RE: Form Based Authentication
Although we are working in a Websphere/LDAP environment, we had the same requirement as you, and we managed to solve it. What we did (and I'm going from fairly distant memories, so hopefully I'm at least close to right) is this...

User logs on. We have a filter that checks for password expired/reset (both a forced PW change) via flags set in a previous filter (values taken from LDAP) and redirects to the change screen if applicable. This all of course happens only after a "successful" logon, i.e., user entered valid credentials, including expired password already. We destroy the session before leaving that filter. Password is changed, all without creating a new session along the way. Once it is changed, we redirect back through the logon process as before. We decided that it was *better* to make the user log on again because it proves they remember the password they entered 2 seconds ago :)

I suppose if I had to allow that automatic authentication, I would NOT destroy the session and instead just redirect to the first protected resource of the app from the change PW screen. Since the user was let in the first time around, they are really authenticated already. In essence, the filter that catches that forced PW change flag is acting like the container, intercepting all protected requests and redirecting to a change PW screen. If you did it smartly you should be able to grab what resource was requested when the filter fired so as to not have to hardcode where to go to after that forced PW screen is finished.

Frank

--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
AIM: fzammetti Yahoo: fzammetti

On Tue, October 11, 2005 12:24 pm, Peter Bright said:
>
>> -----Original Message-----
>> From: Caldarale, Charles R
>> Sent: 11 October 2005 17:23
>> To: Tomcat Users List
>> Subject: RE: Form Based Authentication
>>
>> > From: Peter Bright
>> > Subject: RE: Form Based Authentication
>> >
>> > > > It's point (c) that's proving problematic; there's no way to
>> > > > reauthenticate that I can see.
>> > >
>> > > What happens if you just invalidate the existing session?
>> >
>> > The user gets logged out.
>>
>> Exactly - and they then must reauthenticate with the updated password.
>> Isn't that what you want?
>>
> No, sorry, it was unclear. I want them to be reauthenticat/ed/ with the
> new credentials /automatically/. Without making them have to
> reauthenticate /by hand/.
RE: Form Based Authentication
> -----Original Message-----
> From: Caldarale, Charles R
> Sent: 11 October 2005 17:23
> To: Tomcat Users List
> Subject: RE: Form Based Authentication
>
> > From: Peter Bright
> > Subject: RE: Form Based Authentication
> >
> > > > It's point (c) that's proving problematic; there's no way to
> > > > reauthenticate that I can see.
> > >
> > > What happens if you just invalidate the existing session?
> >
> > The user gets logged out.
>
> Exactly - and they then must reauthenticate with the updated password.
> Isn't that what you want?

No, sorry, it was unclear. I want them to be reauthenticat/ed/ with the new credentials /automatically/. Without making them have to reauthenticate /by hand/.
RE: Form Based Authentication
> From: Peter Bright
> Subject: RE: Form Based Authentication
>
> > > It's point (c) that's proving problematic; there's no way to
> > > reauthenticate that I can see.
> >
> > What happens if you just invalidate the existing session?
>
> The user gets logged out.

Exactly - and they then must reauthenticate with the updated password. Isn't that what you want?

 - Chuck
RE: Form Based Authentication
> -----Original Message-----
> From: Caldarale, Charles R
> Sent: 11 October 2005 17:18
> To: Tomcat Users List
> Subject: RE: Form Based Authentication
>
> > From: Peter Bright
> > Subject: Form Based Authentication
> >
> > It's point (c) that's proving problematic; there's no way to
> > reauthenticate that I can see.
>
> What happens if you just invalidate the existing session?

The user gets logged out.
RE: Form Based Authentication
> From: Peter Bright
> Subject: Form Based Authentication
>
> It's point (c) that's proving problematic; there's no way to
> reauthenticate that I can see.

What happens if you just invalidate the existing session?

 - Chuck
Form Based Authentication
Hello,

We're currently using form-based authentication (i.e. FORM) but, as I suspect many people have found, it's rather limited. One requirement we have is enforced password changes in certain scenarios. Currently the approach we were thinking of using is as follows:

a) the realm recognizes that the user has a mandatory password change flag set, and so gives them a degenerate set of roles; instead of their true role, they just have a MUST_CHANGE_PASSWORD role.
b) a filter checks for the existence of this role, and if it's found, forces the user to go to our change password page.
c) the password is changed and the user reauthenticated with their new credentials, to retrieve their full set of roles.

It's point (c) that's proving problematic; there's no way to reauthenticate that I can see. Our thinking is that we can resolve the inability to reauthenticate by creating a custom Authenticator; we could set some flag in the session to perform on-demand reauthentication, which would repopulate the list of roles, and everything would be hunky dory.

Is this approach reasonable? How have other people tackled similar requirements? Is there any less contrived way of achieving what we want with the minimum of Tomcat-specific code?

Peter
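The filter Peter sketches in step (b) and Frank describes in his reply (intercept protected requests, detour to the change-password page, remember which resource was asked for, then send the user back through the logon) as an added Java example written for a Servlet 2.4-era container such as Tomcat 5; it is not code from either poster. The role name MUST_CHANGE_PASSWORD is Peter's; the paths /changePassword.jsp and /changePassword.do and the session attribute name are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Runs after the container has already authenticated the user. While the realm
 * has handed out only the degenerate MUST_CHANGE_PASSWORD role, every other
 * protected request is detoured to the change-password page, and the URI the
 * user actually asked for is kept in the session so nothing about the landing
 * page after the change has to be hardcoded.
 *
 * Assumptions (not from the thread): javax.servlet as in Tomcat 5 (newer
 * Tomcats use jakarta.servlet); the change page at /changePassword.jsp posting
 * to /changePassword.do, both inside the same security constraint so the
 * container has logged the user in before this filter runs; filter mapped to /*.
 */
public class ForcedPasswordChangeFilter implements Filter {

    static final String ROLE = "MUST_CHANGE_PASSWORD";          // Peter's degenerate role
    static final String CHANGE_PAGE = "/changePassword.jsp";     // assumed path
    static final String CHANGE_ACTION = "/changePassword.do";    // assumed form target
    static final String ORIGINAL_URI = "forcedPwChange.originalUri"; // assumed attribute name

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Anonymous request, or a user whose realm returned their real roles: pass through.
        if (request.getRemoteUser() == null || !request.isUserInRole(ROLE)) {
            chain.doFilter(req, res);
            return;
        }

        // The change page and its handler must stay reachable, or the redirect loops.
        String path = request.getServletPath();
        if (CHANGE_PAGE.equals(path) || CHANGE_ACTION.equals(path)) {
            chain.doFilter(req, res);
            return;
        }

        // Remember the first navigable (GET) resource requested; a POST body cannot be
        // replayed through a redirect, so there is no point saving one.
        HttpSession session = request.getSession();
        if ("GET".equals(request.getMethod()) && session.getAttribute(ORIGINAL_URI) == null) {
            session.setAttribute(ORIGINAL_URI, originalUri(request));
        }
        response.sendRedirect(request.getContextPath() + CHANGE_PAGE);
    }

    /** Server-relative request URI plus query string: a path on this host, never a caller-supplied URL. */
    static String originalUri(HttpServletRequest request) {
        String uri = request.getRequestURI();
        String query = request.getQueryString();
        return query == null ? uri : uri + "?" + query;
    }

    /**
     * Frank's variant, for the change-password handler to call once the new password
     * is stored: drop the session so the container makes the user log on again with
     * the new credentials, then send them to the resource they first requested. With
     * FORM login the container shows the login page and returns them there on success.
     */
    static void completeChange(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        String target = request.getContextPath() + "/";
        if (session != null) {
            Object saved = session.getAttribute(ORIGINAL_URI);
            if (saved != null) target = saved.toString();
            session.invalidate();
        }
        response.sendRedirect(target);
    }
}
```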
Re: Certificate authentication
James Rome wrote:
> Why don't my methods get called? The start() method gets called, but nothing else.

Take a look at http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/authenticator/package-summary.html

Mark
Certificate authentication
I have looked at the source code and it seems to me that presented client certificates are only checked for their validity dates, and NOT for whether they have been revoked. I am able to access my Tomcat site with a revoked certificate.

It is easy to implement OCSP and/or CRL checking, so I implemented an X509Realm that extends BasicRealm. I overrode all of the authenticate() methods, but they are never called when I access my site. I put my realm in the and require CLIENT-CERTS in the site .

Why don't my methods get called? The start() method gets called, but nothing else.

Jim Rome
Re: Reg form based authentication
thank you all

Sreekanth

On 10/1/05, Mark Thomas wrote:
>
> sree kanth wrote:
> > Hi all,
> > i have been developing on JSP's for the last one year, but still i have
> > never implemented form based authentication.
> > Can any one help me in implementing form based authentication?
> > Thank you all
> > Sreekanth
>
> Very basic example:
> Put login.jsp and error.jsp in the root of your application and add
> the web.xml snippet to your application's web.xml file.
>
> Mark
>
> login.jsp
> Login
>
> error.jsp
> Login Error
> Login failed.
>
> web.xml snippet
> FORM
> Test
> /login.jsp
> /error.jsp
Re: Reg form based authentication
sree kanth wrote:
> Hi all,
> i have been developing on JSP's for the last one year, but still i have never implemented form based authentication.
> Can any one help me in implementing form based authentication?
> Thank you all
> Sreekanth

Very basic example: Put login.jsp and error.jsp in the root of your application and add the web.xml snippet to your application's web.xml file.

Mark

login.jsp
Login

error.jsp
Login Error
Login failed.

web.xml snippet
FORM
Test
/login.jsp
/error.jsp
Re: combining form based authentication with https
Peddireddy Srikanth wrote:
> Hi all,
> I have a basic doubt. If there are any resources which will help me on this, please point me towards them. I will carry on from there.
> My question is how to combine the form based authentication, where we use "jsecuritycheck", "jusername" etc with https. As far as I know if we use form based authentication username and password will be authenticated by the container managed resource called "jsecuritycheck". But the data transfer from client browser to tomcat will still be plain text. I want to encrypt this and obviously I need to use https. So how to combine both and how will tomcat help me doing this??

Providing you have an https connector configured, you can use something like this in your
CONFIDENTIAL

See the spec for more details.

Mark
Re: Reg form based authentication
Check this link, this might help you: http://www.onjava.com/pub/a/onjava/2002/06/12/form.html

You will find a lot of resources on the net on this.

On 9/30/05, sree kanth wrote:
> Hi all,
> i have been developing on JSP's for the last one year, but still i have
> never implemented form based authentication.
> Can any one help me in implementing form based authentication?
> Thank you all
> Sreekanth
Reg form based authentication
Hi all,

I have been developing on JSP's for the last one year, but still I have never implemented form based authentication.
Can any one help me in implementing form based authentication?

Thank you all
Sreekanth
combining form based authentication with https
Hi all,

I have a basic doubt. If there are any resources which will help me on this, please point me towards them. I will carry on from there.

My question is how to combine the form based authentication, where we use "jsecuritycheck", "jusername" etc with https. As far as I know if we use form based authentication username and password will be authenticated by the container managed resource called "jsecuritycheck". But the data transfer from client browser to tomcat will still be plain text. I want to encrypt this and obviously I need to use https. So how to combine both and how will tomcat help me doing this??

Thanks in advance

Regards
Srikanth Peddireddy
BASIC authentication SSO with a separate IIS application
I've been told our working application must coexist with other applications using BASIC authentication, the same domain name and a shared authentication store to achieve single sign on (SSO). Our application has been working fine without IIS or Apache sitting in front of it. The application is almost entirely dynamic so I didn't feel a need before.

Now that we've thrown the switch on our QA tier the SSO is not working. The other application seems to generate a key to store the authentication in the browser of "qa.ourserver.com", while our application generates a key of "qa.ourserver.com:80". The browser then treats these as separate domains. I do not see anywhere in the config files where this is set.

Q1: Can I configure Tomcat to not include the ":80" at the end of the domain name?

Q2: Should I configure Tomcat to run behind the same IIS the other application runs behind? I'm developing in Java and the other application is developed in C# and .net.

Q3: If the BASIC authentication solution weren't already dictated, what would the preferred SSO solution be?

Any additional insight is also appreciated.

Thanks!
-Steve-
RE: Can the Tomcat authentication module use an ASP.NET security token?
> From: Tracy Spratt
> Subject: Can the Tomcat authentication module use an ASP.NET
> security token?
>
> I have a Tomcat app (MM Flex app) that is called from an asp.net
> application which is secured by "forms" (cookie-based) authentication.
> (NOT NTLM / Windows Integrated)
>
> I don't want the user to have to log in again.
>
> I have a programmatic solution in mind, but it is going to be
> comparatively ugly.
>
> Any ideas?

You're going to have to use that programmatic solution. Forms authentication (by default) sets a session-id cookie, and the asp.net worker process maintains state information such as login details internally. You can't even get to it via classic ASP on the same IIS.

 - Peter
Can the Tomcat authentication module use an ASP.NET security token?
I have a Tomcat app (MM Flex app) that is called from an asp.net application which is secured by "forms" (cookie-based) authentication. (NOT NTLM / Windows Integrated)

I don't want the user to have to log in again.

I have a programmatic solution in mind, but it is going to be comparatively ugly.

Any ideas?

Tracy
Re: Mixing Form-based authentication with Public Resources
No solution. You can filter prefix, or suffix, but not both.

-Tim

Marquez, Omar wrote:
> Hi,
> I'm using Tomcat Form-based Authentication with a JDBC realm, this is working ok for all my pages that are protected through web.xml with
>
> All System
> *.do
> *.jsp
> sys_user
> NONE
>
> however, now I have a set of pages, report*.jsp and report*.do for which I would like to NOT require authentication. I.e. "Public access".
> My question is how can I declare a Public Resource in web.xml that will not affect the "All System" security constraint above?
> I tried, without luck, inserting before the constraint above a new constraint like so:
>
> Public Resources
> /includes/*
> report*.do
> report*.jsp
> Anonymous
> NONE
>
> Anybody knows the solution for this problem?
> Thanks,
> Omar
Mixing Form-based authentication with Public Resources
Hi,

I'm using Tomcat Form-based Authentication with a JDBC realm, this is working ok for all my pages that are protected through web.xml with

All System
*.do
*.jsp
sys_user
NONE

however, now I have a set of pages, report*.jsp and report*.do for which I would like to NOT require authentication. I.e. "Public access".

My question is how can I declare a Public Resource in web.xml that will not affect the "All System" security constraint above?

I tried, without luck, inserting before the constraint above a new constraint like so:

Public Resources
/includes/*
report*.do
report*.jsp
Anonymous
NONE

Anybody knows the solution for this problem?

Thanks,
Omar

--
Omar Marquez
Techops Software Engineer
NAVTEQ
Re: password authentication causes 403 error
Thanks Bill - that did it!

Bill Barker writes:
> Paul Mackinlay wrote:
> > Hi there,
> > I would like to set up my development tomcat-5.0.28 (on port 8080) so that
> > all webapps that are not password protected, to have password
> > authentication. Since it is my dev box I would like to use the memory
> > realm.
> > I have this in my web.xml:
> >
> > /*
> > GET
> > POST
> >
>
> It's:
> admin
>
> What you have (other than being invalid, if validation-checking was enabled :), tells Tomcat to forbid access to everyone.
>
> > NONE
> >
> > BASIC
> >
> > I have this in my tomcat-users.xml:
> >
> > roles="admin,manager,role1"/>
> >
> > If I go to http://localhost:8080/manager it asks me to login and then
> > gives me access to the webapp as expected. If I go to
> > http://localhost:8080/ it asks me to login and if I get it wrong it gives
> > me a 401 error as expected but if I get it right it gives me a 403 error
> > instead of allowing access to the webapp. This happens with all webapps
> > that do not have their own authentication.
> > How do I configure tomcat to give me access to my webapps when I login
> > correctly?
> > Thanks,
> > Paul

--
Paul Mackinlay (PhD, MEng)
http://www.webotech.co.uk/
Re: password authentication causes 403 error
Paul Mackinlay wrote:
> Hi there,
> I would like to set up my development tomcat-5.0.28 (on port 8080) so that
> all webapps that are not password protected, to have password
> authentication. Since it is my dev box I would like to use the memory
> realm.
> I have this in my web.xml:
>
> /*
> GET
> POST
>

It's:
admin

What you have (other than being invalid, if validation-checking was enabled :), tells Tomcat to forbid access to everyone.

> NONE
>
> BASIC
>
> I have this in my tomcat-users.xml:
>
> roles="admin,manager,role1"/>
>
> If I go to http://localhost:8080/manager it asks me to login and then
> gives me access to the webapp as expected. If I go to
> http://localhost:8080/ it asks me to login and if I get it wrong it gives
> me a 401 error as expected but if I get it right it gives me a 403 error
> instead of allowing access to the webapp. This happens with all webapps
> that do not have their own authentication.
> How do I configure tomcat to give me access to my webapps when I login
> correctly?
> Thanks,
> Paul
> --
> Paul Mackinlay (PhD, MEng)
> http://www.webotech.co.uk/
password authentication causes 403 error
Hi there,

I would like to set up my development tomcat-5.0.28 (on port 8080) so that all webapps that are not password protected have password authentication. Since it is my dev box I would like to use the memory realm.

I have this in my web.xml:

/*
GET
POST

NONE

BASIC

I have this in my tomcat-users.xml:

If I go to http://localhost:8080/manager it asks me to login and then gives me access to the webapp as expected. If I go to http://localhost:8080/ it asks me to login and if I get it wrong it gives me a 401 error as expected but if I get it right it gives me a 403 error instead of allowing access to the webapp. This happens with all webapps that do not have their own authentication.

How do I configure tomcat to give me access to my webapps when I login correctly?

Thanks,
Paul

--
Paul Mackinlay (PhD, MEng)
http://www.webotech.co.uk/
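Both web.xml puzzles on this page, Omar's report*.do patterns that Tim says cannot work and the 403 that Bill traces to an auth-constraint naming no role, come down to how the servlet spec matches url-patterns and combines auth-constraints. The following is an added Java example, not Tomcat's own code: it re-implements those rules and runs the two posted configurations against them. The /public/* directory is an assumed alternative layout, not something either poster used.

```java
import java.util.*;

/**
 * Illustrative re-implementation (not Tomcat's RealmBase) of the servlet-spec
 * url-pattern rules and <auth-constraint> combination rules. Matching order is
 * the spec's: exact, then longest path prefix, then extension, then the default
 * "/". <http-method> is ignored: every constraint is taken to cover all methods.
 */
public class SecurityConstraintMatcher {

    /** One <security-constraint>: its url-patterns and the role-names of its <auth-constraint>. */
    static final class Constraint {
        final String name;
        final List<String> patterns;
        /** null = no <auth-constraint> (open to all); empty = <auth-constraint/> (open to nobody). */
        final List<String> roles;
        Constraint(String name, List<String> patterns, List<String> roles) {
            this.name = name; this.patterns = patterns; this.roles = roles;
        }
    }

    enum Kind { EXACT, PREFIX, EXTENSION, DEFAULT, INVALID }

    /** A '*' is legal only as the whole last segment ("/dir/*") or in "*.ext"; "report*.do" is neither. */
    static Kind kind(String p) {
        if (p.equals("/")) return Kind.DEFAULT;
        if (p.startsWith("*.") && p.indexOf('*', 1) < 0 && p.indexOf('/') < 0) return Kind.EXTENSION;
        if (p.startsWith("/") && p.endsWith("/*") && p.indexOf('*') == p.length() - 1) return Kind.PREFIX;
        if (p.startsWith("/") && p.indexOf('*') < 0) return Kind.EXACT;
        return Kind.INVALID;
    }

    static boolean matches(String pattern, String path) {
        switch (kind(pattern)) {
            case EXACT: return pattern.equals(path);
            case PREFIX: {
                String dir = pattern.substring(0, pattern.length() - 2);  // "/includes/*" -> "/includes"
                return path.equals(dir) || path.startsWith(dir + "/");
            }
            case EXTENSION: return path.endsWith(pattern.substring(1));  // "*.do" -> ".do"
            case DEFAULT: return true;
            default: return false;  // an invalid pattern matches nothing, and nothing warns you
        }
    }

    /** The constraints governing a path: every match at the most specific level that has one. */
    static List<Constraint> applicable(List<Constraint> all, String path) {
        for (Kind level : new Kind[] { Kind.EXACT, Kind.PREFIX, Kind.EXTENSION, Kind.DEFAULT }) {
            List<Constraint> hits = new ArrayList<Constraint>();
            int longest = -1;
            for (Constraint c : all) {
                for (String p : c.patterns) {
                    if (kind(p) != level || !matches(p, path)) continue;
                    if (level == Kind.PREFIX) {  // only the longest matching prefix counts
                        if (p.length() < longest) continue;
                        if (p.length() > longest) { hits.clear(); longest = p.length(); }
                    }
                    if (!hits.contains(c)) hits.add(c);
                }
            }
            if (!hits.isEmpty()) return hits;
        }
        return Collections.<Constraint>emptyList();
    }

    /**
     * Spec combination rules: an <auth-constraint/> naming no role precludes everyone
     * (Paul's 403); otherwise a governing constraint with no <auth-constraint> opens the
     * resource; otherwise the caller needs one of the union of named roles ("*" = any
     * authenticated user). userRoles == null models an unauthenticated request.
     */
    static String decide(List<Constraint> all, String path, Set<String> userRoles) {
        List<Constraint> hits = applicable(all, path);
        if (hits.isEmpty()) return "ALLOW (no constraint matches)";
        Set<String> required = new HashSet<String>();
        boolean open = false;
        for (Constraint c : hits) {
            if (c.roles == null) open = true;
            else if (c.roles.isEmpty()) return "DENY (empty <auth-constraint> forbids everyone)";
            else required.addAll(c.roles);
        }
        if (open) return "ALLOW (a governing constraint has no <auth-constraint>)";
        if (userRoles == null) return "DENY (login required, then one of " + required + ")";
        if (required.contains("*") || !Collections.disjoint(required, userRoles)) return "ALLOW";
        return "DENY (needs one of " + required + ")";
    }

    public static void main(String[] args) {
        // Omar's web.xml as posted: *.do and *.jsp need sys_user; the "Public Resources"
        // constraint he tried uses report*.do / report*.jsp (modelled with no <auth-constraint>).
        Constraint allSystem = new Constraint("All System", Arrays.asList("*.do", "*.jsp"), Arrays.asList("sys_user"));
        Constraint asPosted = new Constraint("Public Resources", Arrays.asList("/includes/*", "report*.do", "report*.jsp"), null);
        System.out.println("kind(report*.do) = " + kind("report*.do"));
        System.out.println("/report1.do, anonymous: " + decide(Arrays.asList(asPosted, allSystem), "/report1.do", null));
        // A prefix pattern outranks an extension pattern, so grouping the public reports under
        // one directory (assumed name: /public) uses a pattern the spec does allow.
        Constraint publicDir = new Constraint("Public Reports", Arrays.asList("/public/*"), null);
        System.out.println("/public/report1.do, anonymous: " + decide(Arrays.asList(publicDir, allSystem), "/public/report1.do", null));

        // Paul's web.xml: "/*" with an auth-constraint naming no role, versus Bill's <role-name>admin.
        Set<String> admin = new HashSet<String>(Arrays.asList("admin", "manager", "role1"));
        Constraint lockout = new Constraint("dev box", Arrays.asList("/*"), Collections.<String>emptyList());
        Constraint fixed = new Constraint("dev box", Arrays.asList("/*"), Arrays.asList("admin"));
        System.out.println("/ as posted, admin logged in: " + decide(Arrays.asList(lockout), "/", admin));
        System.out.println("/ with role-name admin:       " + decide(Arrays.asList(fixed), "/", admin));
    }
}
```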
Re: A good place to learn how to use digest authentication
On 9/15/05, bachoo jahnkar wrote:
> I'm trying to use Digest authentication with an AXIS web service hosted on
> ...
> connect the URL configured on the secure realm from IE 6.0. Presto whatever
> I tried I always got 401. Once I changed authentication back to basic,
> things started working, when I change them back to Digest I start getting
> 401.

I think this is an old problem with IE and digest auth: http://www.eweek.com/article2/0,1895,1500432,00.asp

Jim
Re: A good place to learn how to use digest authentication
http://www.devx.com/DevX/Article/21911

Chandan Gupta wrote:
> Hi,
> I'm trying to use Digest authentication with an AXIS web service hosted on Tomcat 5.0.28. The problem is in setting up Digest authentication for Tomcat. I did as was written in HOW-TO setting up a JDBC realm, I tried to connect the URL configured on the secure realm from IE 6.0. Presto whatever I tried I always got 401. Once I changed authentication back to basic, things started working, when I change them back to Digest I start getting 401. Is there some place where I could get an exact description of setting up Digest authentication in Tomcat?
> Please help
> Regards,
> Chandan
A good place to learn how to use digest authentication
Hi,

I'm trying to use Digest authentication with an AXIS web service hosted on Tomcat 5.0.28. The problem is in setting up Digest authentication for Tomcat. I did as was written in HOW-TO setting up a JDBC realm, I tried to connect the URL configured on the secure realm from IE 6.0. Presto whatever I tried I always got 401. Once I changed authentication back to basic, things started working, when I change them back to Digest I start getting 401.

Is there some place where I could get an exact description of setting up Digest authentication in Tomcat?

Please help

Regards,
Chandan
basic authentication problem 5.5.9
Hi

I suspect I am running into this bug in tomcat 5.5.9 which has been solved in tomcat 5.5.11 and I was wondering if there is a workaround: http://issues.apache.org/bugzilla/show_bug.cgi?id=22617

Let me first explain my situation. I have a webapplication which we use in production on multiple sites on tomcat 5.0.28. We have a major version upcoming in a few months and want to take the opportunity to move to tomcat 5.5.x (several technical reasons and not much going on on the 5.0 branch). We need a stable version of course (our customers don't like alpha stuff) and 5.5.9 appears to be it for the moment.

Yesterday when I tried our web application in 5.5.9 it mostly worked as far as I could see. The only thing that didn't work was that our admin context was no longer password protected. I spent quite some time rechecking the configuration (which works fine on 5.0.28). Quite annoyingly the server.xml has a different, semantically equivalent notation for defining user databases but that was easy to fix. Still no luck. Then I searched google and eventually came up with the bug above which might explain things. The simple workaround there of defining a null user or a "" user didn't work though. To confirm I was running into a (solved) bug I tested on 5.5.11 and indeed authentication works fine there with identical configuration.

So my question is threefold:
- Is the bug above the problem I am running into or is it something else
- Is there a workaround for it in 5.5.9. We can't support alpha versions on production sites so we need this fixed in the stable release.
- If the answer is no, we'll have to put off support for 5.5.x until there is a stable version with the fix (and hopefully no new issues): is there a rough time schedule when that might happen?

Regards,

Jilles
Re: RE: Windows Authentication in Tomcat
Hello,

If you really can send me that code that would make my life much easier!

Thanks,
john_polinsky (at) suomi24.fi

Cheers!

Message
Date: 2005/09/07 13:31
To: "Tomcat Users List"
Subject: RE: Windows Authentication in Tomcat

http://jcifs.samba.org/

If you want more information let me know and I will send you the code

-----Original Message-----
From: john polinsky
Sent: 07 September 2005 11:28
To: tomcat-user@jakarta.apache.org
Subject: Windows Authentication in Tomcat

Hello there,

How is Tomcat usually configured when it is wanted to get information from a Windows Server (e.g. Active Directory running on W2k or Win2003)? What Realms should be used in Tomcat and how is this done, is any document available?

Second question is, if I e.g. for testing purposes want to use my local PC's Windows usernames and passwords for Tomcat's authentication, how can that be done? In this case I would have only my own PC running Windows without Windows Network Servers.

Can anyone give any tips to these questions?

Cheers!
RE: Windows Authentication in Tomcat
http://jcifs.samba.org/

If you want more information let me know and I will send you the code

-----Original Message-----
From: john polinsky
Sent: 07 September 2005 11:28
To: tomcat-user@jakarta.apache.org
Subject: Windows Authentication in Tomcat

Hello there,

How is Tomcat usually configured when it is wanted to get information from a Windows Server (e.g. Active Directory running on W2k or Win2003)? What Realms should be used in Tomcat and how is this done, is any document available?

Second question is, if I e.g. for testing purposes want to use my local PC's Windows usernames and passwords for Tomcat's authentication, how can that be done? In this case I would have only my own PC running Windows without Windows Network Servers.

Can anyone give any tips to these questions?

Cheers!
Windows Authentication in Tomcat
Hello there,

How is Tomcat usually configured when it is wanted to get information from a Windows Server (e.g. Active Directory running on W2k or Win2003)? What Realms should be used in Tomcat and how is this done, is any document available?

Second question is, if I e.g. for testing purposes want to use my local PC's Windows usernames and passwords for Tomcat's authentication, how can that be done? In this case I would have only my own PC running Windows without Windows Network Servers.

Can anyone give any tips to these questions?

Cheers!
Tomcat 5 + SSL - Overriding default certificate authentication
Hi,

Need to override the default certificate authentication to provide some own validation. Need to embed some new extensions in the certificate and validate them.

Got the following information but having problems doing what is explained:
1. Write new SSLImplementation subclassing org.apache.tomcat.util.net.SSLImplementation
2. Specify SSLImplementation="com.MySSLImplementation" in connector for port 8443 in server.xml

However I get a class not found error = org.apache.tomcat.util.net.SSLImplementation

Any guidelines?

Regards,
Chandan

P.S.: I got tomcat to load my sslimplementation - it was as simple a matter as placing my jar in server\lib - sorry for being dumb. Still posting this in case there is an elegant simpler way.
login form based authentication
My web application uses tomcat 5.5.10. By using basic authentication, the application works fine. By using the form based authentication, if I submit an invalid username/password, the application seems to work, an error.jsp shows up. But if I submit a valid username/password, I get "HTTP Status 408 - The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser".

Has anyone had this kind of problem and solved it? Please help me out.

Thanks,
Julia
RE: Securityfilter for authentication
I have the security filter .jar in my /lib directory but not the /lib directory of the webapp. But the server's /lib.

-----Original Message-----
From: Andrew Stepanenko
Sent: Tuesday, August 23, 2005 8:21 PM
To: Mark Goking
Subject: Re: Securityfilter for authentication

Hello Mark,

> says jdbcrealm[null]

I remember I also had this error but don't remember exactly a workaround. Check that you have a security filter .jar file in your WEB-INF/lib directory and also inspect tomcat log files.

Regards,
Andrew.

Mark Goking wrote:
> Hi this is my realm. I followed your catalina realm but when I login, it
> says jdbcrealm[null]
>
> Is this org.apache.catalina.realm.JDBCRealm by default? Or does my
> class have to be the classname of the oracle driver?
>
> className="org.securityfilter.realm.catalina.CatalinaRealmAdapter" />
> value="oracle.jdbc.driver.OracleDriver"/>
> value="jdbc:oracle:oci8:@bill" />
> value="cstest" />
> value="cstest" />

--
Andrew Stepanenko,
Software engineer,
Ukrainian-Dutch Faculty of Economics and Management
Ternopil State Economic University
Web: http://unf.tane.edu.ua
Re: Securityfilter for authentication
Hi Mark,

I'm using SecurityFilter in my application successfully. What are your questions?

Regards,
--
Andrew Stepanenko, Software engineer,
Ukrainian-Dutch Faculty of Economics and Management
Ternopil State Economic University
Shevchenko Street 9, Office 24-25
Ternopil, 46000 UKRAINE
Tel: +38 (0352) 43 52 41  fax: +38 (0352) 43 52 45
Web: http://unf.tane.edu.ua

Mark Goking wrote:
> Has anyone here used SecurityFilter for authentication? The samples don't have any database realm example. If anyone got this working using a DB for authentication, please let me know; I would like to ask some questions.
> Thanks
Securityfilter for authentication
Has anyone here used SecurityFilter for authentication? The samples don't have any database realm example. If anyone got this working using a DB for authentication, please let me know; I would like to ask some questions.

Thanks
Re: Tomcat authentication with Kerberos
From: "Wendy Smoak" <[EMAIL PROTECTED]>

> I have a standalone Tomcat 5.0 instance, and a third-party webapp that has support for authentication via LDAP. Of course, we don't have LDAP, we have Kerberos. It should be a simple matter to plug in a different Realm, right?

Replying to myself for the benefit of the archives...

I came up with three examples of Kerberos authentication with Tomcat and JAASRealm:
http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatJspExamples

The first one is converting the 'jsp-examples' webapp to use Kerberos by adding/changing config files; no Java code is required. From there, I have a custom LoginModule that wraps Sun's Krb5LoginModule in order to add more roles to the Subject in the 'commit' method. And finally, a custom Realm that extends JAASRealm and overrides 'authenticate' (for the same reason, to add roles).

I welcome comments on the code... it works, but considering that I'm only a week into learning about CMA and JAAS, I'm sure it could be improved.

I hope that once JSR 196 is final, someone will write a more robust LoginModule for Kerberos. Failover would be nice... AFAICT you can only configure one KDC for Sun's Krb5LoginModule.

--
Wendy Smoak
Client Authentication
Hi All,

I'm using client authentication for my website (Tomcat 5.0.28) and everything works great. However, I had an idea for something I wanted to try, and I need to know if it's possible. Would I be able to prompt for client certificates ONLY if a certain request parameter was present (and not prompt for client certificates if that parameter wasn't present)? If I can, what class in the Tomcat source would I need to modify? I've been searching around but still haven't come across anything.

Thanks,
Brett
LDAP Authentication & Fail Over
Does anyone know if there's a way to specify multiple LDAP servers for authentication? In case one LDAP server is down, I want Tomcat to switch over to the other one. Is it possible?

Thanks
--
Bhupinder
Tomcat authentication with Kerberos
I have a standalone Tomcat 5.0 instance, and a third-party webapp that has support for authentication via LDAP. Of course, we don't have LDAP, we have Kerberos. It should be a simple matter to plug in a different Realm, right?

I'm finding it hard to believe that no one has done this (Tomcat authentication with Kerberos) yet, but Google just isn't turning up anything.

I started at the Realm HowTo [0] and found the JAASRealm section. From here it looks like I need to write my own LoginModule. Except... there is com.sun.security.auth.module.Krb5LoginModule [1]. Can I just use that? (I thought we weren't supposed to use com.sun.* classes, but it's not as though I can write my *own* Kerberos LoginModule!)

After I (somehow) get the user authenticated with Kerberos, then I need to look in a [non-JDBC] database to get the Role information. For User and Role, it looks like I can extend AbstractUser and AbstractRole... but where does the code go that would create instances?

In short, I'm confused. Can anyone offer advice on what I need to do to make this work? Or better yet, point to someone who has already done it?

Thanks in advance!

[0] http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html
[1] http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

--
Wendy Smoak
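Added example, not code from Wendy's wiki or from Tomcat: a JAAS LoginModule of the shape she describes in her follow-up earlier on this page. It delegates login() to Sun's Krb5LoginModule and, in commit(), adds role principals to the Subject, which JAASRealm then picks up by class name. The role data is a constructed in-memory map standing in for the real role store; the Kerberos names and roles in it are invented for the demonstration. Wiring, both assumed: a JAAS configuration entry such as `Tomcat { Krb5RoleLoginModule required; };` passed with -Djava.security.auth.login.config, and a Realm of the form `<Realm className="org.apache.catalina.realm.JAASRealm" appName="Tomcat" userClassNames="javax.security.auth.kerberos.KerberosPrincipal" roleClassNames="Krb5RoleLoginModule$RolePrincipal"/>`.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.sun.security.auth.module.Krb5LoginModule;

/**
 * Delegates Kerberos authentication to Krb5LoginModule and adds application
 * roles to the Subject on commit. JAASRealm maps Subject principals by class:
 * KerberosPrincipal -> user name, RolePrincipal -> roles.
 */
public class Krb5RoleLoginModule implements LoginModule {

    /** Role principal; this class is what JAASRealm's roleClassNames must name. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "RolePrincipal[" + name + "]"; }
    }

    // Constructed sample data (assumption): replace with the real, non-JDBC role store.
    private static final Map<String, Set<String>> ROLE_STORE = new HashMap<>();
    static {
        ROLE_STORE.put("wsmoak@EXAMPLE.ORG", new HashSet<>(Arrays.asList("manager", "user")));
        ROLE_STORE.put("guest@EXAMPLE.ORG", Collections.singleton("user"));
    }

    private final Krb5LoginModule delegate = new Krb5LoginModule();
    private Subject subject;
    private final Set<RolePrincipal> added = new HashSet<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        // Options (debug, useTicketCache, ...) pass straight through to Krb5LoginModule.
        delegate.initialize(subject, handler, sharedState, options);
    }

    @Override
    public boolean login() throws LoginException {
        // AS exchange with the KDC using the name/password from Tomcat's callback handler.
        return delegate.login();
    }

    @Override
    public boolean commit() throws LoginException {
        if (!delegate.commit()) {
            return false;
        }
        // After a successful commit the Subject holds the KerberosPrincipal (user@REALM).
        for (KerberosPrincipal kp : subject.getPrincipals(KerberosPrincipal.class)) {
            for (String role : rolesFor(kp.getName())) {
                RolePrincipal rp = new RolePrincipal(role);
                if (subject.getPrincipals().add(rp)) {
                    added.add(rp);
                }
            }
        }
        return true;
    }

    @Override
    public boolean abort() throws LoginException {
        added.clear();
        return delegate.abort();
    }

    @Override
    public boolean logout() throws LoginException {
        // Remove only what this module added; the delegate removes its own principals/credentials.
        subject.getPrincipals().removeAll(added);
        added.clear();
        return delegate.logout();
    }

    /** Role lookup against the (constructed) store; unknown users get no roles. */
    static Set<String> rolesFor(String kerberosName) {
        return ROLE_STORE.getOrDefault(kerberosName, Collections.emptySet());
    }
}
```

Two caveats a reviewer would raise. Krb5LoginModule places the TGT in the Subject's private credentials, so do not serialize the Subject or the wrapped principal into the HTTP session. And a password-only Kerberos login proves that the KDC reply decrypted under the user's key, not that the KDC was genuine; the usual mitigation is for the server to also obtain and verify a service ticket against its own keytab, which this module, like the plain Krb5LoginModule, does not do.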
RE: How to Configure IIS/Tomcat to perform basic authentication
Hi Ben,

Thanks for responding to my question. Here is my operating environment:

IIS 5.0
Tomcat 5.5.9

Note also that I have tried this setup with Tomcat/Apache and everything works; my problem comes when I do a similar thing with IIS/Tomcat, and I get an HTTP 401 error message.

Thanks,
Ike

-----Original Message-----
From: Ben Ricker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 13, 2005 6:04 PM
To: Tomcat Users List
Subject: Re: How to Configure IIS/Tomcat to perform basic authentication

To answer your question, it would help to at least include the relevant OS and Tomcat version information.

In Tomcat, you can set a resource valve that does the auth for you. Docs for 4.1: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html. Docs for 5.0: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html. You may be most interested in the Memory Realm if you want simple, file-based auth.

Ben Ricker

On 7/13/05, Ikonne, Ike <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I have been trying to configure IIS/Tomcat to perform basic authentication
> and have not had any success yet. I would appreciate it if someone could
> give me some pointers on how to make this work.
>
> Thanks,
> Ike

--
Ben Ricker
He's just this guy, you know?
URLConnection and form based authentication (j_username)
I cannot get this to work. It works for all other sites besides ones that have j_username & j_password. It always comes back to the login page. I see other message boards via Google that have the same problem, but there is no answer.

Anthony Smith
Programmer Analyst
International Technologies
901-263-8953

"Having education and talent doesn't make you better than the world... it makes you responsible for it!"
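Added example, not Anthony's code or anything from Tomcat: a Java client that completes a Tomcat FORM login with HttpURLConnection. The context root http://localhost:8080/app and the protected page /members/index.jsp are placeholders. The same three-step sequence is also what lies behind Julia's 408 earlier on this page: j_security_check only succeeds when the request carries the JSESSIONID issued on the first visit to a protected resource, because that session holds the saved request Tomcat replays after a successful login.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/**
 * Completes a Tomcat FORM-based login from a Java client. BASE and PROTECTED are
 * placeholders; PROTECTED must be a page inside a <security-constraint>.
 */
public class FormLoginClient {

    private static final String BASE = "http://localhost:8080/app";       // assumed
    private static final String PROTECTED = BASE + "/members/index.jsp";  // assumed

    public static void main(String[] args) throws IOException {
        if (args.length != 2) {
            System.err.println("usage: FormLoginClient <user> <password>");
            return;
        }
        // Step 0: a cookie jar. Tomcat issues JSESSIONID on the first request and parks
        // the "saved request" in that session; without the cookie the POST below reaches
        // a fresh session and Tomcat answers 408.
        CookieHandler.setDefault(new CookieManager(null, CookiePolicy.ACCEPT_ALL));

        // Step 1: request the protected page, not login.jsp. The body is the login page
        // (status 200) and the session cookie arrives; the saved request is created only here.
        HttpURLConnection first = (HttpURLConnection) new URL(PROTECTED).openConnection();
        drain(first);

        // Step 2: POST the spec-mandated parameter names to j_security_check under the
        // context root. Credentials go in the body, never the query string, so they do
        // not end up in access logs or proxy caches.
        String body = "j_username=" + URLEncoder.encode(args[0], "UTF-8")
                    + "&j_password=" + URLEncoder.encode(args[1], "UTF-8");
        HttpURLConnection login =
                (HttpURLConnection) new URL(BASE + "/j_security_check").openConnection();
        login.setRequestMethod("POST");
        login.setDoOutput(true);
        login.setInstanceFollowRedirects(false);   // inspect the Location header ourselves
        login.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = login.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        int status = login.getResponseCode();
        String location = login.getHeaderField("Location");
        drain(login);

        // Success is a redirect (302, or 303 on newer Tomcat) back to the saved request.
        // 200 means the form-error-page came back (bad credentials). 408 means the session
        // holding the saved request was gone: expired, cookie not returned, or step 1 skipped.
        boolean redirected = status == HttpURLConnection.HTTP_MOVED_TEMP
                          || status == HttpURLConnection.HTTP_SEE_OTHER;
        if (!redirected || location == null) {
            throw new IOException("login failed, HTTP " + status);
        }

        // Step 3: follow the redirect with the same cookie jar; the session is now authenticated.
        HttpURLConnection page = (HttpURLConnection) new URL(location).openConnection();
        System.out.println("GET " + location + " -> HTTP " + page.getResponseCode());
        drain(page);
    }

    /** Consume the body (or error body) so the keep-alive connection can be reused. */
    private static void drain(HttpURLConnection c) throws IOException {
        InputStream in = c.getResponseCode() >= 400 ? c.getErrorStream() : c.getInputStream();
        if (in == null) {
            return;
        }
        try (InputStream s = in) {
            byte[] buf = new byte[4096];
            while (s.read(buf) != -1) {
                // discard
            }
        }
    }
}
```

Run it as `java FormLoginClient <user> <password>`. If it "always comes back to the login page", check that step 1 actually hit a constrained URL and that the cookie jar was installed before it: a 200 from j_security_check is the error page, not the login page being re-served.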
Realm programmatic authentication
Hi,

I would like to use the configured realm to authenticate users, but I don't want to use the standard J2EE mechanism (for many reasons). Also, my needs for authorisations are not limited to URLs and are more fine-grained. Since I configured a JNDI realm, I wanted to access the realm in my webapp, but I haven't been able to. I am using Tomcat 5.5.9.

Actually, I had a look at the sources of the manager application and tried to mimic it. I created a Servlet which implemented the ContainerServlet interface. Then, using the setWrapper callback method, I could access the wrapper and realm to authenticate users:

Principal principal = wrapper.getRealm().authenticate(username, password);

But I haven't managed to make it work. I faced many issues:

- catalina classes could not be loaded: I added catalina.jar to the common.loader section of the catalina.properties file.

- security exceptions: I had java.lang.SecurityException errors which I have been unable to solve. I added (at least tried) permissions to the catalina.policy file for the webapp to be able to load catalina classes, but it didn't work:

permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.*";

Is there a way via JMX or other means to access the Realm to authenticate users manually?

Thanks for your help.

Luc
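Added example, not Luc's code: a servlet that authenticates against the Context's Realm the way the manager webapp does, written against the Tomcat 5.5 org.apache.catalina API (Realm.authenticate(String, String) and Realm.hasRole(Principal, String); the hasRole signature changed in Tomcat 7). The parameter names username/password, the session attribute names and the admin role are assumptions. Two deployment facts matter: Tomcat calls ContainerServlet.setWrapper() only for a Context declared privileged="true", and a privileged Context's web application class loader is parented on Catalina's own loader, so catalina.jar does not need to be copied into common/lib. Under the security manager the realm call runs on a stack that includes the webapp's protection domain, so the webapp's codeBase grant must also cover whatever the realm itself does (for a JNDIRealm, the LDAP socket connection) unless the realm wraps that work in AccessController.doPrivileged. privileged="true" hands every class in that webapp access to container internals; keep such code in its own small webapp.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.catalina.ContainerServlet;
import org.apache.catalina.Realm;
import org.apache.catalina.Wrapper;

/**
 * Programmatic login against the Realm configured for this Context (a JNDIRealm in
 * Luc's setup) without any <security-constraint>. Tomcat 5.5 API.
 *
 * Deploy only in a <Context privileged="true">; otherwise setWrapper() is never
 * called and wrapper stays null.
 */
public class RealmLoginServlet extends HttpServlet implements ContainerServlet {

    private static final long serialVersionUID = 1L;
    private transient Wrapper wrapper;

    // ContainerServlet callbacks; StandardWrapper invokes setWrapper() when it loads the servlet.
    @Override public Wrapper getWrapper() { return wrapper; }
    @Override public void setWrapper(Wrapper wrapper) { this.wrapper = wrapper; }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (wrapper == null) {
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                           "servlet not wired by the container; is the Context privileged?");
            return;
        }
        String username = req.getParameter("username");   // assumed parameter names
        String password = req.getParameter("password");
        if (username == null || username.isEmpty() || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // getRealm() falls back to the Context/Host/Engine realm when the Wrapper has none.
        Realm realm = wrapper.getRealm();
        Principal principal = realm.authenticate(username, password);
        if (principal == null) {
            // One response for "unknown user" and "wrong password", so this endpoint
            // cannot be used as a username oracle against the directory.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Drop any pre-login session so a JSESSIONID planted before authentication
        // cannot ride the authenticated one (session fixation).
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("principal", principal);                      // assumed name
        session.setAttribute("isAdmin", realm.hasRole(principal, "admin")); // roles loaded by the realm
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Fine-grained authorization then becomes ordinary application code reading the stored principal and realm.hasRole() results, which is what Luc wanted instead of URL-pattern constraints.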
Re: basic authentication won't accept password (intermittent)
Hi again,

I just discovered bug 33157: "basic authentication fails in some cases", reported in Tomcat 5.5.4.
http://issues.apache.org/bugzilla/show_bug.cgi?id=33157

It doesn't describe my exact problem, but it's the best theory so far. Unfortunately the hosting provider is unlikely to install 5.5.9 in the near future ;-)

Will report back to the list when the resolution is known.

Best,
Eric:)
basic authentication won't accept password (intermittent)
Hello,

My client has a password-protected folder (as shown in the snippet from my web.xml below). The problem is that, when accessing a protected resource (/members/jobs/index.html), it sometimes asks for the login several times before returning the requested page. (This is using BASIC authentication, so the browser pops up a dialog in response to the 401.) Occasionally it gives up and shows the 401 Unauthorized error page instead.

This problem is reproducible across several browsers on Windows 2000 (IE6, Firefox, Opera, lynx ...). The Authorization header is the same for both successful and unsuccessful requests.

Hosting provider's environment:
Linux 2.4.24 on i686
Apache 2.0.47
Tomcat 5.5.4
Java: Blackdown-1.4.2-rc1

In server.xml, I've increased maxThreads to 250, although this is not a high-volume site. (Obviously I'm shooting in the dark at this point ;-)

My questions are:
(1) Where should we look for misconfiguration, whether in my app or in the hosting environment?
(2) Is there any other explanation for this behavior?

This is my first Tomcat site in production, so hopefully it's a configuration problem. I appreciate any suggestions!

Thanks,
Eric:)

=== from my web.xml ===
BASIC
Members Area
Authorized members
members
Search Engine
/jsp/admin/*
Data Listing
/list.do
admin
members area
/members/*
members
Re: How to do authentication and secure line HTTPS (SSL)
Please read http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html

Regards,
Yasir Khan

----- Original Message -----
From: Abdullah Abdullah
To: tomcat-user@jakarta.apache.org
Sent: Thursday, July 21, 2005 2:43 PM
Subject: How to do authentication and secure line HTTPS (SSL)

Dear all,

Actually, I would like to ask you how I can do authentication and a secure line, HTTPS (SSL), for my web pages? It is worth mentioning that I am using JSP and Tomcat 5.5.9.

Thank you in advance.

Regards,
Abdullah
How to do authentication and secure line HTTPS (SSL)
Dear all,

Actually, I would like to ask you how I can do authentication and a secure line, HTTPS (SSL), for my web pages? It is worth mentioning that I am using JSP and Tomcat 5.5.9.

Thank you in advance.

Regards,
Abdullah
FW: How to do authentication and secure line HTTPS (SSL)
From: "Abdullah Abdullah" <[EMAIL PROTECTED]>
Reply-To: "Tomcat Developers List"
To: tomcat-dev@jakarta.apache.org
Subject: How to do authentication and secure line HTTPS (SSL)
Date: Wed, 20 Jul 2005 10:50:01 +0100

Dear all,

Actually, I would like to ask you how I can do authentication and a secure line, HTTPS (SSL), for my web pages? It is worth mentioning that I am using JSP and Tomcat 5.5.9.

Thank you in advance.

Regards,
Abdullah
Re: How to Replace Tomcat authentication?
Bill Barker wrote:
>
> "ohaya" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> > Hi,
> >
> > I've been looking into possibly replacing Tomcat's authentication with
> > our own functionality. It looks like there used to be a class called
> > SimpleRealm in the older Tomcat versions that would have done the trick
> > if we replaced it, but I can't find any references to it in the latest
> > source that I downloaded.
> >
>
> In TC versions > 3.x.x, the replacement is RealmBase (in
> org.apache.catalina.realm). It's an abstract class, so you extend it with
> the functionality that you want.

[Sorry everyone. I'm resending this because it looks like I got a bounce from my previous attempts?? Jim]

Hi Bill,

Thanks! I think that I've at least been able to get started with this, but instead of RealmBase, I've gotten a very (I mean, VERY) crude JAASRealm example working, where I built my own JAASLoginModule, etc. So far, it seems to be working ok, but I haven't really added anything too complicated yet...

Jim

P.S. I forgot to ask: Is this mailing list appropriate for questions about this type of subject? Or is one of the other Tomcat lists more appropriate? I'll be needing to add more functionality to this, so I'm just wondering if this is the right place for future questions?
Re: How to Replace Tomcat authentication?
Bill Barker wrote:
>
> "ohaya" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> > Hi,
> >
> > I've been looking into possibly replacing Tomcat's authentication with
> > our own functionality. It looks like there used to be a class called
> > SimpleRealm in the older Tomcat versions that would have done the trick
> > if we replaced it, but I can't find any references to it in the latest
> > source that I downloaded.
> >
>
> In TC versions > 3.x.x, the replacement is RealmBase (in
> org.apache.catalina.realm). It's an abstract class, so you extend it with
> the functionality that you want.

[Sorry everyone. I'm resending this because it looks like I got a bounce from my previous attempts?? Jim]

Hi Bill,

Thanks! I think that I've at least been able to get started with this, but instead of RealmBase, I've JUST gotten a very (I mean, VERY) crude JAASRealm example working, where I built my own JAASLoginModule, etc. So far, it seems to be working ok, but I haven't really added anything too complicated yet...

Jim

P.S. I forgot to ask: Is this mailing list appropriate for questions about this type of subject? Or is one of the other Tomcat lists more appropriate? I'll be needing to add more functionality to this, so I'm just wondering?
Re: How to Replace Tomcat authentication?
Bill Barker wrote:
>
> "ohaya" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> > Hi,
> >
> > I've been looking into possibly replacing Tomcat's authentication with
> > our own functionality. It looks like there used to be a class called
> > SimpleRealm in the older Tomcat versions that would have done the trick
> > if we replaced it, but I can't find any references to it in the latest
> > source that I downloaded.
> >
>
> In TC versions > 3.x.x, the replacement is RealmBase (in
> org.apache.catalina.realm). It's an abstract class, so you extend it with
> the functionality that you want.

P.S. I forgot to ask: Is this mailing list appropriate for questions about this type of subject? Or is one of the other Tomcat lists more appropriate? I'll be needing to add more functionality to this, so I'm just wondering?

Jim
Re: How to Replace Tomcat authentication?
Bill Barker wrote:
>
> "ohaya" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> > Hi,
> >
> > I've been looking into possibly replacing Tomcat's authentication with
> > our own functionality. It looks like there used to be a class called
> > SimpleRealm in the older Tomcat versions that would have done the trick
> > if we replaced it, but I can't find any references to it in the latest
> > source that I downloaded.
> >
>
> In TC versions > 3.x.x, the replacement is RealmBase (in
> org.apache.catalina.realm). It's an abstract class, so you extend it with
> the functionality that you want.

Hi Bill,

Thanks! I think that I've at least been able to get started with this, but instead of RealmBase, I've JUST gotten a very (I mean, VERY) crude JAASRealm example working, where I built my own JAASLoginModule, etc. So far, it seems to be working ok, but I haven't really added anything too complicated yet...

Jim
Re: How to Replace Tomcat authentication?
"ohaya" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Hi, > > I've been looking into possibly replacing Tomcat's authentication with > our own functionality. It looks like there use to be a class called > SimpleRealm in the older Tomcat versions that would have done the trick > if we replaced it, but I can't find any references to it in the latest > source that I downloaded. > In TC versions > 3.x.x, the replacement is RealmBase (in org.apache.catalina.realm). It's an abstract class, so you extend it with the functionality that you want. > Has anyone here done this before, and can you provide me to some > pointers as to where/how to get started with it with the current version > of Tomcat? > > Thanks in advance!! > > Jim - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
How to Replace Tomcat authentication?
Hi,

I've been looking into possibly replacing Tomcat's authentication with our own functionality. It looks like there used to be a class called SimpleRealm in the older Tomcat versions that would have done the trick if we replaced it, but I can't find any references to it in the latest source that I downloaded.

Has anyone here done this before, and can you give me some pointers as to where/how to get started with it with the current version of Tomcat?

Thanks in advance!!

Jim
Re: How to Configure IIS/Tomcat to perform basic authentication
To answer your question, it would help to at least include the relevant OS and Tomcat version information.

In Tomcat, you can set a resource valve that does the auth for you. Docs for 4.1: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html. Docs for 5.0: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html. You may be most interested in the Memory Realm if you want simple, file-based auth.

Ben Ricker

On 7/13/05, Ikonne, Ike <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I have been trying to configure IIS/Tomcat to perform basic authentication
> and have not had any success yet. I would appreciate it if someone could
> give me some pointers on how to make this work.
>
> Thanks,
> Ike

--
Ben Ricker
He's just this guy, you know?
How to Configure IIS/Tomcat to perform basic authentication
Hi all,

I have been trying to configure IIS/Tomcat to perform basic authentication and have not had any success yet. I would appreciate it if someone could give me some pointers on how to make this work.

Thanks,
Ike
Authentication 401 not passing login box to apache2
Hi,

First apologies, I am a total newbie to this stuff, so please don't eat me alive. :)

I'm driving myself up the wall with this one and hope you can help, although there doesn't seem to be anything in the archive.

I've got Tomcat 5.5 set up and working on localhost directly. I've compiled and installed mod_jk so I can access webapps (specifically davenport) through Apache 2. It works fine, until I try to go to a page that needs an authentication box. Apache just returns a page saying:

"Unauthorized
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
Additionally, a 401 Authorization Required error was encountered while trying to use an ErrorDocument to handle the request."

Frustrating, as it didn't even give me a login box to try! Accessing Tomcat directly gives the login box and everything works fine. So I am thinking it is something to do with my mod_jk.so or Apache conf?

Any ideas? I am losing my mind!

Thanks for your help,
Phil Jones
Web Server Authentication on Tomcat (5.5)
Hello,

I want to use Tomcat together with IIS to let IIS do the Windows-based authentication. I've managed to install and configure isapi_redirect-1.2.13, and everything seems to work. When I call "request.getUserPrincipal()" in my servlet, I get a principal object with the correct name.

But the problem is: this principal object (a CoyotePrincipal) is generated very early in request processing, not by the installed realm. No authenticate() method of the realm is ever called, so depending on the kind of realm I use, this simply doesn't work. (The realm I'm using, guess what, is JBossSecurityMgrRealm; the result is that the JBoss LoginModules are completely ignored because Tomcat doesn't authenticate().)

Which is the right way? Can anybody help?

Many thanks!!

Regards,
Marcus.

_
prosystems IT GmbH
Anwendungsentwicklung
Postfach 31 51
53021 Bonn (Germany)
Tel: 0228 / 3366 - 3329, Fax: 0228 / 3366 - 73329
mailto:[EMAIL PROTECTED]
http://www.prosystemsIT.de
Amtsgericht Bonn - HR B 13189

Exchange of messages with prosystems IT GmbH via e-mail serves information purposes only. Legally binding declarations may not be exchanged through this medium. Alteration of the original content of this message during transmission cannot be ruled out.
Re: Certificate Authentication for individual apps
Dear All,

My developer gives me a .war file which I place as jboss/server/default/deploy/test.war. Thus I have around 5 .war files placed in the server. All the apps are presently accessed using https://myorg.com:8080/test1/, https://myorg.com:8080/test2/ ... and so on.

Next I want to implement client auth for certain apps. How do I go about it?

Regards & Thanks
Mahesh S Kudva

-----Original Message-----
From: "Bill Barker" <[EMAIL PROTECTED]>
To: tomcat-user@jakarta.apache.org
Date: Fri, 1 Jul 2005 21:56:37 -0700
Subject: Re: Certificate Authentication for individual apps

> "Mahesh S Kudva" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > Hi All
> >
> > Thanks for the note. Maybe I was not clear in my earlier mail.
> >
> > I have client authentication using certificates. I want to skip client
> > auth for certain hosted applications on the server but preserve client
> > auth for other apps.
> >
>
> On the Connector leave the 'clientAuth' attribute as 'false' (or use
> 'want', if you really want to be annoying :). Then in the webapps that care
> set up your web.xml files with something like:
>
> <login-config>
>   <auth-method>CLIENT-CERT</auth-method>
> </login-config>
>
> In this case, any page protected by a <security-constraint> will force the
> user to send a client-cert. Unfortunately, most of the production-quality
> Realms that ship with Tomcat don't support CLIENT-CERT auth.
>
> For 4.1.x <= tcversion <= 5.0.x, there is also a request attribute that you
> can use to do the same thing. If you need it, search the archives.
>
> > Regards & Thanks
> > Mahesh S Kudva
> >
> > -----Original Message-----
> > From: Paul Singleton <[EMAIL PROTECTED]>
> > To: Tomcat Users List
> > Date: Fri, 01 Jul 2005 15:32:12 +0100
> > Subject: Re: Certificate Authentication for individual apps
> >
> >> Mahesh S Kudva wrote:
> >>
> >> > How can I have different certificate authentication for different
> >> > applications and skip certificate authentication for some applications
> >> > hosted on the same server.
> >>
> >> I believe that, at least under SSL, certificates authenticate
> >> *servers* not applications, and that the Connector offers a
> >> certificate before it checks, or regardless of, the context
> >> path within that server.
> >>
> >> So you need to deploy each app at a different (virtual) host,
> >> each with a different IP address. We do this currently with
> >> 5.5.9. You can use the default keystore for all hosts, and
> >> use the (undocumented) keyAlias="myalias" Connector attribute
> >> to offer the appropriate certificate for each host, e.g.
> >>
> >> <Connector
> >>   address="288.104.197.211"
> >>   port="8443"
> >>   scheme="https"
> >>   secure="true"
> >>   sslProtocol="TLS"
> >>   keyAlias="mrk2"
> >> />
> >>
> >> (in 5.5.9 you also need sslProtocol="TLS" explicitly)
> >>
> >> Paul Singleton

---
Robosoft Technologies - Partners in Product Development
Re: Certificate Authentication for individual apps
"Mahesh S Kudva" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Hi All > > Thanks for the note. May be I was not clear in my earlier mail. > > > I have client authentication using certificates. I want to skip client > auth for certain hosted applications on the server but preserve client > auth for other apps. > On the Connector leave the 'clientAuth' attribute as 'false' (or use 'want', if you really want to be annoying :). Then in the webapps that care setup your web.xml files with something like: CLIENT-CERT In this case, any page protected by a will force the user to send a client-cert. Unfortunately, most of the production-quality Realms that ship with Tomcat don't support CLIENT-CERT auth. For 4.1.x <= tcversion <= 5.0.x, there is also a request attribute that you can use to do the same thing. If you need it, search the archives. > Regards & Thanks > > Mahesh S Kudva > > > -Original Message- > From: Paul Singleton <[EMAIL PROTECTED]> > To: Tomcat Users List > Date: Fri, 01 Jul 2005 15:32:12 +0100 > Subject: Re: Certificate Authentication for individual apps > >> Mahesh S Kudva wrote: >> >> > How can I have different certificate authentication for different >> applications and skip certificate >> > authentication for some applications hosted on the same server. >> >> I believe that, at least under SSL, certificates authenticate >> *servers* not applications, and that the Connector offers a >> certificate before it checks, or regardless of, the context >> path within that server. >> >> So you need to deploy each app at a different (virtual) host, >> each with a different IP address. We do this currently with >> 5.5.9. You can use the default keystore for all hosts, and >> use the (undocumented) keyAlias="myalias" Connector attribute >> to offer the appropriate certificate for each host, e.g. 
>> <Connector
>>   address="288.104.197.211"
>>   port="8443"
>>   scheme="https"
>>   secure="true"
>>   sslProtocol="TLS"
>>   keyAlias="mrk2"
>> />
>>
>> (in 5.5.9 you also need sslProtocol="TLS" explicitly)
>>
>> Paul Singleton
>
> ---
> Robosoft Technologies - Partners in Product Development
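Added example, not code from this thread or from Tomcat: a servlet filter that enforces a client certificate for one webapp while the other apps on the same Connector ignore it. It assumes the 'want' setting Bill mentions (clientAuth="want"): Tomcat asks every client for a certificate but accepts connections that present none, and the chain, when sent, is exposed under the Servlet-spec request attribute javax.servlet.request.X509Certificate. The filter also validates the presented chain against a CA certificate belonging to this application, because the Connector's truststore is shared by every webapp on that port. The init-param name caCert (e.g. /WEB-INF/app-ca.pem) and the clientSubject request attribute are assumptions; the code uses the javax.servlet API (Tomcat 9 and earlier).

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Requires a client certificate for this webapp only. With clientAuth="want" on
 * the Connector the chain (if any) is available on every request; webapps that
 * do not map this filter simply never look at it.
 */
public class ClientCertFilter implements Filter {

    /** Servlet-spec attribute holding the client's chain, end-entity certificate first. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private X509Certificate appCa;       // this application's own issuing CA
    private Set<TrustAnchor> anchors;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // caCert is an assumed init-param, e.g. /WEB-INF/app-ca.pem (PEM or DER).
        String path = cfg.getInitParameter("caCert");
        try (InputStream in = cfg.getServletContext().getResourceAsStream(path)) {
            if (in == null) {
                throw new ServletException("caCert resource not found: " + path);
            }
            appCa = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            anchors = Collections.singleton(new TrustAnchor(appCa, null));
        } catch (IOException | GeneralSecurityException e) {
            throw new ServletException("cannot load caCert", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        X509Certificate[] presented = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // Under clientAuth="want" a client may simply have sent no certificate.
        if (presented == null || presented.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        try {
            validate(presented);
        } catch (GeneralSecurityException e) {
            // Generic message to the client; the exact reason belongs in the server log.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not accepted");
            return;
        }
        // Hand the authenticated subject DN to the application (attribute name assumed).
        req.setAttribute("clientSubject", presented[0].getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    /** PKIX path validation of the presented chain against this app's CA only. */
    void validate(X509Certificate[] presented) throws GeneralSecurityException {
        // Drop the anchor itself if the client included it; the path must end below the anchor.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : presented) {
            if (!c.equals(appCa)) {
                path.add(c);
            }
        }
        if (path.isEmpty()) {
            throw new CertificateException("no end-entity certificate in chain");
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);
        // No CRL/OCSP source is wired up in this example; enable revocation checking in production.
        params.setRevocationEnabled(false);
        CertPathValidator.getInstance("PKIX").validate(certPath, params);
    }

    @Override
    public void destroy() { }
}
```

Map the filter to /* in the web.xml of each application that needs client certificates and leave it out of the others. Unlike the CLIENT-CERT login-config route, this gives the application the certificate and the validated subject for its own authorization logic, which is useful precisely because, as Bill notes, the stock Realms give little support for CLIENT-CERT.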
Re: Certificate Authentication for individual apps
Hi All,

Thanks for the note. Maybe I was not clear in my earlier mail.

I have client authentication using certificates. I want to skip client auth for certain hosted applications on the server but preserve client auth for other apps.

Regards & Thanks
Mahesh S Kudva

-----Original Message-----
From: Paul Singleton <[EMAIL PROTECTED]>
To: Tomcat Users List
Date: Fri, 01 Jul 2005 15:32:12 +0100
Subject: Re: Certificate Authentication for individual apps

> Mahesh S Kudva wrote:
>
> > How can I have different certificate authentication for different
> > applications and skip certificate authentication for some applications
> > hosted on the same server.
>
> I believe that, at least under SSL, certificates authenticate
> *servers* not applications, and that the Connector offers a
> certificate before it checks, or regardless of, the context
> path within that server.
>
> So you need to deploy each app at a different (virtual) host,
> each with a different IP address. We do this currently with
> 5.5.9. You can use the default keystore for all hosts, and
> use the (undocumented) keyAlias="myalias" Connector attribute
> to offer the appropriate certificate for each host, e.g.
>
> <Connector
>   address="288.104.197.211"
>   port="8443"
>   scheme="https"
>   secure="true"
>   sslProtocol="TLS"
>   keyAlias="mrk2"
> />
>
> (in 5.5.9 you also need sslProtocol="TLS" explicitly)
>
> Paul Singleton

---
Robosoft Technologies - Partners in Product Development
CSJakharia: Security Realm Authentication
Configuration
--
Tomcat 5.5.2
Windows XP
JDK 1.5

Requirement
--
I have Security Realm Authentication ready for a Web Application linked to a Database. When the user signs up via the form, he has to log in to the application through the signup form instead of going directly to the application. How can this be done?

Thanks in advance
CSJakharia
Re: Certificate Authentication for individual apps
Mahesh S Kudva wrote:

> How can I have different certificate authentication for different
> applications and skip certificate authentication for some applications
> hosted on the same server.

I believe that, at least under SSL, certificates authenticate *servers* not applications, and that the Connector offers a certificate before it checks, or regardless of, the context path within that server.

So you need to deploy each app at a different (virtual) host, each with a different IP address. We do this currently with 5.5.9. You can use the default keystore for all hosts, and use the (undocumented) keyAlias="myalias" Connector attribute to offer the appropriate certificate for each host, e.g.

    <Connector address="288.104.197.211"
               port="8443"
               scheme="https"
               secure="true"
               sslProtocol="TLS"
               keyAlias="mrk2"
    />

(in 5.5.9 you also need sslProtocol="TLS" explicitly)

Paul Singleton
Authentication using Apache Httpd and Tomcat
Hi,

Next to my first problem, I also have the following (sorry to bother the list with this but I'm leaving on holiday next week and some PM shoved this task on my lap :S)

We have the following local setup:

    Apache 2.0 --- Tomcat 4.1.31

On Tomcat, we have several applications called app1, app2, app3. Now, we want a basic authentication scheme (later they probably want something more but that's for then :-) where, when a user enters the URL http://localhost/app1, he immediately gets a challenge box for login.

Now, how should I do this?

BB
Peter
Certificate Authentication for individual apps
Hi All

How can I have different certificate authentication for different applications and skip certificate authentication for some applications hosted on the same server.

Regards & Thanks
Mahesh S Kudva
RE: User authentication using Realms
Hey Frank,

No, the space seemed to make no difference. I tried it by replacing the space with an underscore and got the same result.

Yes, I tested the DSN via my simple Java class and it works fine. The two "methods" I was talking about are as follows:

    Class.forName ("sun.jdbc.odbc.JdbcOdbcDriver");

    // Use next two statements to connect directly to Access DB.
    String dbName = "C:/Inetpub/wwwroot/SPID/db1.mdb";
    String dbConnStr = "jdbc:odbc:Driver={Microsoft Access Driver (*.mdb)};DBQ="
                       + dbName.trim () + ";DriverID=22;READONLY=true";

    // OR

    // Use next statement to connect to Access DB via DSN.
    String dbURL = "jdbc:odbc:Cost History";

    // dbConnection = DriverManager.getConnection (dbConnStr, "", "");
    dbConnection = DriverManager.getConnection (dbURL, "", "");

I simply have the first method commented out. Notice the space in the DSN name I use in the class. It works just fine. It works when I use the "Simple JSP" DSN too.

I was hoping for more responses to these questions, but Frank, you seem to be the only one who takes the time to try to help someone out. I have gotten no further in this endeavor. I've read more of the Tomcat documentation, but have found no more insight into how to actually DO it. It does no good to provide a collection of documents if they don't provide the material necessary to help someone USE what they spend so much time describing.

It doesn't give me great confidence in these mailing list/newsgroup/bulletin board type venues. I've tried to make use of resources such as this in the past and found them to be next to useless, because I either got no responses, or the few I would receive were of no help at all. What good is it, if it does not help those who use it?

Thanks,
Joe

-----Original Message-----
From: Frank W. Zammetti [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 20, 2005 9:58 AM
To: Tomcat Users List
Cc: Tomcat Users List
Subject: Re: User authentication using Realms

Glad to hear you got it working so far! :)

Is your DSN name literally "Simple JSP"? If so, I suggest trying something without a space in it... I have a feeling it might not work with spaces in the name.

Note that the exception you are getting is actually coming from Access, it is simply being "passed through" JDBC. So, as you try and Google for a solution, you can *almost* forget you are working in Java temporarily.

Also, does your DSN actually work via the test function in the ODBC manager? I tend to assume you tried that already, but just making sure ;) Actually, it looks like you're saying you have a test class that does connect via that DSN, is that correct? If so, ignore this suggestion! :)

I notice you say your code can switch between two connection methods... is it possible that somehow it isn't switched to the DSN method and is trying to connect with the path you specified? That makes a little more sense with the exception you are seeing.

Ok, that's all the shots in the dark I have right now :)

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

On Mon, June 20, 2005 9:34 am, Gagnon, Joseph M (US SSA) said:
> I've finally (with lots of help) figured out how to do form-based user
> authentication of a simple test JSP webapp. So far, so good ... it
> seems to be working.
>
> However, the "database" is a list of roles and users currently defined
> in conf/tomcat-users.xml. While this worked fine while I was learning
> how to do this and finally get it up and running, this is definitely not
> the method I want to use for the "real thing".
>
> So, I started looking around at some more of the Tomcat documentation
> and stumbled upon realms. This seems to be the vehicle to allow Tomcat
> to provide a better method of performing user authentication. The
> question now is: how do I make use of this? The docs refer to the set
> of built-in realm types that are available for use, but I don't
> understand the subtle differences between many of them. There don't
> seem to be any examples of how to use them. I don't know which ones
> should be used for different situations.
>
> I'm running on a PC with MS Access installed. This is the database (at
> least for now) that I intend to use. I have successfully accessed
> information from an Access DB using a Java class to create the
> connection and execute SQL statements. I've done only a very simple
> case at this point, just to demonstrate that I can do it successfully.
>
> The class actually has two possible methods of connection to the DB, one
> method defines the actual path to the DB file and a complex (and for the
> most part, not understood) connection string, the other meth
Re: User authentication using Realms
Glad to hear you got it working so far! :)

Is your DSN name literally "Simple JSP"? If so, I suggest trying something without a space in it... I have a feeling it might not work with spaces in the name.

Note that the exception you are getting is actually coming from Access, it is simply being "passed through" JDBC. So, as you try and Google for a solution, you can *almost* forget you are working in Java temporarily.

Also, does your DSN actually work via the test function in the ODBC manager? I tend to assume you tried that already, but just making sure ;) Actually, it looks like you're saying you have a test class that does connect via that DSN, is that correct? If so, ignore this suggestion! :)

I notice you say your code can switch between two connection methods... is it possible that somehow it isn't switched to the DSN method and is trying to connect with the path you specified? That makes a little more sense with the exception you are seeing.

Ok, that's all the shots in the dark I have right now :)

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

On Mon, June 20, 2005 9:34 am, Gagnon, Joseph M (US SSA) said:
> I've finally (with lots of help) figured out how to do form-based user
> authentication of a simple test JSP webapp. So far, so good ... it
> seems to be working.
>
> However, the "database" is a list of roles and users currently defined
> in conf/tomcat-users.xml. While this worked fine while I was learning
> how to do this and finally get it up and running, this is definitely not
> the method I want to use for the "real thing".
>
> So, I started looking around at some more of the Tomcat documentation
> and stumbled upon realms. This seems to be the vehicle to allow Tomcat
> to provide a better method of performing user authentication. The
> question now is: how do I make use of this? The docs refer to the set
> of built-in realm types that are available for use, but I don't
> understand the subtle differences between many of them. There don't
> seem to be any examples of how to use them. I don't know which ones
> should be used for different situations.
>
> I'm running on a PC with MS Access installed. This is the database (at
> least for now) that I intend to use. I have successfully accessed
> information from an Access DB using a Java class to create the
> connection and execute SQL statements. I've done only a very simple
> case at this point, just to demonstrate that I can do it successfully.
>
> The class actually has two possible methods of connection to the DB, one
> method defines the actual path to the DB file and a complex (and for the
> most part, not understood) connection string, the other method defines a
> "URL" in the following format: "jdbc:odbc:". The DSN name was
> set up in the Windows ODBC data source administrator utility. The
> second method is the one I'm using at this point.
>
> I tried setting up a JDBCRealm realm to use an Access DB with two
> tables, one for user names and passwords, the other for user names and
> roles. I set up another ODBC DSN as described above and placed a
> reference to that in the realm element. I *think* I followed the
> directions correctly, but ran into a problem that I don't know how to
> address.
>
> When I restart Tomcat, I'm getting the following error message in the
> logs (stderr and catalina):
>
> Jun 20, 2005 9:06:57 AM org.apache.catalina.realm.JDBCRealm authenticate
> SEVERE: Exception performing authentication
> java.sql.SQLException: [Microsoft][ODBC Microsoft Access Driver]
> '(unknown)' is not a valid path. Make sure that the path name is
> spelled correctly and that you are connected to the server on which the
> file resides.
>     at sun.jdbc.odbc.JdbcOdbc.createSQLException(JdbcOdbc.java:6958)
>     at sun.jdbc.odbc.JdbcOdbc.standardError(JdbcOdbc.java:7115)
>     at sun.jdbc.odbc.JdbcOdbc.SQLDriverConnect(JdbcOdbc.java:3074)
>     at sun.jdbc.odbc.JdbcOdbcConnection.initialize(JdbcOdbcConnection.java:323)
>     at sun.jdbc.odbc.JdbcOdbcDriver.connect(JdbcOdbcDriver.java:174)
>     at org.apache.catalina.realm.JDBCRealm.open(JDBCRealm.java:694)
>     at org.apache.catalina.realm.JDBCRealm.authenticate(JDBCRealm.java:344)
>     at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:256)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:391)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
>     at org.apache.catalina.valves.ErrorReportValve.in
User authentication using Realms
I've finally (with lots of help) figured out how to do form-based user authentication of a simple test JSP webapp. So far, so good ... it seems to be working.

However, the "database" is a list of roles and users currently defined in conf/tomcat-users.xml. While this worked fine while I was learning how to do this and finally get it up and running, this is definitely not the method I want to use for the "real thing".

So, I started looking around at some more of the Tomcat documentation and stumbled upon realms. This seems to be the vehicle to allow Tomcat to provide a better method of performing user authentication. The question now is: how do I make use of this? The docs refer to the set of built-in realm types that are available for use, but I don't understand the subtle differences between many of them. There don't seem to be any examples of how to use them. I don't know which ones should be used for different situations.

I'm running on a PC with MS Access installed. This is the database (at least for now) that I intend to use. I have successfully accessed information from an Access DB using a Java class to create the connection and execute SQL statements. I've done only a very simple case at this point, just to demonstrate that I can do it successfully.

The class actually has two possible methods of connection to the DB, one method defines the actual path to the DB file and a complex (and for the most part, not understood) connection string, the other method defines a "URL" in the following format: "jdbc:odbc:". The DSN name was set up in the Windows ODBC data source administrator utility. The second method is the one I'm using at this point.

I tried setting up a JDBCRealm realm to use an Access DB with two tables, one for user names and passwords, the other for user names and roles. I set up another ODBC DSN as described above and placed a reference to that in the realm element. I *think* I followed the directions correctly, but ran into a problem that I don't know how to address.

When I restart Tomcat, I'm getting the following error message in the logs (stderr and catalina):

    Jun 20, 2005 9:06:57 AM org.apache.catalina.realm.JDBCRealm authenticate
    SEVERE: Exception performing authentication
    java.sql.SQLException: [Microsoft][ODBC Microsoft Access Driver] '(unknown)' is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides.
        at sun.jdbc.odbc.JdbcOdbc.createSQLException(JdbcOdbc.java:6958)
        at sun.jdbc.odbc.JdbcOdbc.standardError(JdbcOdbc.java:7115)
        at sun.jdbc.odbc.JdbcOdbc.SQLDriverConnect(JdbcOdbc.java:3074)
        at sun.jdbc.odbc.JdbcOdbcConnection.initialize(JdbcOdbcConnection.java:323)
        at sun.jdbc.odbc.JdbcOdbcDriver.connect(JdbcOdbcDriver.java:174)
        at org.apache.catalina.realm.JDBCRealm.open(JDBCRealm.java:694)
        at org.apache.catalina.realm.JDBCRealm.authenticate(JDBCRealm.java:344)
        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:256)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:391)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:534)

I don't know what the problem is. What am I not specifying such that it reports back with "unknown"? Am I using the wrong realm type? Does the method I'm trying to use not work with DSNs?

The realm I've defined in my server.xml file is as follows:

The connectionURL value (I think) should point to the ODBC DSN name I defined for my simple test DB. The table and field names are correct.

By the way, I had previously commented out the following entry in server.xml:

I figured I would be causing complications and confusion by leaving this entry "active". The reference to the UserDatabase resource was defined earlier in the file (within the GlobalNamingResources eleme
Re: Client authentication using Keystores...
Manuel Gil Perez wrote:
> The client authentication only works if I add the CA certificate into the
> $JAVA_HOME/jre/lib/security/cacerts. If the Tomcat keystore contains the
> CA certificate but not the JDK keystore... the client authentication fails.

AFAIK this can't be done without some custom code. http://issues.apache.org/bugzilla/show_bug.cgi?id=34643 should provide you with some pointers.

Mark
Re: Mix form based and basic authentication in one web-app?
[EMAIL PROTECTED] wrote:
> Hi there,
>
> I have two servlets. One is configured to listen to "/forms/*" and the
> other to "/documents/*". I configured a security realm, so users need to
> use form based authentication when accessing "/forms/*". Can I, in the
> same web.xml, configure a second security realm that uses basic
> authentication? We need the basic since the /documents/* servlet serves
> WebDAV and Webfolders doesn't do form based authentication.
>
> Would that work? :-)
>
> stw

No can do. Webapps are allowed no more than 1 form of authentication. Maybe use two web applications?

Mark
Client authentication using Keystores...
Hi all,

I would like to enrol my server to accept authenticated connections from authorized parties using X.509 certificates. I follow the instructions indicated in the SSL Configuration HOW-TO (http://jakarta.apache.org/tomcat/tomcat-5.5-doc/ssl-howto.html) and I generate my keystore file with the certificate/private key of the web server and the CA certificate.

The client authentication only works if I add the CA certificate into the $JAVA_HOME/jre/lib/security/cacerts. If the Tomcat keystore contains the CA certificate but not the JDK keystore... the client authentication fails.

Can somebody tell me how I can manage these keystores and add only the CA certificate in the Tomcat keystore... leaving the original JDK keystore intact??

Thanks!

-- 
Manuel Gil Pérez
Mix form based and basic authentication in one web-app?
Hi there,

I have two servlets. One is configured to listen to "/forms/*" and the other to "/documents/*". I configured a security realm, so users need to use form based authentication when accessing "/forms/*". Can I, in the same web.xml, configure a second security realm that uses basic authentication? We need the basic since the /documents/* servlet serves WebDAV and Webfolders doesn't do form based authentication.

Would that work? :-)

stw
Problem posting a large request that requires authentication and is forwarded through the NSAPI redirector
For the following configuration:

    Sun ONE / iPlanet 6.0sp5
    NSAPI redirector from jakarta-tomcat-connectors-1.2.8
    Tomcat 5.5 (embedded in JBoss 4.0.2)

All of the requests that get forwarded over the redirector require authentication. The configuration works fine if the request body is less than ~150k or if I include the http authorization header in the initial request. However, if I attempt to post a request over 150k and don't include the authorization header (which forces the authentication challenge) I get an "Error writing to server" on the client.

If I look at the nsapi redirector log I see that Tomcat does not read the entire request before issuing the challenge, though I don't know if it should:

    [Fri Jun 03 10:21:24 2005] [715:0] [debug] service::jk_lb_worker.c (482): service worker=worker3 jvm_route=worker3 rc=1
    [Fri Jun 03 10:21:24 2005] [715:0] [debug] ajp_marshal_into_msgb::jk_ajp_common.c (551): ajp marshaling done
    [Fri Jun 03 10:21:24 2005] [715:0] [debug] ajp_service::jk_ajp_common.c (1594): processing with 3 retries
    [Fri Jun 03 10:21:24 2005] [715:0] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (883): sending to ajp13 pos=4 len=254 max=8192
    [Fri Jun 03 10:21:24 2005] [715:0] [debug] ajp_send_request::jk_ajp_common.c (1199): request body to send 180594 - request body to resend 0
    [Fri Jun 03 10:21:24 2005] [715:0] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (883): sending to ajp13 pos=4 len=8192 max=8192
    [Fri Jun 03 10:21:24 2005] [715:0] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1007): received from ajp13 pos=0 len=126 max=8192
    [Fri Jun 03 10:21:24 2005] [715:0] [debug] ajp_unmarshal_response::jk_ajp_common.c (606): status = 401
    [Fri Jun 03 10:21:24 2005] [715:0] [debug] ajp_unmarshal_response::jk_ajp_common.c (613): Number of headers is = 3
    [Fri Jun 03 10:21:24 2005] [715:0] [debug] ajp_unmarshal_response::jk_ajp_common.c (669): Header[0] [WWW-Authenticate] = [Basic realm="Salton"]
    [Fri Jun 03 10:21:24 2005] [715:0] [debug] ajp_unmarshal_response::jk_ajp_common.c (669): Header[1] [Content-Type] = [text/html;charset=utf-8]
    [Fri Jun 03 10:21:24 2005] [715:0] [debug] ajp_unmarshal_response::jk_ajp_common.c (669): Header[2] [Content-Length] = [952]
    [Fri Jun 03 10:21:24 2005] [715:0] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1007): received from ajp13 pos=0 len=956 max=8192
    [Fri Jun 03 10:21:24 2005] [715:0] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1007): received from ajp13 pos=0 len=2 max=8192
    [Fri Jun 03 10:21:24 2005] [715:0] [debug] ajp_done::jk_ajp_common.c (1942): recycling connection cache slot=0

If I post the request directly to Tomcat (not over AJP through the redirector) then it also works fine.

Has anyone run into this issue? Any information would be appreciated.

Thanks,
Kevin Convy
Icebox LLC
Re: client authentication with client certificates (ssl)
Paul Puschmann wrote:
> That is fine, but how can I use the CLIENT-CERT information in my
> applications?

The certificate is exposed as a servlet attribute. You need to read section SRV.4.7 of the servlet specification and if you search the specification for "certificate" you will find some useful supporting information.

Mark
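Mark's pointer worked through as an added example (not from this thread and not Tomcat's own code): a servlet filter that reads the certificate array the container stores under javax.servlet.request.X509Certificate, checks that the issuer is the one CA this deployment actually trusts, and publishes the subject CN and OU as request attributes for the application's own authorization. The filter class name, the attribute names client.cn and client.ou, and the EXPECTED_ISSUER DN are assumptions; the issuer check matters because, as Manuel's message on this page notes, the CA for client auth has to sit in the JDK cacerts file, which also trusts every public CA shipped with the JDK.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not Tomcat's code): pulls the verified client certificate
 * out of the request, pins its issuer to the CA this deployment expects and
 * exposes the subject's CN and OU for the application's own authorization.
 */
public class ClientCertFilter implements Filter {

    /** Attribute name defined by the servlet specification (SRV.4.7). */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /**
     * Issuer DN of the only CA whose client certificates are acceptable.
     * PLACEHOLDER (assumption): replace with the DN of your own CA. Needed
     * because the connector trusts every CA in the JDK cacerts file.
     */
    static final String EXPECTED_ISSUER = "CN=Example Customer CA,O=Example Corp,C=DE";

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // Null or empty: the connector did not obtain a client certificate
        // (clientAuth="false", or clientAuth="want" and the client sent none).
        if (certs == null || certs.length == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        // certs[0] is the end-entity certificate presented by the client.
        X509Certificate client = certs[0];

        // The handshake already checked the chain and validity, but not *which*
        // trusted CA signed it; compare the issuer DN in canonical form.
        if (!sameDn(client.getIssuerX500Principal().getName(), EXPECTED_ISSUER)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate issuer not accepted");
            return;
        }

        String subject = client.getSubjectX500Principal().getName(); // RFC 2253 form
        req.setAttribute("client.cn", rdnValue(subject, "CN"));   // e.g. customer number
        req.setAttribute("client.ou", rdnValue(subject, "OU"));   // e.g. customer group
        chain.doFilter(req, res);
    }

    /** Compares two DNs after LdapName normalisation (case, spacing, escaping). */
    static boolean sameDn(String a, String b) {
        try {
            return new LdapName(a).equals(new LdapName(b));
        } catch (InvalidNameException e) {
            return false;
        }
    }

    /**
     * Value of the leftmost (most specific) RDN of the given type in an
     * RFC 2253 DN, or null when absent. LdapName does the parsing, so an
     * escaped comma inside a value is not mistaken for a separator.
     */
    static String rdnValue(String dn, String type) {
        try {
            List<Rdn> rdns = new LdapName(dn).getRdns(); // listed root-first
            for (int i = rdns.size() - 1; i >= 0; i--) {
                Rdn rdn = rdns.get(i);
                if (rdn.getType().equalsIgnoreCase(type)) {
                    return rdn.getValue().toString();
                }
            }
            return null;
        } catch (InvalidNameException e) {
            return null;
        }
    }
}
```

Map the filter in web.xml only onto the paths that need the certificate, and read client.cn and client.ou from the request in the servlets behind it.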
Re: client authentication with client certificates (ssl)
Mark Thomas wrote:
> Paul Puschmann wrote:
>
>> we'd like to use our Tomcat with ssl and client certificates.
>>
>> Does anybody know if the user information (of the user-certificate) can
>> be used to authenticate?
>>
>> Tomcat is 5.5.7
>
> CLIENT-CERT authentication is supported.
>
That is fine, but how can I use the CLIENT-CERT information in my applications?

In the client certificates should be a name and/or customer number in the usual fields. I want my application to use e.g. the customer number for further authorization.

(Please answer below the quote, this enhances readability)

Paul
Re: client authentication with client certificates (ssl)
Paul,

CLIENT-CERT authentication is supported.

Mark

Paul Puschmann wrote:
> we'd like to use our Tomcat with ssl and client certificates.
>
> Does anybody know if the user information (of the user-certificate) can
> be used to authenticate?
>
> Tomcat is 5.5.7
client authentication with client certificates (ssl)
Hi,

we'd like to use our Tomcat with ssl and client certificates.

Does anybody know if the user information (of the user-certificate) can be used to authenticate?

Tomcat is 5.5.7

Paul
RE: Authentication and Re-Authentication on Tomcat 4.1.24 for Authorization
I have done more related to this challenge:

In my servlet, I've tried:

    response.setStatus(response.SC_UNAUTHORIZED); // Ie 401
    response.setHeader("WWW-AUTHENTICATE","BASIC realm=\"UserDatabase\"");
    //commenting out this one: response.setHeader("WWW-AUTHENTICATE","BASIC");
    dispatcher.forward(request,response);

That change makes "UserDatabase" appear on the basic auth. dialog box.

I've also tried the above like this:

    session.invalidate();
    response.setStatus(response.SC_UNAUTHORIZED); // Ie 401
    response.setHeader("WWW-AUTHENTICATE","BASIC realm=\"UserDatabase\"");
    // response.setHeader("WWW-AUTHENTICATE","BASIC");
    dispatcher.forward(request,response);

That change means that I end up in a never ending loop where the original login form opens, I login, authenticate, then after I attempt to clear the basic authentication, I am sent back to the form authentication, then basic, then form, and on, and on. This tells me that my server.xml is overriding my application.xml.

Here is my tomcat_home/webapps/application.xml:

    <resource-env-ref>
      <description>
        Link to the UserDatabase instance from which
        we request lists of defined role names.
      </description>
      <resource-env-ref-name>UserDatabase</resource-env-ref-name>
      <resource-env-ref-type>org.apache.catalina.UserDatabase</resource-env-ref-type>
    </resource-env-ref>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>mrcjava</web-resource-name>
        <url-pattern>/LNGDIST/AdminOptions.jsp</url-pattern>
        <url-pattern>/mrcjava/GetAttsAdmin</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>NTSADMIN</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>mrcjava</realm-name>
    </login-config>

    <security-role>
      <description>
        The role that is required to log in to the Manager Application
      </description>
      <role-name>NTSADMIN</role-name>
    </security-role>

Thanks for any help.

Robyne K. Vaughn
Programmer/Analyst
Lubbock ISD

-----Original Message-----
From: Robyne Vaughn
Sent: Tuesday, May 24, 2005 9:05 AM
To: tomcat-user@jakarta.apache.org
Subject: Authentication and Re-Authentication on Tomcat 4.1.24 for Authorization

In my server.xml, I have a JNDI realm which works for authenticating every user against Microsoft Active Directory. The user requests a URL which I have set up as an alias in my web.xml for a servlet which authenticates the user against the active directory and then does a dispatcher.forward(request,response) to what is essentially an opening page for the user. (A menu of links to specific programs.)

I am trying to implement further authorization for certain programs for administrators. If a person tries to open (I'm only testing 1 page at the moment) the protected page, before doing the dispatcher.forward(request,response), I rewrite the http header to be basic authentication in an effort to trick Tomcat into re-authenticating for this page.

    response.setStatus(response.SC_UNAUTHORIZED); // Ie 401
    response.setHeader("WWW-AUTHENTICATE","BASIC");
    dispatcher.forward(request,response);

I have set up a context fragment similar to tomcat_home/webapps/application.xml trying to set up the additional authentication. It wants to use the user database, and in fact, it does pop up the basic login window after one has cleared the jndi authentication. However, after 3 attempts to login, it neither gives me a "bad password" message, nor a "successful" message, instead after the 3 attempts, it just allows the already authenticated user access whether or not they have been assigned the appropriate role in the tomcat-users.xml.

Any ideas why it doesn't seem to be actually using the tomcat-users.xml? It's a miracle that it's this close to working. I'm feeling my way through this, I'm not very experienced at Tomcat or Java or Jndi, I only touch on them occasionally. So, please answer in full, rich answers.

Robyne Vaughn
NTLM authentication using jCIFS over JK1.2.10 & IIS fails
I am currently using TC 5.0.28 & the http1.1 connector and jCIFS for authentication in a webapp. Authentication is done completely within the webapp without using TC methods and only when necessary. This is working quite well except for a few users, who are accessing over a squid proxy, which suppresses the ntlm auth headers.

Only to overcome this and for these users I added access via https/443 using IIS (W2K-Server) and JK2.0.4, furthermore using jCIFS for authentication. This is running ok but unfortunately JK2.0.4 has this file upload bug. Therefore I wanted to upgrade to JK1.2.10 (and thereby TC 5.5.9).

But I cannot get the ntlm authentication running over JK1.2.10/IIS. IE shows the login box, though it should silently authenticate. It seems that IIS/JK interferes with the authentication headers/process. I have configured "jakarta" within IIS to not use basic or integrated windows auth.

In the mailing lists I have not found anything (of course except using IIS builtin authentication). I have found a description with also a jCIFS/JK problem, http://lists.samba.org/archive/jcifs/2003-July/002359.html but no solution. Also I did not find any jk configuration parameters which seem to apply to this.

Primarily I do not want to activate authentication within IIS. I want to leave it to the webapp & jCIFS in order to avoid two different auth methods. The tomcat version does not seem to matter.

Summary: requests running via

    TC + http1.1 + jCIFS authenticating:      OK
    TC + jk2.0.4/IIS + no authentication:     OK
    TC + jk2.0.4/IIS + jCIFS authenticating:  OK
    TC + jk1.2.10/IIS + no authentication:    OK
    TC + jk1.2.10/IIS + jCIFS authenticating: NOT OK

Anyone an idea what's the difference between jk2.0.4 and jk1.2.10 causing this behaviour? Have I overlooked something? Is this a bug within JK1.2.10?

Regards
Karl-Heinz
Client authentication for single servlet
In Tomcat 5.0.x, is it possible for a servlet to get a client's certificate without forcing the whole server to use client authentication?

In server.xml:

    clientAuth=true  - stops everyone accessing via https
    clientAuth=want  - secure servlet displays no content
    clientAuth=false - request.getAttribute("javax.servlet.request.X509Certificate") doesn't get the cert

thanks,
Alistair
RE: Different Authentication Requirements Based On Connector, Por t or Protocol?
You might think about using Apache HTTP server to proxy (mod_proxy) the external traffic back to your Tomcat instance on ports 80 (80 <-> 8080) & 443 (443 <-> 8443). I've run into situations where ports other than the "standard" 80 & 443 are blocked by corporate firewalls. You might be able to use Apache to do the authentication that way too.

Just my 2 cents.

--Dan

-----Original Message-----
From: Daniel Rigal [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 25, 2005 9:09 AM
To: tomcat-user@jakarta.apache.org
Subject: Different Authentication Requirements Based On Connector, Port or Protocol?

Hi,

We have a Tomcat server (without Apache HTTP server) serving on two ports, 8080 and 8443 (HTTP and HTTPS respectively) using two connectors as described in the various Tomcat SSL FAQs.

What I want to do is require users coming in on port 8443 (from the internet) to pass basic user authentication before they can access anything while still allowing our internal users on port 8080 (which will not be accessible from the internet) access without authentication. Basically, I am trying to make a secure extranet the lazy way without annoying the existing intranet users.

Can anybody suggest a reasonably easy way to do this?

At first I was thinking that I could just put a url-pattern inside a security-constraint in web.xml but I realised that this does not operate on the full URL so I could not filter by port number or protocol here.

Thanks,
Daniel.

-- 
Daniel Rigal MSc.
Systems Administrator - Jai Kudo IT Support Team.
Different Authentication Requirements Based On Connector, Port or Protocol?
Hi,

We have a Tomcat server (without Apache HTTP server) serving on two ports, 8080 and 8443 (HTTP and HTTPS respectively) using two connectors as described in the various Tomcat SSL FAQs. What I want to do is require users coming in on port 8443 (from the internet) to pass basic user authentication before they can access anything, while still allowing our internal users on port 8080 (which will not be accessible from the internet) access without authentication. Basically, I am trying to make a secure extranet the lazy way without annoying the existing intranet users. Can anybody suggest a reasonably easy way to do this?

At first I was thinking that I could just put a url-pattern inside a security-constraint in web.xml, but I realised that this does not operate on the full URL, so I could not filter by port number or protocol here.

Thanks,
Daniel.

--
Daniel Rigal MSc.
Systems Administrator - Jai Kudo IT Support Team.
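Since a security-constraint cannot see the port, the other place this decision can be made inside Tomcat itself is a servlet Filter. The filter below is an added example for this archive, not code from the thread or from Tomcat: it challenges for HTTP Basic credentials only on requests that arrived on the internet-facing connector (8443 as in the question) and lets requests on the other connector through untouched. It assumes a Servlet 2.4 container (for getLocalPort()), Java 8 or later (for java.util.Base64), a filter-mapping on /* in web.xml, and a constructed single-user credential store that stands in for whatever realm you would really consult.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not from the thread): demands HTTP Basic credentials only
 * for requests accepted on the externally exposed connector.
 */
public class ExternalPortAuthFilter implements Filter {

    /** Port of the connector that faces the internet; 8443 as in the question. */
    private int externalPort = 8443;

    /** Constructed credential store: user name -> hex SHA-256 of the password. */
    private final Map<String, String> passwordHashes = new HashMap<String, String>();

    public void init(FilterConfig cfg) throws ServletException {
        String p = cfg.getInitParameter("externalPort");
        if (p != null) {
            externalPort = Integer.parseInt(p);
        }
        // Stand-in for a real realm or hashed password file; value is constructed for the example.
        passwordHashes.put("extranet", sha256Hex("correct horse battery staple"));
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // getLocalPort() is the port the connector accepted the socket on; unlike
        // getServerPort() it cannot be steered by a client-supplied Host header.
        if (request.getLocalPort() != externalPort
                || credentialsValid(request.getHeader("Authorization"))) {
            chain.doFilter(req, resp);
            return;
        }
        response.setHeader("WWW-Authenticate", "Basic realm=\"extranet\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** Parses "Basic base64(user:password)" and checks it against the store. */
    boolean credentialsValid(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return false;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(authorization.substring(6).trim()),
                                 StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            return false;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return false;
        }
        String expected = passwordHashes.get(decoded.substring(0, colon));
        if (expected == null) {
            return false;
        }
        // Constant-time comparison: a near miss takes as long to reject as a total miss.
        byte[] given = sha256Hex(decoded.substring(colon + 1)).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), given);
    }

    static String sha256Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public void destroy() {
    }
}
```

Because the filter keys on the connector's own listening port, the intranet connector must genuinely be unreachable from outside (as the question states it will be); the filter offers no protection if both ports end up exposed. Basic credentials travel in clear text, which is why only the SSL connector is made to ask for them.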
Authentication and Re-Authentication on Tomcat 4.1.24 for Authorization
In my server.xml, I have a JNDI realm which works for authenticating every user against Microsoft Active Directory. The user requests a URL which I have set up as an alias in my web.xml for a servlet which authenticates the user against the Active Directory and then does a dispatcher.forward(request,response) to what is essentially an opening page for the user (a menu of links to specific programs).

I am trying to implement further authorization for certain programs for administrators. If a person tries to open the protected page (I'm only testing 1 page at the moment), before doing the dispatcher.forward(request,response), I rewrite the HTTP header to be basic authentication in an effort to trick Tomcat into re-authenticating for this page:

response.setStatus(response.SC_UNAUTHORIZED); // i.e. 401
response.setHeader("WWW-AUTHENTICATE","BASIC");
dispatcher.forward(request,response);

I have set up a context fragment similar to tomcat_home/webapps/application.xml trying to set up the additional authentication. It wants to use the user database, and in fact, it does pop up the basic login window after one has cleared the JNDI authentication. However, after 3 attempts to log in, it neither gives me a "bad password" message nor a "successful" message; instead, after the 3 attempts, it just allows the already authenticated user access whether or not they have been assigned the appropriate role in the tomcat-users.xml.

Any ideas why it doesn't seem to be actually using the tomcat-users.xml? It's a miracle that it's this close to working. I'm feeling my way through this; I'm not very experienced at Tomcat or Java or JNDI, I only touch on them occasionally. So, please answer in full, rich answers.

Robyne Vaughn
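One point worth keeping in mind when reading the above: container security constraints are checked against the URL the client requested, not against a resource reached through RequestDispatcher.forward, so a constraint on the forwarded-to page is never consulted on that path. As an added example for this archive (not code from the thread), the filter below gates administrator-only pages on a role set that the application's own login servlet records in the session after its directory lookup, returning 403 instead of replaying a 401 challenge. The class name, the session attribute name and the role name are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not from the thread): refuses a page unless the
 * session already records the required role. The role set is written by the
 * application's own login servlet once its directory check has succeeded.
 */
public class AdminPageFilter implements Filter {

    /** Session attribute holding the user's roles (assumed name). */
    static final String ROLES_ATTR = "app.roles";

    /** Role required for every URL this filter is mapped to; overridable via init-param. */
    private String requiredRole = "admin";

    public void init(FilterConfig cfg) {
        String r = cfg.getInitParameter("requiredRole");
        if (r != null) {
            requiredRole = r;
        }
    }

    /** Called by the login servlet with the roles it derived from the directory lookup. */
    static void storeRoles(HttpSession session, String... roles) {
        session.setAttribute(ROLES_ATTR, new HashSet<String>(Arrays.asList(roles)));
    }

    /** True only when a session exists and it records the required role. */
    static boolean hasRole(HttpSession session, String role) {
        if (session == null) {
            return false;
        }
        Object stored = session.getAttribute(ROLES_ATTR);
        Set<?> roles = stored instanceof Set ? (Set<?>) stored : Collections.emptySet();
        return roles.contains(role);
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        // getSession(false) never creates a session, so a refused hit leaves no state behind
        if (!hasRole(request.getSession(false), requiredRole)) {
            // 403 rather than 401: the user is authenticated already, they just lack the role
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, resp);
    }

    public void destroy() {
    }
}
```

Because the protected page is reached by a forward, the filter-mapping in web.xml needs a <dispatcher>FORWARD</dispatcher> entry alongside <dispatcher>REQUEST</dispatcher> (a Servlet 2.4 feature); by default a filter only runs for direct client requests and the forwarded page would bypass it.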
RE: Client Authentication certificates
Thanks Philip.. ever so much help. I really appreciate this!

-Original Message-
From: Philippe Johan [mailto:[EMAIL PROTECTED]
Sent: 24 May 2005 08:55
To: tomcat-user@jakarta.apache.org
Subject: RE: Client Authentication certificates

Hi Mark,

To answer your questions:

- You can create your own Certificate Authority (CA) with no links to any other certificate, institution, ... A typical CA certificate is just that: a self-signed certificate (= signed with the private key matching the public key contained inside the certificate).
- Client authentication is part of SSL. It is during the SSL handshake that the server will request the client certificate. So the short answer would be: NO, you can not implement this without SSL.
- The CA the server requires for the client certificates can be completely unrelated to the server certificate. So I think your ideal solution would be to have a standard (i.e. Verisign) server certificate, but your own client certificates with their own CA (the one you created yourself). To implement this, your keystoreFile (containing the server and matching CA certificate) will be different from your truststoreFile (containing the client CA certificate).

If you go with the really cheap option to create the server certificate yourself as well, you will indeed have the issue mentioned below. But do know that this CA certificate is typically automatically added in the browser store during the generation of the client certificate. Meaning that if 100% of your clients will be accessing this server with a client certificate this is not an issue.

Have a look at EJBCA (Enterprise Java Beans Certificate Authority, http://ejbca.sourceforge.net/) for the certificate management part. Distributing certificates, and more importantly the matching private keys, is not an easy thing to do with the OpenSSL command-line tools.

Regards,
Johan

-Original Message-
From: Tim Diggins [mailto:[EMAIL PROTECTED]
Sent: Monday 23 May 2005 12:24
To: Tomcat Users List
Subject: Re: Client Authentication certificates

Hi Mark -

I saw it, and... don't know the answers for the second two (don't fully understand the questions), but yes, you can create your own Certificate Authority, no problem -- however your clients will each then either have to click through various warning dialogues each time, or they will have to add the root certificate to their list of trusted certificate authorities. How exactly to do this varies from browser to browser (and OS to OS sometimes)...

--Tim

Mark Benussi wrote:
> Morning all..
>
> I have a web app and for certain areas of the site I wish to restrict access to a Client Authentication certificate. I want to generate a root Certificate for my company domain and then sub domains for a variety of customers. Then I wish to be able to generate certificates for certain users within these sub domains.
>
> My questions are:
>
> Can I build a root certificate that is not signed by someone like Verisign or any other trusted root? (This is a cost issue).
>
> Can I implement the Client Authentication on a server which does not have SSL implemented?
>
> Can I implement the Client Authentication on a server which already has an SSL certificate, signed by someone like Verisign and effectively run both?
>
> Would appreciate your thoughts and also any pointers on where to start digging.
>
> TIA Mark
RE: Client Authentication certificates
Thank you ever so much. The certificates will be for a subset of my clients and so I am not that worried. I really appreciate your help.

-Original Message-
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: 23 May 2005 23:13
To: Tomcat Users List
Subject: Re: Client Authentication certificates

Mark Benussi wrote:
> Can I build a root certificate that is not signed by someone like Verisign or any other trusted root? (This is a cost issue).

Yes, but then people have to trust your root certificate. One of the services Verisign and the other CAs offer (depending on the type of certificate you get) is the verification of the entity that possesses the private key associated with the certificate.

> Can I implement the Client Authentication on a server which does not have SSL implemented?

No. SSL is a prerequisite for CLIENT-CERT authentication.

> Can I implement the Client Authentication on a server which already has an SSL certificate, signed by someone like Verisign and effectively run both?

Yes, with some caveats. A Tomcat connector is SSL enabled or not. It can not be both. Tomcat can have multiple SSL enabled connectors but they must use different ports. Each Tomcat SSL connector can be associated with one, and only one, certificate.

HTH,
Mark
RE: Client Authentication certificates
Hi Mark,

To answer your questions:

- You can create your own Certificate Authority (CA) with no links to any other certificate, institution, ... A typical CA certificate is just that: a self-signed certificate (= signed with the private key matching the public key contained inside the certificate).
- Client authentication is part of SSL. It is during the SSL handshake that the server will request the client certificate. So the short answer would be: NO, you can not implement this without SSL.
- The CA the server requires for the client certificates can be completely unrelated to the server certificate. So I think your ideal solution would be to have a standard (i.e. Verisign) server certificate, but your own client certificates with their own CA (the one you created yourself). To implement this, your keystoreFile (containing the server and matching CA certificate) will be different from your truststoreFile (containing the client CA certificate).

If you go with the really cheap option to create the server certificate yourself as well, you will indeed have the issue mentioned below. But do know that this CA certificate is typically automatically added in the browser store during the generation of the client certificate. Meaning that if 100% of your clients will be accessing this server with a client certificate this is not an issue.

Have a look at EJBCA (Enterprise Java Beans Certificate Authority, http://ejbca.sourceforge.net/) for the certificate management part. Distributing certificates, and more importantly the matching private keys, is not an easy thing to do with the OpenSSL command-line tools.

Regards,
Johan

-Original Message-
From: Tim Diggins [mailto:[EMAIL PROTECTED]
Sent: Monday 23 May 2005 12:24
To: Tomcat Users List
Subject: Re: Client Authentication certificates

Hi Mark -

I saw it, and... don't know the answers for the second two (don't fully understand the questions), but yes, you can create your own Certificate Authority, no problem -- however your clients will each then either have to click through various warning dialogues each time, or they will have to add the root certificate to their list of trusted certificate authorities. How exactly to do this varies from browser to browser (and OS to OS sometimes)...

--Tim

Mark Benussi wrote:
> Morning all..
>
> I have a web app and for certain areas of the site I wish to restrict access to a Client Authentication certificate. I want to generate a root Certificate for my company domain and then sub domains for a variety of customers. Then I wish to be able to generate certificates for certain users within these sub domains.
>
> My questions are:
>
> Can I build a root certificate that is not signed by someone like Verisign or any other trusted root? (This is a cost issue).
>
> Can I implement the Client Authentication on a server which does not have SSL implemented?
>
> Can I implement the Client Authentication on a server which already has an SSL certificate, signed by someone like Verisign and effectively run both?
>
> Would appreciate your thoughts and also any pointers on where to start digging.
>
> TIA Mark
Re: Problem with redirection for Tomcat Basic Authentication
I suspect that IE and IIS are conspiring to use Windows Native Authentication. I think this is a browser setting where IE tries this by default if talking to IIS. The settings should be under something like:

IE > Tools > Internet options > security > custom level > user authentication

I can't remember what setting you need to use but try the various options and see what happens.

Mark

Javier Santos Martin-Moreno wrote:
> Hello,
>
> I am running Tomcat 5.5.9 on Windows 2000. I configured the ISAPI redirector (version 1.2.12) so that Tomcat worked along with IIS and everything seemed to work fine, but...
>
> I have a Tomcat application which requires basic authentication. Everything works fine if I access from http://localhost:8080/mywebapp/, I get authenticated and can navigate, so I think the realm is configured correctly. But if I try to access from http://localhost/mywebapp/ (the path to my app is added to uriworkermap.properties) I get a Windows authentication prompt window ('Enter network password' with fields to introduce username, password plus domain) instead of Tomcat's basic authentication prompt window.
>
> However, once I log in (using http://localhost:8080/mywebapp/) I can navigate without problems through the application pages without using the ':8080' part. So it seems like redirection works except for the authentication part.
>
> Does anyone have any ideas so that I can log in to my application without the need to specify the port?
>
> Thanks in advance,
> Javier Santos
Re: Client Authentication certificates
Mark Benussi wrote:
> Can I build a root certificate that is not signed by someone like Verisign or any other trusted root? (This is a cost issue).

Yes, but then people have to trust your root certificate. One of the services Verisign and the other CAs offer (depending on the type of certificate you get) is the verification of the entity that possesses the private key associated with the certificate.

> Can I implement the Client Authentication on a server which does not have SSL implemented?

No. SSL is a prerequisite for CLIENT-CERT authentication.

> Can I implement the Client Authentication on a server which already has an SSL certificate, signed by someone like Verisign and effectively run both?

Yes, with some caveats. A Tomcat connector is SSL enabled or not. It can not be both. Tomcat can have multiple SSL enabled connectors but they must use different ports. Each Tomcat SSL connector can be associated with one, and only one, certificate.

HTH,
Mark
Problem with redirection for Tomcat Basic Authentication
Hello,

I am running Tomcat 5.5.9 on Windows 2000. I configured the ISAPI redirector (version 1.2.12) so that Tomcat worked along with IIS and everything seemed to work fine, but...

I have a Tomcat application which requires basic authentication. Everything works fine if I access from http://localhost:8080/mywebapp/, I get authenticated and can navigate, so I think the realm is configured correctly. But if I try to access from http://localhost/mywebapp/ (the path to my app is added to uriworkermap.properties) I get a Windows authentication prompt window ('Enter network password' with fields to introduce username, password plus domain) instead of Tomcat's basic authentication prompt window.

However, once I log in (using http://localhost:8080/mywebapp/) I can navigate without problems through the application pages without using the ':8080' part. So it seems like redirection works except for the authentication part.

Does anyone have any ideas so that I can log in to my application without the need to specify the port?

Thanks in advance,
Javier Santos
Re: Client Authentication certificates
Hi Mark -

I saw it, and... don't know the answers for the second two (don't fully understand the questions), but yes, you can create your own Certificate Authority, no problem -- however your clients will each then either have to click through various warning dialogues each time, or they will have to add the root certificate to their list of trusted certificate authorities. How exactly to do this varies from browser to browser (and OS to OS sometimes)...

--Tim

Mark Benussi wrote:
> Morning all..
>
> I have a web app and for certain areas of the site I wish to restrict access to a Client Authentication certificate. I want to generate a root Certificate for my company domain and then sub domains for a variety of customers. Then I wish to be able to generate certificates for certain users within these sub domains.
>
> My questions are:
>
> Can I build a root certificate that is not signed by someone like Verisign or any other trusted root? (This is a cost issue).
>
> Can I implement the Client Authentication on a server which does not have SSL implemented?
>
> Can I implement the Client Authentication on a server which already has an SSL certificate, signed by someone like Verisign and effectively run both?
>
> Would appreciate your thoughts and also any pointers on where to start digging.
>
> TIA Mark
Client Authentication certificates
Did anyone see this message, as Remote host said: 554 delivery error: This user doesn't have an account. Can someone please confirm they got it?

-Original Message-
From: Mark Benussi [mailto:[EMAIL PROTECTED]
Sent: 23 May 2005 10:38
To: tomcat-user@jakarta.apache.org
Subject: Client Authentication certificates

Morning all..

I have a web app and for certain areas of the site I wish to restrict access to a Client Authentication certificate. I want to generate a root Certificate for my company domain and then sub domains for a variety of customers. Then I wish to be able to generate certificates for certain users within these sub domains.

My questions are:

Can I build a root certificate that is not signed by someone like Verisign or any other trusted root? (This is a cost issue).

Can I implement the Client Authentication on a server which does not have SSL implemented?

Can I implement the Client Authentication on a server which already has an SSL certificate, signed by someone like Verisign and effectively run both?

Would appreciate your thoughts and also any pointers on where to start digging.

TIA Mark
Client Authentication certificates
Morning all..

I have a web app and for certain areas of the site I wish to restrict access to a Client Authentication certificate. I want to generate a root Certificate for my company domain and then sub domains for a variety of customers. Then I wish to be able to generate certificates for certain users within these sub domains.

My questions are:

Can I build a root certificate that is not signed by someone like Verisign or any other trusted root? (This is a cost issue).

Can I implement the Client Authentication on a server which does not have SSL implemented?

Can I implement the Client Authentication on a server which already has an SSL certificate, signed by someone like Verisign and effectively run both?

Would appreciate your thoughts and also any pointers on where to start digging.

TIA Mark
Re: Form Authentication with SSL behind Load Balancer
Just a follow-up to let others know how this worked out. The fix turned out to be pure load balancer configuration. Cisco Support instructed us to use the CSS load balancer's "urlrewrite" feature to ensure that the HTTP 302s after Tomcat-managed authentication come back targeting the correct host and protocol. This prevented the protocol switch from HTTPS to HTTP. It now works fine.

Thanks to those on this list who contributed their suggestions!

>>> [EMAIL PROTECTED] 2005-05-11 12:31 PM >>>
I'm running into a problem using form-based authentication with Tomcat 5.5.9 behind a Cisco CSS load balancer, and I'm hoping someone can point me in the right direction.

We've got Tomcat deployed on 2 nodes, not clustered, but load-balanced via NAT distribution by the Cisco device. We want the site traffic to be secured with SSL, but the SSL is actually terminated in the load balancer for efficiency and to offload the encryption/decryption burden from Tomcat.

We also planned to use J2EE container-managed authentication using the form-based option. This is where we're having problems.

When we reference secure content within the target web app with an HTTPS address, Tomcat serves back the configured Login page just fine. When we submit the Login form, however, and authentication succeeds, we are redirected to the original resource over HTTP instead of HTTPS.

Since the SSL terminates in the load balancer, the Cisco device actually routes the request to Tomcat on the standard HTTP port (8080). It appears that, after successful authentication by the container via the Login form, Tomcat redirects the user to the original resource URL with the HTTP protocol instead of HTTPS, because Tomcat doesn't know about the HTTPS address intercepted by Cisco. To Tomcat, the requests all come in looking like plain old HTTP.

Just for grins, I tried setting transport-guarantee = CONFIDENTIAL in my web.xml. It didn't work, just created a Catch-22 where Tomcat tries to redirect to HTTPS but Cisco intercedes and forwards the request to Tomcat as HTTP. I spoke with our Network engineers, and they don't believe they can do anything about this on the Cisco side. They believe it's a web server / Tomcat issue.

Once I'm into the app, I can type the "s" after "http" in the browser's location bar to "switch back" to SSL. Clicking links with relative URLs in the pages appears to stick with the HTTPS protocol after that. It's only the initial container-managed login and redirection to the original requested resource that seems to cause the protocol switch.

Any advice is greatly appreciated. Thanks!

Brian Burt
Enterprise Application Engineer
Gordon Food Service
e-mail: [EMAIL PROTECTED]
office phone: 616-717-6972
Re: Client Authentication
Hi all

I sorted it out. Thanks for your help. These are the steps I followed. Hope it helps someone.

1) perl CA.pl -newca (create a new CA)
2) perl CA.pl -newreq (new client request)
3) perl CA.pl -sign (sign the certificate request)
4) openssl rsa < newreq.pem > client_key.pem (extract the RSA key)
5) mv newreq.pem client_req.pem (renaming for your identification)
6) mv newcert.pem client_cert.pem (renaming for your identification)
7) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12 (generate a pkcs12 certificate)
8) keytool -genkey -alias tomcat -keyalg RSA (generate your keystore)
9) keytool -certreq -keyalg RSA -alias tomcat -file tomcat.csr (generate a request for tomcat)
10) openssl x509 -req -CA democa/cacert.pem -CAkey democa/private/cakey.pem -extensions v3_ca -in tomcat.csr -inform DER -out tomcat.x509 -CAcreateserial (signs the tomcat certificate request with your CA)
11) keytool -import -alias MyRootCA -keystore JAVA_HOME/jre/lib/security/cacerts -file democa/cacert.pem (import CA selfsigned into the truststore)
12) keytool -import -alias tomcat -file tomcat.x509

Import both the democa/cacert.pem and client.p12 to the client's machine. In your server.xml file enable client authentication by changing clientauth="true" and that's it.

Regards & Thanks
Mahesh S Kudva

-Original Message-
From: "Mahesh S Kudva" <[EMAIL PROTECTED]>
To: "Tomcat Users List"
Date: Fri, 13 May 2005 22:26:59 +0530
Subject: Re: Client Authentication

> Hi All
>
> How do I go about with client Authentication
>
> Regards & Thanks
> Mahesh S Kudva
>
> -Original Message-
> From: "Mahesh S Kudva" <[EMAIL PROTECTED]>
> To: "Tomcat Users List"
> Date: Tue, 10 May 2005 20:51:08 +0530
> Subject: Re: Client Authentication
>
> Hi All
>
> Nothing seems to work out for me with client auth. Here is what I've done
>
> CA and Certificates
> 1) perl CA.pl -newca
> 2) perl CA.pl -newreq
> 3) perl CA.pl -sign
> 4) openssl rsa < newreq.pem > server_key.pem
> 5) mv newcert.pem server_cert.pem
> 6) mv newreq.pem server_req.pem
> 7) perl CA.pl -newreq
> 8) perl CA.pl -sign
> 9) mv newreq.pem client_req.pem
> 10) mv newcert.pem client_cert.pem
> 11) openssl rsa < client_req.pem > client_key.pem
> 12) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12
> 13) openssl x509 -in server_cert.pem -out server.x509
> 14) openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem -out server.p12
> 15) keytool -genkey -alias tomcat -storepass changeit
> 16) keytool -import -alias TomcatCA -file demoCA/cacert.pem
>
> I then import the CA's self signed certificate to the client's machine along with the p12 certificate
>
> My Tomcat-users.xml file
>
> password="" roles="tomcat,certs"/>
>
> Where am I going wrong? Even if the certificates are in the client's machine the certificates identity window always pops up
>
> Regards & Thanks
> Mahesh S Kudva
>
> -Original Message-
> From: Mark Thomas <[EMAIL PROTECTED]>
> To: Tomcat Users List
> Date: Tue, 03 May 2005 23:00:57 +0100
> Subject: Re: Client Authentication
>
> > The CN for your server cert can be anything you like but you will get a warning in your browser if the CN differs from how you express it in the URL.
> >
> > The user needs to look something like this
> > password="null" roles="tomcat,certs"/>
> > in tomcat-users. It must be the full DN of the user certificate.
> >
> > HTH,
> >
> > Mark
> >
> > Mahesh S Kudva wrote:
> > > Hi
> > >
> > > It seems like a silly question. But I am new to SSL and Certificates as well as Tomcat.
> > >
> > > If my machine's IP is 192.168.0.1 then I access tomcat as https://192.168.0.1:8443. Keeping this in mind should I give the Common Name as 192.168.0.1 ???
> > >
> > > How do I specify the client info in the tomcat-users.xml?
> > >
> > > This is how my tomcat-users.xml file looks like.
> > >
> > > Regards & Thanks
> > >
> > > Mahesh S Kudva
> > >
> > > -Original Messag
Re: Client Authentication
Hi All

How do I go about with client Authentication

Regards & Thanks
Mahesh S Kudva

-Original Message-
From: "Mahesh S Kudva" <[EMAIL PROTECTED]>
To: "Tomcat Users List"
Date: Tue, 10 May 2005 20:51:08 +0530
Subject: Re: Client Authentication

Hi All

Nothing seems to work out for me with client auth. Here is what I've done

CA and Certificates
1) perl CA.pl -newca
2) perl CA.pl -newreq
3) perl CA.pl -sign
4) openssl rsa < newreq.pem > server_key.pem
5) mv newcert.pem server_cert.pem
6) mv newreq.pem server_req.pem
7) perl CA.pl -newreq
8) perl CA.pl -sign
9) mv newreq.pem client_req.pem
10) mv newcert.pem client_cert.pem
11) openssl rsa < client_req.pem > client_key.pem
12) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12
13) openssl x509 -in server_cert.pem -out server.x509
14) openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem -out server.p12
15) keytool -genkey -alias tomcat -storepass changeit
16) keytool -import -alias TomcatCA -file demoCA/cacert.pem

I then import the CA's self signed certificate to the client's machine along with the p12 certificate

My Tomcat-users.xml file

Where am I going wrong? Even if the certificates are in the client's machine the certificates identity window always pops up

Regards & Thanks
Mahesh S Kudva

-Original Message-
From: Mark Thomas <[EMAIL PROTECTED]>
To: Tomcat Users List
Date: Tue, 03 May 2005 23:00:57 +0100
Subject: Re: Client Authentication

> The CN for your server cert can be anything you like but you will get a warning in your browser if the CN differs from how you express it in the URL.
>
> The user needs to look something like this
> password="null" roles="tomcat,certs"/>
> in tomcat-users. It must be the full DN of the user certificate.
>
> HTH,
>
> Mark
>
> Mahesh S Kudva wrote:
> > Hi
> >
> > It seems like a silly question. But I am new to SSL and Certificates as well as Tomcat.
> >
> > If my machine's IP is 192.168.0.1 then I access tomcat as https://192.168.0.1:8443. Keeping this in mind should I give the Common Name as 192.168.0.1 ???
> >
> > How do I specify the client info in the tomcat-users.xml?
> >
> > This is how my tomcat-users.xml file looks like.
> >
> > Regards & Thanks
> >
> > Mahesh S Kudva
> >
> > -Original Message-
> > From: "lercoli" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List"
> > Date: Tue, 3 May 2005 14:33:46 +0200
> > Subject: Re: Client Authentication
> >
> >>CA and Tomcat common name should be the same (localhost or better your DNS).
> >>First and Last Name of client should be the name of a Tomcat user declared in tomcat-users.xml.
> >>
> >>Luca Ercoli
> >>
> >>- Original Message -
> >>From: "Mahesh S Kudva" <[EMAIL PROTECTED]>
> >>To: "Tomcat Users List"
> >>Sent: Tuesday, May 03, 2005 1:41 PM
> >>Subject: Re: Client Authentication
> >>
> >>>Hi
> >>>
> >>>What kind of information do I need to put in the fields of First and Last name and Common name. Will any information do or is it required that I need to put in the server address in the client.p12 certificate..
> >>>
> >>>Regards & Thanks
> >>>====
> >>>Mahesh S Kudva
> >>>
> >>>-Original Message-
> >>>From: "Mahesh S Kudva" <[EMAIL PROTECTED]>
> >>>To: "Tomcat Users List"
> >>>Date: Mon, 02 May 2005 23:04:50 +0530
> >>>Subject: Re: Client Authentication
> >>>
> >>>>Hi
> >>>>
> >>>>I tried with client.p12 first, when I failed I went on with client_cert.x509. I placed it in the personal folder ...
> >>>>
> >>>>Regards & Thanks
> >>>>
> >>>>Mahesh S Kudva
> >>>>
> >>>>-Original Message-
> >>>>From: "lercoli" <[EMAIL PROTECTED]>
> >>>>To: "Tomcat Users List"
> >>
Re: Form Authentication with SSL behind Load Balancer
Thanks for the suggestions, Hari. I've provided some Ethereal packet capture files to Cisco, and they're evaluating the behavior from their side. I'll post anything useful that comes out of their investigation.

Thanks again!

Brian Burt
Enterprise Application Engineer
Gordon Food Service
e-mail: [EMAIL PROTECTED]
office phone: 616-717-6972

>>> Hari Mailvaganam <[EMAIL PROTECTED]> 2005-05-11 1:34 PM >>>
A couple of suggestions:

- force all traffic on load balancer to/from external world to SSL.
- after form authentication on Tomcat, redirect users to the URL used by the load balancer - i.e. not XXX:8080/authenticate but www.YYY.com/authenticate
- or both

Hope this helps.

regards,
Hari Mailvaganam

On 5/11/05, Brian Burt <[EMAIL PROTECTED]> wrote:
> I'm running into a problem using form-based authentication with Tomcat 5.5.9 behind a Cisco CSS load balancer, and I'm hoping someone can point me in the right direction.
>
> We've got Tomcat deployed on 2 nodes, not clustered, but load-balanced via NAT distribution by the Cisco device. We want the site traffic to be secured with SSL, but the SSL is actually terminated in the load balancer for efficiency and to offload the encryption/decryption burden from Tomcat.
>
> We also planned to use J2EE container-managed authentication using the form-based option. This is where we're having problems.
>
> When we reference secure content within the target web app with an HTTPS address, Tomcat serves back the configured Login page just fine. When we submit the Login form, however, and authentication succeeds, we are redirected to the original resource over HTTP instead of HTTPS.
>
> Since the SSL terminates in the load balancer, the Cisco device actually routes the request to Tomcat on the standard HTTP port (8080). It appears that, after successful authentication by the container via the Login form, Tomcat redirects the user to the original resource URL with the HTTP protocol instead of HTTPS, because Tomcat doesn't know about the HTTPS address intercepted by Cisco. To Tomcat, the requests all come in looking like plain old HTTP.
>
> Just for grins, I tried setting transport-guarantee = CONFIDENTIAL in my web.xml. It didn't work, just created a Catch-22 where Tomcat tries to redirect to HTTPS but Cisco intercedes and forwards the request to Tomcat as HTTP. I spoke with our Network engineers, and they don't believe they can do anything about this on the Cisco side. They believe it's a web server / Tomcat issue.
>
> Once I'm into the app, I can type the "s" after "http" in the browser's location bar to "switch back" to SSL. Clicking links with relative URLs in the pages appears to stick with the HTTPS protocol after that. It's only the initial container-managed login and redirection to the original requested resource that seems to cause the protocol switch.
>
> Any advice is greatly appreciated. Thanks!
>
> Brian Burt
> Enterprise Application Engineer
> Gordon Food Service
> e-mail: [EMAIL PROTECTED]
> office phone: 616-717-6972
Form Based Authentication
Having a problem being challenged on Linux. Form based using the tomcat-users.xml file works under Windows. However, when the same code is deployed to Linux the page is never challenged. I checked server.xml on both platforms as well as the specific webapp. Even built a Hello World example to eliminate other stuff. Any suggestions/ideas?

thanks
Dave
RE: Form Based Authentication
Never Mind - It was permissions on the tomcat-users.xml file. Duh!

-----Original Message-----
From: David B. Saul [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 12, 2005 7:37 PM
To: 'Tomcat Users List'
Subject: Form Based Authentication

Having a problem being challenged on Linux. Form based using the tomcat-users.xml file works under Windows. However, when the same code is deployed to Linux the page is never challenged. I checked server.xml on both platforms as well as the specific webapp. Even built a Hello World example to eliminate other stuff. Any suggestions/ideas?

thanks
Dave
Re: Form Authentication with SSL behind Load Balancer
A couple of suggestions:

- force all traffic on load balancer to/from external world to SSL.
- after form authentication on Tomcat, redirect users to the URL used by the load balancer - i.e. not XXX:8080/authenticate but www.YYY.com/authenticate
- or both

Hope this helps.

regards,
Hari Mailvaganam

On 5/11/05, Brian Burt <[EMAIL PROTECTED]> wrote:
> I'm running into a problem using form-based authentication with Tomcat 5.5.9 behind a Cisco CSS load balancer, and I'm hoping someone can point me in the right direction.
>
> We've got Tomcat deployed on 2 nodes, not clustered, but load-balanced via NAT distribution by the Cisco device. We want the site traffic to be secured with SSL, but the SSL is actually terminated in the load balancer for efficiency and to offload the encryption/decryption burden from Tomcat.
>
> We also planned to use J2EE container-managed authentication using the form-based option. This is where we're having problems.
>
> When we reference secure content within the target web app with an HTTPS address, Tomcat serves back the configured Login page just fine. When we submit the Login form, however, and authentication succeeds, we are redirected to the original resource over HTTP instead of HTTPS.
>
> Since the SSL terminates in the load balancer, the Cisco device actually routes the request to Tomcat on the standard HTTP port (8080). It appears that, after successful authentication by the container via the Login form, Tomcat redirects the user to the original resource URL with the HTTP protocol instead of HTTPS, because Tomcat doesn't know about the HTTPS address intercepted by Cisco. To Tomcat, the requests all come in looking like plain old HTTP.
>
> Just for grins, I tried setting transport-guarantee = CONFIDENTIAL in my web.xml. It didn't work, just created a Catch-22 where Tomcat tries to redirect to HTTPS but Cisco intercedes and forwards the request to Tomcat as HTTP. I spoke with our Network engineers, and they don't believe they can do anything about this on the Cisco side. They believe it's a web server / Tomcat issue.
>
> Once I'm into the app, I can type the "s" after "http" in the browser's location bar to "switch back" to SSL. Clicking links with relative URLs in the pages appears to stick with the HTTPS protocol after that. It's only the initial container-managed login and redirection to the original requested resource that seems to cause the protocol switch.
>
> Any advice is greatly appreciated. Thanks!
>
> Brian Burt
> Enterprise Application Engineer
> Gordon Food Service
> e-mail: [EMAIL PROTECTED]
> office phone: 616-717-6972
Form Authentication with SSL behind Load Balancer
I'm running into a problem using form-based authentication with Tomcat 5.5.9 behind a Cisco CSS load balancer, and I'm hoping someone can point me in the right direction.

We've got Tomcat deployed on 2 nodes, not clustered, but load-balanced via NAT distribution by the Cisco device. We want the site traffic to be secured with SSL, but the SSL is actually terminated in the load balancer for efficiency and to offload the encryption/decryption burden from Tomcat.

We also planned to use J2EE container-managed authentication using the form-based option. This is where we're having problems.

When we reference secure content within the target web app with an HTTPS address, Tomcat serves back the configured Login page just fine. When we submit the Login form, however, and authentication succeeds, we are redirected to the original resource over HTTP instead of HTTPS.

Since the SSL terminates in the load balancer, the Cisco device actually routes the request to Tomcat on the standard HTTP port (8080). It appears that, after successful authentication by the container via the Login form, Tomcat redirects the user to the original resource URL with the HTTP protocol instead of HTTPS, because Tomcat doesn't know about the HTTPS address intercepted by Cisco. To Tomcat, the requests all come in looking like plain old HTTP.

Just for grins, I tried setting transport-guarantee = CONFIDENTIAL in my web.xml. It didn't work, just created a Catch-22 where Tomcat tries to redirect to HTTPS but Cisco intercedes and forwards the request to Tomcat as HTTP. I spoke with our Network engineers, and they don't believe they can do anything about this on the Cisco side. They believe it's a web server / Tomcat issue.

Once I'm into the app, I can type the "s" after "http" in the browser's location bar to "switch back" to SSL. Clicking links with relative URLs in the pages appears to stick with the HTTPS protocol after that. It's only the initial container-managed login and redirection to the original requested resource that seems to cause the protocol switch.

Any advice is greatly appreciated. Thanks!

Brian Burt
Enterprise Application Engineer
Gordon Food Service
e-mail: [EMAIL PROTECTED]
office phone: 616-717-6972
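The protocol switch described in this message comes from Tomcat building the absolute Location header for the post-login redirect out of the scheme and port its connector reports, which behind a TLS-terminating balancer are plain http and 8080. As an added example that is not part of the thread, the server.xml fragment below shows the default connector beside one told that its traffic was already TLS-terminated upstream; the external port 443 and the assumption that the balancer only forwards HTTPS traffic to this connector are mine, not the poster's.

```xml
<!-- server.xml: the connector that receives SSL-terminated traffic from the balancer -->

<!-- Before: the stock connector. Tomcat sees plain HTTP on 8080, so
     request.isSecure() is false and request.getScheme() is "http".
     The form authenticator's redirect to the saved request is made
     absolute with that scheme and port, so the browser is sent to
     http://www.YYY.com:8080/... (the symptom in the thread). Adding
     transport-guarantee CONFIDENTIAL in web.xml then bounces every
     request to https://, which the balancer forwards as http again,
     hence the Catch-22. -->
<Connector port="8080" protocol="HTTP/1.1" />

<!-- After: declare that everything on this connector was TLS-terminated
     by the balancer. scheme/secure set what the request reports to the
     webapp and to the authenticator, so CONFIDENTIAL is satisfied without
     a redirect; proxyPort (assumed 443 here) is the port the client
     actually used, so the absolute redirect becomes https://www.YYY.com/...
     Set proxyName as well only if the balancer rewrites the Host header. -->
<Connector port="8080" protocol="HTTP/1.1"
           scheme="https"
           secure="true"
           proxyPort="443" />
```

This connector-level setting is only safe if the balancer never forwards plaintext HTTP to it (Hari's first suggestion); otherwise Tomcat would report a cleartext request as secure. If plain HTTP must still be served, give it its own connector on a separate port rather than sharing this one.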