Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
From: "Luca Ventura" <ventluca@tiscali.it>
To: "tomcat-dev" <tomcat-dev@jakarta.apache.org>,
	"tomcat-user" <tomcat-user@jakarta.apache.org>
Cc: <asafb@mercury.co.il>,
	<BBui@sjm.com>,
	<A.Dellarmi@ELIS.ORG>
Subject: BASIC authentication in Tomcat+IIS (PROBLEM SOLVED: ERRATA
 CORRIGE!!!)
Date: Tue, 5 Nov 2002 09:35:14 +0100
Message-ID: <LKEKJLCGDHAFAGMLJJEBKEMCDBAA.ventluca@tiscali.it>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Importance: Normal

Hello everybody!

I wrote to notify you that some days ago I have posted a wrong solution
to the problem of the basic authentication of Tomcat with IIS
(below you can find my old post). In fact I believed that the reason why
basic authentication of Tomcat didn't work was due to compatibility problems
between tha jar files "ajp.jar" and "tomcat-util.jar" contained in
"tc4ntiis.zip" and Tomcat 4.x. Anyway after some tests I discovered that
this WAS NOT the cause of the problem: the REAL cause of the problem  was
that I had installed
in Tomcat 4.x the jar files of "tc4ntiis.zip" but not the isapi filter
"isapi_redirect.dll"
provided with the same .zip package. The version of the ISAPI filter I had
installed was
that one you can find in the Jakarta web site (isapi_redirector.dll) that IS
NOT FULLY
compatible with the jar files "ajp.jar" and "tomcat-util.jar" of
"tc4ntiis.zip".
All works correctly if you install with "ajp.jar" and "tomcat-util.jar" also
the "isapi_redirect.dll" present in "tc4ntiis.zip", or if you install
ONLY the "isapi_redirector.dll" of Jakarta web site.

I hope this can help someone else.

Thanks everybody for the patience!

                                        Luca

-----Messaggio originale-----
Da: Luca Ventura [mailto:ventluca@tiscali.it]
Inviato: gioved� 31 ottobre 2002 15.17
A: tomcat-dev; tomcat-user
Oggetto: BASIC authentication in Tomcat+IIS (PROBLEM SOLVED!!!)


Hello everybody!

I would like to notify you that I have solved the problem described
below after many days of hard work on it....

The solution is simple: to install Tomcat 4.x (I have installed
Tomcat 4.0.4-b2) as plug-in of IIS
to support JSP/Servlet you must download and install the package
"tc4ntiis.zip" that you can find at URL:

http://members.ozemail.com.au/~lampante/howto/tomcat/iisnt/#6


It contains the isapi filter "isapi_redirect.dll" that let IIS
to redirect JSP/Servlets requests to Tomcat 4.x.

Well...the package contains also two jar files: "ajp.jar" and
"tomcat-util.jar"
in the server\lib folder. If you install them in the same folder
of Tomcat the basic authentication  will not work any more
when you use Tomcat with the ISAPI filter (not in standalone mode).

In fact the original distribution of Tomcat 4.x contains two jar
files, "tomcat-util.jar" and "tomcat-ajp.jar", that performs
the same operations of the two files described above but have different
sizes and
use different classes. These two files are built to work correctly with
the version of Tomcat they are bundled with: so they MUST NOT
REPLACED!!! Given that "ajp.jar" and "tomcat-ajp.jar" have different
names you also must  worry not to install both of them in the server\lib
folder
of Tomcat: because it can happen that the classes of the first file will
be used from Tomcat instead of those of the second one.

THIS MEANS THAT YOU HAVE TO IGNORE THE FILES  "ajp.jar" and
"tomcat-util.jar"
OF THE PACKAGE "tc4ntiis.zip" and USE ONLY THE ISAPI FILTER.

Maybe when the author of the zip file generated the jar files
he didn't worry to test them with Tomcat 4.x: this means that he couldn't
note that they have some compatibility problem with
this version of Tomcat.

In attach you can find the original jar files of Tomcat 4.0.4b2 that I have
used
and that work correctly: you can use them to restore the correct
libs of Tomcat.

I hope this solution can help all of you too! :-)

Best regards,

                         Luca

-----Messaggio originale-----
Da: Luca Ventura [mailto:ventluca@tiscali.it]
Inviato: gioved� 31 ottobre 2002 12.32
A: tomcat-user
Oggetto: BASIC authentication in Tomcat+IIS (second useful information)


Hello!

I have another useful information about this problem...

The version of Tomcat I have is 4.0.4b3: is it possible
that this beta release contains some bug that doesn't
let Tomcat to support correctly BASIC authentication
(when it is used as Servlet Container and not in standalone mode)??

