tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marcel Stör <>
Subject Re: IIS connector, several connectors with different authentication to one Tomcat
Date Thu, 08 Mar 2012 14:00:25 GMT
First, thank you so much for the thorough response.

On 08.03.2012 14:47, André Warnier wrote:
> Marcel Stör wrote:
>> Requirement:
>> a) /myapp authenticated against AD for all users with Windows
>> authentication
>> b) /myapp/API authenticated against AD for /one/ user with basic-auth
>> The plan was to have two sites in IIS with appropriate authentication
>> schemes. They both have a 'jakarata' virtual directory pointing to one
>> and the same physical path (DLL etc.).
>> Then we wanted to alter the security settings on the directory
>> excluding all but one user for requirement b). Since this modifies the
>> security settings of the physical folder we'd have to install the IIS
>> Tomcat connector a second time pointing to the same AJP port (one
>> Tomcat instance).
>> Should this work in general?
>> Are there better alternatives to implement the given requirements?
> You are not really saying at which level you are doing this
> authentication (IIS or Tomcat), but I will assume you do it at the IIS
> level, and set tomcatAuthentication="false" in the Tomcat AJP Connector.


> The first thing I would like to point out is that your (b) mechanism may
> not be applicable in some environments, as it may not be allowed by the
> network security policies, and the browsers may not even be /allowed/ to
> do Basic authentication. You should maybe check that first with the
> network admins.

I understand that. We're in a closed environment that we don't control 
but understand.

> My second question would be "why 2 sites ?". Does IIS not allow you to
> specify authentication requirements on a per-location base inside the
> same "site" ?

I don't know (yet) - I wish the customer had allowed us to use Apache httpd.

> Normally, in decent webservers (like Apache httpd and Tomcat ;-)), the
> longest matching path "wins", so for a request pointing to "/myapp/API",
> the specification in "/myapp/API" should be applied, and not the one for
> "/myapp".
> You should not need 2 sites, nor two connectors, for this.

That'd be my preference, too.

> You have also not really explained why you want to do Basic auth for
> "/myapp/API". I suspect that it is because this URL would be accessed by
> some client other than a browser, and this client is not able to do NTLM
> auth. It may help to confirm this.


> In a spirit of widening your scope of investigation, you may also want
> to have a look at having your client access Tomcat's "/myapp/API"
> directly (bypassing IIS), and in that case do the AD authentication at
> the Tomcat level, using Tomcat's SPNEGO authentication Valve, or Waffle
> or Jespa (commercial). Jespa for instance provides ample possibilities
> to try NTLM/SPNEGO first, and if it doesn't work fall back to Basic auth
> (still with an AD back-end).
> This scheme would even work via IIS and AJP, if you tell IIS to not
> authenticate for "/myapp/API" and proxy the call to Tomcat anyway,
> letting Tomcat do the authentication.

We only brought IIS into the game because it felt like the easiest 
option to get NTLM/SPNEGO done. I'm aware of the alternatives but have 
never used either of them (in contrast to IIS).

> In summary, there are probably several ways to do this, depending on
> your exact circumstances/requirements. The more details you provide
> though, the better people on this list may be able to help you.

Hope the above clarifications help.


Marcel Stör,
O< ascii ribbon campaign - stop html mail -

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message