Subject: Re: Mixed authentication
To: users@tomcat.apache.org
From: André Warnier (tomcat)
Message-ID: <5805F1C8.3070105@ice-sa.com>
Date: Tue, 18 Oct 2016 11:56:24 +0200
In-Reply-To: <502CB6FA13FD7944B03368AF387E69E94A09F597@CHASSERAL-MB3.intra.ceff.ch>

On 18.10.2016 08:34, Brugnerotto Angélique wrote:
> -----Original Message-----
> From: André Warnier (tomcat) [mailto:aw@ice-sa.com]
> Sent: Monday, 17 October 2016 13:54
> To: users@tomcat.apache.org
> Subject: Re: Mixed authentication
>
> On 17.10.2016 11:51, Brugnerotto Angélique wrote:
>> Good morning everybody.
>>
>> We use Tomcat 6 for an internal web site.
>> Actually, the authentication is negotiate with SSO. It works fine. When we access the web site, the Windows authentication of the Windows session is resumed.
>>
>> We would like to publish this site in external.
>> We have problems with negotiate authentication.
>>
>> We have tried to put the mixed authentication with Form authentication.
>>
>> It works but the problem is that when we access the site, we have a page with a form and 2 choices :
>> - Put the username/password
>> - A button to use Windows authentication
>> We have followed this tutorial : http://code.dblock.org/2010/05/27/to...-w-waffle.html
>>
>> What we would like to do is that the web site tries automatically to do a negotiate authentication and only if it can't, to show a form. We don't find how to do this. Is it possible ? Can you help us ?
>>
>
> Hello Angélique.
> What you are trying to do may be difficult, even impossible.
> One problem is that the browser will not even *try* Windows Integrated Authentication, if the workstation where it runs is not part of the same domain as the server (or at least a "trusted" server).
> (That is for security reasons, as WIA is only deemed "safe" within the same domain).
> So the browser will then (probably, depending on how the PC and the server are set up) automatically revert to HTTP Basic authentication (meaning that the browser built-in login popup dialog will appear).
> But that is not "form authentication".
>
> Note that one of the comments on the page which you mention above, says pretty much the same thing : see " Atdavie . 4 years ago "
> (Full link :
> http://code.dblock.org/2010/05/27/tomcat-single-sign-on-mixed-with-form-authentication-w-waffle.html)
>
> The whole issue is fairly complex, and has to do with discrepancies between what the HTTP protocol foresees or not as valid authentication methods (of which "form" is not one), and how the Windows (Microsoft-specific) authentication works.
>
> I would suggest that you stay with your current solution, it is the simplest one.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> Good morning,
>
> Thank you for the answer.
> Our workstations are on the same domain as the server.
> In internal, it's not possible to automatically do a Windows authentication on Tomcat ? And only in external, show a form to insert username and password ?
>
> The actual solution does not satisfy us :-(
>

What you want to achieve, in general, is perfectly possible. But it is your context "in Tomcat" which is slightly off the mark.
You will probably not be able to achieve what you want, just by changing some parameters in the Tomcat configuration; you have to look at the whole architecture.
(In other words : this is not a Tomcat-specific issue; you would have the same problem with any webserver).

The fundamental issue is : once you start a Windows authentication between a browser and a client, you cannot "cleanly step back" if it does not work, and restart a form-based authentication. There is just no mechanism available for doing this cleanly and reliably, either in the HTTP protocol, or in the way in which standard browsers are built.
(In other words again : the WIA authentication is a multi-step process, with a series of exchanges between the browser and the server. But once you have started it, there are only 2 ways in which it can end : it either succeeds and you are logged-in, or it fails and the browser gets back a "forbidden" HTTP status. There is no "in-between" foreseen in the protocols, so even if you managed to make it work in some limited cases, it would always fail in some other cases.)

So you have to do the distinction earlier in the process, and then *either* start a Windows authentication, *or* start a form-based authentication.
One way to do this, would be to have a "filter", very soon in the process, which would check the IP address of the client, and determine if it is "internal" or "external", and then redirect (or forward) the call to one of 2 *separate* applications :
- one protected by a Windows authentication
- one protected by a form-based authentication
(That the code of these 2 applications could be exactly identical, is a separate issue).

There are different ways to do this, depending on your infrastructure and what you feel comfortable with.
For example, you could set up a front-end Apache httpd server to do the user authentication, and then forward an already-authenticated request to a back-end Tomcat.
Or, you might be able to do this directly in Tomcat, by using the URLRewrite filter/valve. (I do not really know about this one; I know that it can do a lot of things, but I have never tried it for such a case).
See here : https://tomcat.apache.org/tomcat-8.0-doc/rewrite.html
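As an added illustration of the dispatcher filter described in this reply (example code, not from the thread or from Tomcat itself): a servlet filter, deployed in the ROOT context and mapped to /*, that classifies the client by socket address and redirects to one of two separately deployed copies of the application. The class name, the init-param names and the two context paths are assumptions.

```java
import java.io.IOException;
import java.net.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/* Hypothetical dispatcher: internal clients are redirected to the WIA-protected copy of
 * the application, everyone else to the form-protected copy. It never calls the chain.
 * Init-param names (internalCidrs, wiaPath, formPath) are assumed, set in web.xml. */
public class AuthDispatchFilter implements Filter {
    private final List<long[]> internalNets = new ArrayList<long[]>(); // {network, mask}
    private String wiaPath, formPath;

    public void init(FilterConfig cfg) throws ServletException {
        wiaPath = cfg.getInitParameter("wiaPath");   // e.g. /intranet-wia
        formPath = cfg.getInitParameter("formPath"); // e.g. /intranet-form
        for (String cidr : cfg.getInitParameter("internalCidrs").split(",")) {
            String[] p = cidr.trim().split("/");     // e.g. 192.168.0.0/16
            long mask = (0xFFFFFFFFL << (32 - Integer.parseInt(p[1]))) & 0xFFFFFFFFL;
            internalNets.add(new long[] { ipv4ToLong(p[0]) & mask, mask });
        }
    }

    /* Unsigned 32-bit value of a dotted-quad literal, or -1 if it is not IPv4. */
    static long ipv4ToLong(String addr) {
        try {
            byte[] b = InetAddress.getByName(addr).getAddress(); // literal: no DNS lookup
            if (b.length != 4) return -1;
            return ((b[0] & 0xFFL) << 24) | ((b[1] & 0xFFL) << 16) | ((b[2] & 0xFFL) << 8) | (b[3] & 0xFFL);
        } catch (UnknownHostException e) { return -1; }
    }

    /* Non-IPv4 or unparseable peers fail closed: they get the form login, never WIA. */
    boolean isInternal(String addr) {
        long ip = ipv4ToLong(addr);
        if (ip < 0) return false;
        for (long[] net : internalNets) if ((ip & net[1]) == net[0]) return true;
        return false;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        // Decide on the socket peer address. X-Forwarded-For is client-controlled, so
        // trust it only through RemoteIpValve/RemoteIpFilter configured for your proxy.
        String base = isInternal(r.getRemoteAddr()) ? wiaPath : formPath;
        // Redirect rather than forward: the container does not enforce security constraints
        // on RequestDispatcher forwards, so a forward would skip the target's authenticator.
        String qs = r.getQueryString() == null ? "" : "?" + r.getQueryString();
        ((HttpServletResponse) res).sendRedirect(base + r.getRequestURI() + qs);
    }

    public void destroy() {}
}
```

Each copy of the application keeps its own login-config (SPNEGO or FORM) and its own security constraints, so a misclassified client only lands on the wrong login method, never on an unauthenticated page.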