tomcat-users mailing list archives

From "Newman, John W" <>
Subject How to have some webapps use IIS security and some not?
Date Wed, 01 Aug 2007 13:38:27 GMT


This is a nasty problem but I hope someone out there has figured it out.
We have been using tomcat 5.5.17, IIS 6, and JK2 happily for about a
year now.  Up to this point, we have not used IIS directory security to
pass the NT username to tomcat.  Some of our webapps have no security
requirements, some have their own security mechanism, but now we have
one that would benefit from pulling the NT username from IIS.


I have gotten all that to work fine on localhost,
getRequest().getRemoteUser() returns exactly what I want.  The issue is
that on the actual server, it's either all or nothing.  In IIS the
Jakarta virtual directory either has security or not.  I can't specify
it at the webapp level.


So I thought maybe I could have two tomcat instances on the same
machine, one Jakarta directory w/o security, and the other with it
turned on.  I was able to get both instances installed, but I can't get
the second (secure) one connected to IIS.  I spent a good bit of time
with this yesterday and have gotten pretty close.  


I actually hex edited the second isapi_redirector2.dll to change the
registry key to point to Isapi Redirector\2.1 instead of Isapi
Redirector\2.0.  That allowed me to have two instances pointing to
c:\tomcat and c:\tomcat-sec ... I could have just rebuilt the thing from
source but am too busy/lazy to sit through the visual studio install yet
again ... that seriously takes like 45 minutes :)


So I got to that point where everything should work, right?  Well, sort
of, the second filter at the bottom of the order in IIS works.  The
first one just hangs.  If I switch the order, the other one works fine
and the one that was working breaks.  I ran across this which looks like
a similar problem with jk1


Just wondering if anyone out there can give me some ideas.  Maybe two
tomcat instances is not the way to go and there is a better solution.
I just need to figure out how to have some webapps be able to pull the
NT name and some not.


Thanks for any help

