tomcat-users mailing list archives

From David kerber <>
Subject Re: Passing user id from web page to tomcat webapp
Date Thu, 14 Jul 2011 14:50:55 GMT
On 7/14/2011 10:31 AM, André Warnier wrote:
> David kerber wrote:
>> On 7/14/2011 9:50 AM, André Warnier wrote:
>>> David kerber wrote:
>>>> I have a situation where my users will be logging into their pages on
>>>> an IIS 5 web server, which authenticates them with their user ID and
>>>> password as configured in IIS. This works fine.
>>>> Now I need to add some new functionality to the web site that will be
>>>> using my tomcat webapp, and I don't want them to have to authenticate
>>>> again in my app, so I'm trying to figure out how to pass the user ID
>>>> from the web page on IIS, to my webapp. I thought
>>>> request.getRemoteUser() would do it, but that's returning null, rather
>>>> than the logged-in user ID.
>>> You need to specify what you use to forward requests from IIS to Tomcat.
>>> If you are using Isapi_Redirect, then set the attribute
>>> "tomcatAuthentication" to false in the Tomcat AJP <Connector> (in
>>> server.xml).
>> I'm not "forwarding" at all. The call to tomcat from the IIS page is
>> just the "action" parameter of the form. The only connector is the
>> standard http 1.1 connector.
> Ah, ok, I missed that.
> That's another thing altogether.
> So what is happening is this :
> a) user calls a page from IIS
> b) IIS delivers the page to the user's browser. The page contains a <form>.
> c) user posts the <form> directly to Tomcat (without going through IIS).
> d) Tomcat gets a normal POST request, directly from the user's browser.

Yes, that's it.  The only missing thing is that I thought that, since the 
user has authenticated through IIS, his user ID might be carried 
along somewhere from the browser side.  But that is not happening.

> So on the last leg (c+d), there is nothing that IIS can do to add the
> user-id, it is not in the loop.
> So you have to "convince" the user's browser to send the logged-in
> user-id to Tomcat.
> The only way I can see of doing that in this simplistic scenario is
> relatively simple, but *extremely insecure* :
> At step (b) above, have the IIS application which generates that html
> page, insert a form field like the following in the <form> :
> <input type="hidden" name="userid" value="*******">
> where ****** is the IIS user-id.
> The IIS user-id can be obtained (on the IIS side) by code such as the
> one Melinda posted.
> Then when the browser posts the form to Tomcat, there will be an
> additional POST parameter "userid" containing the user-id.
> Now again, the extreme insecurity :
> - userA requests the form from IIS
> - he gets a <form> with a hidden input containing the value "userA". So
> far, no problem.
> - he saves this form, edits it, and replaces "userA" by "userB" (his
> boss's userid)
> - he posts that form to Tomcat
> Result #1 : in your Tomcat app, he is now considered as userB.
> Result #2 : if there is ever a security audit, you're dead

Yes, I had already thought of that method, and am hoping to avoid it. 
This data page has extremely low security requirements, but I'd still 
like something better if I can figure it out.  If nothing else, I'll 
then have something in my pocket when an application comes up that needs 
better security.

> -----------------
> How it should be done :
> There are essentially 2 ways :
> 1) have the <form> posted back to IIS, and have IIS "proxy" (forward)
> this call to Tomcat, with IIS adding the IIS-authenticated user-id on
> the way

This is what I'd like to do, but it's new to me; up to this point, the 
IIS web site and the tomcat applications have been completely unrelated 
and unconnected.  I'll see what I can google up.

> 2) install additional logic in Tomcat, to allow Tomcat to authenticate
> the user (automatically) with the Windows domain (just like IIS itself
> does).
> That can be done in several ways, all of them requiring some serious
> configuration work.
> You can use :
> - the newly-released "authenticator Valve" (?) available in Tomcat 7
> - the Waffle software (look up in Google)
> - the commercial Jespa software (
> - (there may be others which I do not know)
> All of the above suppose that your Tomcat is running on a computer that
> is itself within the Windows domain (or can be made part of it). So they
> will not work if the user workstations are inside the Windows domain,
> but the Tomcat server is outside on the Internet for example.
> (But that also can be solved, ask if you need this.)
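For the Isapi_Redirect route mentioned at the top of the thread (IIS forwards the request to Tomcat over AJP), the setting is tomcatAuthentication on the AJP Connector, and the caveat is the same one that applies to the hidden field: once Tomcat stops authenticating for itself, it believes whatever user-id the AJP peer sends, so the AJP port must only be reachable by IIS. The following server.xml fragment is an added example for Tomcat 7, not something posted in the thread; the secret value is a placeholder, and it assumes the same value is set as the worker's secret in the isapi_redirect workers.properties.

```xml
<!-- Added example (not from the thread): two versions of the AJP Connector
     in Tomcat 7's server.xml. The secret value is a placeholder. -->

<!-- Weak: tomcatAuthentication is left at its default (true), so Tomcat
     ignores the user IIS authenticated and getRemoteUser() stays null;
     the port also listens on every interface, so anything that can speak
     AJP to this host can present any user-id it likes. -->
<Connector port="8009" protocol="AJP/1.3" />

<!-- Hardened: accept the user-id IIS sends, but only from IIS.
     - tomcatAuthentication="false": use the principal carried in the AJP
       request instead of running Tomcat's own authenticator.
     - address: bind only to the interface IIS connects from (loopback if
       IIS and Tomcat share a machine; otherwise the internal address).
     - requiredSecret: reject AJP requests that do not carry this secret;
       the worker on the IIS side must send the same value (assumed to be
       configured as worker.<name>.secret in workers.properties). -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           tomcatAuthentication="false"
           requiredSecret="replace-with-a-long-random-value" />
```

With the hardened connector in place the webapp's existing `request.getRemoteUser()` call starts returning the IIS user without any change to the application code, because Tomcat now takes the identity from the AJP request rather than from its own login machinery.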

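For option 1 (the form is posted back to IIS, which proxies the request to Tomcat and adds the authenticated user-id on the way), the part that is easy to get wrong is on the Tomcat side: anything IIS adds to the forwarded request, a browser that reaches Tomcat's HTTP connector directly can add too, which is the hidden-field problem in a different place. The servlet filter below is an added example, not code from the thread or from Tomcat. It assumes IIS forwards the identity in a header named X-IIS-Remote-User and that the IIS address(es) are given in a hypothetical trustedProxies init-param; both names are made up for the example. The filter accepts the header only when the TCP peer is one of those addresses, never consults a client-supplied userid parameter, and exposes the name through getRemoteUser() so the webapp can keep using the standard API.

```java
// Added example (not from the thread or Tomcat): trust a proxy-supplied
// user-id only when the request really comes from the proxy.
// Header name, init-param name and addresses are assumptions for the example.
import java.io.IOException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

public class ProxyUserFilter implements Filter {
    // Header IIS is assumed to add when it forwards the request (assumption).
    private static final String USER_HEADER = "X-IIS-Remote-User";
    // IP addresses of the IIS machines allowed to assert a user-id.
    private final Set<String> trustedProxies = new HashSet<String>();

    public void init(FilterConfig cfg) {
        // Comma-separated addresses from a web.xml <init-param> named
        // "trustedProxies" (name chosen for this example).
        String p = cfg.getInitParameter("trustedProxies");
        if (p != null) {
            for (String a : p.split(",")) {
                if (!a.trim().isEmpty()) trustedProxies.add(a.trim());
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse s = (HttpServletResponse) resp;

        // The header only means something if the TCP peer is IIS itself.
        // A browser posting straight to Tomcat could set the same header,
        // just as it could edit a hidden "userid" form field.
        if (!trustedProxies.contains(r.getRemoteAddr())) {
            s.sendError(HttpServletResponse.SC_FORBIDDEN, "requests must arrive via IIS");
            return;
        }

        // Deliberately never read r.getParameter("userid"): the client owns
        // the form body, so a POST parameter proves nothing about identity.
        String user = r.getHeader(USER_HEADER);
        if (user == null || user.trim().isEmpty()) {
            s.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no user-id supplied by proxy");
            return;
        }
        final String name = user.trim();

        // Surface the identity through the servlet API so the webapp's
        // existing request.getRemoteUser() calls work unchanged.
        HttpServletRequest wrapped = new HttpServletRequestWrapper(r) {
            @Override
            public String getRemoteUser() {
                return name;
            }

            @Override
            public Principal getUserPrincipal() {
                return new Principal() {
                    public String getName() {
                        return name;
                    }
                };
            }
        };
        chain.doFilter(wrapped, resp);
    }

    public void destroy() {
        trustedProxies.clear();
    }
}
```

Register it in web.xml with a `<filter>` whose `trustedProxies` init-param lists the IIS address(es) and a `<filter-mapping>` covering the paths IIS forwards to. Two caveats: the `getRemoteAddr()` check is only as good as the network path, so if another proxy or NAT sits between IIS and Tomcat the peer address is not IIS and the check needs adjusting (Tomcat's RemoteAddrValve can enforce the same restriction at the container level); and the HTTP connector should also be bound to an internal address, since the whole point is that browsers no longer post to Tomcat directly.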