tomcat-users mailing list archives

From André Warnier
Subject Re: Passing user id from web page to tomcat webapp
Date Thu, 14 Jul 2011 14:31:02 GMT
David kerber wrote:
> On 7/14/2011 9:50 AM, André Warnier wrote:
>> David kerber wrote:
>>> I have a situation where my users will be logging into their pages on
>>> an IIS 5 web server, which authenticates them with their user ID and
>>> password as configured in IIS. This works fine.
>>> Now I need to add some new functionality to the web site that will be
>>> using my tomcat webapp, and I don't want them to have to authenticate
>>> again in my app, so I'm trying to figure out how to pass the user ID
>>> from the web page on IIS, to my webapp. I thought
>>> request.getRemoteUser() would do it, but that's returning null, rather
>>> than the logged-in user ID.
>> You need to specify what you use to forward requests from IIS to Tomcat.
>> If you are using Isapi_Redirect, then set the attribute
>> "tomcatAuthentication" to false in the Tomcat AJP <Connector> (in
>> server.xml).
> I'm not "forwarding" at all.  The call to tomcat from the IIS page is 
> just the "action" parameter of the form.  The only connector is the 
> standard http 1.1 connector.
Ah, ok, I missed that.
That's another thing altogether.
So what is happening is this :

a) user calls a page from IIS
b) IIS delivers the page to the user's browser. The page contains a <form>.
c) user posts the <form> directly to Tomcat (without going through IIS).
d) Tomcat gets a normal POST request, directly from the user's browser.

So on the last leg (c+d), there is nothing that IIS can do to add the user-id, it is not 
in the loop.

So you have to "convince" the user's browser to send the logged-in user-id to Tomcat.

The only way I can see of doing that in this simplistic scenario is relatively simple, but *extremely insecure* :

At step (b) above, have the IIS application which generates that html page, insert a form field like the following in the <form> :
<input type="hidden" name="userid" value="*******">
where ****** is the IIS user-id.
The IIS user-id can be obtained (on the IIS side) by code such as the one Melinda posted.
Then when the browser posts the form to Tomcat, there will be an additional POST parameter "userid" containing the user-id.

Now again, the extreme insecurity :
- userA requests the form from IIS
- he gets a <form> with a hidden input containing the value "userA". So far, no problem.
- he saves this form, edits it, and replaces "userA" by "userB" (his boss's userid)
- he posts that form to Tomcat
Result #1 : in your Tomcat app, he is now considered as userB.
Result #2 : if there is ever a security audit, you're dead


How it should be done :

There are essentially 2 ways :

1) have the <form> posted back to IIS, and have IIS "proxy" (forward) this call to Tomcat, with IIS adding the IIS-authenticated user-id on the way

2) install additional logic in Tomcat, to allow Tomcat to authenticate the user 
(automatically) with the Windows domain (just like IIS itself does).
That can be done in several ways, all of them requiring some serious configuration work.
You can use :
- the newly-released "authenticator Valve" (?) available in Tomcat 7
- the Waffle software (look up in Google)
- the commercial Jespa software (
- (there may be others which I do not know)
All of the above suppose that your Tomcat is running on a computer that is itself within 
the Windows domain (or can be made part of it). So they will not work if the user 
workstations are inside the Windows domain, but the Tomcat server is outside on the 
Internet for example.
(But that also can be solved, ask if you need this.)
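As an added illustration (not code from this thread, nor from Tomcat or IIS), here is what the Tomcat side of option 1 can look like: a servlet filter that accepts the user-id only from a request header set by the IIS proxy hop, refuses requests that did not come from that proxy, and never reads the identity from a form field. The header name `X-Forwarded-User`, the proxy address `10.0.0.5` and the class name are assumptions chosen for the example.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter for option 1 of the message above: IIS proxies the
 * form POST to Tomcat and adds the IIS-authenticated user-id in a header.
 * Tomcat trusts that header only when the request really arrived from the
 * IIS host, so a browser posting straight to Tomcat cannot impersonate anyone.
 */
public class ProxyUserFilter implements Filter {

    // Assumed values: the header agreed for the IIS -> Tomcat hop and the
    // address of the IIS proxy. A real deployment would read these from
    // filter init-params rather than hard-coding them.
    private static final String USER_HEADER = "X-Forwarded-User";
    private static final String TRUSTED_PROXY_ADDR = "10.0.0.5";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        // The insecure pattern from the thread: a hidden form field is
        // fully under the browser's control, so this must never be done:
        //   String user = http.getParameter("userid");

        // Only the proxy hop is trusted. A direct POST from a browser,
        // even one carrying a forged X-Forwarded-User header, is refused.
        if (!TRUSTED_PROXY_ADDR.equals(http.getRemoteAddr())) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN, "direct access not allowed");
            return;
        }

        String user = http.getHeader(USER_HEADER);
        if (user == null || user.trim().isEmpty()) {
            // IIS authenticated nobody (or forgot to add the header): fail closed.
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no authenticated user");
            return;
        }
        final String name = user.trim();

        // Expose the identity through the standard servlet API so the webapp
        // can keep calling request.getRemoteUser(), as the original poster expected.
        HttpServletRequest wrapped = new HttpServletRequestWrapper(http) {
            @Override public String getRemoteUser() { return name; }
            @Override public Principal getUserPrincipal() { return () -> name; }
        };
        chain.doFilter(wrapped, res);
    }

    @Override
    public void destroy() { }
}
```

The remote-address check is what makes the header trustworthy: it only holds if Tomcat's HTTP connector is reachable from the IIS host alone (firewall or bind address), otherwise a client on the same network could still forge the header. If the IIS-to-Tomcat hop is done with Isapi_Redirect over AJP instead, Tomcat's connector already carries the authenticated user natively when `tomcatAuthentication="false"` is set, as mentioned earlier in the thread, and a filter like this is unnecessary.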

