Posted to users@tomcat.apache.org by Chris Fors <ch...@hotmail.com> on 2013/03/04 22:47:53 UTC

Tomcat Built-in WinAuth - NEW THREAD

-----Original Message----- 
From: Mark Thomas 
Sent: Monday, March 04, 2013 8:59 PM 
To: Tomcat Users List 
Subject: Re: Tomcat Built-in WinAuth 
On 04/03/2013 20:44, Chris Fors wrote:
> I've yet to see success with SPNEGO Windows Authentication. I've
> followed the documentation as close as possible, although it is incomplete.
> 
> After creating the SpnegoAuthenticator valve in the conf context.xml,
> should that enable SPNEGO for all web sessions? If not what must be
> specified in the Web.xml to initiate the SPNEGO process and what is the
> syntax? A short example would be useful as the documentation is not
> clear in this area. (Given that there are correctly formed krb5.ini,
> jaas.conf, and tomcat.keytab files properly formed in the conf directory
> on the Windows box.
Please do not hijack threads.
If you want to start a new thread send a new message. Better still - in
your case - continue the thread you have already started. For that
thread to progress you'll need to respond to - rather than ignore - the
point about security constraints.
Mark
I apologize for the thread hijacking; I did not observe/read thread IDs in the hidden message header.

Could you please expand on what constraints you were referring to and how they are best implemented, where, and in what syntax e.g. if implemented in web.xml what are the correct tags.
If implemented in web.xml what are the correct tags. I have not found this clarified anywhere, yet.
Thanks,
Chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Tomcat Built-in WinAuth - NEW THREAD

Posted by André Warnier <aw...@ice-sa.com>.
Hi.

Your message appears quite garbled in my email client.
Some notes in the text below, which I have reformatted somewhat.

Chris Fors wrote:
> I have added in a <security-constraint> to the sample application web.xml (shown below)
> and modified the hello.jsp to show a request.getRemoteUser().
> This has shown to successfully invoke an authentication process.
> Now when browsing to the http://server/sample I receive a Windows prompt for user logon.

That, in my view, is a sign that something is not as it should be.
If a real Windows Integrated Authentication (WIA) was taking place, you should not see a 
login dialog.
The browser instead should negotiate this directly with the server, using your Windows 
login credentials, and nothing should be visible to the user.
If a login dialog appears, I believe that it is because the browser is falling back to 
attempting an HTTP Basic Authentication.  Which may work or not, depending on whether your 
Windows Domain policies (and your server) allow it or not.

> This is with IE9 and the browser is configured for autologon for the Intranet zone

The "autologon" is obviously not working, if you see a login dialog.

> and the server is in the Intranet zone.
> And there are 401 errors in the localhost_access.log:
> 10.208.101.129 - - [05/Mar/2013:16:25:21 +0000] "GET /sample/ HTTP/1.1" 401 951

401 responses are not "errors", they are a normal part of the exchange.
(It means kind of "show me some id, buster")

Roughly, it works as follows:

1) the browser tries to get a protected resource, which is marked (on the server) as 
requiring authentication.  But the browser at first doesn't know that, so it sends a first 
request without any form of authentication.
2) the server sees that the resource needs authentication, and that the request does not 
contain an authentication.  So it sends back a 401 response.
This is to indicate to the browser that an authentication is required.
If you examine the headers that the server is sending back, you will see that it even 
indicates to the browser which form(s) of authentication is required/accepted.
3) the browser sees the 401 response, and starts an authentication cycle.
There are variations of this at this point.

If the browser decides to use WIA (what you call autologon I guess),
3a) it will first re-send the request along with a token;
3b) the server will respond with a new 401 including a token of its own
3c) the browser will then re-send the request again, with a final token
(Yes, it takes 3 such steps to do a WIA authentication, not counting the server's own 
conversation with a Domain Controller)
3d) if the server determines that the provided credentials fit, the server returns the 
requested resource in a 200 OK response.  Otherwise it returns a 403 Forbidden.

If the browser instead decides to do a Basic Authentication,
3a) the browser will pop up a login dialog to the user, asking for id/pw
3b) the browser will then re-submit the original request along with an "Authorization: 
Basic" header, including the id/pw encoded.
3c) if the server determines that the credentials match, it will return the requested 
resource in a 200 OK response.  Otherwise it returns a 403 Forbidden.

In any case, 401 responses from the server are a normal part of the processes above.
It's only 403 Forbidden that you should worry about.
And the fact that apparently it is not really doing "autologon".

(But maybe this is a feature of the Tomcat SPNEGO authentication, I don't know it really)

Note: to really see what is going on, I highly recommend that you install some software 
like "Fiddler2" on your workstation, to show the headers of the HTTP requests and responses.

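The walk-through above can be turned into a small diagnostic. This is an added example, not code from the thread or from Tomcat: it takes the round trips of one resource fetch, as you would read them off a Fiddler capture, and reports which scheme the browser ended up using, whether it fell back from Negotiate (WIA) to Basic, and whether the final answer was a 403 worth worrying about. The captures at the bottom are constructed and the tokens are placeholders.

```python
def scheme_of(header):
    """Lower-cased scheme of an auth header ('Negotiate ...' -> 'negotiate'),
    or None when the header is absent."""
    return header.split(None, 1)[0].lower() if header else None


def classify_exchange(exchange):
    """Walk the round trips of one resource fetch and describe what happened.

    exchange: list of (Authorization request header or None,
                       response status code,
                       list of WWW-Authenticate response header values)
    """
    offered = set()     # schemes the server advertised in its 401 challenges
    used = []           # schemes the browser actually sent, in order
    challenges = 0      # 401 responses: a normal part of the handshake
    final_status = None
    for authorization, status, www_authenticate in exchange:
        sent = scheme_of(authorization)
        if sent and (not used or used[-1] != sent):
            used.append(sent)
        if status == 401:
            challenges += 1
            offered.update(s for s in map(scheme_of, www_authenticate) if s)
        final_status = status
    mechanism = used[-1] if used else "none"
    outcome = {200: "authenticated", 401: "challenge unanswered",
               403: "forbidden"}.get(final_status, "incomplete")
    return {
        "mechanism": mechanism,
        "outcome": outcome,
        "challenges": challenges,
        # Negotiate was on offer but the browser answered with Basic: that is
        # the fallback that shows a login dialog instead of silent WIA.
        "fell_back_to_basic": "negotiate" in offered and mechanism == "basic",
        # Only a 403 deserves alarm; 401s are the server asking for credentials.
        "worry": final_status == 403,
    }


# Constructed captures (tokens are placeholders, not real SPNEGO/Basic data).
# Silent WIA: anonymous GET -> 401; Negotiate token -> 401 with server token;
# final Negotiate token -> 200.
WIA_OK = [
    (None, 401, ["Negotiate", 'Basic realm="Tomcat"']),
    ("Negotiate <client-token-1>", 401, ["Negotiate <server-token>"]),
    ("Negotiate <client-token-2>", 200, []),
]
# Fallback: the browser ignores the Negotiate offer, prompts the user and sends
# Basic; here the server rejects the credentials with 403.
BASIC_FALLBACK = [
    (None, 401, ["Negotiate", 'Basic realm="Tomcat"']),
    ("Basic <base64-id-and-pw>", 403, []),
]
```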


Re: Tomcat Built-in WinAuth - NEW THREAD

Posted by Mark Thomas <ma...@apache.org>.
On 05/03/2013 16:31, Chris Fors wrote:
> I wish to allow any authenticated domain user

There is pure web.xml (until Tomcat 8 and Servlet 3.1) way of doing
this. (Aside. Once this has been implemented, we should look at
back-porting the new ** feature to earlier versions).

> <role-name>*</role-name>

That doesn't do what you think it does. (As you would know if you had
read the relevant part of the Servlet spec.)

There are a couple of ways around this. I suggest you look at the
allRolesMode attribute of your Realm.

Mark

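To make the allRolesMode point concrete, here is an added checker (not from the thread or from Tomcat) that reports what an auth-constraint actually grants, applied to the constraint Chris posted. The meaning of strict, authOnly and strictAuthOnly follows Tomcat's Realm configuration reference; the web.xml and Realm inputs are constructed, with the Realm className elided.

```python
# allRolesMode, per Tomcat's Realm reference: strict (default) makes * mean any
# <security-role> declared in web.xml; authOnly makes it mean any authenticated
# user; strictAuthOnly does the same only when web.xml declares no roles.
import xml.etree.ElementTree as ET


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # '{uri}role-name' -> 'role-name'


def _texts(elem, name):
    """Stripped text of elem and every descendant with the given local name."""
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == name and e.text]


def all_roles_mode(server_xml):
    """allRolesMode of the first Realm in server.xml (Tomcat's default is strict)."""
    for e in ET.fromstring(server_xml).iter():
        if _local(e.tag) == "Realm":
            return e.get("allRolesMode", "strict")
    return "strict"


def who_may_pass(web_xml, server_xml):
    """Map each security-constraint's url-patterns to who satisfies its auth-constraint."""
    root = ET.fromstring(web_xml)
    declared = {r for sr in root.iter() if _local(sr.tag) == "security-role" for r in _texts(sr, "role-name")}
    mode = all_roles_mode(server_xml)
    result = {}
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        acs = [e for e in sc.iter() if _local(e.tag) == "auth-constraint"]
        wanted = {r for ac in acs for r in _texts(ac, "role-name")}
        allowed = declared if "*" in wanted else wanted  # strict expansion of *
        if not acs:
            who = "everyone (no auth-constraint)"
        elif "*" in wanted and (mode == "authOnly" or (mode == "strictAuthOnly" and not declared)):
            who = "any authenticated user"
        elif allowed:
            who = "authenticated users holding one of: " + ", ".join(sorted(allowed))
        else:  # an authenticated user still gets 403 here
            who = "nobody: " + ("* expands to no declared <security-role>" if "*" in wanted else "empty auth-constraint")
        result[", ".join(_texts(sc, "url-pattern"))] = who
    return result


# Constructed input: the constraint from the thread, with no <security-role>
# declared, and a Realm element with and without allRolesMode (className elided).
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint></security-constraint></web-app>"""
REALM_DEFAULT = "<Server><Realm/></Server>"
REALM_AUTH_ONLY = '<Server><Realm allRolesMode="authOnly"/></Server>'
```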


RE: Tomcat Built-in WinAuth - NEW THREAD

Posted by Chris Fors <ch...@hotmail.com>.
I have added in a <security-constraint> to the sample application web.xml (shown below) and modified the hello.jsp to show a request.getRemoteUser(). This has shown to successfully invoke an authentication process. Now when browsing to the http://server/sample I receive a Windows prompt for user logon. This is with IE9 and the browser is configured for autologon for the Intranet zone and the server is in the Intranet zone.

And there are 401 errors in the localhost_access.log:

10.208.101.129 - - [05/Mar/2013:16:25:21 +0000] "GET /sample/ HTTP/1.1" 401 951

Perhaps there is something wrong with the security-constraint xml code. I wish to allow any authenticated domain user but am not certain as to how to best implement this in the security constraint and role methods to achieve this.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Hello World App</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

In the Tomcat7-stdout.log I see:

2013-03-05 16:24:22 Commons Daemon procrun stdout initialized
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Program Files/Apache Software Foundation/Tomcat 7.0/conf/krb5.keytab refreshKrb5Config is false principal is svcTomcatDV@ITLAB.INT tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is svcTomcatDV@ITLAB.INT
Will use keytab
Commit Succeeded
  [Krb5LoginModule]: Entering logout
  [Krb5LoginModule]: logged out Subject

Any suggestions? Thanks,

Chris Fors

> Date: Mon, 4 Mar 2013 18:48:24 -0600
> From: chris@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: Tomcat Built-in WinAuth - NEW THREAD
> 
> 
> Chris,
> 
> On 3/4/13 4:54 PM, Chris Fors wrote:
> >> Date: Mon, 4 Mar 2013 23:32:34 +0100 From: aw@ice-sa.com To:
> >> users@tomcat.apache.org Subject: Re: Tomcat Built-in WinAuth -
> >> NEW THREAD
> >> 
> >> Mark Thomas wrote:
> >>> On 04/03/2013 21:47, Chris Fors wrote:
> >>>> Could you please expand on what constraints you were
> >>>> referring to
> >>> 
> >>> Security constraints in web.xml
> >>> 
> >>>> and how they are best implemented, where, and in what syntax
> >>>> e.g. if implemented in web.xml what are the correct tags.
> >>> 
> >>> All defined in the Servlet spec.
> >>> 
> >>>> If implemented in web.xml what are the correct tags. I have
> >>>> not found this clarified anywhere, yet.
> >>> 
> >>> Again, see the servlet spec.
> >> 
> >> You will find an example in the "manager" webapp that comes with
> >> Tomcat. Look at (tomcat)/webapps/manager/WEB-INF/web.xml, parts
> >> like this :
> >> 
> >> <security-constraint>
> >>   <web-resource-collection>
> >>     <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
> >>     <url-pattern>/html/*</url-pattern>
> >>   </web-resource-collection>
> >>   <auth-constraint>
> >>     <role-name>manager-gui</role-name>
> >>   </auth-constraint>
> >> </security-constraint>
> >> 
> >> In not-quite-technical terms :
> >> 
> >> The above, present at the level of the webapp, specifies a "role"
> >> which the authenticated user must have, in order to be able to
> >> access this part of the webapp. To determine if the user has that
> >> role, Tomcat must first know the user. This is what "triggers"
> >> the authentication mechanism. If nothing forces Tomcat to
> >> authenticate the user of this webapp, the authentication method
> >> may well be specified, but it will not be invoked.
> >> 
> > Was hoping to not have to hunt through the complete JSR 315
> > specification.  I will give the  constraint model above a shot
> > tomorrow. Thanks, Chris
> 
> Honestly, it's like 3 pages of reading, most of which is tables and
> examples. Reading the servlet spec (it's not your average spec: mere
> mortals *can* read and understand it) should be required in order to
> develop web applications.
> 
> - -chris

Re: Tomcat Built-in WinAuth - NEW THREAD

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Chris,

On 3/4/13 4:54 PM, Chris Fors wrote:
>> Date: Mon, 4 Mar 2013 23:32:34 +0100 From: aw@ice-sa.com To:
>> users@tomcat.apache.org Subject: Re: Tomcat Built-in WinAuth -
>> NEW THREAD
>> 
>> Mark Thomas wrote:
>>> On 04/03/2013 21:47, Chris Fors wrote:
>>>> Could you please expand on what constraints you were
>>>> referring to
>>> 
>>> Security constraints in web.xml
>>> 
>>>> and how they are best implemented, where, and in what syntax
>>>> e.g. if implemented in web.xml what are the correct tags.
>>> 
>>> All defined in the Servlet spec.
>>> 
>>>> If implemented in web.xml what are the correct tags. I have
>>>> not found this clarified anywhere, yet.
>>> 
>>> Again, see the servlet spec.
>> 
>> You will find an example in the "manager" webapp that comes with
>> Tomcat. Look at (tomcat)/webapps/manager/WEB-INF/web.xml, parts
>> like this :
>> 
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
>>     <url-pattern>/html/*</url-pattern>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>manager-gui</role-name>
>>   </auth-constraint>
>> </security-constraint>
>> 
>> In not-quite-technical terms :
>> 
>> The above, present at the level of the webapp, specifies a "role"
>> which the authenticated user must have, in order to be able to
>> access this part of the webapp. To determine if the user has that
>> role, Tomcat must first know the user. This is what "triggers"
>> the authentication mechanism. If nothing forces Tomcat to
>> authenticate the user of this webapp, the authentication method
>> may well be specified, but it will not be invoked.
>> 
> Was hoping to not have to hunt through the complete JSR 315
> specification.  I will give the  constraint model above a shot
> tomorrow. Thanks, Chris

Honestly, it's like 3 pages of reading, most of which is tables and
examples. Reading the servlet spec (it's not your average spec: mere
mortals *can* read and understand it) should be required in order to
develop web applications.

- -chris


RE: Tomcat Built-in WinAuth - NEW THREAD

Posted by Chris Fors <ch...@hotmail.com>.
> Date: Mon, 4 Mar 2013 23:32:34 +0100
> From: aw@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: Tomcat Built-in WinAuth - NEW THREAD
> 
> Mark Thomas wrote:
> > On 04/03/2013 21:47, Chris Fors wrote:
> >> Could you please expand on what constraints you were referring to
> > 
> > Security constraints in web.xml
> > 
> >> and how they are best implemented, where, and in what syntax e.g. if implemented in web.xml what are the correct tags.
> > 
> > All defined in the Servlet spec.
> > 
> >> If implemented in web.xml what are the correct tags. I have not found this clarified anywhere, yet.
> > 
> > Again, see the servlet spec.
> 
> You will find an example in the "manager" webapp that comes with Tomcat.
> Look at (tomcat)/webapps/manager/WEB-INF/web.xml, parts like this :
> 
>    <security-constraint>
>      <web-resource-collection>
>        <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
>        <url-pattern>/html/*</url-pattern>
>      </web-resource-collection>
>      <auth-constraint>
>         <role-name>manager-gui</role-name>
>      </auth-constraint>
>    </security-constraint>
> 
> In not-quite-technical terms :
> 
> The above, present at the level of the webapp, specifies a "role" which the authenticated 
> user must have, in order to be able to access this part of the webapp.
> To determine if the user has that role, Tomcat must first know the user. This is what 
> "triggers" the authentication mechanism.
> If nothing forces Tomcat to authenticate the user of this webapp, the authentication 
> method may well be specified, but it will not be invoked.
> 
Was hoping to not have to hunt through the complete JSR 315 specification. I will give the constraint model above a shot tomorrow. Thanks, Chris

Re: Tomcat Built-in WinAuth - NEW THREAD

Posted by André Warnier <aw...@ice-sa.com>.
Mark Thomas wrote:
> On 04/03/2013 21:47, Chris Fors wrote:
>> Could you please expand on what constraints you were referring to
> 
> Security constraints in web.xml
> 
>> and how they are best implemented, where, and in what syntax e.g. if implemented in web.xml what are the correct tags.
> 
> All defined in the Servlet spec.
> 
>> If implemented in web.xml what are the correct tags. I have not found this clarified anywhere, yet.
> 
> Again, see the servlet spec.

You will find an example in the "manager" webapp that comes with Tomcat.
Look at (tomcat)/webapps/manager/WEB-INF/web.xml, parts like this :

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
       <url-pattern>/html/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
        <role-name>manager-gui</role-name>
     </auth-constraint>
   </security-constraint>

In not-quite-technical terms :

The above, present at the level of the webapp, specifies a "role" which the authenticated 
user must have, in order to be able to access this part of the webapp.
To determine if the user has that role, Tomcat must first know the user. This is what 
"triggers" the authentication mechanism.
If nothing forces Tomcat to authenticate the user of this webapp, the authentication 
method may well be specified, but it will not be invoked.




Re: Tomcat Built-in WinAuth - NEW THREAD

Posted by Mark Thomas <ma...@apache.org>.
On 04/03/2013 21:47, Chris Fors wrote:
> Could you please expand on what constraints you were referring to

Security constraints in web.xml

> and how they are best implemented, where, and in what syntax e.g. if implemented in web.xml what are the correct tags.

All defined in the Servlet spec.

> If implemented in web.xml what are the correct tags. I have not found this clarified anywhere, yet.

Again, see the servlet spec.

Mark

