tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jens Mønster Sørensen <...@rgm.dk>
Subject IIS+authentication on multible locations with different permissions.
Date Mon, 19 Jun 2000 16:16:29 GMT
Hi

I have successfully installed ISAPI redirector as a filter in IIS by
following the instructions in :
http://jakarta.apache.org/cvsweb/index.cgi/jakarta-tomcat/src/doc/tomcat-iis
-howto.html

Then I set up basic authentication on the redirected location (Virtual
Directory) by selecting "properties | Directory Security | Edit (Access
anon...)", and unchecking "Anonymous access" and the special microsoft
"Challenge Response" authentication and then checking the "Basic
authentication", ignoring the warning about sending pasword in clear text
since since this communication in my application is SSL encrypted. The
access rights is then set up, by setting the permissions on the filesystem
folder (has to be NTFS) that you have mapped your virtual directory to
(where the isapi_redirect.dll is at).

And it all works fine both with NT 4.0 Server servicepack 6a IIS 4, and
Windows 2000 Advanced Server:-)

Now, my problem is that I have three locations that need to have different
access-rights/permissions e.g. one for public access, one for some special
users, and one for administrators of the system.

And using the way to get basic auth as described above, I have to create two
additional Virtual directories in my IIS Web site and map them to a new NTFS
folder each, put a isapi_redirect.dll in each, create a ISAPI filter to each
of these, and set the permissions on each folder.

Now the problem is that each of the three copies of the dll is are mapped
(in registry) to the same extension_uri e.g. /pub/isapi_redirect.dll, which
for the two other Virtual Directories will be in conflict with their
physical mapping in the file system where the permissions are set.

The solution/workaround/hack I have used for this problem is to edit the

#define REGISTRY_LOCATION       ("Software\\Apache Software
Foundation\\Jakarta Isapi Redirector\\1.0")

line in the "jk_isapi_plugin.c" , re-compile the dll, and rename it to match
the change for each new Virtual Directory I needed. So I made the two new
dll's, isapi_redirect_user.dll and isapi_redirect_adm.dll by setting the
REGISTRY_LOCATION as follows and re-compiling:

#define REGISTRY_LOCATION       ("Software\\Apache Software
Foundation\\Jakarta Isapi Redirector\\1.0\\user")

#define REGISTRY_LOCATION       ("Software\\Apache Software
Foundation\\Jakarta Isapi Redirector\\1.0\\adm")

And then of course create the new registry keys accordingly, copy the two
new redirector dll's to their respective filesystem folders, and edit the
ISAPI Filter definitions accordingly.

This actually works :-) !!

With the one exception, that if I access a servlet in the /adm/ location and
then with the same browser tries to access another servlet in e.g. the
/user/  location the IIS site in question dies :-| !!!!

If I on the other hand just after startup access a /adm/ servlet once from
one browser instance, and then from another browser instance access a /user/
servlet once, then from then on I have no problems what so ever !!!

I tried to change the
#define VERSION_STRING "Jakarta/ISAPI/1.0b1"
to reflect the different versions as well in case it didn't load it because
a dll of that version was allready known in this process, but it didn't
help.

But anyway this clearly is not a very healty solution to this problem.

So, am I going about this in an intirely wrong way ?
And, are there anybody out there that has a good solution to this problem ?

One way I guess would be to write my own Basic authentication filter, but I
would rather not ;-) So if any one knows about such a filter being available
I would like to hear about that too.

I know that I could get around this by doing form based authentication but
that is not an option in this project, e.g. making the authentication in a
servlet/jsp.

Thanks in advance

/Jens



Mime
View raw message