tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From savoym <>
Subject Re: Question on file
Date Thu, 20 May 2010 12:22:34 GMT

The issue is that we do not currently use web.xml to set the particulars for
JCIFS.  A wrapper was built by our former team lead who has now left the
company and Michael Allen had stated that we had to use the settings as he
has it in his doc in order for JESPA to work.  As I stated previously, we
cannot rip out the security code that is currently there and just replace it
with the JESPA instructions because there is a lot more that the security
package does than just wrap JCIFS it has built-in security components for a
second layer of security against our legacy system.  

Thanks again.

awarnier wrote:
> Hi.
> I am a bit busy right now, and I'll have more time tonight to answer.
> But in short, if you are using jCIFS until now, then Jespa is really a 
> drop-in replacement. You get the user-id via getRemoteUser() just the 
> same way. Only web.xml changes, the application does not, as far as I
> know.
> But we'll look at the other possibilities later.
> For now, maybe make sure that IIS is /really/ authenticating the URLs 
> that go to Tomcat.  You may need to tell IIS something, for it to do that.
> savoym wrote:
>> My understanding is that IIS+ jk redirector is suppose to give us windows
>> authentication what I cannot find either on the IIS website or the Apache
>> Tomcat Connector website is HOW one gets to the authentication
>> properties. 
>> I've read the HOW to get it setup but that is as far as it goes on the
>> Apache Tomcat Connector website.
>> I am hoping that this is still a viable solution.  We did look at Jespa
>> and
>> talked to Michael Allen extensively.  Unfortunately, we have a security
>> paradigm that is underlying our entire web app.  I have no time to
>> re-write
>> my app.  Our app currently uses JCIFS but some of our users are using
>> Windows 7/IE 8 and because JCIFS does not work with NTLMv2 the web app no
>> longer comes up on Windows 7 that does not use NTLMv1.
>> There in lies my dilemma.  I appreciate again all the help.  Hopefully
>> someone who has made this work will reply.
>> Regards.
>> awarnier wrote:
>>> savoym wrote:
>>>> Thanks again for the reply.  
>>>> I do already have the tomcatAuthentication="false" setting as you
>>>> stated
>>>> below and I had tried the getRemoteUse() from the HttpRequestServlet
>>>> but
>>>> that unfortunately did not work unless I did something wrong.
>>>> I will try again but I do not think that is working.  Again, I
>>>> appreciate
>>>> the time and help.
>>> No problem, that's why we're here.
>>> As mentioned earlier, I'm not too sure that this works with IIS and the 
>>> mod_jk redirector for IIS.
>>> I am working on the assumption that it does the same thing as 
>>> Apache/mod_jk : if Apache already has a user-id, then mod_jk forwards it 
>>> to Tomcat.
>>> When in Tomcat the tomcatAuthentication="false" is set, Tomcat accepts 
>>> this user-id from Apache/mod_jk instead of trying to get its own.
>>> Maybe IIS+ jk redirector does the same, maybe not.
>>> If not, there is another possibility : if IIS authenticates the user, it 
>>> /might/ automatically add a HTTP header to the request, before even 
>>> forwarding it to Tomcat through the redirector.
>>> If so, a servlet filter at the Tomcat level might be able to pick up 
>>> this header, extract the user-id, and pass it to your webapp in a way it 
>>> can use it.
>>> If all of that is negative, then you need something like the Jespa 
>>> filter from ioplex.
>>> That filter /will/ authenticate the call on the base of the user's 
>>> domain user-id, and set it in Tomcat, allowing your webapp to pick it up 
>>> via getRemoteUser().  This is a certainty, not a guess. I use this
>>> often.
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail:
>>> For additional commands, e-mail:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

View this message in context:
Sent from the Tomcat - User mailing list archive at

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message