tomcat-users mailing list archives

From Joakim Ahlén <joak...@geosition.com>
Subject Tomcat 4.0.1 / 4.0.2b2 + IIS + <security-constraint>
Date Fri, 25 Jan 2002 10:43:35 GMT
Hi,

I've done some extensive testing of the above environment with no
success. The basic idea is to restrict the URL
http://localhost:8080/1/admin by a security-constraint (form or basic
auth), and have it forwarded to IIS as the URL:
http://localhost/1/admin, preserving Tomcat's form or basic
authentication mechanism.

First of all, redirecting of a directory without a security-constraint
works fine, i.e. http://localhost:8080/1/ gives the same as
http://localhost/1/

When trying this without the isapifilter directly to port 8080,
everything works fine, I get my basic auth dialog and I can log in. But
if I try http://localhost/1/admin/ via IIS instead, I immediately get an
error 403 (Forbidden). I've traced this to probably being an AJP13
error. The Ajp13-log during this request shows:

-------------------------------------------------------
[Ajp13] === BaseRequest ===
method          = GET
protocol        = HTTP/1.1
requestURI      = /1/admin/index.jsp

...
------ snip... -------
...

cookies         = === Cookies ===
Cookie JSESSIONID=2862D7C5E9B5B05452C9BA4F8BBF9D6B ; 0 null null

jvmRoute        = null
=== AjpRequest ===
jvmRoute        = null

[Ajp13] sendHeaders()
[Ajp13] status is:  403(Forbidden)
[Ajp13] send()
[Ajp13] sending msg, len = 35
[Ajp13] doWrite(byte[], 0, 735)
[Ajp13] send()
[Ajp13] sending msg, len = 743
[Ajp13] finish()
[Ajp13] send()
[Ajp13] sending msg, len = 6
[Ajp13] recycle()
[Ajp13] receiveNextRequest()
[Ajp13] receive()
-------------------------------------------------------

This shows that at least the auth cookie is recognized, but in a request
to the page without security-constraint, it shows the exact same thing,
except with status 200 (or 302). With cookie and everything.

I've even browsed through the Ajp13-code, and found that this error
might come from 2 or 3 places where constraints/roles and other stuff
are checked.

Is this a bug, or is support for security-constraints simply not
implemented in Ajp13? Is the bug really in Ajp13, that is, will it be
the same thing if I try mod_jk and Apache instead?

I've tried setting the tomcatAuthenticating-parameter in the
Ajp13Connector to both false and true with no result. I've tried both
Tomcat 4.0.1 and 4.0.1b2 with the same result.

Please help. :)

Many thanks in advance.

//Joakim

____________________________________________________________
 Joakim Ahlén                    joakim.ahlen@geosition.com 
 Geosition AB                      http://www.geosition.com 
 Stena Center 1A                    phone: +46 31 772 81 91 
 SE-412 92 Gothenburg                 fax: +46 31 772 80 91 
 Sweden                                 Mob: +46 70 6508304 
____________________________________________________________


