.org/tomcat/FAQ/Password for details

Chris
