tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jason Harrop <>
Subject isapi_redirect Filter runs as local system account?
Date Fri, 27 Feb 2004 11:09:31 GMT

I'm mystified as to how the isapi_redirect filter treats interacts with
the NTFS permissions set on the physical dll file.

My intent is to restrict access to my Tomcat application to a users in a
particular Active Directory group.

I've tried to do this by setting the NTFS permissions on
isapi_redirect.dll to allow access by those users, and also by SYSTEM.

This shouldn't work according to Q158229, since according to that,
"ISAPI Filter DLLs, .. run in the original context of the IIS service.
All services run by default under the Local System account of the
machine on which they are installed."

But, on one Windows 2000 server, it works fine, provided the first user
to attempt to access the Tomcat context has the appropriate NTFS
permissions.  If that is the case, it seems that IIS correctly passes
users through (if they are in the Active Directory group) or gives them
a 403 (if they aren't).  On this machine things work with Windows
Integrated Authentication, or with Basic Authentication.

On another Windows 2000 server, everyone who can login to windows (its
using Windows integrated authentication), is passed through to tomcat by
the isapi_redirect filter (as you'd expect if Q158229 is correct and the
code in jakarta-tomcat-connectors/jk/native/iis/ isn't doing anything
tricky to impersonate the user or test whether the user can read

I'm not sure whether the code does
anything which would explain what is happening?  I had a quick look at
r1.22 of jk_isapi_plugin.c but couldn't see anything obvious.

I guess i could patch the code to at least test whether the user can
read the file, but it might be easier to use apache and something like
mod_ntlm or mod_sspi, or something else.



To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message