Message-ID: <28620069.post@talk.nabble.com>
Date: Thu, 20 May 2010 04:45:40 -0700 (PDT)
From: savoym
To: users@tomcat.apache.org
Subject: Re: Question on workers.properties file
In-Reply-To: <4BF5188F.1080904@ice-sa.com>

My understanding is that IIS+ jk redirector is supposed to give us Windows authentication. What I cannot find, either on the IIS website or the Apache Tomcat Connector website, is HOW one gets to the authentication properties. I've read the HOW to get it set up, but that is as far as it goes on the Apache Tomcat Connector website.

I am hoping that this is still a viable solution.

We did look at Jespa and talked to Michael Allen extensively. Unfortunately, we have a security paradigm that is underlying our entire web app. I have no time to re-write my app. Our app currently uses JCIFS, but some of our users are using Windows 7/IE 8, and because JCIFS does not work with NTLMv2 the web app no longer comes up on Windows 7 that does not use NTLMv1.

Therein lies my dilemma.

I appreciate again all the help. Hopefully someone who has made this work will reply.

Regards.

awarnier wrote:
>
> savoym wrote:
>> Thanks again for the reply.
>>
>> I do already have the tomcatAuthentication="false" setting as you stated
>> below and I had tried the getRemoteUse() from the HttpRequestServlet but
>> that unfortunately did not work unless I did something wrong.
>>
>> I will try again but I do not think that is working. Again, I appreciate
>> the time and help.
>>
> No problem, that's why we're here.
> As mentioned earlier, I'm not too sure that this works with IIS and the
> mod_jk redirector for IIS.
> I am working on the assumption that it does the same thing as
> Apache/mod_jk: if Apache already has a user-id, then mod_jk forwards it
> to Tomcat.
> When in Tomcat the tomcatAuthentication="false" is set, Tomcat accepts
> this user-id from Apache/mod_jk instead of trying to get its own.
> Maybe IIS+ jk redirector does the same, maybe not.
>
> If not, there is another possibility: if IIS authenticates the user, it
> /might/ automatically add a HTTP header to the request, before even
> forwarding it to Tomcat through the redirector.
> If so, a servlet filter at the Tomcat level might be able to pick up
> this header, extract the user-id, and pass it to your webapp in a way it
> can use it.
>
> If all of that is negative, then you need something like the Jespa
> filter from ioplex.
> That filter /will/ authenticate the call on the base of the user's
> domain user-id, and set it in Tomcat, allowing your webapp to pick it up
> via getRemoteUser(). This is a certainty, not a guess. I use this often.
>

--
View this message in context: http://old.nabble.com/Question-on-workers.properties-file-tp28599711p28620069.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
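
The servlet-filter fallback described in the quoted reply, as an added example that is not part of the thread and not code from Tomcat or the connector project. It assumes the `javax.servlet` API; the header name is a hypothetical `<init-param>`, since the thread does not establish that IIS adds any such header.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/** Added example: makes a front-end-supplied user id visible via getRemoteUser(). */
public class FrontEndUserFilter implements Filter {
    private String headerName; // hypothetical header name, set in web.xml

    public void init(FilterConfig cfg) throws ServletException {
        headerName = cfg.getInitParameter("headerName");
        if (headerName == null) throw new ServletException("init-param headerName is required");
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        // Non-null when the connector already forwarded a user id to Tomcat.
        String user = req.getRemoteUser();
        // Fallback: a header set by the front end. The filter cannot tell who
        // set it: over AJP getRemoteAddr() is the browser's address, not the
        // front end's. The connector port must therefore be reachable only from
        // the front end, which must overwrite any client-sent copy of the header.
        if (user == null) user = clean(req.getHeader(headerName));
        if (user == null) { // fail closed: no identity, no access
            ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        final String remoteUser = user;
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override public String getRemoteUser() { return remoteUser; }
        }, rs);
    }

    /** Rejects empty, oversized, or control-character values. */
    static String clean(String v) {
        if (v == null) return null;
        v = v.trim();
        if (v.length() == 0 || v.length() > 256) return null;
        for (int i = 0; i < v.length(); i++)
            if (Character.isISOControl(v.charAt(i))) return null;
        return v;
    }

    public void destroy() { }
}
```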