tomcat-users mailing list archives

From "Allistair Crossley" <Allistair.Cross...@QAS.com>
Subject RE: IIS, Tomcat and NTLM Authentication
Date Thu, 27 Jan 2005 11:27:39 GMT
Hi,

Sounds like you need to set tomcatAuthentication="false" for JK.

Have a look at my blog on upgrading issues here

http://www.adcworks.com/blog/

Allistair.

> -----Original Message-----
> From: Sue Roe [mailto:sue.roe@cmi-plc.com]
> Sent: 27 January 2005 11:09
> To: Tomcat-User@Jakarta. Apache. Org (tomcat-user@jakarta.apache.org)
> Subject: IIS, Tomcat and NTLM Authentication
> 
> 
> Hi
> 
> We have just upgraded our server software, running a Java application, as
> follows:
> 
> From:
> IIS 4, Tomcat 4.1 - both running on same server - NT4
> 
> To:
> IIS 5, Tomcat 4.1 - both running on same server - Windows 2000
> 
> The application is to be available to all staff, either over the Intranet
> or the Internet.
> 
> An issue has arisen with NTLM authentication. We extract a user's
> domain\username details using NTLM Authentication; the code is listed at the
> bottom of this e-mail. This mechanism worked 100% on the old configuration.
> Unfortunately, with the IIS server upgrade and change in OS, the
> authentication details do not seem to be being picked up in two scenarios.
> 
> 1. IE 6, unless Enable Integrated Windows Authentication is disabled.
>    We don't really want Browser settings to affect access.
> 2. IE 5! (We are trying to force client sites to upgrade to IE6, but
>    still why does the NTLM Authentication break down here?)
> 
> The IIS settings are as follows:
> 
> Default Web Site:
>     Anonymous Access - OFF
>     Basic Authentication - ON
>     Integrated Windows Authentication - ON
> 
> Jakarta Virtual Directory:
>     Anonymous Access - ON
>     Basic Authentication - ON
>     Integrated Windows Authentication - ON
> 
> If anyone has had any similar experiences or knows of any other mechanism to
> retrieve domain/username, it would be great to hear.
> 
> Thanks
> 
> Sue
> 
> Code to Extract domain/user Details
> 
> **********************************************************************
> 
> String auth = request.getHeader("Authorization");
> if (auth == null) {
>     // No credentials yet: ask the browser to start the NTLM handshake
>     response.setStatus(response.SC_UNAUTHORIZED);
>     response.setHeader("WWW-Authenticate", "NTLM");
>     return;
> }
> String domain = "";
> String username = "";
> if (auth.startsWith("NTLM ")) {
>     byte[] msg = new sun.misc.BASE64Decoder().decodeBuffer(auth.substring(5));
>     int off = 0, length, offset;
>     if (msg[8] == 1) {
>         // Type 1 (negotiate) received: answer with a fixed Type 2 (challenge)
>         byte z = 0;
>         byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P',
>             z, (byte)2, z, z, z, z, z, z, z, (byte)40, z, z, z,
>             (byte)1, (byte)130, z, z, z, (byte)2, (byte)2,
>             (byte)2, z, z, z, z, z, z, z, z, z, z, z, z};
>         response.setHeader("WWW-Authenticate", "NTLM " +
>             new sun.misc.BASE64Encoder().encodeBuffer(msg1));
>         response.sendError(response.SC_UNAUTHORIZED);
>         return;
>     } else if (msg[8] == 3) {
>         // Type 3 (authenticate) received: read the name fields.
>         // Bytes are masked with 0xFF because Java bytes are signed; without
>         // the mask any length or offset byte above 127 goes negative.
>         off = 30;
>         length = (msg[off+17] & 0xFF)*256 + (msg[off+16] & 0xFF);
>         offset = (msg[off+19] & 0xFF)*256 + (msg[off+18] & 0xFF);
>         String remoteHost = new String(msg, offset, length);
>         length = (msg[off+1] & 0xFF)*256 + (msg[off] & 0xFF);
>         offset = (msg[off+3] & 0xFF)*256 + (msg[off+2] & 0xFF);
>         domain = new String(msg, offset, length);
>         length = (msg[off+9] & 0xFF)*256 + (msg[off+8] & 0xFF);
>         offset = (msg[off+11] & 0xFF)*256 + (msg[off+10] & 0xFF);
>         username = new String(msg, offset, length);
>         String employeeNTLogin = domain + "\\" + username;
>         context.log("User NT Login: " + employeeNTLogin + ":: " +
>             new Date(System.currentTimeMillis()));
>         session.setAttribute(Constants.DATABASE,
>             context.getAttribute(Constants.DATABASE));
>         Employee userEmployee = null;
>         // 1. Get Employee Object for NT Login of User & Roles
>         try {
>             userEmployee = myEmployeeDAO_Pool.getDetailsByNTLogin(employeeNTLogin);
>         } catch (DAOException daoex) {
>             // lookup failure is ignored; userEmployee stays null
>         }
>         session.setAttribute(Constants.USER_EMPLOYEE, userEmployee);
> 
> etc etc
> 
> **********************************************************************
> 
> 
> 
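The Type 3 field layout that the quoted code reads by hand, as an added example that is not part of either post: a bounds-checked reader using unsigned little-endian reads and the character set the client negotiated. It assumes Java 8 or later, a client that sends the flags field at offset 60, and ISO-8859-1 as a stand-in for the OEM code page; the class name and the sample message in main are constructed for illustration.

```java
import java.nio.*;
import java.nio.charset.*;
import java.util.*;

// Added example (hypothetical class). The names are client-supplied and unverified.
public class NtlmType3Names {
    private static final byte[] SIGNATURE = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
    private static final int NEGOTIATE_UNICODE = 0x00000001;
    public final String domain, user, workstation;
    private NtlmType3Names(String d, String u, String w) { domain = d; user = u; workstation = w; }

    public static NtlmType3Names parse(String headerValue) {
        if (headerValue == null || !headerValue.startsWith("NTLM ")) {
            throw new IllegalArgumentException("not an NTLM Authorization header");
        }
        byte[] msg = Base64.getDecoder().decode(headerValue.substring(5).trim());
        ByteBuffer buf = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        // Assumption: the client sends the flags field, so the fixed header is 64 bytes.
        if (msg.length < 64 || !Arrays.equals(Arrays.copyOf(msg, 8), SIGNATURE) || buf.getInt(8) != 3) {
            throw new IllegalArgumentException("not an NTLM Type 3 message");
        }
        // Assumption: ISO-8859-1 stands in for the client's OEM code page.
        Charset cs = (buf.getInt(60) & NEGOTIATE_UNICODE) != 0
                ? StandardCharsets.UTF_16LE : StandardCharsets.ISO_8859_1;
        return new NtlmType3Names(field(buf, 28, cs), field(buf, 36, cs), field(buf, 44, cs));
    }

    // One security buffer: uint16 length, uint16 allocated, uint32 offset (little-endian).
    private static String field(ByteBuffer buf, int at, Charset cs) {
        int len = buf.getShort(at) & 0xFFFF;
        long off = buf.getInt(at + 4) & 0xFFFFFFFFL;
        if (off + len > buf.capacity()) {
            throw new IllegalArgumentException("field at " + at + " points outside the message");
        }
        return new String(buf.array(), (int) off, len, cs);
    }

    public static void main(String[] args) {
        // Constructed sample: empty LM/NT responses, three UTF-16LE names after the header.
        String[] names = {"CORP", "alice", "WS01"};
        ByteBuffer b = ByteBuffer.allocate(90).order(ByteOrder.LITTLE_ENDIAN);
        b.put(SIGNATURE).putInt(3).putInt(60, NEGOTIATE_UNICODE);
        for (int i = 0, data = 64; i < names.length; i++) {
            byte[] raw = names[i].getBytes(StandardCharsets.UTF_16LE);
            b.putShort(28 + 8 * i, (short) raw.length).putInt(32 + 8 * i, data);
            System.arraycopy(raw, 0, b.array(), data, raw.length);
            data += raw.length;
        }
        NtlmType3Names n = parse("NTLM " + Base64.getEncoder().encodeToString(b.array()));
        System.out.println(n.domain + "\\" + n.user + " from " + n.workstation);
    }
}
```

The reader only reports what the client put in the message; with tomcatAuthentication="false", as suggested in the reply, IIS validates the response and Tomcat receives the resulting principal instead.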