tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: Question on workers.properties file
Date Thu, 20 May 2010 12:15:33 GMT
Hi.
I am a bit busy right now, and I'll have more time tonight to answer.
But in short, if you are using jCIFS until now, then Jespa is really a 
drop-in replacement. You get the user-id via getRemoteUser() just the 
same way. Only web.xml changes, the application does not, as far as I know.
But we'll look at the other possibilities later.
For now, maybe make sure that IIS is /really/ authenticating the URLs 
that go to Tomcat.  You may need to tell IIS something, for it to do that.


savoym wrote:
> My understanding is that IIS+ jk redirector is suppose to give us windows
> authentication what I cannot find either on the IIS website or the Apache
> Tomcat Connector website is HOW one gets to the authentication properties. 
> I've read the HOW to get it setup but that is as far as it goes on the
> Apache Tomcat Connector website.
> 
> I am hoping that this is still a viable solution.  We did look at Jespa and
> talked to Michael Allen extensively.  Unfortunately, we have a security
> paradigm that is underlying our entire web app.  I have no time to re-write
> my app.  Our app currently uses JCIFS but some of our users are using
> Windows 7/IE 8 and because JCIFS does not work with NTLMv2 the web app no
> longer comes up on Windows 7 that does not use NTLMv1.
> 
> There in lies my dilemma.  I appreciate again all the help.  Hopefully
> someone who has made this work will reply.
> 
> Regards.
> 
> 
> awarnier wrote:
>> savoym wrote:
>>> Thanks again for the reply.  
>>>
>>> I do already have the tomcatAuthentication="false" setting as you stated
>>> below and I had tried the getRemoteUse() from the HttpRequestServlet but
>>> that unfortunately did not work unless I did something wrong.
>>>
>>> I will try again but I do not think that is working.  Again, I appreciate
>>> the time and help.
>>>
>> No problem, that's why we're here.
>> As mentioned earlier, I'm not too sure that this works with IIS and the 
>> mod_jk redirector for IIS.
>> I am working on the assumption that it does the same thing as 
>> Apache/mod_jk : if Apache already has a user-id, then mod_jk forwards it 
>> to Tomcat.
>> When in Tomcat the tomcatAuthentication="false" is set, Tomcat accepts 
>> this user-id from Apache/mod_jk instead of trying to get its own.
>> Maybe IIS+ jk redirector does the same, maybe not.
>>
>> If not, there is another possibility : if IIS authenticates the user, it 
>> /might/ automatically add a HTTP header to the request, before even 
>> forwarding it to Tomcat through the redirector.
>> If so, a servlet filter at the Tomcat level might be able to pick up 
>> this header, extract the user-id, and pass it to your webapp in a way it 
>> can use it.
>>
>> If all of that is negative, then you need something like the Jespa 
>> filter from ioplex.
>> That filter /will/ authenticate the call on the base of the user's 
>> domain user-id, and set it in Tomcat, allowing your webapp to pick it up 
>> via getRemoteUser().  This is a certainty, not a guess. I use this often.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>>
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message