tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: IIS connector, several connectors with different authentication to one Tomcat
Date Thu, 08 Mar 2012 13:47:21 GMT
Marcel Stör wrote:
> Requirement:
> a) /myapp authenticated against AD for all users with Windows 
> authentication
> b) /myapp/API authenticated against AD for /one/ user with basic-auth
> The plan was to have two sites in IIS with appropriate authentication 
> schemes. They both have a 'jakarata' virtual directory pointing to one 
> and the same physical path (DLL etc.).
> Then we wanted to alter the security settings on the directory excluding 
> all but one user for requirement b). Since this modifies the security 
> settings of the physical folder we'd have to install the IIS Tomcat 
> connector a second time pointing to the same AJP port (one Tomcat 
> instance).
> Should this work in general?
> Are there better alternatives to implement the given requirements?

You are not really saying at which level you are doing this authentication (IIS or 
Tomcat), but I will assume you do it at the IIS level, and set 
tomcatAuthentication="false" in the Tomcat AJP Connector.

The first thing I would like to point out is that your (b) mechanism may not be applicable

in some environments, as it may not be allowed by the network security policies, and the 
browsers may not even be /allowed/ to do Basic authentication.  You should maybe check 
that first with the network admins.

My second question would be "why 2 sites ?".  Does IIS not allow you to specify 
authentication requirements on a per-location base inside the same "site" ?
Normally, in decent webservers (like Apache httpd and Tomcat ;-)), the longest matching 
path "wins", so for a request pointing to "/myapp/API", the specification in "/myapp/API"

should be applied, and not the one for "/myapp".
You should not need 2 sites, nor two connectors, for this.

You have also not really explained why you want to do Basic auth for "/myapp/API".  I 
suspect that it is because this URL would be accessed by some client other than a browser,

and this client is not able to do NTLM auth.  It may help to confirm this.

In a spirit of widening your scope of investigation, you may also want to have a look at 
having your client access Tomcat's "/myapp/API" directly (bypassing IIS), and in that case

do the AD authentication at the Tomcat level, using Tomcat's SPNEGO authentication Valve,

or Waffle or Jespa (commercial).  Jespa for instance provides ample possibilities to try 
NTLM/SPNEGO first, and if it doesn't work fall back to Basic auth (still with an AD back-end).
This scheme would even work via IIS and AJP, if you tell IIS to not authenticate for 
"/myapp/API" and proxy the call to Tomcat anyway, letting Tomcat do the authentication.

In summary, there are probably several ways to do this, depending on your exact 
circumstances/requirements.  The more details you provide though, the better people on 
this list may be able to help you.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message