Anyway in this case I don't understand why in the test
environment the basic authentication of Tomcat works well....
in fact the problem is present only in production
environment using Server 1!

If someone has some idea or suggestion to solve this problem
I pray him to let me know (I am spending many work-days to solve it
without success)!

Thanks.

               Luca

-----Messaggio originale-----
Da: Luca Ventura [mailto:ventluca@tiscali.it]
Inviato: gioved� 31 ottobre 2002 11.12
A: tomcat-dev
Oggetto: BASIC authentication in Tomcat+IIS (one useful information)


Hello!

I have another useful information about the problem described below that I
have
posted some day ago wihout receiving no solution for it :(((

If I use Tomcat 4.x as Web Server (standalone mode), instead of
IIS, the BASIC Authentication works well also on Server 1!

This means there must be some strange setting in IIS or in Windows 2000
Advanced Server that forces the Tomcat's ISAPI filter (that is to say
when Tomcat is used only as Servlet Container) not to ask for login
and password to the user but to get their values directly from the system.

I hope someone can help me.

Best regards,

                      Luca

-----Messaggio originale-----
Da: Luca Ventura [mailto:ventluca@tiscali.it]
Inviato: marted� 29 ottobre 2002 12.12
A: tomcat-dev
Oggetto: BASIC authentication in Tomcat+IIS


Hello everybody!

I have the following GREAT problem with basic authentication in Tomcat....

I have two servers configured as follows:

Server 1:

Operating system: Windows 2000 Advanced Server
Web Server: IIS 5.0
Servlet Container: Tomcat 4.x

Server 2: Windows XP Professional
Web Server: IIS 5.0
Servlet Container: Tomcat 4.x

Server 2 is not connected to the Internet but it is used to test web
applications before passing them in the production environment deployed in
Server 1. In fact Server 1 is connected to the Internet
and contains all the final versions of Web Applications.

So I connect to Server 1 using a real domain name (for example:
www.mydomain.com) while I connect to Server 2  using "localhost".

In both Servers I use Tomcat 4.x as Servlet Container and Micrososft IIS 5
as Web Server. I installed the ISAPI filter to redirect to Tomcat all the
requests to Servlet/JSP pages or to web sites based on such
java-technologies.

I have tried to protect some Servlet/jsp-pages  using basic authentication
of Tomcat. So I configured the following tomcat files in such way:

server.xml:

...

<!-- Define an AJP 1.3 Connector on port 8009 -->

    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
               port="8009" minProcessors="5" maxProcessors="75"
               acceptCount="10" debug="0"/>

....

  <Realm className="org.apache.catalina.realm.MemoryRealm" />

...


tomcat-users.xml:

<tomcat-users>
  <user name="admin" password="tomcat" roles="adminrole" />
 </tomcat-users>

web.xml:

<security-constraint>
      <display-name>Autenticazione Tomcat</display-name>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
	 <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/MyServlet</url-pattern>
	      </web-resource-collection>
      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <role-name>adminrole</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- Default login configuration uses form-based authentication -->
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Autenticazione Tomcat</realm-name>
    </login-config>


Server.xml and tomcat-users.xml are present in /conf folder of Tomcat, while
web.xml in the WEB-INF folder
of the web application that contains the resource (in this case the servlet
"MyServlet") that I want to protect.


All works fine in Server 2 (localhost): in fact when I connect to the
protected resource (servlet "MyServlet")Tomcat asks me in a window the login
and the password to access to the resource. The problem appears after moving
my application in Server 2 (production environment) because when I try to
connect to the protected servlet I receive from Tomcat the following error
page:

Apache Tomcat/4.0.4-b3 - HTTPS Status 403 - Access to the requested resource
has been denied

type: Status report
message: Access to the requested resource has been denied
description: Access to the specified resource (Access to the requested
resource has been denied) has been forbidden.

The strange thing is that Tomcat, before showing the error page, doesn't ask
to me for the login and the password to access the resource (as in the first
case). It seems that IIS
passes automatically an internal login and password to Tomcat to access to
the protected resource: given that they are not correct I receive an error
message
from Tomcat. Anyway I am not sure of this but I suspect that the problem
is in Windows 2000 Advanced Server because when I try to access to Server 2,
where there is Windows XP installed , all works fine.

I have heard that this problem could occur in Windows 2000 only when realm
authentication is not set in IIS,
but i am not sure and in any case I have no idea how to set realm
authentication  in IIS.

I hope someone can help me to solve this problem.

Thanks a lot in advance!

                             Luca


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>