tomcat-users mailing list archives

From "Allistair Crossley" <Allistair.Cross...@QAS.com>
Subject RE: IIS, Tomcat and NTLM Authentication
Date Thu, 27 Jan 2005 11:30:05 GMT
Sorry! Just noticed you are not moving to TC 5. Perhaps this does not solve your problem after all.

> -----Original Message-----
> From: Allistair Crossley 
> Sent: 27 January 2005 11:28
> To: Tomcat Users List
> Subject: RE: IIS, Tomcat and NTLM Authentication
> 
> 
> Hi,
> 
> Sounds like you need to set tomcatAuthentication="false" for JK.
> 
> Have a look at my blog on upgrading issues here
> 
> http://www.adcworks.com/blog/
> 
> Allistair.
> 
> > -----Original Message-----
> > From: Sue Roe [mailto:sue.roe@cmi-plc.com]
> > Sent: 27 January 2005 11:09
> > To: Tomcat-User@Jakarta. Apache. Org (tomcat-user@jakarta.apache.org)
> > Subject: IIS, Tomcat and NTLM Authentication
> > 
> > 
> > Hi
> > 
> > We have just upgraded our server software, running a Java application, as follows:
> > 
> > From:
> > IIS 4, Tomcat 4.1 - both running on same server - NT4
> > 
> > To:
> > IIS 5, Tomcat 4.1 - both running on same server - Windows 2000
> > 
> > The application is to be available to all staff, either over the Intranet or the Internet.
> > 
> > An issue has arisen with NTLM authentication. We extract a user's domain\username details using NTLM Authentication; the code is listed at the bottom of this e-mail. This mechanism worked 100% on the old configuration. Unfortunately, with the IIS server upgrade and change in OS, the authentication details do not seem to be being picked up in two scenarios.
> > 
> > 1. IE 6, unless Enable Integrated Windows Authentication is disabled. We don't really want Browser settings to affect access.
> > 2. IE 5! (We are trying to force client sites to upgrade to IE6, but still why does the NTLM Authentication break down here?)
> > 
> > The IIS settings are as follows:
> > 
> > Default Web Site:
> >     Anonymous Access - OFF
> >     Basic Authentication - ON
> >     Integrated Windows Authentication - ON
> > 
> > Jakarta Virtual Directory:
> >     Anonymous Access - ON
> >     Basic Authentication - ON
> >     Integrated Windows Authentication - ON
> > 
> > If anyone has had any similar experiences or knows of any other mechanism to retrieve domain/username, it would be great to hear.
> > 
> > Thanks
> > 
> > Sue
> > 
> > 
> > Code to Extract domain/user Details
> > 
> > ***************************************************************************************
> > 
> > // Hand-rolled NTLM handshake: read the client's Authorization header.
> > String auth = request.getHeader("Authorization");
> >             if (auth == null) {
> >                 // No credentials yet: ask the browser to start NTLM.
> >                 response.setStatus(response.SC_UNAUTHORIZED);
> >                 response.setHeader("WWW-Authenticate", "NTLM");
> >                 return;
> >             }
> >             String domain = "";
> >             String username = "";
> >             if (auth.startsWith("NTLM ")) {
> >                 byte[] msg = new sun.misc.BASE64Decoder().decodeBuffer(auth.substring(5));
> >                 int off = 0, length, offset;
> >                 if (msg[8] == 1){
> >                     // Type 1 (negotiate) received: reply with a fixed 40-byte Type 2 (challenge).
> >                     byte z = 0;
> >                     byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P',
> >                         z,(byte)2, z, z, z, z, z, z, z,(byte)40, z, z, z,
> >                         (byte)1, (byte)130, z, z,z, (byte)2, (byte)2,
> >                         (byte)2, z, z, z, z, z, z, z, z, z, z, z, z};
> >                     response.setHeader("WWW-Authenticate", "NTLM " +
> >                         new sun.misc.BASE64Encoder().encodeBuffer(msg1));
> >                     response.sendError(response.SC_UNAUTHORIZED);
> >                     return;
> >                 } else if (msg[8] == 3) {
> >                     // Type 3 (authenticate): 16-bit little-endian length/offset pairs.
> >                     // Each byte is masked with 0xFF because Java bytes are signed.
> >                     off = 30;
> >                     length = (msg[off+17] & 0xFF)*256 + (msg[off+16] & 0xFF);
> >                     offset = (msg[off+19] & 0xFF)*256 + (msg[off+18] & 0xFF);
> >                     String remoteHost = new String(msg, offset, length);
> >                     length = (msg[off+1] & 0xFF)*256 + (msg[off] & 0xFF);
> >                     offset = (msg[off+3] & 0xFF)*256 + (msg[off+2] & 0xFF);
> >                     domain = new String(msg, offset, length);
> >                     length = (msg[off+9] & 0xFF)*256 + (msg[off+8] & 0xFF);
> >                     offset = (msg[off+11] & 0xFF)*256 + (msg[off+10] & 0xFF);
> >                     username = new String(msg, offset, length);
> >                     String employeeNTLogin = domain + "\\" + username;
> >                     context.log("User NT Login: "+ employeeNTLogin + ":: " + new Date(System.currentTimeMillis()));
> >                     session.setAttribute (Constants.DATABASE, context.getAttribute(Constants.DATABASE));
> >                     Employee userEmployee=null;
> >                     // 1. Get Employee Object for NT Login of User & Roles
> >                     try {
> >                         userEmployee = myEmployeeDAO_Pool.getDetailsByNTLogin(employeeNTLogin);
> >                     } catch (DAOException daoex){
> >                         // Lookup failure is ignored; userEmployee stays null.
> >                     }
> >                     session.setAttribute(Constants.USER_EMPLOYEE, userEmployee);
> > 
> > etc etc
> > 
> >  
> > 
> > ***************************************************************************************
> > 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 
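
A stricter way to read the same Type 3 fields that the quoted servlet code extracts, as an added example that is not part of either message. It assumes Java 8+ (`java.util.Base64` in place of `sun.misc.BASE64Decoder`) and the 64-byte Type 3 header that carries the flags field; the class and method names are hypothetical. The values it returns are whatever the client put in the message, so they identify a user only once the NTLM response has been verified, which is the job IIS does when `tomcatAuthentication="false"` lets Tomcat take the user from the web server.

```java
import java.nio.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example; the class and method names are hypothetical, not from the thread.
public class NtlmType3Fields {
    private static final byte[] SIG = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
    // Mask with 0xFF: Java bytes are signed, so values above 127 would go negative.
    static int u16(byte[] m, int i) { return (m[i] & 0xFF) | ((m[i + 1] & 0xFF) << 8); }
    static long u32(byte[] m, int i) { return u16(m, i) | ((long) u16(m, i + 2) << 16); }
    // One security buffer: u16 length, u16 allocated length, u32 offset.
    static String field(byte[] m, int at, boolean unicode) {
        int len = u16(m, at);
        long off = u32(m, at + 4);
        if (len == 0) return "";
        if (off < 64 || off + len > m.length)
            throw new IllegalArgumentException("security buffer outside message");
        return new String(m, (int) off, len,
                unicode ? StandardCharsets.UTF_16LE : StandardCharsets.ISO_8859_1);
    }

    // Returns {domain, user, workstation}: client-asserted values, not yet verified.
    static String[] parse(String header) {
        if (header == null || !header.startsWith("NTLM "))
            throw new IllegalArgumentException("not an NTLM Authorization header");
        byte[] m = Base64.getDecoder().decode(header.substring(5).trim());
        if (m.length < 64) throw new IllegalArgumentException("too short (assumes 64-byte header)");
        for (int i = 0; i < SIG.length; i++)
            if (m[i] != SIG[i]) throw new IllegalArgumentException("bad signature");
        if (u32(m, 8) != 3) throw new IllegalArgumentException("not a Type 3 message");
        boolean unicode = (u32(m, 60) & 0x1) != 0; // NTLMSSP_NEGOTIATE_UNICODE
        return new String[] {field(m, 28, unicode), field(m, 36, unicode), field(m, 44, unicode)};
    }

    public static void main(String[] args) {
        // Constructed sample: 64-byte header, then three UTF-16LE names.
        String[] names = {"CORP", "jdoe", "WS01"};
        ByteBuffer b = ByteBuffer.allocate(64 + 24).order(ByteOrder.LITTLE_ENDIAN);
        b.put(SIG).putInt(3).putInt(60, 0x1); // signature, message type 3, Unicode flag
        int off = 64;
        for (int i = 0; i < 3; i++) {
            byte[] s = names[i].getBytes(StandardCharsets.UTF_16LE);
            b.putShort(28 + 8 * i, (short) s.length).putShort(30 + 8 * i, (short) s.length).putInt(32 + 8 * i, off);
            System.arraycopy(s, 0, b.array(), off, s.length);
            off += s.length;
        }
        System.out.println(String.join(" | ", parse("NTLM " + Base64.getEncoder().encodeToString(b.array()))));
    }
}
```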
