BASIC authentication in Tomcat+IIS (second useful information)
Hello!

I have another useful piece of information about this problem...

The version of Tomcat I have is 4.0.4b3: is it possible that this beta release contains some bug that doesn't let Tomcat correctly support BASIC authentication (when it is used as Servlet Container and not in standalone mode)?

Anyway, in this case I don't understand why in the test environment the basic authentication of Tomcat works well; in fact the problem is present only in the production environment using Server 1!

If someone has an idea or suggestion to solve this problem, please let me know (I have been spending many work-days trying to solve it without success)!

Thanks.

Luca

-Original message-
From: Luca Ventura [mailto:ventluca;tiscali.it]
Sent: Thursday, 31 October 2002 10.43
To: tomcat-user
Subject: BASIC authentication in Tomcat+IIS (one useful information)

Hello!

I have another useful piece of information about the problem described below, which I posted some days ago without receiving any solution for it :(((

If I use Tomcat 4.x as Web Server (standalone mode), instead of IIS, the BASIC Authentication works well also on Server 1! This means there must be some strange setting in IIS or in Windows 2000 Advanced Server that forces Tomcat's ISAPI filter (that is to say, when Tomcat is used only as Servlet Container) not to ask the user for login and password but to get their values directly from the system.

I hope someone can help me.

Best regards,

Luca

-Original message-
From: Luca Ventura [mailto:ventluca;tiscali.it]
Sent: Tuesday, 29 October 2002 12.12
To: tomcat-user
Subject: BASIC authentication in Tomcat+IIS

Hello everybody!

I have the following GREAT problem with basic authentication in Tomcat.

I have two servers configured as follows:

Server 1:
  Operating system: Windows 2000 Advanced Server
  Web Server: IIS 5.0
  Servlet Container: Tomcat 4.x

Server 2:
  Windows XP Professional
  Web Server: IIS 5.0
  Servlet Container: Tomcat 4.x

Server 2 is not connected to the Internet but it is used to test web applications before passing them to the production environment deployed on Server 1. In fact Server 1 is connected to the Internet and contains all the final versions of the Web Applications. So I connect to Server 1 using a real domain name (for example: www.mydomain.com) while I connect to Server 2 using localhost.

On both servers I use Tomcat 4.x as Servlet Container and Microsoft IIS 5 as Web Server. I installed the ISAPI filter to redirect to Tomcat all the requests for Servlet/JSP pages or for web sites based on such Java technologies.

I have tried to protect some Servlet/JSP pages using the basic authentication of Tomcat. So I configured the following Tomcat files in this way:

server.xml:

    ...
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
               port="8009" minProcessors="5" maxProcessors="75"
               acceptCount="10" debug="0"/>

    <Realm className="org.apache.catalina.realm.MemoryRealm" />
    ...

tomcat-users.xml:

    <tomcat-users>
      <user name="admin" password="tomcat" roles="adminrole" />
    </tomcat-users>

web.xml:

    <security-constraint>
      <display-name>Autenticazione Tomcat</display-name>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/MyServlet</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>adminrole</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- Default login configuration uses form-based authentication -->
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Autenticazione Tomcat</realm-name>
    </login-config>

Server.xml and tomcat-users.xml are present in the /conf folder of Tomcat, while web.xml is in the WEB-INF folder of the web application that contains the resource (in this case the servlet MyServlet) that I want to protect.

All works fine on Server 2 (localhost): in fact when I connect to the protected resource (servlet MyServlet) Tomcat asks me in a window for the login and the password to access the resource.

The problem appears after moving my application to Server 2 (production environment), because when I try to connect to the protected servlet I receive from Tomcat the following error page:

    Apache Tomcat/4.0.4-b3 - HTTPS Status 403 - Access to the requested resource has been denied

    type: Status report
    message: Access to the requested resource has been denied
    description: Access to the specified resource (Access to the requested resource has been denied) has been forbidden.

The strange thing is that Tomcat, before showing the error page, doesn't ask me for the login and the password to access the resource (as in the first case). It seems that IIS passes automatically an internal login and password to Tomcat to
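
Added example (not part of the original message and not Tomcat or IIS code): a small Python classifier for the response a protected URL gives to a request sent without an Authorization header, separating the BASIC challenge the post expects from the 403-without-prompt it reports. The sample responses are constructed, the verdict names are hypothetical, and only the realm name is taken from the web.xml quoted above.

```python
import re

# realm-name from the web.xml quoted in the post
TOMCAT_REALM = "Autenticazione Tomcat"

def parse_challenges(header_values):
    """Return [(scheme, realm_or_None)] from WWW-Authenticate header values."""
    out = []
    for value in header_values:
        m = re.match(r'\s*([A-Za-z]+)(.*)', value)
        if not m:
            continue
        realm = re.search(r'realm="([^"]*)"', m.group(2), re.I)
        out.append((m.group(1).lower(), realm.group(1) if realm else None))
    return out

def diagnose(status, www_authenticate=(), sent_credentials=False):
    """Classify the response to a request for the protected URL."""
    challenges = parse_challenges(www_authenticate)
    if status == 401:
        if ("basic", TOMCAT_REALM) in challenges:
            return "tomcat-basic-challenge"   # what the post reports on the test server
        if challenges:
            return "front-end-challenge"      # another layer is asking for credentials
        return "malformed-401"                # a 401 should carry WWW-Authenticate
    if status == 403 and not sent_credentials:
        # Access was refused before any BASIC challenge was issued.
        return "denied-without-challenge"
    if status == 403:
        return "authenticated-but-missing-role"
    if 200 <= status < 300 and not sent_credentials:
        return "not-protected"
    return "ok" if 200 <= status < 300 else "other"

# Constructed sample responses (not captured from the poster's servers).
SAMPLES = {
    "test server": (401, ['Basic realm="Autenticazione Tomcat"']),
    "front end integrated auth": (401, ["Negotiate", "NTLM"]),
    "production symptom": (403, []),
}

def run_samples():
    return {name: diagnose(s, h) for name, (s, h) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:28} -> {verdict}")
```

Under the servlet security model an unauthenticated request to a constrained URL is answered with a challenge, so a "denied-without-challenge" verdict means the access decision was made without the browser ever being asked, which is the behaviour the message describes on the production server.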