From: David kerber
To: Tomcat Users List
Date: Thu, 14 Jul 2011 10:50:55 -0400
Subject: Re: Passing user id from web page to tomcat webapp
Message-id: <4E1F024F.3010206@verizon.net>
In-reply-to: <4E1EFDA6.1070204@ice-sa.com>

On 7/14/2011 10:31 AM, André Warnier wrote:
> David kerber wrote:
>> On 7/14/2011 9:50 AM, André Warnier wrote:
>>> David kerber wrote:
>>>> I have a situation where my users will be logging into their pages on
>>>> an IIS 5 web server, which authenticates them with their user ID and
>>>> password as configured in IIS. This works fine.
>>>>
>>>> Now I need to add some new functionality to the web site that will be
>>>> using my tomcat webapp, and I don't want them to have to authenticate
>>>> again in my app, so I'm trying to figure out how to pass the user ID
>>>> from the web page on IIS, to my webapp. I thought
>>>> request.getRemoteUser() would do it, but that's returning null, rather
>>>> than the logged-in user ID.
>>>>
>>> You need to specify what you use to forward requests from IIS to Tomcat.
>>> If you are using Isapi_Redirect, then set the attribute
>>> "tomcatAuthentication" to false in the Tomcat AJP <Connector> (in
>>> server.xml).
>>
>> I'm not "forwarding" at all. The call to tomcat from the IIS page is
>> just the "action" parameter of the form. The only connector is the
>> standard http 1.1 connector.
>>
> Ah, ok, I missed that.
> That's another thing altogether.
> So what is happening is this :
>
> a) user calls a page from IIS
> b) IIS delivers the page to the user's browser. The page contains a
> <form>.
> c) user posts the <form> directly to Tomcat (without going through IIS).
> d) Tomcat gets a normal POST request, directly from the user's browser.

Yes, that's it. The only missing thing is that I thought that since the
user has authenticated through IIS, that his user ID might be carried
along somewhere from the browser side. But that is not happening.

>
> So on the last leg (c+d), there is nothing that IIS can do to add the
> user-id, it is not in the loop.
>
> So you have to "convince" the user's browser to send the logged-in
> user-id to Tomcat.
>
> The only way I can see of doing that in this simplistic scenario is
> relatively simple, but *extremely insecure* :
>
> At step (b) above, have the IIS application which generates that html
> page, insert a form field like the following in the <form> :
>
> <input type="hidden" name="userid" value="******">
>
> where ****** is the IIS user-id.
> The IIS user-id can be obtained (on the IIS side) by code such as the
> one Melinda posted.
> Then when the browser posts the form to Tomcat, there will be an
> additional POST parameter "userid" containing the user-id.
>
> Now again, the extreme insecurity :
> - userA requests the form from IIS
> - he gets a <form> with a hidden input containing the value "userA". So
> far, no problem.
> - he saves this form, edits it, and replaces "userA" by "userB" (his
> boss's userid)
> - he posts that form to Tomcat
> Result #1 : in your Tomcat app, he is now considered as userB.
> Result #2 : if there is ever a security audit, you're dead

Yes, I had already thought of that method, and am hoping to avoid it.
This data page has extremely low security requirements, but I'd still
like something better if I can figure it out. If nothing else, I'll then
have something in my pocket when an application comes up that needs
better security.
>
> -----------------
>
> How it should be done :
>
> There are essentially 2 ways :
>
> 1) have the <form> posted back to IIS, and have IIS "proxy" (forward)
> this call to Tomcat, with IIS adding the IIS-authenticated user-id on
> the way

This is what I'd like to do, but it's new to me; up to this point, the
IIS web site and the tomcat applications have been completely unrelated
and unconnected. I'll see what I can google up.

>
> 2) install additional logic in Tomcat, to allow Tomcat to authenticate
> the user (automatically) with the Windows domain (just like IIS itself
> does).
> That can be done in several ways, all of them requiring some serious
> configuration work.
> You can use :
> - the newly-released "authenticator Valve" (?) available in Tomcat 7
> - the Waffle software (look up in Google)
> - the commercial Jespa software (www.ioplex.com)
> - (there may be others which I do not know)
> All of the above suppose that your Tomcat is running on a computer that
> is itself within the Windows domain (or can be made part of it). So they
> will not work if the user workstations are inside the Windows domain,
> but the Tomcat server is outside on the Internet for example.
> (But that also can be solved, ask if you need this.)
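Added example, not code from this thread or from Tomcat: a servlet filter for the proxied setup in option 1 above (IIS forwarding to Tomcat's AJP <Connector> with tomcatAuthentication="false"), which takes the identity only from the container via request.getRemoteUser() and treats the hidden "userid" form field purely as a tamper signal to log. The server.xml fragment in the comment and the class name are assumptions for this example.

```java
// Added example, not from the thread or from Tomcat. Assumes option 1 of the thread: IIS ->
// isapi_redirect -> Tomcat AJP <Connector> with tomcatAuthentication="false", e.g. (assumed)
//   <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" address="127.0.0.1"/>
// so the connector installs the IIS user as principal and getRemoteUser() returns it. Only the
// IIS host may be able to reach that port: Tomcat trusts whatever user the AJP peer asserts.
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ContainerIdentityFilter implements Filter { // class name made up for this example
    private static final Logger LOG = Logger.getLogger(ContainerIdentityFilter.class.getName());

    /** Identity comes only from the container. Returns null if Tomcat has no authenticated user. */
    static String resolveUser(HttpServletRequest req) {
        String user = req.getRemoteUser();
        if (user == null || user.isEmpty()) {
            return null; // e.g. a POST sent straight to the HTTP connector, bypassing IIS
        }
        // The hidden "userid" field from the thread is client-controlled and never used for
        // authorization. A mismatch is the "userA edits the form to say userB" case: log it.
        String claimed = req.getParameter("userid");
        if (claimed != null && !claimed.equals(user)) {
            LOG.warning("userid field '" + claimed + "' != authenticated user '" + user
                    + "' from " + req.getRemoteAddr());
        }
        return user;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        String user = resolveUser(req);
        if (user == null) {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Downstream servlets read this attribute instead of the form field.
        request.setAttribute("authenticatedUser", user);
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Map the filter to the webapp's URL patterns in web.xml; requests that arrive on the plain HTTP connector get a 401 because no principal was set, which is the same condition that made getRemoteUser() return null in the original question.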