tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: IIS, Tomcat, JNDI and ActiveDirectory
Date Tue, 29 Sep 2009 15:45:14 GMT
Hi Joerg.
The following remarks are more a question from me than an answer to 
you. I am also interested in a real answer from someone who really knows.

Buchner, Joerg [T0I] (VW Sachsen) wrote:
> Hi,
> 
> I've got a Microsoft IIS 6.0 web service.
> Behind the IIS is an Apache Tomcat 5.5.26 (connected via ISAPI and the
> AJP/1.3 protocol).
> 
> In the IIS "Integrated Windows Authentication" is enabled.

Ok, so IIS authenticates the user's browser session, and gets a Windows 
Domain user-id.
Then the AJP protocol passes this user-id to Tomcat (presumably as a 
request attribute).

> 
> In server.xml, tomcatAuthentication is set to false.

All right, so Tomcat "believes" the user-id as it is given by AJP, and 
sets this in its own internal UserPrincipal structure.

> Also, I've configured a JNDI Realm:
> 
>  <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>         connectionURL="ldap://********:389/"
>         connectionName="*************"
>         connectionPassword="*********"
>         userBase="OU=******,OU=********,OU=******,DC=******,DC=********"
>         userSearch="(sAMAccountName={0})"
>         userSubtree="true"
>         userRoleName="memberOf"
>         roleBase="OU=******,OU=******,OU=******,OU=******,OU=*********,DC=*****,DC=*****"
>         roleName="name"
>         roleSubtree="true"
>         roleSearch="(cn={0})"
>  />
> 

Does the above not *interfere* with what you are trying to do, more than 
it helps?
I mean, you already have an authenticated user-id, of which you are sure 
that it is in the AD directory.  All that is needed now, is to get from 
AD, whatever fields that contain the "role-name"(s) which we are looking 
for, and compare with what we want to allow for this webapp.
Do the "roles" or "groups", as understood by AD, match the "roles" as 
understood by Tomcat?

> In the web.xml of Tomcat (/conf/web.xml) I've configured a
> security-constraint:
> 
> <security-constraint>
> 	<web-resource-collection>
> 		<web-resource-name>Test</web-resource-name>
> 		<url-pattern>/*</url-pattern>
> 		<http-method>GET</http-method>
> 		<http-method>POST</http-method>
> 		<http-method>PUT</http-method>
> 		<http-method>DELETE</http-method>
> 	</web-resource-collection>
> 	<auth-constraint>
> 		<role-name>some_ad_role_name</role-name>
> 	</auth-constraint>
> </security-constraint>
> 
> 
> 
> <security-role>
> 	<description>Only 'tomcat' role is allowed to access this web
> application</description>
> 	<role-name>some_ad_role_name</role-name>
> </security-role>
> 
> 

As far as I understand, with the above, Tomcat is going to issue an 
HttpServletRequest.isUserInRole("some_ad_role_name") call, and only 
allow access if the response is true.
Is that going to work in this case ?
It is not very clear (to me at least), what this isUserInRole() is going 
to refer to.

> Now,
> I'd like to realize that Tomcat gives access only to users
> who are in one Active Directory group detected on IIS.
> 

Since you already receive an authenticated user-id from IIS (but only a 
user-id), I would do the rest with a servlet filter wrapping your 
application (and allowing access or not depending on what it finds in AD 
for this user), rather than with the standard Tomcat declarative 
security model.

But maybe that's only my own ignorance speaking.


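The servlet-filter approach suggested above, written out as an added example (this is not code from the thread or from Tomcat). It assumes the filter runs behind an AJP connector with tomcatAuthentication="false", so that getRemoteUser() already carries the account IIS authenticated; the init-param names, the LDAP URL, the bind account and the group DN are all assumptions for the example and must be replaced with real values.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical example filter (not from the thread): trust the user-id IIS passed over AJP,
// then consult AD for that account's group membership and allow or deny the request.
// All init-param names and the LDAP values are assumptions for this example.
public class AdGroupFilter implements Filter {
    private String ldapUrl;         // e.g. "ldap://dc.example.local:389" (placeholder)
    private String bindDn;          // service account that may read user objects
    private String bindPassword;
    private String userBase;        // OU under which the user objects live
    private String requiredGroupDn; // full DN of the one AD group allowed in

    public void init(FilterConfig cfg) throws ServletException {
        ldapUrl = cfg.getInitParameter("ldapUrl");
        bindDn = cfg.getInitParameter("bindDn");
        bindPassword = cfg.getInitParameter("bindPassword");
        userBase = cfg.getInitParameter("userBase");
        requiredGroupDn = cfg.getInitParameter("requiredGroupDn");
        if (ldapUrl == null || bindDn == null || bindPassword == null
                || userBase == null || requiredGroupDn == null) {
            throw new ServletException("AdGroupFilter: a required init-param is missing");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // With tomcatAuthentication="false" on the AJP connector this is the name IIS authenticated.
        String user = request.getRemoteUser();
        if (user == null || user.length() == 0) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (isMemberOfRequiredGroup(toSamAccountName(user))) {
            chain.doFilter(req, res);
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    // IIS may hand over "DOMAIN\user" or "user@domain"; sAMAccountName is the bare part.
    static String toSamAccountName(String user) {
        int backslash = user.lastIndexOf('\\');
        if (backslash >= 0) return user.substring(backslash + 1);
        int at = user.indexOf('@');
        return at > 0 ? user.substring(0, at) : user;
    }

    // True only when the lookup succeeds and the group appears in memberOf; any error fails closed.
    boolean isMemberOfRequiredGroup(String samAccountName) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[] { "memberOf" });
            // {0} is substituted by JNDI, so the name is not spliced into the filter string by hand.
            NamingEnumeration<SearchResult> results = ctx.search(
                    userBase, "(sAMAccountName={0})", new Object[] { samAccountName }, controls);
            if (!results.hasMore()) return false;            // unknown account
            Attribute memberOf = results.next().getAttributes().get("memberOf");
            if (memberOf == null) return false;               // no direct group memberships
            NamingEnumeration<?> groups = memberOf.getAll();
            while (groups.hasMore()) {
                // DN comparison is case-insensitive; nested group membership is NOT expanded.
                if (requiredGroupDn.equalsIgnoreCase(String.valueOf(groups.next()))) return true;
            }
            return false;
        } catch (NamingException e) {
            return false;                                     // directory error: deny
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
    }

    public void destroy() { }
}
```

Wire it up in the webapp's web.xml with a `<filter>` element carrying the five init-params and a `<filter-mapping>` on `<url-pattern>/*</url-pattern>`; the security-constraint and JNDIRealm then are no longer what decides access for this requirement. Two points worth keeping in mind: the bind password in web.xml is the same secret that the Realm's connectionPassword already exposes, so protect the file the same way, and memberOf lists only direct memberships, so a user who is in the required group only via a nested group is denied unless the check is extended.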

