RE: how to configue tomcat ldap 2008

2011-01-21 Thread Jill Han
Hi Jeff,
It is what our window administrator said,
***
I checked and LDAP was open on the server (port 389 UDP and TCP), but I turned 
the firewall completely off on the server for testing.  

The log file still generates the same message.
Any other things that need to be looked into?

Thanks,
Jill

-Original Message-
From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com] 
Sent: Thursday, January 20, 2011 5:06 PM
To: 'Tomcat Users List'
Subject: RE: how to configue tomcat ldap 2008
X-HOSTLOC: alverno.edu/10.0.60.9

Jill -
Check your Windows firewall settings on the 2008 server.
It's pretty locked down by default.
Name/address resolution seems to be fine, so next thing to do is look for comms 
blocking, e.g. the Windows firewall or any external firewall.
Jeff

 -Original Message-
 From: Jill Han [mailto:jill@alverno.edu]
 Sent: Thursday, January 20, 2011 3:09 PM
 To: Tomcat Users List; Tomcat Users List
 Subject: RE: how to configue tomcat ldap 2008
 
 Here is ping output.
 Pinging DCSRV1.emp.alverno.edu [10.0.60.30] with 32 bytes of data:
 
 Reply from 10.0.60.30: bytes=32 time<1ms TTL=127
 Reply from 10.0.60.30: bytes=32 time<1ms TTL=127
 Reply from 10.0.60.30: bytes=32 time<1ms TTL=127
 Reply from 10.0.60.30: bytes=32 time<1ms TTL=127
 
 Ping statistics for 10.0.60.30:
 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
 Approximate round trip times in milli-seconds:
 Minimum = 0ms, Maximum = 0ms, Average = 0ms
 
 
 Thanks,
 Jill
 -Original Message-
 From: André Warnier [mailto:a...@ice-sa.com]
 Sent: Thursday, January 20, 2011 1:32 PM
 To: Tomcat Users List
 Subject: Re: how to configue tomcat ldap 2008
 X-HOSTLOC: alverno.edu/10.0.60.9
 
 Jill Han wrote:
 ...
 
  Jan 19, 2011 3:29:26 PM org.apache.catalina.realm.JNDIRealm
  authenticate
  SEVERE: Exception performing authentication
  javax.naming.PartialResultException [Root exception is
  javax.naming.CommunicationException:
 DomainDnsZones.emp.alverno.edu:389
  [Root exception is java.net.UnknownHostException:
  DomainDnsZones.emp.alverno.edu]]
 
 To me, the key seems to be :
 UnknownHostException: DomainDnsZones.emp.alverno.edu
 
 The first thing to do, would be to check if that host really exists,
 AND its name/address
 conversion can be done from the server where you are running this.
 
 In other words :
 - login to the server running Tomcat, in a console window
 - enter :
 ping DomainDnsZones.emp.alverno.edu
 
 What do you see ?
 
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
 



RE: how to configue tomcat ldap 2008

2011-01-20 Thread Jill Han

Jill,

On 1/19/2011 4:56 PM, Jill Han wrote:
 Here is the snippet of server.xml 
 
 <Realm className="org.apache.catalina.realm.JNDIRealm"
   debug="99"

debug isn't a valid attribute on any supported version of Tomcat. What
version are you using?

   connectionName="usern...@some.college.edu"
   connectionPassword="userPass"
   connectionURL="ldap://some.college.edu:389"

So these credentials still work in the new installation?

   referrals="follow"
   userBase="dc=some,dc=college,dc=edu"
   userSearch="(sAMAccountName={0})"
   userRoleName="memberof"
   roleBase="dc=some,dc=college,dc=edu"
   roleName="cn"
   roleSearch="(uniqueMember={0})"
   userSubtree="true"
   roleSubtree="false"

Have you tested your query independently of Tomcat to see if it matches
anything?

 It is working on 2003 server. However when the server is upgraded to
 window 2008, it is not working anymore.
 
 Any suggestions?

What do the log files say?

- -chris



RE: how to configue tomcat ldap 2008

2011-01-20 Thread Jill Han
Still no luck after trying adCompat=true.

Thanks,
Jill

-Original Message-
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] 
Sent: Thursday, January 20, 2011 11:11 AM
To: Tomcat Users List
Subject: RE: how to configue tomcat ldap 2008
X-HOSTLOC: alverno.edu/10.0.60.9

On Thursday, 20.01.2011, 07:19 -0600, Jill Han wrote:
 Thanks for your reply.
 1. Apache Tomcat version is 5.5.15.
 2. Below is from the log file.
 Jan 19, 2011 3:29:26 PM org.apache.catalina.realm.JNDIRealm
authenticate
 SEVERE: Exception performing authentication
 javax.naming.PartialResultException [Root exception is
javax.naming.CommunicationException: DomainDnsZones.emp.alverno.edu:389
[Root exception is java.net.UnknownHostException:
DomainDnsZones.emp.alverno.edu]]
You could try adCompat='true' as shown on
http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html, or maybe
DomainDnsZones.emp.alverno.edu is really not a valid dns name in your
environment.

But since I don't have an ads server it is more or less a guess.

Felix

 However, usern...@emp.alverno.edu will be valid when the window server
is 2003. 
 3. I haven't tested the query independently of Tomcat. I don't know
how. If you have the instructions, it will be very helpful.
 
 Thanks again,
 
 Jill
 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
 Sent: Wednesday, January 19, 2011 4:45 PM
 To: Tomcat Users List
 Subject: Re: how to configue tomcat ldap 2008
 
 
 Jill,
 
 On 1/19/2011 4:56 PM, Jill Han wrote:
  Here is the snippet of server.xml 
  
  <Realm className="org.apache.catalina.realm.JNDIRealm"
    debug="99"
 
 debug isn't a valid attribute on any supported version of Tomcat. What
 version are you using?
 
    connectionName="usern...@some.college.edu"
    connectionPassword="userPass"
    connectionURL="ldap://some.college.edu:389"
 
 So these credentials still work in the new installation?
 
    referrals="follow"
    userBase="dc=some,dc=college,dc=edu"
    userSearch="(sAMAccountName={0})"
    userRoleName="memberof"
    roleBase="dc=some,dc=college,dc=edu"
    roleName="cn"
    roleSearch="(uniqueMember={0})"
    userSubtree="true"
    roleSubtree="false"
 
 Have you tested your query independently of Tomcat to see if it
matches
 anything?
 
  It is working on 2003 server. However when the server is upgraded to
  window 2008, it is not working anymore.
  
  Any suggestions?
 
 What do the log files say?
 
 - -chris



RE: how to configue tomcat ldap 2008

2011-01-20 Thread Jill Han
Here is ping output.
Pinging DCSRV1.emp.alverno.edu [10.0.60.30] with 32 bytes of data:

Reply from 10.0.60.30: bytes=32 time<1ms TTL=127
Reply from 10.0.60.30: bytes=32 time<1ms TTL=127
Reply from 10.0.60.30: bytes=32 time<1ms TTL=127
Reply from 10.0.60.30: bytes=32 time<1ms TTL=127

Ping statistics for 10.0.60.30:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms


Thanks,
Jill
-Original Message-
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: Thursday, January 20, 2011 1:32 PM
To: Tomcat Users List
Subject: Re: how to configue tomcat ldap 2008
X-HOSTLOC: alverno.edu/10.0.60.9

Jill Han wrote:
...

 Jan 19, 2011 3:29:26 PM org.apache.catalina.realm.JNDIRealm
 authenticate
 SEVERE: Exception performing authentication
 javax.naming.PartialResultException [Root exception is
 javax.naming.CommunicationException: DomainDnsZones.emp.alverno.edu:389
 [Root exception is java.net.UnknownHostException:
 DomainDnsZones.emp.alverno.edu]]

To me, the key seems to be :
UnknownHostException: DomainDnsZones.emp.alverno.edu

The first thing to do, would be to check if that host really exists, AND its 
name/address 
conversion can be done from the server where you are running this.

In other words :
- login to the server running Tomcat, in a console window
- enter :
ping DomainDnsZones.emp.alverno.edu

What do you see ?





how to configue tomcat ldap 2008

2011-01-19 Thread Jill Han
Hi, 

Here is the snippet of server.xml 

<Realm className="org.apache.catalina.realm.JNDIRealm"
  debug="99"
  connectionName="usern...@some.college.edu"
  connectionPassword="userPass"
  connectionURL="ldap://some.college.edu:389"
  referrals="follow"
  userBase="dc=some,dc=college,dc=edu"
  userSearch="(sAMAccountName={0})"
  userRoleName="memberof"
  roleBase="dc=some,dc=college,dc=edu"
  roleName="cn"
  roleSearch="(uniqueMember={0})"
  userSubtree="true"
  roleSubtree="false"
/>

It is working on 2003 server. However when the server is upgraded to
window 2008, it is not working anymore.

Any suggestions?

 

Thanks for your helps,

 

Jill

 



Active Directory authentication

2010-06-15 Thread Jill Han
  

Hi,

I tried to configure tomcat to authenticate against active directory.
Here is the relevant part in server.xml

 

<Realm className="org.apache.catalina.realm.JNDIRealm"
  debug="99"
  connectionName="ad...@tst.mycollege.edu"
  connectionPassword="adminpassword"
  connectionURL="ldap://tst.mycollege.edu:389"
  userBase="DC=tst,DC=mycollege,DC=edu"
  userSearch="(sAMAccountName={0})"
  userRoleName="memberof"
  roleBase="DC=tst,DC=mycollege,DC=edu"
  roleName="cn"
  roleSearch="(uniqueMember={0})"
  userSubtree="true"
  roleSubtree="false"
/>

In the web.xml

...

<security-constraint>
  .
  <auth-constraint>
    <role-name>OU=EMP,dc=tst,DC=mycollege,DC=edu</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>NEWS</realm-name>
</login-config>

<security-role>
  <role-name>OU=EMP,dc=tst,DC=mycollege,DC=edu</role-name>
</security-role>

...

The login window will prompt when you access the site, however no
login/password will be accepted, in the log file,

 

Jun 15, 2010 7:14:53 AM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=tst,DC=mycollege,DC=edu'
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2763)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
        at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:129)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:198)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)
        at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1067)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:958)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:907)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:808)
        at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:684)
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:876)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:595)

I don't know what could go wrong, AD setup on active directory site, or
the properties in the server.xml. 

Thanks for your help as always,

 

Jill
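
Added example (not part of the original posts and not Tomcat code): the two JNDIRealm log excerpts on this page, the 2010 "Unprocessed Continuation Reference(s)" and the 2011 UnknownHostException for DomainDnsZones, are both referral failures, and this Python script tells them apart from the Realm attributes and the log text. The finding codes and function names are made up for the example, and it assumes the directory returns search references when a subtree search starts at the domain root.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed inputs: Realm attributes and log text taken from the posts above
# (markup restored, bind credentials left out because the check ignores them).
REALM_2010 = """<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://tst.mycollege.edu:389"
    userBase="DC=tst,DC=mycollege,DC=edu"
    userSearch="(sAMAccountName={0})" userSubtree="true" />"""
LOG_2010 = """SEVERE: Exception performing authentication
javax.naming.PartialResultException: Unprocessed Continuation
Reference(s); remaining name 'DC=tst,DC=mycollege,DC=edu'"""

REALM_2011 = """<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://some.college.edu:389" referrals="follow"
    userBase="dc=some,dc=college,dc=edu"
    userSearch="(sAMAccountName={0})" userSubtree="true" />"""
LOG_2011 = """SEVERE: Exception performing authentication
javax.naming.PartialResultException [Root exception is
javax.naming.CommunicationException: DomainDnsZones.emp.alverno.edu:389
[Root exception is java.net.UnknownHostException:
DomainDnsZones.emp.alverno.edu]]"""

# Finding codes are hypothetical names chosen for this example.
EXPLAIN = {
    "REFERRAL_NOT_FOLLOWED":
        "the server returned a search reference and the Realm does not follow it",
    "REFERRAL_HOST_UNRESOLVABLE":
        "referrals=follow sent JNDI to a referral host that DNS cannot resolve "
        "from the Tomcat machine",
    "SERVER_HOST_UNRESOLVABLE":
        "the host in connectionURL itself does not resolve",
    "SEARCH_FROM_DOMAIN_ROOT":
        "the subtree search starts at the domain root, where the directory can "
        "return references to other partitions (assumption stated above)",
}


def base_is_domain_root(dn):
    """True when every RDN of the search base is a dc= component."""
    rdns = [r.strip().lower() for r in dn.split(",") if r.strip()]
    return bool(rdns) and all(r.startswith("dc=") for r in rdns)


def diagnose(realm_xml, log_text):
    """Return a list of (code, detail) findings for one Realm and its log excerpt."""
    realm = ET.fromstring(realm_xml).attrib
    log = " ".join(log_text.split())  # undo the line wrapping added by mail clients
    configured = (urlparse(realm.get("connectionURL", "")).hostname or "").lower()
    follow = realm.get("referrals", "").lower() == "follow"
    findings = []

    # Mode 1: a continuation reference came back and nobody chased it.
    m = re.search(
        r"Unprocessed Continuation Reference\(s\); remaining name '([^']*)'", log)
    if m and not follow:
        findings.append(("REFERRAL_NOT_FOLLOWED", m.group(1)))

    # Mode 2: a host lookup failed; decide whether it was the configured server
    # or a host that can only have come from a followed referral.
    m = re.search(r"UnknownHostException: ([A-Za-z0-9.-]+)", log)
    if m:
        host = m.group(1).lower()
        if follow and host != configured:
            findings.append(("REFERRAL_HOST_UNRESOLVABLE", host))
        else:
            findings.append(("SERVER_HOST_UNRESOLVABLE", host))

    # Context for either mode: which search base produced the references.
    subtree = realm.get("userSubtree", "false").lower() == "true"
    if findings and subtree and base_is_domain_root(realm.get("userBase", "")):
        findings.append(("SEARCH_FROM_DOMAIN_ROOT", realm["userBase"]))
    return findings


if __name__ == "__main__":
    cases = (("2010", REALM_2010, LOG_2010), ("2011", REALM_2011, LOG_2011))
    for label, realm, log in cases:
        for code, detail in diagnose(realm, log):
            print(f"{label}: {code} [{detail}] {EXPLAIN[code]}")
```
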



RE: search engine

2009-11-16 Thread Jill Han
There are .html, .php, .jsp, .pdf pages on the apache server.

Thanks,

Jill
-Original Message-
From: Neil Aggarwal [mailto:n...@jammconsulting.com] 
Sent: Monday, November 16, 2009 9:15 AM
To: 'Tomcat Users List'
Subject: RE: search engine
X-HOSTLOC: alverno.edu/10.0.60.10

Jill:

 Is there any search engine you would recommend that could 
 search public, and non public( page needs login) pages?

If your pages are HTML, you can use something like 
HtDig:
http://www.htdig.org/

If your pages are part of a web app, I have done
this in the past:
1. Write some code to pull the text content from
each page and store them in a MySQL table
with a full text index.
2. When your users perform a search, you run
a full text search query and return
the result.

I hope this helps,
  Neil

--
Neil Aggarwal, (281)846-8957, http://UnmeteredVPS.net
Host your tomcat app on a CentOS VPS for only $25/month!
Unmetered bandwidth, 7 day no risk trial, Google Checkout





RE: customize HTTP Status 401 error page

2009-04-24 Thread Jill Han
The display-name is Faculty Resources.
If I supply this name to the url, http://localhost:8080/Faculty Resources, it 
will generate 404 error.


-Original Message-
From: Martin Gainty [mailto:mgai...@hotmail.com] 
Sent: Thursday, April 23, 2009 4:08 PM
To: Tomcat Users List
Subject: RE: customize HTTP Status 401 error page
X-HOSTLOC: alverno.edu/10.0.60.10


the url-pattern is usually the contextPath such as
http://host:port + ContextPath is compared to the url-pattern 

http://edocs.bea.com/wls/docs61/webapp/web_xml.html

what is the webapplication name?
what happens when you supply the webapplication name to url-pattern 
and restart TC?

Martin 






 Subject: RE: customize HTTP Status 401 error page
 Date: Thu, 23 Apr 2009 15:19:39 -0500
 From: jill@alverno.edu
 To: users@tomcat.apache.org
 
 Here is web.xml
 <web-app>
   <display-name>Faculty Resources</display-name>
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>FACRES</web-resource-name>
       <url-pattern>*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>CN=FacultyStaff,OU=Groups,OU=EMP,DC=AC</role-name>
     </auth-constraint>
   </security-constraint>
   <login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>TESTING</realm-name>
   </login-config>
   <error-page>
     <error-code>401</error-code>
     <location>/error.html</location>
   </error-page>
 
   <security-role>
     <role-name>CN=FacultyStaff,OU=Groups,OU=EMP,DC=AC</role-name>
   </security-role>
 
   <session-config>
     <session-timeout>2</session-timeout>
   </session-config>
 </web-app>
 
 Yes, if it is run on Window, no credential window was prompted, but instead, 
 the error.html
 However, if it is run on Linux, credential window was prompted, but, if 
 unsuccessful, or clicking Cancel, 401 error message still show up. 
 error-page was ignored.
 
 Jill
 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
 Sent: Thursday, April 23, 2009 2:55 PM
 To: Tomcat Users List
 Subject: Re: customize HTTP Status 401 error page
 
 
 Jill,
 
 On 4/23/2009 1:20 PM, Jill Han wrote:
  I still need helps.
  Here is the web.xml
  ...
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>TESTING</realm-name>
  </login-config>
  
  <error-page>
    <error-code>401</error-code>
    <location>/error.html</location>
  </error-page>
  ...
  The error.html is replaced the 401 error message, however there will be no 
  authentication window prompted, error.html is somehow loaded all the time.
 
 What do your security-constraint elements look like?
 
 Are you saying you are getting a 401 response but never being asked for
 your credentials?
 
 - -chris

RE: customize HTTP Status 401 error page

2009-04-24 Thread Jill Han
At this point, I just explored the options between basic and form-based 
authentication.
No real webapp is build yet. The displayed name is just directory name, app1, 
under webapps.

As I stated before, if it is run on window, http://localhost:8080/app1, there 
will be no authentication window prompted, instead error.html; even after I 
restarted the TC, and put http://localhost:8080/app1 in the address bar.
If it is run on Linux, http://serverName:8080/app1, authentication window is 
prompted, but error.html will not replace 401 message when authentication 
failed.
If I choose to use form-based authentication, there will be other issues as I 
stated in the previous email about form-based authentication.
Right now, I am not quite sure which route.

Jill


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Friday, April 24, 2009 9:23 AM
To: Tomcat Users List
Subject: Re: customize HTTP Status 401 error page


Jill,

On 4/24/2009 9:04 AM, Jill Han wrote:
 The display-name is Faculty Resources. If I supply this name to the
 url, http://localhost:8080/Faculty Resources, it will generate 404
 error.

I think you may be very confused about a lot of things. The
display-name element basically just names the webapp so that if you
are using a tool to browse webapps (like LambdaProbe or others) that's
the name that gets displayed.

It has nothing to do with deployment, and certainly won't respond to a
request in any meaningful way.

Do you have a resource defined for Faculty Resources? I suspect not.

What is the name of your webapp? That's either the name of the WAR file
or the name of the context XML file (without the .xml extension) you put
into conf/[engine]/[host]/myContextName.xml.

- -chris



customize HTTP Status 401 error page

2009-04-23 Thread Jill Han
If using Basic authentication, the unsuccessful login, or just click Cancel 
button will trigger the 401 page.
My question is 
1. is there a way to customize cancel action? So there will be no error 
message prompted.
2. Is there a way to customize tomcat HTTP Status 401 error message to a more 
user meaningful one?

Thanks,
Jill


RE: customize HTTP Status 401 error page

2009-04-23 Thread Jill Han
Would you give some instructions on doing that?
I tried to put <error-page>/error.html</error-page> in application own web.xml
And tomcat conf/web.xml, they won't work. The HTTP Status 401 error page is 
still used.

Thanks,
Jill

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Thursday, April 23, 2009 10:18 AM
To: Tomcat Users List
Subject: Re: customize HTTP Status 401 error page


Jill,

You've hijacked your own thread. :(

On 4/23/2009 11:09 AM, Jill Han wrote:
 If using Basic authentication, the unsuccessful login, or just click
 Cancel button will trigger the 401 page.

 My question is 
 1. is there a way to customize cancel action? So there will be no error 
 message prompted.

No.

 2. Is there a way to customize tomcat HTTP Status 401 error message
 to a more user meaningful one?

Yes. See the section of web.xml that has error-page entries.

- -chris



RE: customize HTTP Status 401 error page

2009-04-23 Thread Jill Han
The correct tag should be   
<error-page>
  <error-code>401</error-code>
  <location>/error401.jsp</location>
</error-page>

Thanks,

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Thursday, April 23, 2009 10:18 AM
To: Tomcat Users List
Subject: Re: customize HTTP Status 401 error page


Jill,

You've hijacked your own thread. :(

On 4/23/2009 11:09 AM, Jill Han wrote:
 If using Basic authentication, the unsuccessful login, or just click
 Cancel button will trigger the 401 page.

 My question is 
 1. is there a way to customize cancel action? So there will be no error 
 message prompted.

No.

 2. Is there a way to customize tomcat HTTP Status 401 error message
 to a more user meaningful one?

Yes. See the section of web.xml that has error-page entries.

- -chris



RE: customize HTTP Status 401 error page

2009-04-23 Thread Jill Han
I still need helps.
Here is the web.xml
...
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>TESTING</realm-name>
</login-config>

<error-page>
  <error-code>401</error-code>
  <location>/error.html</location>
</error-page>
...
The error.html is replaced the 401 error message, however there will be no 
authentication window prompted, error.html is somehow loaded all the time.

Thanks,
Jill
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Thursday, April 23, 2009 10:18 AM
To: Tomcat Users List
Subject: Re: customize HTTP Status 401 error page


Jill,

You've hijacked your own thread. :(

On 4/23/2009 11:09 AM, Jill Han wrote:
 If using Basic authentication, the unsuccessful login, or just click
 Cancel button will trigger the 401 page.

 My question is 
 1. is there a way to customize cancel action? So there will be no error 
 message prompted.

No.

 2. Is there a way to customize tomcat HTTP Status 401 error message
 to a more user meaningful one?

Yes. See the section of web.xml that has error-page entries.

- -chris



RE: customize HTTP Status 401 error page

2009-04-23 Thread Jill Han
Here is web.xml
<web-app>
  <display-name>Faculty Resources</display-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>FACRES</web-resource-name>
      <url-pattern>*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>CN=FacultyStaff,OU=Groups,OU=EMP,DC=AC</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>TESTING</realm-name>
  </login-config>
  <error-page>
    <error-code>401</error-code>
    <location>/error.html</location>
  </error-page>

  <security-role>
    <role-name>CN=FacultyStaff,OU=Groups,OU=EMP,DC=AC</role-name>
  </security-role>

  <session-config>
    <session-timeout>2</session-timeout>
  </session-config>
</web-app>

Yes, if it is run on Window, no credential window was prompted, but instead, 
the error.html
However, if it is run on Linux, credential window was prompted, but, if 
unsuccessful, or clicking Cancel, 401 error message still show up. 
error-page was ignored.

Jill
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Thursday, April 23, 2009 2:55 PM
To: Tomcat Users List
Subject: Re: customize HTTP Status 401 error page


Jill,

On 4/23/2009 1:20 PM, Jill Han wrote:
 I still need helps.
 Here is the web.xml
 ...
 <login-config>
   <auth-method>BASIC</auth-method>
   <realm-name>TESTING</realm-name>
 </login-config>
 
 <error-page>
   <error-code>401</error-code>
   <location>/error.html</location>
 </error-page>
 ...
 The error.html is replaced the 401 error message, however there will be no 
 authentication window prompted, error.html is somehow loaded all the time.

What do your security-constraint elements look like?

Are you saying you are getting a 401 response but never being asked for
your credentials?

- -chris



form based authentication

2009-04-22 Thread Jill Han
I tried to use form based authentication with JNDIRealm.  What I want to
accomplish is to have the two applications with the same realm be
authenticated once. It seems the tomcat ignored the realm. I have to
login twice. For example: when I login to http://localhost:8080/app1
successfully, then change the url to http://localhost:8080/app2, the
login page will be prompted again. I hope I describe my issue clearly.

Here is the snippet of web.xml for the app1 and app2

..

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>FACRES</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>CN=FacultyStaff,OU=Groups,OU=EMP,DC=AC</role-name>
  </security-role>

..

 

Here is the login.jsp

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Login Page</title>
  </head>
  <body>
    <form method="POST" action="j_security_check">
      <input type="text" name="j_username">
      <br>
      <input type="password" name="j_password">
      <br>
      <input type="submit">
    </form>
  </body>
</html>

 

Your help will be appreciated very much as always.

 

Jill



RE: form based authentication

2009-04-22 Thread Jill Han
Thanks,
I commented off SingleSignOn as instructed on the link. 
<Host name="localhost" ...>
  ...
  <Valve className="org.apache.catalina.authenticator.SingleSignOn"
         debug="0"/>
  ...
</Host>

However, this makes authentication activated only once although the 
applications have different realms.
For example,
App1 and app2 have the same realm in web.xml, I just need to login once which 
is what I want to see.
however app3 has different realm in web.xml. when I change the url from app1 to 
app3, 
it didn't trigger the login page and allowed me in.
is there anything else missing?

Jill
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Wednesday, April 22, 2009 11:11 AM
To: Tomcat Users List
Subject: Re: form based authentication


Jill,

On 4/22/2009 10:46 AM, Jill Han wrote:
 I tried to use form based authentication with JNDIRealm.  What I want to
 accomplish is to have the two applications with the same realm be
 authenticated once. It seems the tomcat ignored the realm. I have to
 login twice.

You're looking for SSI (Single Sign-On):

http://tomcat.apache.org/tomcat-6.0-doc/config/host.html#Single%20Sign%20On

- -chris



RE: form based authentication

2009-04-22 Thread Jill Han
There is single Host in server.xml
<Engine name="Catalina" defaultHost="localhost">
  ...
  <Realm className="org.apache.catalina.realm.JNDIRealm"
    debug="99"
    connectionName=""
    connectionPassword=""
    connectionURL="ldap://url:389"
    alternateURL="ldap://url:389"
    userBase="DC=AC"
    userSearch="(sAMAccountName={0})"
    userRoleName="memberof"
    roleBase="DC=AC"
    roleName="cn"
    roleSearch="(uniqueMember={0})"
    userSubtree="true"
    roleSubtree="false"
  />
  ...
  <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="true"
        xmlValidation="false" xmlNamespaceAware="false">

    <Valve className="org.apache.catalina.authenticator.SingleSignOn"
           debug="0"/>

  </Host>
</Engine>
What I want is for all the applications to have the same realm config in 
server.xml. When it comes to the different applications, the authentication 
will be performed based on each application's very own web.xml.
If the applications have the same realm-name in web.xml, those 
applications just need to be authenticated once.
If the applications have different realm-names in web.xml, those 
applications need to be authenticated separately.

Those tasks can be achieved if basic authentication as 

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>TEST</realm-name>
</login-config>

is used.

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Wednesday, April 22, 2009 12:12 PM
To: Tomcat Users List
Subject: RE: form based authentication

> From: Jill Han [mailto:jill@alverno.edu]
> Subject: RE: form based authentication
>
> However, this makes authentication activated only once although the
> applications have different realms.

To quote from the SSO doc:

All web applications configured for this virtual host must share the same 
Realm.

http://tomcat.apache.org/tomcat-6.0-doc/config/host.html#Single%20Sign%20On

Can you separate the various Realms by Host?  Or are you stuck with a 
single Host?

 - Chuck


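The per-Host separation raised in the reply above, sketched as an added server.xml example that is not from the thread or from the Tomcat project. The host names, appBase directories and the second userBase are assumptions; the LDAP URL and search values are the placeholders from the posted config.

```xml
<!-- Added example. Each Host carries its own Realm and its own SingleSignOn
     valve, so a login on one host is never reused on the other. -->
<Engine name="Catalina" defaultHost="apps.example.test">

  <!-- Host 1 (assumed name): app1 and app2 are deployed under this appBase.
       They share this Realm, so the SSO valve lets one login cover both. -->
  <Host name="apps.example.test" appBase="webapps-shared"
        unpackWARs="true" autoDeploy="true">
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://url:389"
           userBase="DC=AC"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           userRoleName="memberOf"/>
    <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
  </Host>

  <!-- Host 2 (assumed name): app3 is deployed here. The SSO cookie issued by
       Host 1 is host-scoped and is not sent to this host name, and this Host
       has no session in Host 1's SSO cache, so app3 prompts for its own
       login. The userBase below is a constructed placeholder. -->
  <Host name="restricted.example.test" appBase="webapps-restricted"
        unpackWARs="true" autoDeploy="true">
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://url:389"
           userBase="OU=Restricted,DC=AC"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           userRoleName="memberOf"/>
    <!-- No SingleSignOn valve: only one application lives on this host. -->
  </Host>

</Engine>
```

Both host names must resolve to the Tomcat server for this layout to work; the Realm nested in each Host overrides any Realm declared at the Engine level.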



RE: form based authentication

2009-04-22 Thread Jill Han
Some corrections on the previous email.
I should say:
When SingleSignOn is commented out, those tasks can be achieved if basic 
authentication as 

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>TEST</realm-name>
</login-config>

is used.
