From Chris Fors <chri...@hotmail.com>
Subject RE: Tomcat Built-in WinAuth - NEW THREAD
Date Tue, 05 Mar 2013 16:31:26 GMT
I have added in a <security-constraint> to the sample application web.xml (shown below)
and modified the hello.jsp to show a request.getRemoteUser(). This has shown to successfully
invoke an authentication process. Now when browsing to http://server/sample I receive
a Windows prompt for user logon. This is with IE9 and the browser is configured for autologon
for the Intranet zone and the server is in the Intranet zone. And there are 401 errors in
the localhost_access.log:

10.208.101.129 - - [05/Mar/2013:16:25:21 +0000] "GET /sample/ HTTP/1.1" 401 951

Perhaps there is something wrong with the security-constraint xml code.
I wish to allow any authenticated domain user but not certain as to how to best implement
this in the security constraint and role methods to achieve this.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Hello World App</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
In the Tomcat7-stdout.log I see:

2013-03-05 16:24:22 Commons Daemon procrun stdout initialized
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Program Files/Apache Software Foundation/Tomcat 7.0/conf/krb5.keytab refreshKrb5Config is false principal is svcTomcatDV@ITLAB.INT tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is svcTomcatDV@ITLAB.INT
Will use keytab
Commit Succeeded
  [Krb5LoginModule]: Entering logout
  [Krb5LoginModule]: logged out Subject

Any suggestions? Thanks,

Chris Fors

> Date: Mon, 4 Mar 2013 18:48:24 -0600
> From: chris@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: Tomcat Built-in WinAuth - NEW THREAD
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Chris,
> 
> On 3/4/13 4:54 PM, Chris Fors wrote:
> >> Date: Mon, 4 Mar 2013 23:32:34 +0100 From: aw@ice-sa.com To:
> >> users@tomcat.apache.org Subject: Re: Tomcat Built-in WinAuth -
> >> NEW THREAD
> >> 
> >> Mark Thomas wrote:
> >>> On 04/03/2013 21:47, Chris Fors wrote:
> >>>> Could you please expand on what constraints you were
> >>>> referring to
> >>> 
> >>> Security constraints in web.xml
> >>> 
> >>>> and how they are best implemented, where, and in what syntax
> >>>> e.g. if implemented in web.xml what are the correct tags.
> >>> 
> >>> All defined in  the Servlet spec.
> >>> 
> >>>> If implemented in web.xml what are the correct tags. I have
> >>>> not found this clarified anywhere, yet.
> >>> 
> >>> Again, see the servlet spec.
> >> 
> >> You will find an example in the "manager" webapp that comes with
> >> Tomcat. Look at (tomcat)/webapps/manager/WEB-INF/web.xml, parts
> >> like this :
> >> 
> >> <security-constraint>
> >>   <web-resource-collection>
> >>     <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
> >>     <url-pattern>/html/*</url-pattern>
> >>   </web-resource-collection>
> >>   <auth-constraint>
> >>     <role-name>manager-gui</role-name>
> >>   </auth-constraint>
> >> </security-constraint>
> >> 
> >> In not-quite-technical terms :
> >> 
> >> The above, present at the level of the webapp, specifies a "role"
> >> which the authenticated user must have, in order to be able to
> >> access this part of the webapp. To determine if the user has that
> >> role, Tomcat must first know the user. This is what "triggers"
> >> the authentication mechanism. If nothing forces Tomcat to
> >> authenticate the user of this webapp, the authentication method
> >> may well be specified, but it will not be invoked.
> >> 
> > Was hoping to not have to hunt through the complete JSR 315
> > specification.  I will give the  constraint model above a shot
> > tomorrow. Thanks, Chris
> 
> Honestly, it's like 3 pages of reading, most of which is tables and
> examples. Reading the servlet spec (it's not your average spec: mere
> mortals *can* read and understand it) should be required in order to
> develop web applications.
> 
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> 
> iEYEAREIAAYFAlE1QNgACgkQ9CaO5/Lv0PC80ACdF7zjHS4wi+fsY42e1bKsFPCJ
> kD4An3cF7A2CFc+1su5M/a9tejx6zlIC
> =QoqH
> -----END PGP SIGNATURE-----
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
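Added example (not part of the thread, and not Tomcat's or the Servlet spec's code): a small Python audit that reads a web.xml and reports how each <auth-constraint> resolves, including the special role-name "*" used in the posted constraint. Under the Servlet 3.0 spec that Tomcat 7 implements, "*" is shorthand for the roles declared in <security-role> elements, not for "any authenticated user"; Tomcat's documented Realm attribute allRolesMode (strict, the default; authOnly; strictAuthOnly) governs that expansion, and the script takes the mode as a parameter so the effect of each setting can be compared. The two web.xml documents inside the script are constructed for the example: the first repeats the posted constraint with nothing declared, the second adds a hypothetical role "domain-user".

```python
"""Audit how <auth-constraint> role-names in a Servlet 3.0 web.xml resolve under
Tomcat 7's Realm attribute allRolesMode. Sample documents are constructed."""
import xml.etree.ElementTree as ET

# Constructed: the constraint from the message, with no <security-role> declared.
WEB_XML_AS_POSTED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Hello World App</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed: same constraint plus a hypothetical declared role for '*' to expand to.
# Whether an authenticated user actually holds "domain-user" is decided by the Realm.
WEB_XML_WITH_ROLE = WEB_XML_AS_POSTED.replace(
    "</web-app>",
    "  <security-role>\n    <role-name>domain-user</role-name>\n  </security-role>\n</web-app>")


def _local(tag):
    """Drop the namespace of a tag such as {http://java.sun.com/xml/ns/javaee}role-name."""
    return tag.split("}")[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text]


def parse_web_xml(xml_text):
    """Return (declared security-role names, list of constraints).
    Each constraint is {"patterns": [...], "roles": None | set()}: None means there is
    no <auth-constraint> (open to everyone); an empty set means an <auth-constraint>
    without any <role-name> (denied to everyone)."""
    root = ET.fromstring(xml_text)
    declared = set()
    for sr in _children(root, "security-role"):
        declared.update(_texts(sr, "role-name"))
    constraints = []
    for sc in _children(root, "security-constraint"):
        patterns = []
        for wrc in _children(sc, "web-resource-collection"):
            patterns.extend(_texts(wrc, "url-pattern"))
        auth = _children(sc, "auth-constraint")
        roles = set(_texts(auth[0], "role-name")) if auth else None
        constraints.append({"patterns": patterns, "roles": roles})
    return declared, constraints


def expand_star(roles, declared, all_roles_mode):
    """Resolve the special role-name '*' as Tomcat's allRolesMode documents it:
    strict (default): '*' means any role declared in a <security-role>;
    authOnly: '*' means any authenticated user;
    strictAuthOnly: any authenticated user only while no <security-role> is declared.
    Returns None for 'any authenticated user', else the set of acceptable roles."""
    named = roles - {"*"}
    if all_roles_mode == "authOnly":
        return None
    if all_roles_mode == "strictAuthOnly" and not declared:
        return None
    return named | declared


def audit(xml_text, all_roles_mode="strict"):
    """Return [(url-pattern, verdict)] describing who can reach each pattern."""
    declared, constraints = parse_web_xml(xml_text)
    findings = []
    for c in constraints:
        roles = c["roles"]
        if roles is None:
            verdict = "no auth-constraint: unauthenticated access allowed"
        elif not roles:
            verdict = "empty auth-constraint: denied to everyone"
        elif "*" in roles:
            effective = expand_star(roles, declared, all_roles_mode)
            if effective is None:
                verdict = "any authenticated user"
            elif not effective:
                verdict = (f"'*' with no <security-role> under allRolesMode={all_roles_mode}: "
                           "authenticated users are still refused (403)")
            else:
                verdict = "requires one of: " + ", ".join(sorted(effective))
        else:
            verdict = "requires one of: " + ", ".join(sorted(roles))
        findings.extend((p, verdict) for p in c["patterns"])
    return findings


if __name__ == "__main__":
    for mode in ("strict", "authOnly", "strictAuthOnly"):
        print(mode, audit(WEB_XML_AS_POSTED, mode))
    print("strict, role declared", audit(WEB_XML_WITH_ROLE))
```

The 401 on the very first request is the Negotiate challenge itself and is expected; the audit is about what happens once authentication has succeeded and the role check runs. Servlet 3.1 later added "**" for "any authenticated user", but Tomcat 7 implements Servlet 3.0, so there the choice is between declaring <security-role> names that the configured Realm can actually map users to, or setting allRolesMode on the Realm in server.xml.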
 		 	   		  