tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Luca Ventura" <ventl...@tiscali.it>
Subject BASIC authentication in Tomcat+IIS (one useful information)
Date Thu, 31 Oct 2002 10:11:51 GMT

Hello!

I have another useful information about the problem described below that I
have
posted some day ago wihout receiving no solution for it :(((

If I use Tomcat 4.x as Web Server (standalone mode), instead of
IIS, the BASIC Authentication works well also on Server 1!

This means there must be some strange setting in IIS or in Windows 2000
Advanced Server that forces the Tomcat's ISAPI filter (that is to say
when Tomcat is used only as Servlet Container) not to ask for login
and password to the user but to get their values directly from the system.

I hope someone can help me.

Best regards,

                      Luca

-----Messaggio originale-----
Da: Luca Ventura [mailto:ventluca@tiscali.it]
Inviato: martedì 29 ottobre 2002 12.12
A: tomcat-dev
Oggetto: BASIC authentication in Tomcat+IIS


Hello everybody!

I have the following GREAT problem with basic authentication in Tomcat....

I have two servers configured as follows:

Server 1:

Operating system: Windows 2000 Advanced Server
Web Server: IIS 5.0
Servlet Container: Tomcat 4.x

Server 2: Windows XP Professional
Web Server: IIS 5.0
Servlet Container: Tomcat 4.x

Server 2 is not connected to the Internet but it is used to test web
applications before passing them in the production environment deployed in
Server 1. In fact Server 1 is connected to the Internet
and contains all the final versions of Web Applications.

So I connect to Server 1 using a real domain name (for example:
www.mydomain.com) while I connect to Server 2  using "localhost".

In both Servers I use Tomcat 4.x as Servlet Container and Micrososft IIS 5
as Web Server. I installed the ISAPI filter to redirect to Tomcat all the
requests to Servlet/JSP pages or to web sites based on such
java-technologies.

I have tried to protect some Servlet/jsp-pages  using basic authentication
of Tomcat. So I configured the following tomcat files in such way:

server.xml:

...

<!-- Define an AJP 1.3 Connector on port 8009 -->

    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
               port="8009" minProcessors="5" maxProcessors="75"
               acceptCount="10" debug="0"/>

....

  <Realm className="org.apache.catalina.realm.MemoryRealm" />

...


tomcat-users.xml:

<tomcat-users>
  <user name="admin" password="tomcat" roles="adminrole" />
 </tomcat-users>

web.xml:

<security-constraint>
      <display-name>Autenticazione Tomcat</display-name>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
	 <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/MyServlet</url-pattern>
	      </web-resource-collection>
      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <role-name>adminrole</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- Default login configuration uses form-based authentication -->
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Autenticazione Tomcat</realm-name>
    </login-config>


Server.xml and tomcat-users.xml are present in /conf folder of Tomcat, while
web.xml in the WEB-INF folder
of the web application that contains the resource (in this case the servlet
"MyServlet") that I want to protect.


All works fine in Server 2 (localhost): in fact when I connect to the
protected resource (servlet "MyServlet")Tomcat asks me in a window the login
and the password to access to the resource. The problem appears after moving
my application in Server 2 (production environment) because when I try to
connect to the protected servlet I receive from Tomcat the following error
page:

Apache Tomcat/4.0.4-b3 - HTTPS Status 403 - Access to the requested resource
has been denied

type: Status report
message: Access to the requested resource has been denied
description: Access to the specified resource (Access to the requested
resource has been denied) has been forbidden.

The strange thing is that Tomcat, before showing the error page, doesn't ask
to me for the login and the password to access the resource (as in the first
case). It seems that IIS
passes automatically an internal login and password to Tomcat to access to
the protected resource: given that they are not correct I receive an error
message
from Tomcat. Anyway I am not sure of this but I suspect that the problem
is in Windows 2000 Advanced Server because when I try to access to Server 2,
where there is Windows XP installed , all works fine.

I have heard that this problem could occur in Windows 2000 only when realm
authentication is not set in IIS,
but i am not sure and in any case I have no idea how to set realm
authentication  in IIS.

I hope someone can help me to solve this problem.

Thanks a lot in advance!

                             Luca


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message