tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mohr James <>
Subject Tomcat 3.2.1 security newbie - Basic authentication Win2k/MIIS
Date Mon, 15 Apr 2002 08:27:47 GMT
Hi all!

I am trying to implement an Intranet/Extranet where menus are created
dynamic based on the username. To determine the user, I am using REMOTE_USER
and this works fine with active service pages. However, any JSP page does
not seem to be able to read this correctly. Because we have to use Tomcat
for a specific application, we would like to limit the number of languages
we use, so we don't have to use Java plus VBScript.   

I set up the perms in IIS for Basic authentication only. When I try to
connect to the page, I get the popup and login, then the page is displayed.
In the jsp-page I have the following:

   username = request.getRemoteUser();
   host = request.getRemoteHost();
 %>Authtype: <%=authtype %><BR> <%
  %>Username: <%=username %><BR> <%
  %>Host:    <%=host %><BR> <%

In the web.xml I have this: 

         <web-resource-name>Protected Area</web-resource-name>
	 <!-- Define the context-relative URL(s) to be protected -->
	 <!-- If you list http methods, only those methods are protected -->
         <!-- Anyone with one of the listed roles may access this area -->

    <!-- Default login configuration uses BASIC authentication -->
      <realm-name>Example Basic Authentication Area</realm-name>

Whnen I try to access /sd-sp4-test/Kunde/start.jsp, *without* asking me for
a username and password, I get the following:

Authtype: null
Username: null

This says the user has not logged in. If I try to load
/sd-sp4-test/Kunde/login.html, I get the standard popup and am I can input
username/password with no problem. It seems that the JSP redirectory kicks
in before the basic authentication. So, maybe I am not clear on the concept.
Is the basic authentication from MIIS, or is Tomcat doing on its own?
Looking through the mailing list archive, it seems that tomcat is doing
this. However, when I turn off basic authentication in MIIS and set it to
anonymous, I still have the same problem.  

The directory /sd-sp4-test is defined as a virtual directory within IIS. I
found a reference on saying that "the url pattern is relative to
your web context", but I am confused as to what the "context" is here. 

Could the problem be as simple as using the wrong object and method (i.e.
something other than request.getRemoteUser(); ). 

One important aspect is the ability to set permissions at the Win2K level
that are respected by the web server, rather than having to do all of the
security ourselves. We have several customers with different users and need
to keep data from each customer seperate, plus give access to specific areas
only to specific users (i.e. only management gets access to the reporting

Any and all help would be greatly appreaciated.


Jim Mohr

ELAXY Brokerage & Trading GmbH & Co KG
James Mohr
Help Desk Manager
Am HofbrÀuhaus 1
96450 Coburg 
Fon +49 (0) 95 61.55 43.0
Fax +49 (0) 95 61.55 43.302
"Science has promised man power...But, as so often happens when people are 
seduced by promises of power, the price is servitude and impotence.  Power
nothing if it is not the power to choose."
Joseph Weizenbaum of MIT said in reference to Computers.
The Great Linux-NT Debate: 

To unsubscribe:   <>
For additional commands: <>
Troubles with the list: <>

View raw message