Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Received-SPF: pass (nike.apache.org: domain of aw@ice-sa.com designates
 212.85.38.228 as permitted sender)
Message-ID: <51498524.40106@ice-sa.com>
Date: Wed, 20 Mar 2013 10:45:08 +0100
From: =?ISO-8859-1?Q?Andr=E9_Warnier?= <aw@ice-sa.com>
Reply-To: Tomcat Users List <users@tomcat.apache.org>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Manager App not working with Windows authentication enabled
References: 
 <2D02633C2E5AE142B114C189ADECE7CA1F1DF2@WPDOCEXCL02.ds.doc.state.or.us>
 <5148E68A.9090806@ice-sa.com>
 <2D02633C2E5AE142B114C189ADECE7CA1F1E50@WPDOCEXCL02.ds.doc.state.or.us>
In-Reply-To: 
 <2D02633C2E5AE142B114C189ADECE7CA1F1E50@WPDOCEXCL02.ds.doc.state.or.us>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Harris Mark R wrote:
> Sorry, guess I was not clear enough.  We are using Microsoft's IIS to front-end Tomcat, not the Apache HTTP server.  Apache HTTP server is not an option for our environment.  We would prefer to use the Windows authenticated user passed to Tomcat by IIS, but are open to anything that works reliably.
> 
It's my turn to apologise.  That was clear in your original post, I just misread that.
It is the same however with IIS.  If the user is authenticated by IIS, and you set 
tomcatAuthentication="false", then Tomcat will take the user-id from what the IIS/AJP 
module is passing on from IIS, and it will not redo the user authentication by himself 
(him being Tomcat).


> As I said, our custom application is working great in this environment, but the manager app is not.  We are having trouble associating the roles that the manager app is expecting with the authenticated user.   We have tried altering the tomcat-users file just about every which way we could think of.   Essentially we need any way to associate the authenticated user with the " "manager-gui" that the manager app is expecting.  Would we need to implement a custom realm to make this work?
> 
Yes, I think that you understand the issue correctly.
Tomcat's standard "user access control" to an application is based on the concept of 
"roles". You tell Tomcat that any users who has a "role" xxx can access that application.
So Tomcat needs a way, given the present user-id, to find out if that user-id has this 
"role" (isUserInRole() ?).  Unfortunately, what AJP passes to Tomcat is only a user-id, 
not any kind of "roles" information that this user has.  I suppose that Tomcat somehow 
must use a <Realm> to get that kind of information, and I do not know if this Realm is 
capable of providing that information if it has not authenticated this user by itself.

Maybe there is a way to tell Tomcat, for the manager application, to just check the 
user-id, and not the role ? I suppose that the right place to check would be the 
applicable Servlet Specification, in the web.xml/<auth-constraints> paragraph.
How do you do it for your other application, the one that works ?


On a totally different track, if you want to use WIA anyway, you may want to have a look 
at Jespa, at http://www.ioplex.com.  It's a totally different authentication and security 
approach. based on a servlet filter in Tomcat which authenticates the Windows user 
directly at the Tomcat level, not on the base of the id that IIS determines (and AJP 
passes on).  Jespa is capable of "translating" the concept of Windows "users groups" into 
Tomcat "roles".  One advantage of that approach is that you would have the various Tomcat 
"roles" managed at the same place as the other user-management functions (on the Windows 
domain AD server), and not have a different set of user information for Tomcat alone.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org