From: André Warnier
Reply-To: Tomcat Users List
To: Tomcat Users List
Date: Tue, 29 Sep 2009 17:45:14 +0200
Message-ID: <4AC22B8A.4070001@ice-sa.com>
Subject: Re: IIS, Tomcat, JNDI and ActiveDirectory

Hi Joerg.

The following remarks are more a question from me, than an answer to you.
I am interested also in a real answer from someone who really knows..

Buchner, Joerg [T0I] (VW Sachsen) wrote:
> Hi,
>
> I've got a Microsoft IIS 6.0 Webservice.
> Behind the IIS is an Apache Tomcat 5.5.26 (connected via ISAPI and
> AJP/1.3 protocol).
>
> In the IIS "Integrated Windows Authentication" is enabled.

Ok, so IIS authenticates the user's browser session, and gets a Windows
Domain user-id. Then the AJP protocol passes this user-id to Tomcat
(presumably as a request attribute).

> On server.xml tomcatAuthentication is set to false.

All right, so Tomcat "believes" the user-id as it is given by AJP, and
sets this in its own internal UserPrincipal structure.

> Also I've configured a JNDI Realm:
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        connectionURL="ldap://********:389/"
>        connectionName="*************"
>        connectionPassword="*********"
>
>        userBase="OU=******,OU=********,OU=******,DC=******,DC=********"
>        userSearch="(sAMAccountName={0})"
>        userSubtree="true"
>        userRoleName="memberOf"
>
>        roleBase="OU=******,OU=******,OU=******,OU=******,OU=*********,DC=*****,DC=*****"
>        roleName="name"
>        roleSubtree="true"
>        roleSearch="(cn={0})"
> />

Does the above not *interfere* with what you are trying to do, more than
it helps? I mean, you already have an authenticated user-id, of which you
are sure that it is in the AD directory. All that is needed now, is to get
from AD, whatever fields that contain the "role-name"(s) which we are
looking for, and compare with what we want to allow for this webapp.
Do the "roles" or "groups", as understood by AD, match the "roles" as
understood by Tomcat?
> In the web.xml of Tomcat (/conf/web.xml) I've configured a
> security-constraint:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Test</web-resource-name>
>     <url-pattern>/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>     <http-method>DELETE</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>some_ad_role_name</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <security-role>
>   <description>
>     Only 'tomcat' role is allowed to access this web application
>   </description>
>   <role-name>some_ad_role_name</role-name>
> </security-role>

As far as I understand, with the above, Tomcat is going to issue a
HttpServletRequest.isUserInRole("some_ad_role_name") call, and only allow
access if the response is true. Is that going to work in this case?
It is not very clear (to me at least), what this isUserInRole() is going
to refer to.

> Now,
> I'd like to realize that Tomcat gives access only to users
> which are in one Active Directory Group detected on IIS.

Since you already receive an authenticated user-id from IIS (but only a
user-id), I would do the rest with a servlet filter wrapping your
application (and allowing access or not depending on what it finds in AD
for this user), rather than with the standard Tomcat declarative security
model. But maybe that's only my own ignorance speaking.
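An added illustration of the servlet-filter approach suggested in the reply above (not code from the thread, from IIS or from Tomcat): the filter takes the IIS-authenticated user-id as Tomcat exposes it when tomcatAuthentication="false", reads that user's memberOf groups from Active Directory over JNDI, and lets the request through only if the required group DN is among them. The LDAP URL, bind account, user base and group DN are placeholder values standing in for the masked Realm settings quoted earlier; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.servlet.*;
import javax.servlet.http.*;
/** Hypothetical filter: admits a request only if the user-id IIS passed over AJP is in REQUIRED_GROUP_DN. */
public class AdGroupFilter implements Filter {
    // Placeholder values; they stand in for the masked JNDIRealm settings quoted in the thread.
    private static final String LDAP_URL = "ldap://AD_HOST:389/";
    private static final String BIND_DN = "CN=svc-tomcat,OU=Service,DC=example,DC=com";
    private static final String BIND_PASSWORD = "CHANGE_ME";
    private static final String USER_BASE = "OU=Users,DC=example,DC=com";
    private static final String REQUIRED_GROUP_DN = "CN=some_ad_role_name,OU=Groups,DC=example,DC=com";
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        String user = ((HttpServletRequest) req).getRemoteUser();            // filled in from the AJP request attribute
        if (user != null) user = user.substring(user.lastIndexOf('\\') + 1); // IIS may send DOMAIN\user; keep the user part
        if (user == null || !isMemberOfRequiredGroup(user)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
    /** Reads the user's memberOf attribute and compares each group DN with the required one. */
    static boolean isMemberOfRequiredGroup(String samAccountName) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PASSWORD);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            SearchControls sc = new SearchControls(SearchControls.SUBTREE_SCOPE, 0, 0, new String[] { "memberOf" }, false, false);
            // The user-id goes in as a filter argument, so JNDI escapes it instead of splicing it into the filter string.
            NamingEnumeration<SearchResult> hits = ctx.search(USER_BASE, "(sAMAccountName={0})", new Object[] { samAccountName }, sc);
            if (!hits.hasMore()) return false;
            Attribute groups = hits.next().getAttributes().get("memberOf");
            for (int i = 0; groups != null && i < groups.size(); i++)
                if (REQUIRED_GROUP_DN.equalsIgnoreCase(String.valueOf(groups.get(i)))) return true;
            return false;
        } catch (NamingException e) {
            return false;                                                    // fail closed if AD cannot be queried
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) {}
        }
    }
}
```

Map the filter to /* in the webapp's web.xml. With tomcatAuthentication="false" the connector trusts whatever user-id arrives over AJP, so the AJP port must be reachable only from the IIS host for this check to mean anything.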