From Sue Roe <sue....@cmi-plc.com>
Subject RE: IIS, Tomcat and NTLM Authentication
Date Fri, 28 Jan 2005 13:53:18 GMT
Thanks, Allistair.

Your blog was very interesting; I had in fact already found it. I think we
should probably upgrade here, so I will be sure to read it when we do.

Since posting this query I have in fact found a fix, typical! I explored the
contents of the Authorization header and noted that rather than the auth
String starting with 'NTLM' it starts with 'Negotiate' in the scenarios that
didn't work! The encoded Domain and Username were still there, so I just
retrieved them as well.

Thanks for your reply.

Regards
Sue
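As an added example (not code from the thread), the following Python parser reads the same NTLM Type 3 (authenticate) message as the Java snippet below, but accepts it under either the "NTLM" or the "Negotiate" scheme, as Sue found was needed. It reads the security buffers as unsigned little-endian values (the Java snippet's `msg[i]*256 + msg[j]` breaks on bytes over 127, since Java bytes are signed) and decodes UTF-16LE when the unicode flag is set. The names it returns are whatever the client put in the message; nothing here checks the NT response against the server challenge. `build_type3` and the `SAMPLE_*` values are constructed test inputs, not real traffic.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # flag bit: string fields are UTF-16LE rather than OEM

def _secbuf(msg, pos):
    """Read a security buffer (uint16 len, uint16 maxlen, uint32 offset, little-endian)
    and return the payload bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]

def parse_type3(auth_header):
    """Return (domain, user, workstation) from a Type 3 token, else None.
    Identification only: the NT response is not verified here."""
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme not in ("NTLM", "Negotiate") or not token:
        return None
    try:
        msg = base64.b64decode(token)
    except ValueError:                # binascii.Error is a ValueError
        return None
    # Under "Negotiate" IE may send raw NTLMSSP (what Sue saw) or a DER-wrapped SPNEGO/Kerberos
    # token (first byte 0x60). Only the raw NTLMSSP form is handled; anything else is rejected.
    if not msg.startswith(NTLMSSP_SIGNATURE) or len(msg) < 52:
        return None
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        return None                   # Type 1 or Type 2, not the authenticate message
    # Flags sit at offset 60 when the client includes the session-key buffer and flags.
    flags = struct.unpack_from("<I", msg, 60)[0] if len(msg) >= 64 else NEGOTIATE_UNICODE
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    # Security buffers: LM 12, NT 20, domain 28, user 36, workstation 44, session key 52
    domain, user, workstation = (_secbuf(msg, pos).decode(codec) for pos in (28, 36, 44))
    return domain, user, workstation

def build_type3(domain, user, workstation, nt_response=b"\x11" * 24):
    """Constructed Type 3 message for testing only; a real client derives the NT response
    from its credentials and the Type 2 challenge (here it is a fixed dummy)."""
    fields = [b"", nt_response] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    header, payload, header_len = NTLMSSP_SIGNATURE + struct.pack("<I", 3), b"", 64
    for data in fields:               # LM, NT, domain, user, workstation, session key
        header += struct.pack("<HHI", len(data), len(data), header_len + len(payload))
        payload += data
    return header + struct.pack("<I", NEGOTIATE_UNICODE | 0x00000200) + payload

# Constructed samples: the same token under both schemes, plus a Type 1 that must be rejected
SAMPLE_TOKEN = base64.b64encode(build_type3("CORP", "jdoe", "WS01")).decode("ascii")
SAMPLE_NTLM = "NTLM " + SAMPLE_TOKEN
SAMPLE_NEGOTIATE = "Negotiate " + SAMPLE_TOKEN
SAMPLE_TYPE1 = "NTLM " + base64.b64encode(NTLMSSP_SIGNATURE + struct.pack("<I", 1) + bytes(24)).decode("ascii")
```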

-----Original Message-----
From: Allistair Crossley [mailto:Allistair.Crossley@QAS.com] 
Sent: 27 January 2005 11:30
To: Tomcat Users List
Subject: RE: IIS, Tomcat and NTLM Authentication

Sorry! Just noticed you are not moving to TC 5. Perhaps this does not solve
your problem after all.

> -----Original Message-----
> From: Allistair Crossley 
> Sent: 27 January 2005 11:28
> To: Tomcat Users List
> Subject: RE: IIS, Tomcat and NTLM Authentication
> 
> 
> Hi,
> 
> Sounds like you need to set tomcatAuthentication="false" for JK.
> 
> Have a look at my blog on upgrading issues here
> 
> http://www.adcworks.com/blog/
> 
> Allistair.
> 
> > -----Original Message-----
> > From: Sue Roe [mailto:sue.roe@cmi-plc.com]
> > Sent: 27 January 2005 11:09
> > To: Tomcat-User@Jakarta.Apache.Org (tomcat-user@jakarta.apache.org)
> > Subject: IIS, Tomcat and NTLM Authentication
> > 
> > 
> > Hi
> > 
> > We have just upgraded our server software, running a Java application, as follows:
> > 
> > From:
> > 
> > IIS 4, Tomcat 4.1 - both running on same server - NT4
> > 
> > To:
> > 
> > IIS 5, Tomcat 4.1 - both running on same server - Windows 2000
> > 
> > The application is to be available to all staff, either over the Intranet or the Internet.
> > 
> > An issue has arisen with NTLM authentication. We extract a user's domain\username details
> > using NTLM Authentication; the code is listed at the bottom of this e-mail. This mechanism
> > worked 100% on the old configuration. Unfortunately, with the IIS server upgrade and change
> > in OS, the authentication details do not seem to be picked up in two scenarios:
> > 
> > 1. IE 6, unless Enable Integrated Windows Authentication is disabled. We don't really want
> >    Browser settings to affect access.
> > 2. IE 5! (We are trying to force client sites to upgrade to IE6, but still, why does the
> >    NTLM Authentication break down here?)
> > 
> > The IIS settings are as follows:
> > 
> > Default Web Site:
> >     Anonymous Access - OFF
> >     Basic Authentication - ON
> >     Integrated Windows Authentication - ON
> > 
> > Jakarta Virtual Directory:
> >     Anonymous Access - ON
> >     Basic Authentication - ON
> >     Integrated Windows Authentication - ON
> > 
> > If anyone has had any similar experiences or knows of any other mechanism to
> > retrieve domain/username, it would be great to hear.
> > 
> > Thanks
> > 
> > Sue
> > 
> > Code to Extract domain/user Details
> > 
> > ****************************************************************************
> > 
> > // Comments added for clarity. The original used sun.misc.BASE64Decoder/Encoder;
> > // java.util.Base64 is the supported equivalent. Bytes are masked with 0xff when
> > // building lengths and offsets because Java bytes are signed.
> > String auth = request.getHeader("Authorization");
> > if (auth == null) {
> >     // No credentials yet: ask the browser to start the NTLM handshake
> >     response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
> >     response.setHeader("WWW-Authenticate", "NTLM");
> >     return;
> > }
> > String domain = "";
> > String username = "";
> > if (auth.startsWith("NTLM ")) {
> >     byte[] msg = java.util.Base64.getDecoder().decode(auth.substring(5));
> >     int off = 0, length, offset;
> >     if (msg[8] == 1) {
> >         // Type 1 (negotiate) received: reply with a fixed 40-byte Type 2 (challenge) message
> >         byte z = 0;
> >         byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P',
> >             z, (byte)2, z, z, z, z, z, z, z, (byte)40, z, z, z,
> >             (byte)1, (byte)130, z, z, z, (byte)2, (byte)2, (byte)2, z, z, z, z, z, z, z, z, z, z, z, z};
> >         response.setHeader("WWW-Authenticate", "NTLM " + java.util.Base64.getEncoder().encodeToString(msg1));
> >         response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
> >         return;
> >     } else if (msg[8] == 3) {
> >         // Type 3 (authenticate) received. off+0/+8/+16 land on the max-length halves of the
> >         // domain/user/workstation security buffers (at 28/36/44), which clients set equal to
> >         // the length. Only the names are read; the NT response itself is not verified here.
> >         off = 30;
> >         length = (msg[off+17] & 0xff) * 256 + (msg[off+16] & 0xff);
> >         offset = (msg[off+19] & 0xff) * 256 + (msg[off+18] & 0xff);
> >         String remoteHost = new String(msg, offset, length);
> >         length = (msg[off+1] & 0xff) * 256 + (msg[off] & 0xff);
> >         offset = (msg[off+3] & 0xff) * 256 + (msg[off+2] & 0xff);
> >         domain = new String(msg, offset, length);
> >         length = (msg[off+9] & 0xff) * 256 + (msg[off+8] & 0xff);
> >         offset = (msg[off+11] & 0xff) * 256 + (msg[off+10] & 0xff);
> >         username = new String(msg, offset, length);
> >         String employeeNTLogin = domain + "\\" + username;
> >         context.log("User NT Login: " + employeeNTLogin + ":: " + new Date(System.currentTimeMillis()));
> >         session.setAttribute(Constants.DATABASE, context.getAttribute(Constants.DATABASE));
> >         Employee userEmployee = null;
> >         // 1. Get Employee Object for NT Login of User & Roles
> >         try {
> >             userEmployee = myEmployeeDAO_Pool.getDetailsByNTLogin(employeeNTLogin);
> >         } catch (DAOException daoex) {
> >         }
> >         session.setAttribute(Constants.USER_EMPLOYEE, userEmployee);
> > etc etc
> > 
> > ****************************************************************************
> > 
> > 
> > 
> > 
> **********************************************************************
> >    ***Disclaimer***
> > 
> > The contents of this Email may be privileged and are 
> > confidential. If you are not the intended recipient, any 
> > disclosure, copying, distribution or any action taken or 
> > omitted to be taken in reliance on it, is prohibited and may 
> > be unlawful.
> > 
> > Should you wish to use Email as a mode of communication, CMi 
> > plc and its subsidiaries are unable to guarantee the security 
> > of Email content outside of our own computer systems.
> > 
> > This footnote also confirms that this e-mail message has been 
> > swept by Mimesweeper for the presence of computer viruses. 
> > Whilst we run anti-virus software, you are solely responsible 
> > for ensuring that any  e-mail or attachment you receive is 
> > virus free. We disclaim any liability for any damage you 
> > suffer as a consequence of receiving any virus.
> > 
> > Checkmate International plc (CMi)
> > Registered in England No 1899857 
> > Registered Office  4th Floor, 35 New Bridge Street, London, EC4V 6BW
> > Head Office Tele + 44  (0) 1993 885600
> > Head Office Fax  + 44  (0) 1993 885603
> > Web Site :  www.cmi-plc.com
> > 
> **********************************************************************
> > 
> > 
> 
> 
> -------------------------------------------------------
> QAS Ltd.
> Developers of QuickAddress Software
> www.qas.com
> Registered in England: No 2582055
> Registered in Australia: No 082 851 474
> -------------------------------------------------------
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 




