Log message - APR Error -70014
Hello, For Tomcat 8.0.24 and JRE 1.8.0_60. I have seen this stack trace in catalina.out and I have not found anything using Google search to discover the cause. The error is intermittent and only shows up after pretty significant load:

17-Sep-2015 13:04:54.941 INFO [http-apr-8443-exec-3082] org.apache.coyote.AbstractProcessor.setErrorState An error occurred in processing while on a non-container thread. The connection will be closed immediately
java.io.IOException: APR error: -70014
  at org.apache.coyote.http11.InternalAprOutputBuffer.writeToSocket(InternalAprOutputBuffer.java:291)
  at org.apache.coyote.http11.InternalAprOutputBuffer.writeToSocket(InternalAprOutputBuffer.java:244)
  at org.apache.coyote.http11.InternalAprOutputBuffer.flushBuffer(InternalAprOutputBuffer.java:213)
  at org.apache.coyote.http11.AbstractOutputBuffer.flush(AbstractOutputBuffer.java:305)
  at org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11Processor.java:765)
  at org.apache.coyote.Response.action(Response.java:179)
  at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:349)
  at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:317)
  at org.apache.catalina.connector.CoyoteWriter.flush(CoyoteWriter.java:94)
  at MyServlet.doGet(MyServlet.java:55)

The code at this line is:

response.getWriter().flush();

What does this error mean? Thanks!

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Tomcat thread locking question
Hello again, Sorry for another question, I'm fighting issues on multiple fronts. For Tomcat 8.0.24 and JRE 1.8.0_60. I need a little insight on what is happening inside Tomcat so I can hopefully understand how I am occasionally getting thread deadlocks.

This is thread #1; the code is trying to close an AsyncContext but it is waiting on a Tomcat thread.

Name: http-apr-8443-exec-27576
State: BLOCKED on org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper@d0ec341 owned by: http-apr-8443-exec-24603
Total blocked: 1 Total waited: 73
Stack trace:
org.apache.tomcat.util.net.AprEndpoint.processSocket(AprEndpoint.java:964)
org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11Processor.java:850)
org.apache.coyote.Request.action(Request.java:378)
org.apache.catalina.core.AsyncContextImpl.complete(AsyncContextImpl.java:86)
MyServlet._completeAsync(MyServlet.java:478)

This is thread #2; it came in through doGet, and is locked waiting for thread #1 to finish.

MyServlet.doGet(MyServlet.java:251)
javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658)
org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2503)
org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2492)
- locked org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper@d0ec341
java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Unknown Source)

My question is, what is AprEndpoint$AprSocketWrapper really locking here? Thanks (Again)!
RE: IIS-Tomcat Integration
A side question: why are you doing this IIS + Tomcat integration? Thx dB.

dB. @ dblock.org Moscow|Geneva|Seattle|New York

-Original Message-
From: sbpdvlpr [mailto:shubh...@yahoo.com]
Sent: Wednesday, November 03, 2010 9:39 AM
To: users@tomcat.apache.org
Subject: IIS-Tomcat Integration

We are trying to integrate IIS and Tomcat. We get the Service temporarily unavailable or Bad Gateway message.

isapi_redirect.properties
extension_uri=/tomcat/isapi_redirect.dll
log_file=C:\apps\Tomcat 6.0\logs\jk_iis.log
log_level=trace
worker_file=C:\apps\Tomcat 6.0\conf\workers.properties
worker_mount_file=C:\apps\Tomcat 6.0\conf\uriworkermap.properties

workers.properties
worker.list=testWorker
worker.testWorker.type=ajp13
worker.testWorker.host=localhost
worker.testWorker.port=8009
worker.testWorker.ping_mode=A
worker.testWorker.socket_timeout=60
worker.testWorker.prepost_timeout=1
worker.testWorker.socket_connect_timeout=1
worker.testWorker.connection_pool_size=200
worker.testWorker.connection_pool_timeout=300
worker.testWorker.retries=20
worker.testWorker.socket_keepalive=1
worker.testWorker.socket_timeout=10
worker.testWorker.cachesize=10
worker.testWorker.cache_timeout=600

Error:
2): (testWorker) cping/cpong after connecting to the backend server failed (errno=60)
[Tue Nov 02 15:59:57.941 2010] [2000:2584] [trace] jk_ajp_common.c (996): exit
[Tue Nov 02 15:59:57.941 2010] [2000:2584] [error] jk_ajp_common.c (1585): (testWorker) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=60)
[Tue Nov 02 15:59:57.941 2010] [2000:2584] [trace] jk_ajp_common.c (1589): exit
[Tue Nov 02 15:59:57.941 2010] [2000:2584] [info] jk_ajp_common.c (2540): (testWorker) sending request to tomcat failed (recoverable), because of error during request sending (attempt=17)
[Tue Nov 02 15:59:57.941 2010] [2000:2584] [trace] jk_ajp_common.c (801): enter

Any help would be greatly appreciated. I can do a screen share if that will help resolve the issue.

Thanks!
-- View this message in context: http://old.nabble.com/IIS-Tomcat-Integration-tp30122863p30122863.html Sent from the Tomcat - User mailing list archive at Nabble.com.
Tomcat 5.5: how doesone configure an authenticator valve?
I am trying to help someone with a Tomcat 5.5 implementation of waffle (waffle.codeplex.com). It has an authenticator valve that works well with tc6. I declare a valve inside the web app:

Context.xml
<?xml version='1.0' encoding='utf-8'?>
<Context>
  <Valve className="waffle.apache.NegotiateAuthenticator" principalFormat="fqn" roleFormat="both" />
  <Realm className="waffle.apache.WindowsRealm" />
</Context>

Web.xml
<security-constraint>
  <display-name>Waffle Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Everyone</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>Everyone</role-name>
</security-role>

I didn't modify anything in Tomcat's conf, but placed the JARs in the right place(s). The Valve starts, but any request to the protected area doesn't invoke it. I get a 401 Access Denied, but no headers added by the valve. Any suggestions? Is this supposed to work with tc5.5 at all? Thx dB.

dB. @ dblock.org http://www.dblock.org/ Moscow|Geneva|Seattle|New York
RE: Tomcat 5.5: how doesone configure an authenticator valve?
Thanks for your help. I should have done this (logging) in the first place, sorry. The filter is invoked properly. The new problem is that the headers aren't added (or sent to the client). The code looks like this:

response.addHeader("WWW-Authenticate", "Negotiate");
response.addHeader("WWW-Authenticate", "NTLM");
response.setHeader("Connection", "close");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
response.flushBuffer();

This is executed for sure (put a logging statement in front of it) but has no effect; the response looks like a boilerplate 401. Where did my WWW-Authenticate headers and Connection: close go? (Maybe it helps: it does work in 6.x.) Thx dB.

PS: you're looking at some intermediate waffle check-in; the namespace was renamed at some point, it's waffle.apache.

dB. @ dblock.org Moscow|Geneva|Seattle|New York

-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: Tuesday, November 02, 2010 8:39 AM
To: Tomcat Users List
Subject: Re: Tomcat 5.5: how doesone configure an authenticator valve?

2010/11/2 dB. dbl...@dblock.org:
I am trying to help someone with a Tomcat 5.5 implementation of waffle (waffle.codeplex.com). It has an authenticator valve that works well with tc6. I declare a valve inside the web app:

Context.xml
<?xml version='1.0' encoding='utf-8'?>
<Context>
  <Valve className="waffle.apache.NegotiateAuthenticator" principalFormat="fqn" roleFormat="both" />
  <Realm className="waffle.apache.WindowsRealm" />
</Context>

Note that META-INF/context.xml (case matters!) is copied to $CATALINA_BASE\conf\Catalina\localhost\yourapp.xml when the web application starts for the first time. You can have a stale copy there.

I would suggest you enable more detailed logging. Something like adding the following line to conf/logging.properties:

waffle.apache.NegotiateAuthenticator.level=FINE

BTW, the waffle docs say waffle.apache.NegotiateAuthenticator, but in the source code it is waffle.tomcat.NegotiateAuthenticator, i.e. a different package: http://waffle.codeplex.com/SourceControl/changeset/view/52761#1097376

Are there any interesting messages in the log files already?

Best regards, Konstantin Kolinko
RE: Tomcat 5.5: how doesone configure an authenticator valve?
After some more code-reading I found the problem. Looking at the implementation of response.sendError in TC5, it's clear that it dumps whatever headers you added prior to the call. Changing this to setStatus fixed the problem. I assume this means that Tomcat doesn't get a chance to render its custom 401 page, but I might be speculating. I'd appreciate it if someone shed some light on which way the code below should be implemented (setStatus/sendError/something else?) in various versions of Tomcat. Thx dB.

dB. @ dblock.org Moscow|Geneva|Seattle|New York

-Original Message-
From: dB. [mailto:dbl...@dblock.org]
Sent: Tuesday, November 02, 2010 4:55 PM
To: Tomcat Users List
Subject: RE: Tomcat 5.5: how doesone configure an authenticator valve?

Thanks for your help. I should have done this (logging) in the first place, sorry. The filter is invoked properly. The new problem is that the headers aren't added (or sent to the client). The code looks like this:

response.addHeader("WWW-Authenticate", "Negotiate");
response.addHeader("WWW-Authenticate", "NTLM");
response.setHeader("Connection", "close");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
response.flushBuffer();

This is executed for sure (put a logging statement in front of it) but has no effect; the response looks like a boilerplate 401. Where did my WWW-Authenticate headers and Connection: close go? (Maybe it helps: it does work in 6.x.) Thx dB.

PS: you're looking at some intermediate waffle check-in; the namespace was renamed at some point, it's waffle.apache.

dB. @ dblock.org Moscow|Geneva|Seattle|New York
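The sendError-versus-setStatus difference dB. ran into is worth pinning down in code. The Servlet specification defines sendError() as clearing the response buffer and committing the response, and, as dB. found by reading the Tomcat 5.5 source, that implementation also discards headers set before the call; issuing the challenge with setStatus() leaves them in place. The valve below is an added example, not Waffle's code or anything posted in the thread: it writes the Negotiate/NTLM challenge the way dB. ended up doing it and refuses to challenge on an already-committed response, which is the other way a WWW-Authenticate header silently vanishes. The class name, the Authorization-prefix check and the omitted token validation are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Hypothetical challenge-only valve (added example, not Waffle's authenticator).
 * It demonstrates the setStatus()-based 401 that keeps WWW-Authenticate intact.
 */
public class ChallengeValve extends ValveBase {

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        String authz = request.getHeader("Authorization");
        boolean hasToken = authz != null
                && (authz.startsWith("Negotiate ") || authz.startsWith("NTLM "));
        if (!hasToken) {
            sendChallenge(response);
            return;                        // stop the pipeline; the client must retry with a token
        }
        // Validating the token against the OS / KDC would happen here (omitted).
        getNext().invoke(request, response);
    }

    /** Emits the 401 challenge without going through sendError(). */
    static void sendChallenge(HttpServletResponse response) throws IOException {
        if (response.isCommitted()) {
            // Once the status line is on the wire no header can be added; fail loudly
            // rather than let the request continue as if it had been challenged.
            throw new IllegalStateException("response already committed; cannot send 401 challenge");
        }
        response.reset();                  // drop anything an earlier valve buffered
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.addHeader("WWW-Authenticate", "Negotiate");
        response.addHeader("WWW-Authenticate", "NTLM");
        response.setHeader("Connection", "close");
        response.setContentType("text/plain");
        response.setContentLength(0);
        response.flushBuffer();            // commit: status and both headers go out together
    }
}
```

The isCommitted() check is the part worth keeping whichever Tomcat version is in use: a response that has already been committed (for example because a previous filter flushed it) will accept neither sendError() nor new headers, and an authenticator that does not notice will log a challenge it never actually sent.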
Tomcat 7 LifecycleBase.init
I have some unit test code that mocks a lot of Tomcat classes so that I can test a Tomcat Valve (code in http://waffle.codeplex.com). Switching to Tomcat 7 is giving me some grief. I used to be able to do this:

SimpleContext ctx = new SimpleContext(); // my class
Realm realm = new SimpleRealm();         // an empty realm
ctx.setRealm(realm);
_somevalve.setContainer(ctx);            // valve container
_somevalve.start();

Now I am getting this:

java.lang.NullPointerException
  at org.apache.catalina.mbeans.MBeanUtils.getContainerKeyProperties(MBeanUtils.java:1698)
  at org.apache.catalina.valves.ValveBase.getObjectNameKeyProperties(ValveBase.java:281)
  at org.apache.catalina.util.LifecycleMBeanBase.initInternal(LifecycleMBeanBase.java:61)
  at org.apache.catalina.valves.ValveBase.initInternal(ValveBase.java:223)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:100)
  at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:131)
  at waffle.apache.NegotiateAuthenticatorTests.setUp(NegotiateAuthenticatorTests.java:44)
  at junit.framework.TestCase.runBare(TestCase.java:128)
  at junit.framework.TestResult$1.protect(TestResult.java:106)
  at junit.framework.TestResult.runProtected(TestResult.java:124)
  at junit.framework.TestResult.run(TestResult.java:109)
  at junit.framework.TestCase.run(TestCase.java:120)
  at org.eclipse.jdt.internal.junit.runner.junit3.JUnit3TestReference.run(JUnit3TestReference.java:130)
  at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
  at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
  at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
  at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
  at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)

The problem is in MBeanUtils, which assumes that a valid container object is passed into it (from ValveBase.getObjectNameKeyProperties). I tried to walk this code and I don't understand how I am supposed to set up the container (and possibly its parent(s)) to not get this exception. What am I missing?

Any help is appreciated, Thx dB.

dB. @ dblock.org http://www.dblock.org/ Moscow|Geneva|Seattle|New York
RE: Tomcat 7 LifecycleBase.init
Sorry for the noise. Once I got the right source code, it was pretty easy to track under a debugger. I needed to implement Context.getName(), getPath, an Engine and a Pipeline.

_authenticator = new NegotiateAuthenticator();
SimpleContext ctx = new SimpleContext();
Realm realm = new SimpleRealm();
ctx.setRealm(realm);
SimpleEngine engine = new SimpleEngine();
ctx.setParent(engine);
SimplePipeline pipeline = new SimplePipeline();
engine.setPipeline(pipeline);
ctx.setPipeline(pipeline);
_authenticator.setContainer(ctx);
_authenticator.start();

It would be nice if Tomcat's code was a bit more defensive in terms of nulls.

dB. @ dblock.org Moscow|Geneva|Seattle|New York
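An alternative to hand-written SimpleContext/SimpleEngine/SimplePipeline mocks is to let Tomcat 7 build the real container chain. org.apache.catalina.startup.Tomcat, the embedded API that ships with Tomcat 7, creates the Engine, Host and Context that MBeanUtils.getContainerKeyProperties walks when ValveBase registers its MBean, so a valve added to the context's pipeline starts without the NullPointerException above and runs under the same lifecycle it will have in production. The harness below is an added example, not Waffle's test code: RecordingValve is a hypothetical stand-in for the authenticator, and the scratch directory and test credential are constructed for the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleState;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.startup.Tomcat;
import org.apache.catalina.valves.ValveBase;

/** Added example: start a valve inside a real Tomcat 7 container chain instead of mocks. */
public class ValveLifecycleHarness {

    /** Hypothetical valve standing in for the authenticator under test. */
    public static class RecordingValve extends ValveBase {
        public volatile boolean started;
        public volatile int invocations;

        @Override
        protected synchronized void startInternal() throws LifecycleException {
            super.startInternal();   // ValveBase moves the state to STARTING
            started = true;
        }

        @Override
        public void invoke(Request request, Response response) throws IOException, ServletException {
            invocations++;
            getNext().invoke(request, response);
        }
    }

    public static void main(String[] args) throws Exception {
        Tomcat tomcat = new Tomcat();
        tomcat.setPort(0);                                   // ephemeral port; no fixed listener needed
        String scratch = System.getProperty("java.io.tmpdir"); // constructed scratch location
        tomcat.setBaseDir(scratch);

        // addContext wires Engine -> Host -> Context, which is exactly what
        // MBeanUtils.getContainerKeyProperties expects to find above the valve.
        Context ctx = tomcat.addContext("", scratch);

        // Users and roles go into the Engine's built-in realm, so no Realm mock is required.
        tomcat.addUser("alice", "s3cret");                   // constructed test credential
        tomcat.addRole("alice", "Everyone");

        RecordingValve valve = new RecordingValve();
        ctx.getPipeline().addValve(valve);                   // addValve sets the valve's container

        tomcat.start();
        try {
            if (valve.getState() != LifecycleState.STARTED || !valve.started) {
                throw new AssertionError("valve did not start: " + valve.getState());
            }
            System.out.println("valve started in context '" + ctx.getPath()
                    + "' under host " + tomcat.getHost().getName());
        } finally {
            tomcat.stop();
            tomcat.destroy();
        }
    }
}
```

Because the container is real, a test can go one step further than the mock-based setUp and send an actual request through the pipeline, which exercises the valve's header handling rather than only its start() path.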
RE: Starting/Stopping Tomcat from Java program
Since the question is how to do this from Java, don't go shelling out net start/stop on Windows :) Use JNA (http://jna.dev.java.net); someone just recently committed complete support for Windows services. Stopping a service looks like this:

W32ServiceManager serviceManager = new W32ServiceManager();
W32Service service = serviceManager.openService("tomcat", Winsvc.SERVICE_ALL_ACCESS);
service.stopService();
service.close();

-dB.

dB. @ dblock.org Moscow|Geneva|Seattle|New York

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Monday, October 11, 2010 9:34 AM
To: Tomcat Users List
Subject: Re: Starting/Stopping Tomcat from Java program

Hi. I do not really understand the issue here. If you are under Windows, with Tomcat running as a Service, then you can just run the commands net start tomcat6 / net stop tomcat6 to start/stop tomcat. If you are under Linux, then you can just issue the command /etc/init.d/tomcat6 (start|stop). Under most Unixes, the procedure is similar. So where is the problem ?

Rob Gregory wrote:
I call the scripts via code to both stop and start Tomcat. There is a problem with even calling these scripts via Unix unless you change (cd) into the bin directory before running startup.sh, as the log paths are generated relative to the startup.sh location.

String strCatalinaBin = System.getenv("CATALINA_HOME") + "\\bin\\";
File objDir = new File(strCatalinaBin);
Runtime r = Runtime.getRuntime();
Process p = r.exec(new String[] { "cmd.exe", "/C", "start", strCatalinaBin + "catalina.bat", "start" }, null, objDir);
p.waitFor();
p.destroy();

Hope this helps. Rob

-Original Message-
From: Karthik Nanjangude [mailto:karthik.nanjang...@xius-bcgi.com]
Sent: 11 October 2010 13:26
To: Tomcat Users List
Subject: RE: Starting/Stopping Tomcat from Java program

Hi Probably you may need to use the Embedded version of TOMCAT to do this activity...

With regards karthik

-Original Message-
From: kshitij chandrasen [mailto:kshtjchnd...@gmail.com]
Sent: Monday, October 11, 2010 2:49 PM
To: users@tomcat.apache.org
Subject: Starting/Stopping Tomcat from Java program

Hi, I've to write methods on calling which I'd be able to start and stop the Tomcat app server. I tried this - I'm using Tomcat 6.0.26.

String[] command = new String[4];
command[0] = "cmd";
command[1] = "/C";
command[2] = "startup.bat";
command[3] = "C:\\";
String x[] = { "PATH=C:\\Program Files\\Apache Software Foundation\\Apache Tomcat 6.0.26\\bin",
               "CATALINA_HOME=C:\\Program Files\\Apache Software Foundation\\Apache Tomcat 6.0.26",
               "JAVA_HOME=C:\\Program Files\\Java\\jdk1.6.0_21",
               "JRE_HOME=C:\\Program Files\\Java\\jre6" };
Process p = Runtime.getRuntime().exec(command, x);

This gives me a strange Windows error saying - The system cannot find the file -Djava.util.logging.config.file=C:\Program Files\Apache Software Foundation\Apache Tomcat 6.0.26\conf\logging.properties, while it actually exists. If instead of setting the path I give the absolute path of startup.bat in command[3], it works fine -

Process p = Runtime.getRuntime().exec("cmd /C start C:\\broadway\\bat\\startup.bat"); // I copied the startup.bat to a folder and ran it from there, it worked fine.

Please give me pointers to the right direction!

-- Kshitij Chandrasen Engineer, Software Engineering, Cisco Systems, CBSBU Engineering.
RE: Kerberos authentication
Jump :) Waffle is windows-only and it seems like this is a Solaris implementation. I have some good news though. Someone just uploaded a big patch for a windows authentication provider that uses JCIFs (which does Kerberos and more), which works on top of Samba on *nix. dB. @ dblock.org Moscow|Geneva|Seattle|New York -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Monday, October 11, 2010 3:27 AM To: Tomcat Users List Subject: Re: Kerberos authentication On 11/10/2010 07:45, Igor Galić wrote: Hello Happy people, I'm cross-posting this to tomcat and archiva. In our company we have a well established Active Directory infrastructure, I'm running an Apache Archiva 1.3.1 installation in Tomcat 6, on Solaris 10. The OS has been Kerberos enabled and I would very much like to make use of this for Tomcat/Archiva in order to provide secure authenticated access to it. We need to provide secure and scalable authentication. Thus, everything else has been ruled out: * No authentication -- not good, because we need some form of auditing on who uploaded/deployed what (i.e.: who broke it) * SSH/SCP doesn't scale from an administration point of view (i.e.: we'd have to do something. That could be done wrong, forgotten about or any number of things when people have to do mundane tasks) * Basic authentication -- not so good from an admin's point of view, because clear-text passwords are stored in a Developer's settings.xml. Not so good from a developer's point of view, because s/he has to change their password in settings.xml every month or so. (sic) Given the lack of (official) documentation: http://www.google.com/search?hl=ensitesearch=tomcat.apache.orgq=kerb eros+OR+krbaq=faqi=aql=oq=gs_rfai= http://wiki.apache.org/tomcat/FrontPage?action=fullsearchcontext=180; value=kerberos+krbfullsearch=Text http://www.google.at/search?client=operarls=enq=site:archiva.apache. 
org+kerberos+OR+krbsourceid=operaie=utf-8oe=utf-8 http://www.google.com/search?hl=endomains=cwiki.apache.org%2FARCHIVA; sitesearch=cwiki.apache.org%2FARCHIVAq=kerberos+OR+krbsitesearch=cwi ki.apache.org%2FARCHIVAaq=faqi=aql=oq=gs_rfai= I was wondering if that's even remotely in scope of either Project. It seems fairly simple to integrate Tomcat into a Kerberos Infrastructure (although I haven't had the time to do this so far); the question that remains unanswered to me is how to make Archiva profit from such integration. I appreciate any kind of feedback from people who similarly are stuck between a rock and a hard place, and even more so from those who have a sensible solution :) So long, i

Try http://waffle.codeplex.com/. The author lurks hereabouts and will jump in shortly, no doubt. p
RE: How to authenticate user against ldap grouper / role
I don't think you can with JNDIRealm. If you're on Windows, you might want to try http://waffle.codeplex.com and then use regular security constraints for groups.

dB. @ dblock.org Moscow|Geneva|Seattle|New York

-Original Message-
From: Manish Kashikar -X (mkashika - Zensar at Cisco) [mailto:mkash...@cisco.com]
Sent: Thursday, September 30, 2010 4:38 PM
To: users@tomcat.apache.org
Subject: How to authenticate user against ldap grouper / role

Hi Team, We are able to do Tomcat + LDAP configuration for authentication. But our requirement is to allow only the set of users who are part of an LDAP grouper/role. How to do this setup?

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" connectionURL="ldap URL" contextFactory="com.sun.jndi.ldap.LdapCtxFactory" userPattern="uid={0},ou=active,ou=employees,ou=people,o=cisco.com" />

Thanks Manish K
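JNDIRealm can in fact restrict access to an LDAP group on its own: its roleBase, roleSearch and roleName attributes (plus roleSubtree for a recursive search) map group entries to Tomcat roles, and a security constraint then names the role, so only members of that group get past it. The configuration below is an added example, not from the thread. The group base DN, the bind account, the group membership attribute (member here; for an Active Directory layout that stores memberOf on the user entry, userRoleName="memberOf" replaces the role search) and the role name deployers are assumptions; the debug attribute from the posted Realm is dropped because Tomcat 5.5 and later ignore it. In roleSearch, {0} is the authenticated user's DN and {1} the bare user name. The web.xml constraint deliberately has no <http-method> elements: listing methods, as the Waffle web.xml earlier on this page does, limits the constraint to those methods and leaves every other method (HEAD, OPTIONS, and anything else) unprotected.

```xml
<!-- META-INF/context.xml of the web application (added example; names are assumptions) -->
<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://ldap.example.com:389"
         connectionName="cn=tomcat-reader,ou=service,o=cisco.com"
         connectionPassword="CHANGE-ME"
         userPattern="uid={0},ou=active,ou=employees,ou=people,o=cisco.com"
         roleBase="ou=groups,o=cisco.com"
         roleSubtree="true"
         roleSearch="(member={0})"
         roleName="cn" />
</Context>

<!-- WEB-INF/web.xml: only members of the 'deployers' group reach the application -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Deployers only</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- no <http-method> here: the constraint applies to every HTTP method -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>deployers</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>deployers</role-name>
</security-role>
```

The bind account in connectionName only needs read access to the group subtree; with userPattern the user's own credentials are checked by binding as the user, so the service account never sees passwords. Verify the mapping by logging in as a user outside the group and confirming a 403, not just that group members get in.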
RE: Need Help configuring IIS 6.0/SSL/Tomcat 6.0.18
If the only reason you're using IIS is authentication, take a look at Waffle: http://waffle.codeplex.com. dB. @ dblock.orghttp://www.dblock.org/ Moscow|Geneva|Seattle|New York From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 [mailto:jason.t.hansel@navy.mil] Sent: Monday, August 02, 2010 3:08 PM To: users@tomcat.apache.org Subject: Need Help configuring IIS 6.0/SSL/Tomcat 6.0.18 Hi, I am a Tomcat newbie and am seeking some help with configuring tomcat (6.0.18) to use SSL. We are running Windows 2003 (64 Bit) and IIS 6.0. Our webserver is secure (SSL) and requires Single Sign On when accessing from outside network using a PKI. I am trying to deploy a web application that must be accessed over 443 ONLY. I've read about creating a .keystore etc., but am not sure if I need to do this since we already have our Webserver configured. Any help would be greatly appreciated. Thanks, Jason.
RE: isapi_redirect.dll fail in SSO on high cpu load
I am going to guess that some policy in Windows rejects the high volume of logons, too many connections or something of that kind. It's most likely not a Tomcat problem. Andre's suggestions are pretty good in terms of isolating it. I would start by stressing IIS alone with a static page in it. Since you're running on Windows, you might as well get rid of IIS and replace it with a Waffle filter - http://waffle.codeplex.com.

dB. @ dblock.org Moscow|Geneva|Seattle|New York

-Original Message-
From: Yun Feng Chua [mailto:yf_c...@hotmail.com]
Sent: Wednesday, July 21, 2010 3:07 AM
To: users@tomcat.apache.org
Subject: isapi_redirect.dll fail in SSO on high cpu load

Hi, Currently using Tomcat 5.5 and isapi_redirect.dll 1.2.14 in IIS 6.0, configured with IIS integrated authentication for SSO. Notice that under high CPU load in the server, 100% util, the website prompts for authentication. When the CPU load subsides, the SSO is working. Any ideas why it prompts for authentication under heavy CPU load? thank you yun feng, chua
RE: connector configuration values - need help to review
Just curious, what are you using this setup for besides authentication? Thx dB.

dB. @ dblock.org Moscow|Geneva|Seattle|New York

-Original Message-
From: Rumpa Giri [mailto:rg...@healthfusion.com]
Sent: Monday, June 28, 2010 5:24 PM
To: users@tomcat.apache.org
Subject: connector configuration values - need help to review

We are currently using Tomcat 5.5.25 on Windows XP 64bit and 32bit machines, JDK 1.5, IIS 6. Trying to upgrade to the latest connector; after changing according to the documentation I am able to browse our application behind IIS. Locally the application is behaving fine with the following configuration. So far I have modified the files as follows - for a production environment do the values look appropriate? Is there any attribute/property missing which is crucial for a production-ready environment? Thank you for reviewing.

Worker.properties
ps=\
# ps=/
worker.list=loadbalancer
worker.template.type=ajp13
worker.template.lbfactor=1
worker.template.socket_keepalive=True
worker.template.socket_timeout=300
worker.template.connection_pool_timeout=600
worker.template.connection_pool_size=200
worker.template.connect_timeout=6
worker.server1.port=8009
worker.server1.host=192.168.100.119
worker.server1.reference=worker.template
worker.server2.port=8009
worker.server2.host=192.168.100.120
worker.server2.reference=worker.template
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=server1,server2
worker.loadbalancer.method=B

--- uriworkermap.properties ---
/myjsps/*=loadbalancer

- Server.xml AJP connector tag -
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" maxThreads="450" connectionTimeout="60" />

To the default I have just added two more attributes - [maxThreads=450 connectionTimeout=60] - what other attributes are essential for a production environment?

Regards, Rumpa Giri
RE: Cleartrust RSA integration
This all sounds very unnecessarily complicated. Maybe you want to look at authentication at the Tomcat level alone? Writing an authenticator is rather simple (and there're plenty of examples) provided that ClearTrust has an API, which I am sure it does.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Ron McNulty [mailto:rmcnu...@clear.net.nz]
Sent: Tuesday, June 22, 2010 2:45 AM
To: Tomcat Users List
Subject: Re: Cleartrust RSA integration

Hi Martin

could you briefly explain the need for 2 apache webservers?

I wish I could :) We currently have our secure web apps fronted by an IBM product, which seems to be a munged version of Apache. This has the Cleartrust plugin in place and working fine. In the DMZ we have various web servers, and the system architects are insisting that these servers do an independent Cleartrust authentication. As we want to put a Tomcat machine or three in this zone, it would need to be fronted by Apache to achieve independent Cleartrust authentication. This sounds like overkill to me...

Regards

Ron

----- Original Message -----
From: Martin Gainty mgai...@hotmail.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Monday, June 21, 2010 11:45 PM
Subject: RE: Cleartrust RSA integration

could you briefly explain the need for 2 apache webservers?

thanks,
Martin

Disclaimer and confidentiality note: This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorised forwarding or copying is prohibited. This message serves only the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for their content. This message is confidential and may be privileged. If you are not the intended recipient, we kindly ask you to inform the sender. Any unauthorised distribution or copying of it is prohibited. This message is for information only and has no legally binding effect. Since e-mails can easily be subject to manipulation, we cannot accept any responsibility for the content provided.

Date: Mon, 21 Jun 2010 20:22:44 +1200
From: rmcnu...@clear.net.nz
Subject: Re: Cleartrust RSA integration
To: users@tomcat.apache.org

Hi Andre

Thanks for the reply. I had a long discussion with our architecture group today. Basically they want Cleartrust authentication at the web gateway (in place now) and again at the web server. The gateway (an Apache instance) and the Tomcat server would not be on the same physical box - they would be in separate security zones. An option is to use yet another Apache instance fronting Tomcat. I'm not sure what sort of performance hit this would be (i.e. Apache - Apache - Tomcat) - do you have any insight?

Regards

Ron

----- Original Message -----
From: André Warnier a...@ice-sa.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Sunday, June 20, 2010 9:37 PM
Subject: Re: Cleartrust RSA integration

Ron McNulty wrote:

Hi All

We are thinking of bringing some of our apps off proprietary J2EE servers to Tomcat. We would be deploying on Tomcat 6 (latest), JVM 1.6 and Linux on a VM (not sure of versions). One of the requirements is to authenticate using RSA Cleartrust. From my reading, Tomcat does not support this. The recommended solution is to front Tomcat with Apache, and let Apache do the Cleartrust integration. The links I have found are a bit ancient - are my assumptions still correct? Also, our system architects seem to think this setup is insufficiently secure - comments?

Assuming the Apache Cleartrust authentication is secure..

If Apache authenticates a request, and if the Apache/Tomcat connector is mod_jk, then the authenticated user-id is propagated from Apache to Tomcat (*). (Additional info could be propagated via additional HTTP headers, or request attributes.) If the link between Apache and Tomcat is secure (like for example both run on the same machine and the connection is purely internal), then there is no reason why this would be less secure.

(*) whether Tomcat actually uses it, is determined by the tomcatAuthentication attribute of the AJP Connector.
RE: Tomcat - ADS connection reset - communication exception
It could be that your Active Directory is forcibly closing this connection by some kind of server-side policy. If your goal is authentication and you operate only on Windows, you may want to look at http://waffle.codeplex.com. It does BASIC auth as well as Negotiate using Windows API, so you don't have to deal with configuring LDAP at all and get correct results (supports domain trusts, nested groups, etc.).

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Manish Kumar [mailto:man...@oakdeneindia.com]
Sent: Monday, June 21, 2010 10:52 AM
To: 'Tomcat Users List'
Subject: Tomcat - ADS connection reset - communication exception

Hi Friends,

I'm using tomcat 5.5.28 and ADS on Windows 2003 Server and connecting through the realm configuration mentioned in the server.xml. Things are fine but the problem arises when the server has been idle for a couple of mins (normally 10 to 15 mins). When I looked in the log, I found that the connection is closed and an exception is thrown:

    javax.naming.CommunicationException: connection closed [Root exception is java.io.IOException: connection closed]; remaining name 'cn=steve,ou=people,dc=processmasterlive,dc=com'
        at com.sun.jndi.ldap.LdapCtx.doSearch(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.doSearchOnce(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.c_getAttributes(Unknown Source)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(Unknown Source)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(Unknown Source)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(Unknown Source)
        at javax.naming.directory.InitialDirContext.getAttributes(Unknown Source)
        at org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:1009)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:973)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:899)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:810)
        at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
        at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:835)
        at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:640)
        at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1286)
        at java.lang.Thread.run(Unknown Source)
    Caused by: java.io.IOException: connection closed
        at com.sun.jndi.ldap.LdapClient.ensureOpen(Unknown Source)
        at com.sun.jndi.ldap.LdapClient.search(Unknown Source)
        ... 21 more

I tried to find a lot on the web but no luck. Could anybody help me out?

Thanking you in advance.

Regards
Manish
how can i configure Tomcat's log4j to log in a separate file for each webapp?
This question is all over the internet, without a satisfactory answer.

We have a Tomcat deployment in which we install many web apps. We call this thing a services host. It has a log4j configuration that forwards logs into a file. I'd like to change the file pattern to include the name of the webapp, so that we can get one file per web application.

* Is anyone doing that?
* Is there a way without writing a custom appender?
* If I write a custom appender, how can I fetch the name of the webapp?

Thx
dB.

dB. @ dblock.org http://www.dblock.org/
Moscow|Geneva|Seattle|New York
RE: how can i configure Tomcat's log4j to log in a separate file for each webapp?
That's exactly what I am trying to avoid :) I have a lot of web apps and developers that stand on their head for logging. My customers end up finding logs all over the place and enforcing it by convention is getting harder and harder. I'd like to configure logging for them rather than leave logging to their discretion. So I want the centralized log4j configuration that can insert the web app name into the file name that belongs to the tomcat installation.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Erik Bertelsen [mailto:bertelsen.e...@gmail.com]
Sent: Friday, June 18, 2010 8:37 AM
To: Tomcat Users List
Subject: Re: how can i configure Tomcat's log4j to log in a separate file for each webapp?

2010/6/18 dB. dbl...@dblock.org:

This question is all over the internet, without a satisfactory answer. We have a Tomcat deployment in which we install many web apps. We call this thing a services host. It has a log4j configuration that forwards logs into a file. I'd like to change the file pattern to include the name of the webapp, so that we can get one file per web application.

* Is anyone doing that?

I do this all the time. For applications using commons-logging, I place commons-logging.jar and log4j.jar in the webapp's WEB-INF/lib directory and log4j.properties in WEB-INF/classes. The same works if slf4j-api and slf4j-log4j12 is used instead of or in addition to commons-logging.

I never add jar files used by individual webapps to tomcat's lib or any other directory shared by several webapps.

kind regards
- Erik
RE: how can i configure Tomcat's log4j to log in a separate file for each webapp?
And can I do this for an application I don't know anything about? I mean all I really want is

    log4j.appender.R.File=${catalina.base}/logs/${APPLICATION.NAME}.log

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Gurkan Erdogdu [mailto:gurkanerdo...@yahoo.com]
Sent: Friday, June 18, 2010 1:49 PM
To: Tomcat Users List
Subject: Re: how can i configure Tomcat's log4j to log in a separate file for each webapp?

Hello dB;

These are the step by step actions to configure your log4j logging in one place, in Tomcat lib/log4j.properties.

Actions
-------
1- Remove logging.properties from conf/logging.properties
2- Remove tomcat-juli.jar from bin/tomcat-juli.jar
3- Get tomcat-juli.jar and tomcat-juli-adapters.jar from http://godel.cs.bilgi.edu.tr/apache/tomcat/tomcat-6/v6.0.26/bin/extras/ or any other place
4- Put tomcat-juli.jar in the bin folder
5- Put tomcat-juli-adapters.jar in the lib folder
6- Download log4j.jar and put it in the lib folder
7- Create a log4j.properties and put it into the lib folder.

Example Configuration:

    log4j.rootLogger=INFO, R
    log4j.appender.R=org.apache.log4j.RollingFileAppender
    log4j.appender.R.File=${catalina.base}/logs/tomcat.log
    log4j.appender.R.MaxFileSize=10MB
    log4j.appender.R.MaxBackupIndex=10
    log4j.appender.R.layout=org.apache.log4j.PatternLayout
    log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n

    # Manager application
    log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager]=DEBUG, B
    log4j.appender.B=org.apache.log4j.RollingFileAppender
    # Its own log file
    log4j.appender.B.File=${catalina.base}/logs/gurkan.log
    log4j.appender.B.MaxFileSize=10MB
    log4j.appender.B.MaxBackupIndex=10
    log4j.appender.B.layout=org.apache.log4j.PatternLayout
    log4j.appender.B.layout.ConversionPattern=%p %t %c - %m%n

    # Example application
    log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/examples]=DEBUG, C
    log4j.appender.C=org.apache.log4j.RollingFileAppender
    # Its own log file
    log4j.appender.C.File=${catalina.base}/logs/example.log
    log4j.appender.C.MaxFileSize=10MB
    log4j.appender.C.MaxBackupIndex=10
    log4j.appender.C.layout=org.apache.log4j.PatternLayout
    log4j.appender.C.layout.ConversionPattern=%p %t %c - %m%n

This will create a root logger (INFO) that logs messages to tomcat.log. Each web application can override ROOT like I did for the manager and examples web applications.

I hope it helps :)))

--Gurkan

From: dB. dbl...@dblock.org
To: Tomcat Users List users@tomcat.apache.org
Sent: Fri, June 18, 2010 3:49:03 PM
Subject: RE: how can i configure Tomcat's log4j to log in a separate file for each webapp?

That's exactly what I am trying to avoid :) I have a lot of web apps and developers that stand on their head for logging. My customers end up finding logs all over the place and enforcing it by convention is getting harder and harder. I'd like to configure logging for them rather than leave logging to their discretion. So I want the centralized log4j configuration that can insert the web app name into the file name that belongs to the tomcat installation.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Erik Bertelsen [mailto:bertelsen.e...@gmail.com]
Sent: Friday, June 18, 2010 8:37 AM
To: Tomcat Users List
Subject: Re: how can i configure Tomcat's log4j to log in a separate file for each webapp?

2010/6/18 dB. dbl...@dblock.org:

This question is all over the internet, without a satisfactory answer. We have a Tomcat deployment in which we install many web apps. We call this thing a services host. It has a log4j configuration that forwards logs into a file. I'd like to change the file pattern to include the name of the webapp, so that we can get one file per web application.

* Is anyone doing that?

I do this all the time. For applications using commons-logging, I place commons-logging.jar and log4j.jar in the webapp's WEB-INF/lib directory and log4j.properties in WEB-INF/classes. The same works if slf4j-api and slf4j-log4j12 is used instead of or in addition to commons-logging.

I never add jar files used by individual webapps to tomcat's lib or any other directory shared by several webapps.

kind regards
- Erik
RE: Active Directory authentication
I don't know why it doesn't work, but I think this idea is really bad when it comes to Windows Active Directory, even if you made it work.

* This won't work for trusted domains.
* This won't work for nested domain groups.
* This won't work for local groups.
* You're hard-coding a domain user password.
* You're asking the user to enter his domain credentials, which forces you to run under SSL (instead of doing single-sign-on).

If you are on Windows, you might want to try http://waffle.codeplex.com instead, it's a drop-in solution that just works.

dB. @ dblock.org http://www.dblock.org/
Moscow|Geneva|Seattle|New York

From: Jill Han [mailto:jill@alverno.edu]
Sent: Tuesday, June 15, 2010 9:26 AM
To: users@tomcat.apache.org
Subject: Active Directory authentication

Hi,

I tried to configure tomcat to authenticate against active directory. Here is the relevant part in server.xml

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionName="ad...@tst.mycollege.edu"
           connectionPassword="adminpassword"
           connectionURL="ldap://tst.mycollege.edu:389"
           userBase="DC=tst,DC=mycollege,DC=edu"
           userSearch="(sAMAccountName={0})"
           userRoleName="memberof"
           roleBase="DC=tst,DC=mycollege,DC=edu"
           roleName="cn"
           roleSearch="(uniqueMember={0})"
           userSubtree="true"
           roleSubtree="false" />

In the web.xml

    ...
    <security-constraint>
      ...
      <auth-constraint>
        <role-name>OU=EMP,dc=tst,DC=mycollege,DC=edu</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>NEWS</realm-name>
    </login-config>
    <security-role>
      <role-name>OU=EMP,dc=tst,DC=mycollege,DC=edu</role-name>
    </security-role>
    ...

The login window will prompt when you access the site, however no login/password will be accepted. In the log file:

    Jun 15, 2010 7:14:53 AM org.apache.catalina.realm.JNDIRealm authenticate
    SEVERE: Exception performing authentication
    javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=tst,DC=mycollege,DC=edu'
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2763)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
        at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:129)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:198)
        at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)
        at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1067)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:958)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:907)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:808)
        at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:684)
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:876)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:595)

I don't know what could go wrong, the AD setup on the active directory side, or the properties in the server.xml.

Thanks for your help as always,

Jill
RE: Question on IE zones with Mod_jk
I think your conclusion may be a little too quick. You should post the complete HTTP trace from this session.

PS: If you're on Windows and are using Apache for NTLM only, you may want to take a look at http://waffle.codeplex.com.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Robin Diederen [mailto:diede...@nlcom.nl]
Sent: Tuesday, June 08, 2010 3:16 AM
To: users@tomcat.apache.org
Subject: Question on IE zones with Mod_jk

Hello all,

We're trying to get a combination of Apache (webserver), Tomcat and mod_jk to work flawlessly with NTLM authentication. We're using mod_jk to loadbalance two Tomcat / LifeRay installations. We're using the latest versions of Apache 2.2, Tomcat 6 and mod_jk.

Our setup works fine on FireFox, but on IE this gives some troubles. When I bypass mod_jk by connecting directly to a Tomcat node, it all works fine in IE too. The problem appears on IE 6, 7 and 8.

The problem:
- I surf to http://portal
- IE recognizes the site as trusted / in the intranet zone
- I click the sign in link and get redirected to http://portal/c/portal/login; IE now thinks I'm in the _internet_zone_ (thus NTLM auth doesn't work)
- From the Apache logs, I find that a 401 error occurred

My guess would be that IE detects the redirect and concludes the wrong zone. Is there any way to configure this from the server side?

Best,
Robin
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Request:

    GET / HTTP/1.1
    Authorization: Negotiate TlRMTVNTUAABB4IIogAFASgKDw==

The browser is trying to get a page, and it sends a Negotiate token (it's short, so looks like NTLM).

Response:

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM

This already says that the token sent was invalid. The next conversation is just a repeat of that. It's invalid because the browser is not in the domain or because the user logged in doesn't have access to the server. It's possible that the Windows event viewer on the server has an actual error in the Security event log. I would create a dummy website in IIS that has the same authentication mode (Windows Auth, Anonymous disabled) and make sure I can browse successfully to that page, first.

Melinda, I think you should hire some external help to fix this problem for you. There're a lot of moving parts. Maybe someone on this list could offer you to resolve this problem for a consulting fee.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Savoy, Melinda [mailto:melindasa...@texashealth.org]
Sent: Friday, June 04, 2010 8:36 AM
To: 'Tomcat Users List'
Subject: RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?

Thanks Andre. Appreciate the explanation. I downloaded Fiddler as you suggested, and meant to send this in the earlier post.

In the RAW HEADER I get the following when I enter this URL in my IE browser: http://scmisdev

    GET / HTTP/1.1
    Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Host: scmisdev
    Authorization: Negotiate TlRMTVNTUAABB4IIogAFASgKDw==

In the AUTH window I see the following:

    No Proxy-Authenticate Header is present.
    WWW-Authenticate Header is present: Negotiate
    WWW-Authenticate Header is present: NTLM

In the RAW window I see the following:

    HTTP/1.1 401 Unauthorized
    Content-Length: 1656
    Content-Type: text/html
    Server: Microsoft-IIS/6.0
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
    Date: Fri, 04 Jun 2010 12:30:03 GMT
    Proxy-Support: Session-Based-Authentication

followed by the IIS error page, whose text is:

    You are not authorized to view this page

    You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept.

    Please try the following:
    - Contact the Web site administrator if you believe you should be able to view this directory or page.
    - Click the Refresh button to try again with different credentials.

    HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration.
    Internet Information Services (IIS)

    Technical Information (for support personnel)
    - Go to Microsoft Product Support Services (http://go.microsoft.com/fwlink/?linkid=8180) and perform a title search for the words HTTP and 401.
    - Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled About Security, Authentication, and About Custom Error Messages.

Do you see anything here? I was about to call the engineer on our network staff that might be able to help me but wanted to ask this last question before I did that.

Thanks again for all your help!!!

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Friday, June 04, 2010 7:26 AM
To: Tomcat Users List
Subject: Re: How can I get the user value in the request forwarded to my Tomcat in my Java app?

Savoy, Melinda wrote:

2 - questions (just because I'm not knowledgeable about IP address or TCP/IP ports etc or networking functionality).

1. Before moving to IIS, the Tomcat server was setup on port 80 but because IIS uses port
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Yep. Let's see (using Waffle code - http://waffle.codeplex.com).

    // imports assumed to be Waffle's waffle.util package
    import waffle.util.Base64;
    import waffle.util.NtlmMessage;

    String message = "TlRMTVNTUAABB4IIogAFASgKDw==";
    byte[] messageBytes = Base64.decode(message);
    // prints the NTLMSSP signature, i.e. this is an NTLM message
    System.out.println(new String(messageBytes));
    // prints 1, i.e. a Type 1 (NEGOTIATE) message
    System.out.println(NtlmMessage.getMessageType(messageBytes));

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Friday, June 04, 2010 3:07 PM
To: Tomcat Users List
Subject: Re: How can I get the user value in the request forwarded to my Tomcat in my Java app?

dB. wrote:

Request:

    GET / HTTP/1.1
    Authorization: Negotiate TlRMTVNTUAABB4IIogAFASgKDw==

The browser is trying to get a page, and it sends a Negotiate token (it's short, so looks like NTLM).

Do you mean that the encoded portion of the header actually contains an NTLM Type-1 message? (I browsed through the relevant RFCs, but they are a bit cryptic to get a quick clear idea of what happens here.)
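The decode dB. shows above and the Fiddler trace earlier in this thread (a Type 1 token in the request, bare Negotiate/NTLM challenges in the 401) both come down to reading the first bytes of the Negotiate token. As an added example that is neither from the thread nor from Waffle, here is a Python triage routine for that: it tells raw NTLMSSP from a SPNEGO wrapper, reads the Type 1 flags and client version, and judges from the 401 whether the server continued or restarted the handshake. The request and response below are constructed samples (the canonical 40-byte Windows XP Type 1 message), and the flag names follow MS-NLMP.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Subset of the NTLMSSP NegotiateFlags (MS-NLMP 2.2.2.5): bit value -> name.
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

# Constructed sample (not the thread's capture): the canonical 40-byte NTLM
# Type 1 message a Windows XP-era browser sends, and an IIS-style 401 reply.
SAMPLE_TYPE1 = bytes.fromhex(
    "4e544c4d53535000"  # "NTLMSSP\0" signature
    "01000000"          # MessageType = 1 (NEGOTIATE), little-endian
    "078208a2"          # NegotiateFlags = 0xa2088207, little-endian
    "0000000000000000"  # DomainNameFields (empty)
    "0000000000000000"  # WorkstationFields (empty)
    "0501280a0000000f"  # Version: 5.1 build 2600, NTLMRevisionCurrent = 15
)
SAMPLE_REQUEST = {"Authorization": "Negotiate " + base64.b64encode(SAMPLE_TYPE1).decode()}
SAMPLE_RESPONSE = {"status": 401, "WWW-Authenticate": ["Negotiate", "NTLM"]}


def classify_token(header_value):
    """Split an Authorization value into (scheme, mechanism, raw bytes).

    The Negotiate scheme carries either a bare NTLMSSP message or a SPNEGO
    DER blob (InitialContextToken, ASN.1 APPLICATION 0 tag 0x60) wrapping
    Kerberos; the first bytes tell the two apart.
    """
    scheme, _, token = header_value.strip().partition(" ")
    raw = base64.b64decode(token.strip() or "")
    if raw.startswith(NTLMSSP_SIGNATURE):
        mechanism = "ntlm"
    elif raw[:1] == b"\x60":
        mechanism = "spnego"
    else:
        mechanism = "unknown"
    return scheme, mechanism, raw


def parse_ntlm_message(raw):
    """Decode the fixed header of an NTLMSSP message; raise on malformed input."""
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message (missing signature or too short)")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    if msg_type not in MESSAGE_TYPES:
        raise ValueError("unknown NTLMSSP message type %d" % msg_type)
    info = {"type": msg_type, "name": MESSAGE_TYPES[msg_type]}
    if msg_type == 1:
        if len(raw) < 32:
            raise ValueError("truncated NEGOTIATE message")
        flags = struct.unpack_from("<I", raw, 12)[0]
        info["flags"] = flags
        info["flag_names"] = sorted(name for bit, name in NEGOTIATE_FLAGS.items() if flags & bit)
        info["unknown_flag_bits"] = flags & ~sum(NEGOTIATE_FLAGS)
        # The 8-byte Version field is only present when NEGOTIATE_VERSION is set.
        if flags & 0x02000000 and len(raw) >= 40:
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            info["client_version"] = (major, minor, build)
    return info


def triage_exchange(request, response):
    """Explain one request/response pair of the Negotiate handshake."""
    scheme, mechanism, raw = classify_token(request["Authorization"])
    result = {"scheme": scheme, "mechanism": mechanism}
    if mechanism == "ntlm":
        result["ntlm"] = parse_ntlm_message(raw)
    challenges = response.get("WWW-Authenticate", [])
    # A server that accepted the Type 1 continues with "Negotiate <base64 Type 2>"
    # (or "NTLM <...>"). Bare scheme names in a 401 mean it dropped the token it
    # just received and restarted the handshake, which is what the thread shows.
    continued = any(" " in c for c in challenges)
    result["handshake"] = "continued" if continued else "rejected_and_restarted"
    result["offered_schemes"] = [c.split()[0] for c in challenges]
    return result


if __name__ == "__main__":
    print(triage_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```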
RE: JAAS Realm Authentication with Kerberos
Yes. You can (and should) have a list of roles - everything the user that just logged in has access to / every role he has.

cheers
dB.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: geofrey rainey [mailto:geofr...@gmail.com]
Sent: Tuesday, June 01, 2010 10:13 PM
To: Tomcat Users List
Subject: Re: JAAS Realm Authentication with Kerberos

Right, so let me get this straight; Presently the KerberosLoginModule saves the role information (defined as u...@realm) as a Principal which is then compared against the literal string defined in web.xml. So what you're suggesting is modify the KerberosLoginModule so that, essentially, the credentials saved in the (Role) Principal should reflect exactly what's in (under the Role) web.xml?

thank you for your help.

On Tue, Jun 1, 2010 at 11:56 PM, dB. dbl...@dblock.org wrote:

If you look at the KerberosLoginModule code, it wants to be modified to retrieve roles from somewhere in your system. For example a user database that says that u...@realm is manager. Then you can say <auth-constraint> ... manager ... </auth-constraint> in web.xml rather than u...@realm. Listing individual users clearly isn't practical. Any authenticated user will be a member of Everyone or DOMAIN\Authenticated Users or DOMAIN\Users, etc.

If you are using Active Directory on Windows, you're probably not getting what you want with Kerberos alone. To use web.xml for authorization, you want something like roles = AD groups (and local groups). Retrieving user groups by name from AD is going to yield the wrong result in any kind of real world deployment - you will have hard time getting nested groups or anything from trusted domains.

If you're running on Windows and your goal is single sign-on, you may want to try http://waffle.codeplex.com. There're several options, including a login filter and a JAAS authenticator. All use SSPI to login (will do Kerberos and NTLM) and will return not just the user identity, but the user local and domain groups.

Hope this helps,
-dB.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: geofrey rainey [mailto:geofr...@gmail.com]
Sent: Tuesday, June 01, 2010 4:05 AM
To: users@tomcat.apache.org
Subject: JAAS Realm Authentication with Kerberos

Hello,

I've been following this fairly self-explanatory document on Kerberos authentication against an AD. If I hard-code the u...@realm in the web.xml file, authentication is successful. However obviously what one really wants is the actual user credentials as stored in the Principals class, javax.security.auth.kerberos.KerberosPrincipal, in the web.xml for each Subject authenticating, but I'm a bit lost as to how to get that information from the class into the web.xml. Any ideas would be appreciated?

( http://wiki.wsmoak.net/cgi-bin/wiki.pl?action=browse&diff=1&id=TomcatKerberosConfigOnly )

    <auth-constraint>
      <role-name>u...@realm</role-name>
    </auth-constraint>

Regards,
Geofrey.
RE: TC security/impersonation question
Tomcat doesn't do this, but on Windows it would certainly be possible to emulate the behavior that IIS provides in a Tomcat security filter. Upon return from doFilter it would RevertToSelf. I don't know what it means to do this on unix.

If you want to tell me more about your story/scenario and if it's worth it/interesting enough, I'd be glad to prototype something for Waffle (http://waffle.codeplex.com).

cheers
dB.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Timothy Taylor [mailto:securityaddi...@hotmail.com]
Sent: Wednesday, May 26, 2010 7:06 PM
To: users@tomcat.apache.org
Subject: RE: TC security/impersonation question

Hi,

Just a dumb question from a newbie but if I implement any type of security with TC then under what identity will the invoked WS stack object execute the request? Specifically, if I enable Kerberos authentication between the requesting application and TC does this guarantee the WS stack executes the requestor's request under the identity of the actual originating requestor?

Much appreciated,

Tim.
RE: Question on workers.properties file
IMHO the IIS redirection is a total hack. It's a lot of additional load, a whole other web server to deal with, configure and administer. Because you're merely hiding Tomcat behind IIS you're not really getting rid of your tomcat server, you're just masking the problem. I'll allow myself to theorize that Jakarta redirector was a stop gap solution because people didn't want a Windows-only valve to do NTLM or because they couldn't write one.

If you end up using waffle, please do let me know. Good luck.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Savoy, Melinda [mailto:melindasa...@texashealth.org]
Sent: Monday, May 24, 2010 8:30 PM
To: Tomcat Users List
Subject: RE: Question on workers.properties file

Yes. dB, we are a microsoft shop for all practical purposes. We were the first Java web app that was created here at our company and now since JCIFS is not NTLMv2 compliant we had thought we'd go ahead and use IIS that is being used for everything else internet and intranet wise.

Thanks for the info again. I had actually emailed you last week asking if the web.xml settings were required and you stated they were not. I think I'm very close to getting this IIS-Tomcat integration resolved but if I cannot get it to work by the end of the week I'll probably try Waffle. There does not seem to be a lot of documentation on the IIS side to make this work so it seems to be more complicated than I had anticipated. I'm trying to recheck, as Andre suggested, again tomorrow and hope that I can get this to work.

Regards.

From: dB. [dbl...@dblock.org]
Sent: Monday, May 24, 2010 18:09
To: Tomcat Users List
Subject: RE: Question on workers.properties file

I am curious whether you're using IIS for anything other than single sign-on / authentication? If you're not, check out http://waffle.codeplex.com - there's a new Negotiate (Kerberos + NTLM) authenticator. This could remove IIS from your entire picture.

dB.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Savoy, Melinda [mailto:melindasa...@texashealth.org]
Sent: Monday, May 24, 2010 7:03 PM
To: Tomcat Users List; Tomcat Users List
Subject: RE: Question on workers.properties file

Andre,

Sorry for creating confusion on the other post. I will stick with this post as well. I made changes to the setting here:

I think the problem is right there, and in the worker mappings you mentioned earlier:

    /examples/*=scmisWorker
    /examples/*.jsp=scmisWorker
    /examples/servlet/*=scmisWorker

to

    /*=scmisWorker
    /*.jsp=scmisWorker
    /servlet/*=scmisWorker

That is why the log that I had sent stated it as such. I have looked on the Apache Tomcat website to find documentation on the setup of IIS with Tomcat. I made the change above because I had forgotten to change it from the example that I found in the documentation, again my apologies for that.

Given the settings that I identified in IIS I can not get authenticated. That is why I think it is an authentication issue. I have gone back and checked each setting but cannot find a problem. That is why I sent my settings so that perhaps someone on this list might see something that I have overlooked. I'll keep trying.

Thanks.

From: André Warnier [...@ice-sa.com]
Sent: Monday, May 24, 2010 15:49
To: Tomcat Users List
Subject: Re: Question on workers.properties file

Savoy, Melinda wrote:

Andre,

Thanks for the reply. I was finally able to get my LOG file created. I had NOT set up my virtual website, SCMIS, in addition to the JAKARTA virtual website in IIS and consequently I kept using Tomcat to authenticate instead of using IIS to do so and it was never hitting my website. I think it has something to do with the settings in my IIS setting. I still cannot get the value from getRemoteUser() because the user is blank as is indicated in the log below. ANY help/direction would be greatly appreciated.

The URL that I am using to access my SCMIS virtual website is: http://localhost/SCMIS/index.jsp

In IIS I have the following:

    Default Web Site - Anonymous access checked and Integrated Windows authentication unchecked
    Jakarta - virtual web site and Anonymous access checked and Integrated Windows authentication unchecked
    SCMIS - virtual web site and Anonymous access unchecked and Integrated Windows authentication checked

I have attached the entries in the log file that just happened:

I think the problem is right there, and in the worker mappings you mentioned earlier:

    /examples/*=scmisWorker
    /examples/*.jsp=scmisWorker
    /examples/servlet/*=scmisWorker

Now in your logfile, you have:

    [Mon May 24 10:10:02.781 2010] [8124:7912] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/servlet/*=scmisWorker' source 'uriworkermap'
    [Mon May 24 10:10:02.781 2010] [8124:7912] [debug] jk_uri_worker_map.c
RE: Question on workers.properties file
Thank you, I really meant that using IIS for authentication only is a hack. Now Tomcat can do Integrated Auth as well as IIS, if not better (with a lot more granularity).

> IIS and/or Apache do things that Tomcat does not, or not well.

For my personal education, do you have any production-type examples?

Thx
dB.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Tuesday, May 25, 2010 4:10 PM
To: Tomcat Users List
Subject: Re: Question on workers.properties file

> dB. wrote:
>
>> IMHO the IIS redirection is a total hack. It's a lot of additional load, a whole other web server to deal with, configure and administer. Because you're merely hiding Tomcat behind IIS you're not really getting rid of your Tomcat server, you're just masking the problem. I'll allow myself to theorize that the Jakarta redirector was a stop-gap solution because people didn't want a Windows-only valve to do NTLM or because they couldn't write one.
>
> dB, I believe that you are missing the point.
>
> Tomcat does things that Apache and/or IIS do not, running Java webapps being the main one. IIS and/or Apache do things that Tomcat does not, or not well. There are legitimate cases for using an Apache or IIS front-end to Tomcat, most of which have nothing to do with authentication. And that is where one uses the Jk redirector.
>
> You are right that using an IIS front-end /only/ to do authentication is a bit of a hack, but that is the express purpose here. Basically, the OP is just trying to retrieve in Tomcat the user-id that should be there anyway at the IIS level, because in the OP's particular case it was the easiest path to follow, application-wise. That it turns out to be such a difficult birth is mainly because of the OP's lack of familiarity with the IIS/JK redirector/Tomcat configuration, not because of any flaw in the redirector or in the OP's basic plan.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
JAAS: why would I be getting a 403 after a Successfully passed all security constraints
I am trying to implement JAAS. I got a custom module written and it seems to work.

FINE: Checking roles GenericPrincipal[dblock(Everyone,)]
May 24, 2010 7:56:45 AM org.apache.catalina.realm.RealmBase hasRole
FINE: Username dblock has role Everyone
May 24, 2010 7:56:45 AM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: Role found: Everyone
May 24, 2010 7:56:45 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Successfully passed all security constraints

Nevertheless, I am still getting a 403 - Access to the specified resource (...) has been forbidden.

Any ideas?

Thx
dB.

dB. @ dblock.org
http://www.dblock.org/
Moscow|Geneva|Seattle|New York
RE: JAAS: why would I be getting a 403 after a Successfully passed all security constraints
Thanks. The problem was between the computer and the chair. I forgot to remove a security filter I was testing earlier that had an unfortunate side effect of eating an error.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Monday, May 24, 2010 8:46 AM
To: Tomcat Users List
Subject: Re: JAAS: why would I be getting a 403 after a Successfully passed all security constraints

> On 24/05/2010 13:00, dB. wrote:
>
>> I am trying to implement JAAS. I got a custom module written and it seems to work.
>>
>> FINE: Checking roles GenericPrincipal[dblock(Everyone,)]
>> May 24, 2010 7:56:45 AM org.apache.catalina.realm.RealmBase hasRole
>> FINE: Username dblock has role Everyone
>> May 24, 2010 7:56:45 AM org.apache.catalina.realm.RealmBase hasResourcePermission
>> FINE: Role found: Everyone
>> May 24, 2010 7:56:45 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
>> FINE: Successfully passed all security constraints
>>
>> Nevertheless, I am still getting a 403 - Access to the specified resource (...) has been forbidden.
>>
>> Any ideas?
>
> At this point I would fire up your IDE's debugger and step through the Tomcat source code to see what is going on.
>
> Mark
RE: Question on workers.properties file
I am curious whether you're using IIS for anything other than single sign-on / authentication? If you're not, check out http://waffle.codeplex.com - there's a new Negotiate (Kerberos + NTLM) authenticator. This could remove IIS from your entire picture.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Savoy, Melinda [mailto:melindasa...@texashealth.org]
Sent: Monday, May 24, 2010 7:03 PM
To: Tomcat Users List; Tomcat Users List
Subject: RE: Question on workers.properties file

> Andre,
>
> Sorry for creating confusion on the other post. I will stick with this post as well. I made changes to the setting here:
>
>> I think the problem is right there, and in the worker mappings you mentioned earlier:
>>
>> /examples/*=scmisWorker
>> /examples/*.jsp=scmisWorker
>> /examples/servlet/*=scmisWorker
>
> to
>
> /*=scmisWorker
> /*.jsp=scmisWorker
> /servlet/*=scmisWorker
>
> That is why the log that I had sent stated it as such. I have looked on the Apache Tomcat website to find documentation on the setup of IIS with Tomcat. I made the change above because I had forgotten to change it from the example that I found in the documentation; again, my apologies for that. Given the settings that I identified in IIS I cannot get authenticated. That is why I think it is an authentication issue. I have gone back and checked each setting but cannot find a problem. That is why I sent my settings, so that perhaps someone on this list might see something that I have overlooked. I'll keep trying.
>
> Thanks.
>
> From: André Warnier [...@ice-sa.com]
> Sent: Monday, May 24, 2010 15:49
> To: Tomcat Users List
> Subject: Re: Question on workers.properties file
>
>> Savoy, Melinda wrote:
>>
>>> Andre,
>>>
>>> Thanks for the reply. I was finally able to get my LOG file created. I had NOT set up my virtual website, SCMIS, in addition to the JAKARTA virtual website in IIS, and consequently I kept using Tomcat to authenticate instead of using IIS to do so, and it was never hitting my website. I think it has something to do with the settings in my IIS setting. I still cannot get the value from getRemoteUser() because the user is blank, as is indicated in the log below. ANY help/direction would be greatly appreciated.
>>>
>>> The URL that I am using to access my SCMIS virtual website is: http://localhost/SCMIS/index.jsp
>>>
>>> In IIS I have the following:
>>>
>>> Default Web Site - Anonymous access checked and Integrated Windows authentication unchecked
>>> Jakarta - virtual web site and Anonymous access checked and Integrated Windows authentication unchecked
>>> SCMIS - virtual web site and Anonymous access unchecked and Integrated Windows authentication checked
>>>
>>> I have attached the entries in the log file that just happened:
>>
>> I think the problem is right there, and in the worker mappings you mentioned earlier:
>>
>> /examples/*=scmisWorker
>> /examples/*.jsp=scmisWorker
>> /examples/servlet/*=scmisWorker
>>
>> Now in your logfile, you have:
>>
>> [Mon May 24 10:10:02.781 2010] [8124:7912] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/servlet/*=scmisWorker' source 'uriworkermap'
>> [Mon May 24 10:10:02.781 2010] [8124:7912] [debug] jk_uri_worker_map.c (850): Attempting to map context URI '/*.jsp=scmisWorker' source 'uriworkermap'
>> [Mon May 24 10:10:02.781 2010] [8124:7912] [debug] jk_uri_worker_map.c (863): Found a wildchar match '/*.jsp=scmisWorker'
>>
>> Assuming the mappings above, then why is it trying to match '/servlet/*=scmisWorker' and '/*.jsp=scmisWorker'? That does not fit. Those mappings are not in your list above.
>>
>> Again, I am no expert on IIS or on the Jk redirector in conjunction with it, but my little finger tells me that there is something very wrong somewhere. I have the feeling that your problem is not really related to authentication (or the lack of it). It is that there is some confusion as to the proper setup of IIS and Tomcat together, and how IIS handles virtual websites.
>>
>> Maybe we should restart from the beginning, like here:
>>
>> When you look at the ...\Tomcat 6.0\webapps directory, what are the sub-directories located just below it?
>>
>> And, just to gain time, out of these, which is the one that corresponds to the application which /should/ be authenticated?
>
> The information contained in this message and any attachments is intended only for the use of the individual or entity to which it is addressed, and may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from disclosure under applicable law. If you are not the intended recipient, you are prohibited from copying, distributing, or using the information. Please contact the sender immediately by return e-mail and delete the original message from your system.
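The two rule sets argued over in this thread (the documentation's /examples/* mappings that were left in place, and the corrected /* set) can be checked offline against the request URI from the original question. What follows is an added illustration, not code from the thread, from the JK connector or from Tomcat: a simplified Python model of uriworkermap.properties matching that follows the documented rule forms (exact paths, '/ctx/*', '/*.jsp', and '!' exclusions) and JK's preference for the most specific rule, without claiming to be a port of jk_uri_worker_map.c. The rule texts are copied from the thread; the !/*.gif exclusion and the sample URIs are constructed for the demonstration.

```python
"""Simplified model of how isapi_redirect / mod_jk decides which request URIs
are forwarded to a Tomcat worker.  Added illustration, not JK's own code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the thread: the documentation example that was left in
# place, and the corrected set.  The '!' line is a hypothetical addition that
# shows the exclusion form (static images stay with IIS).
RULES_FROM_DOCS = """\
/examples/*=scmisWorker
/examples/*.jsp=scmisWorker
/examples/servlet/*=scmisWorker
"""

RULES_CORRECTED = """\
/*=scmisWorker
/*.jsp=scmisWorker
/servlet/*=scmisWorker
# hypothetical exclusion so IIS keeps serving images itself
!/*.gif=scmisWorker
"""


@dataclass(frozen=True)
class Rule:
    pattern: str       # URI pattern as written in uriworkermap.properties
    worker: str        # worker name, as defined in workers.properties
    exclude: bool      # True for '!' rules, which block forwarding
    regex: re.Pattern  # compiled form of the pattern

    @property
    def is_wildcard(self) -> bool:
        return "*" in self.pattern or "?" in self.pattern


def parse_uriworkermap(text: str) -> list[Rule]:
    """Parse 'pattern=worker' lines; '#' lines are comments, blanks are skipped."""
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        pattern, worker = (part.strip() for part in line.split("=", 1))
        exclude = pattern.startswith("!")
        if exclude:
            pattern = pattern[1:]
        # JK wildcards: '*' is any run of characters (including '/'), '?' one character.
        body = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                       for ch in pattern)
        rules.append(Rule(pattern, worker, exclude, re.compile(f"^{body}$")))
    return rules


def match_rule(uri: str, rules: list[Rule]) -> Optional[Rule]:
    """Return the rule the redirector settles on for this URI, or None if IIS keeps it."""
    path = uri.split("?", 1)[0]  # the query string never takes part in matching
    # A matching exclusion wins over every forwarding rule.
    if any(r.exclude and r.regex.match(path) for r in rules):
        return None
    # Exact (non-wildcard) rules beat wildcard rules ...
    for r in rules:
        if not r.exclude and not r.is_wildcard and r.pattern == path:
            return r
    # ... and among wildcard rules the longest, i.e. most specific, pattern wins.
    hits = [r for r in rules if not r.exclude and r.regex.match(path)]
    return max(hits, key=lambda r: len(r.pattern)) if hits else None


def map_uri(uri: str, rules: list[Rule]) -> Optional[str]:
    """Name of the worker the request is forwarded to, or None when IIS serves it."""
    rule = match_rule(uri, rules)
    return rule.worker if rule else None


if __name__ == "__main__":
    docs = parse_uriworkermap(RULES_FROM_DOCS)
    fixed = parse_uriworkermap(RULES_CORRECTED)
    for uri in ("/SCMIS/index.jsp", "/examples/index.jsp", "/servlet/Report", "/SCMIS/logo.gif"):
        print(f"{uri:22} docs rules -> {map_uri(uri, docs)!s:12} corrected -> {map_uri(uri, fixed)}")
```

With the documentation rules in place, /SCMIS/index.jsp matches nothing and never leaves IIS, which is consistent with the report that the request was "never hitting my website"; with the corrected set it is forwarded by the /*.jsp rule. Forwarding on its own does not populate getRemoteUser(): for Tomcat to accept the user that IIS already authenticated, the AJP Connector in server.xml must also carry tomcatAuthentication="false", which tells Tomcat to take the principal handed over by the native web server instead of running its own authentication on the request.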
Tomcat NTLM authentication
Forgive me for shameless advertising. This should be useful to lots of people.

We've published a free Tomcat 6 Negotiate authenticator based on JNA that supports the Negotiate protocol, including Kerberos and the much requested NTLM. This is equivalent to checking the Integrated Authentication box in IIS, enabling single sign-on for Windows servers that are either joined or not joined to an Active Directory domain. The authenticator is part of project Waffle.

Tutorial: http://code.dblock.org/ShowPost.aspx?id=103
Download Waffle: http://waffle.codeplex.com/

Hope this helps, your feedback is much appreciated,
-dB.

dB. @ dblock.org
http://www.dblock.org/
Moscow|Geneva|Seattle|New York
RE: Tomcat NTLM authentication
Eclipse Public License http://waffle.codeplex.com/license

I am happy to attach another license to this if there are any real issues with it.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Jason Pyeron [mailto:jpye...@pdinc.us]
Sent: Thursday, May 20, 2010 8:50 AM
To: 'Tomcat Users List'
Subject: RE: Tomcat NTLM authentication

>> -----Original Message-----
>> From: dB.
>> Sent: Thursday, May 20, 2010 8:42
>> Subject: Tomcat NTLM authentication
>>
>> Forgive me for shameless advertising. This should be useful to lots of people.
>>
>> We've published a free Tomcat 6 Negotiate authenticator based
>
> Apache License?
>
>> on JNA that supports the Negotiate protocol, including Kerberos and the much requested NTLM. This is equivalent to checking the Integrated Authentication box in IIS, enabling single sign-on for Windows servers that are either joined or not joined to an Active Directory domain. The authenticator is part of project Waffle.
>>
>> Tutorial: http://code.dblock.org/ShowPost.aspx?id=103
>> Download Waffle: http://waffle.codeplex.com/
>>
>> Hope this helps, your feedback is much appreciated,
>> -dB.
>>
>> dB. @ dblock.org
>> http://www.dblock.org/
>> Moscow|Geneva|Seattle|New York
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> -                                                               -
> - Jason Pyeron                  PD Inc. http://www.pdinc.us     -
> - Principal Consultant          10 West 24th Street #100        -
> - +1 (443) 269-1555 x333        Baltimore, Maryland 21218       -
> -                                                               -
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> This message is copyright PD Inc, subject to license 20080407P00.
RE: Question regarding IIS Windows Authentication using Tomcat Connector
I just posted about this :)

Instead of using IIS, you should take a look at the Waffle Tomcat Authenticator (http://waffle.codeplex.com). Currently it stores a Generic principal with the user's FQN and all local/domain groups, but that can certainly be extended to a much richer principal with all kinds of information that Windows provides (such as SID).

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Savoy, Melinda [mailto:melindasa...@texashealth.org]
Sent: Thursday, May 20, 2010 8:45 AM
To: 'users@tomcat.apache.org'
Subject: Question regarding IIS Windows Authentication using Tomcat Connector

> I have a Java web app whereby we have been using the JCIFS open source authentication package that uses NTLMv1 over the past 5 years, and it's been working great. However, some of our users are now using Windows 7, which does not accept NTLMv1 authentication, and now I'm looking at IIS in order to authenticate our users.
>
> I used the Apache Tomcat Connector and got that set up; however, I am having issues in retrieving the authentication property for the USERID of the client making the request, which I understood IIS provides. On the Apache Tomcat Connector documentation it only states how to set up the IIS Tomcat integration, which is working great, but it does NOT provide the information, from a Java perspective, on how to retrieve the userid info from the request. I have tried the HttpServletRequest object, but when I use the getRemoteUser() method I get a NULL value.
>
> I realize I must be doing something wrong but I have no idea what. If anyone has accomplished this or can provide information on this it would be greatly appreciated. I've posted on a number of Tomcat forums but cannot get a response to this issue. Any help/direction, again, would be appreciated.
>
> I forgot to mention that I am using my local Windows XP Pro box with IIS v5.1, in the event that info is needed to answer my question.
>
> Thanks so much.
>
> Melinda Savoy
> Sr. Programmer Analyst, ERP Systems
> Innovative Technology Solutions
> Texas Health Resources
> 600 E. Lamar Blvd, Ste 301, Arlington TX 76011
> melindasa...@texashealth.org
>
> Texas Health Resources: Arlington Memorial, Harris Methodist and Presbyterian Hospitals
> A shared mission and now a shared name.
RE: Question regarding IIS Windows Authentication using Tomcat Connector
FQN = fully qualified name (it's unambiguous, usually machine-name\username or domain-name\username). It's there and returned by the Waffle Tomcat authenticator. But names may change (people get married, groups get renamed), so Windows has a concept of SID; it's a binary identifier (S-xyz) that never changes and is unique. So permissions are typically done with that rather than with fully qualified names. There's a bit of work left in Waffle to expose SIDs in the principal object(s).

I have no idea what JCIFS can or cannot do for you, but mixing IIS and Tomcat seems like a suboptimal way to go, to say the least. Waffle theoretically should resolve this, but your specific application is what really matters.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Savoy, Melinda [mailto:melindasa...@texashealth.org]
Sent: Thursday, May 20, 2010 9:16 AM
To: 'Tomcat Users List'
Subject: RE: Question regarding IIS Windows Authentication using Tomcat Connector

> I did see your post from Nabble and I appreciate it. I will hopefully get an opp to try it today if I cannot get an answer to my issue.
>
> A few questions on your post below, and pardon my ignorance, but what is a user's FQN? Are you stating that Waffle does NOT provide a user id from the request? Are the WEB.XML settings required?
>
> Why I ask about the web.xml settings is because our former team lead created an underlying SECURITY package that is the foundation of our web app. Unfortunately, he is no longer here and I do not have time to re-write our app. He wrote this to do multiple things:
>
> 1. Used as a wrapper around JCIFS.
> 2. Used for other security layers to acquire security info from our legacy system.
>
> I just set up the Apache Tomcat Connector on Tuesday, and are you stating that you've used IIS Tomcat integration (Apache Tomcat Connector) and you could not get the userid info either from the client request?
>
> Thanks again for your post.
>
> -----Original Message-----
> From: dB. [mailto:dbl...@dblock.org]
> Sent: Thursday, May 20, 2010 7:53 AM
> To: Tomcat Users List
> Subject: RE: Question regarding IIS Windows Authentication using Tomcat Connector
>
>> I just posted about this :)
>>
>> Instead of using IIS, you should take a look at the Waffle Tomcat Authenticator (http://waffle.codeplex.com). Currently it stores a Generic principal with the user's FQN and all local/domain groups, but that can certainly be extended to a much richer principal with all kinds of information that Windows provides (such as SID).
>>
>> dB. @ dblock.org
>> Moscow|Geneva|Seattle|New York
>>
>> -----Original Message-----
>> From: Savoy, Melinda [mailto:melindasa...@texashealth.org]
>> Sent: Thursday, May 20, 2010 8:45 AM
>> To: 'users@tomcat.apache.org'
>> Subject: Question regarding IIS Windows Authentication using Tomcat Connector
>>
>>> I have a Java web app whereby we have been using the JCIFS open source authentication package that uses NTLMv1 over the past 5 years, and it's been working great. However, some of our users are now using Windows 7, which does not accept NTLMv1 authentication, and now I'm looking at IIS in order to authenticate our users.
>>>
>>> I used the Apache Tomcat Connector and got that set up; however, I am having issues in retrieving the authentication property for the USERID of the client making the request, which I understood IIS provides. On the Apache Tomcat Connector documentation it only states how to set up the IIS Tomcat integration, which is working great, but it does NOT provide the information, from a Java perspective, on how to retrieve the userid info from the request. I have tried the HttpServletRequest object, but when I use the getRemoteUser() method I get a NULL value.
>>>
>>> I realize I must be doing something wrong but I have no idea what. If anyone has accomplished this or can provide information on this it would be greatly appreciated. I've posted on a number of Tomcat forums but cannot get a response to this issue. Any help/direction, again, would be appreciated.
>>>
>>> I forgot to mention that I am using my local Windows XP Pro box with IIS v5.1, in the event that info is needed to answer my question.
>>>
>>> Thanks so much.
>>>
>>> Melinda Savoy
RE: Tomcat NTLM authentication
You have my explicit +1 to take this code and use/include it in Tomcat.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Thursday, May 20, 2010 9:29 AM
To: Tomcat Users List
Subject: Re: Tomcat NTLM authentication

> On 20/05/2010 13:48, dB. wrote:
>
>> Eclipse Public License http://waffle.codeplex.com/license
>>
>> I am happy to attach another license to this if there are any real issues with it.
>
> There are. Sort of.
>
> The ASF can't include source code that is EPL licensed in Apache products. However, the bugzilla issue:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49318
> when read with the terms of creating a bugzilla account:
> https://issues.apache.org/bugzilla/createaccount.cgi
> and section 5 of the Apache License:
> http://www.apache.org/licenses/LICENSE-2.0.html
> is legally sufficient for us to include this code in Tomcat.
>
> Despite that, we (the ASF) would rather have an explicit "Yes, we're fine with you doing that" than rely on the legalese, since we don't want to do something you don't like, even if legally we could.
>
> If you are happy for this to be included then a +1 here is all that is required.
>
> Mark
>
>> dB. @ dblock.org
>> Moscow|Geneva|Seattle|New York
>>
>> -----Original Message-----
>> From: Jason Pyeron [mailto:jpye...@pdinc.us]
>> Sent: Thursday, May 20, 2010 8:50 AM
>> To: 'Tomcat Users List'
>> Subject: RE: Tomcat NTLM authentication
>>
>>>> -----Original Message-----
>>>> From: dB.
>>>> Sent: Thursday, May 20, 2010 8:42
>>>> Subject: Tomcat NTLM authentication
>>>>
>>>> Forgive me for shameless advertising. This should be useful to lots of people.
>>>>
>>>> We've published a free Tomcat 6 Negotiate authenticator based
>>>
>>> Apache License?
>>>
>>>> on JNA that supports the Negotiate protocol, including Kerberos and the much requested NTLM. This is equivalent to checking the Integrated Authentication box in IIS, enabling single sign-on for Windows servers that are either joined or not joined to an Active Directory domain. The authenticator is part of project Waffle.
>>>>
>>>> Tutorial: http://code.dblock.org/ShowPost.aspx?id=103
>>>> Download Waffle: http://waffle.codeplex.com/
>>>>
>>>> Hope this helps, your feedback is much appreciated,
>>>> -dB.
>>>>
>>>> dB. @ dblock.org
>>>> http://www.dblock.org/
>>>> Moscow|Geneva|Seattle|New York
RE: Question regarding IIS Windows Authentication using Tomcat Connector
1. Yes. It will support whatever your Windows box supports since it calls the native Windows API. Smartcards, retinal scans, etc.
2. They are not, your code should be fine.

dB. @ dblock.org
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Savoy, Melinda [mailto:melindasa...@texashealth.org]
Sent: Thursday, May 20, 2010 10:34 AM
To: 'Tomcat Users List'
Subject: RE: Question regarding IIS Windows Authentication using Tomcat Connector

> Thanks for the reply. 2 more questions if you don't mind:
>
> 1. Just wanted to confirm that Waffle does support NTLMv2? We do not use Kerberos on our network.
> 2. Are the web.xml settings required? Again, we have our own custom security package and it is defined in the web.xml file. As stated previously, I do not have time to rewrite the security code in order to accommodate a product that requires that we use their settings in web.xml.
>
> Just an FYI, in JCIFS we are able to acquire the domain and user from the Type3Message class. JCIFS uses the challenge-response paradigm.
>
> Thanks for the work that you're doing. More and more Java web teams will need something like this as their companies move over to products like Windows 7 where NTLMv1 is no longer acceptable.
>
> Regards.
>
> -----Original Message-----
> From: dB. [mailto:dbl...@dblock.org]
> Sent: Thursday, May 20, 2010 9:10 AM
> To: Tomcat Users List
> Subject: RE: Question regarding IIS Windows Authentication using Tomcat Connector
>
>> FQN = fully qualified name (it's unambiguous, usually machine-name\username or domain-name\username). It's there and returned by the Waffle Tomcat authenticator. But names may change (people get married, groups get renamed), so Windows has a concept of SID; it's a binary identifier (S-xyz) that never changes and is unique. So permissions are typically done with that rather than with fully qualified names. There's a bit of work left in Waffle to expose SIDs in the principal object(s).
>>
>> I have no idea what JCIFS can or cannot do for you, but mixing IIS and Tomcat seems like a suboptimal way to go, to say the least. Waffle theoretically should resolve this, but your specific application is what really matters.
>>
>> dB. @ dblock.org
>> Moscow|Geneva|Seattle|New York
>>
>> -----Original Message-----
>> From: Savoy, Melinda [mailto:melindasa...@texashealth.org]
>> Sent: Thursday, May 20, 2010 9:16 AM
>> To: 'Tomcat Users List'
>> Subject: RE: Question regarding IIS Windows Authentication using Tomcat Connector
>>
>>> I did see your post from Nabble and I appreciate it. I will hopefully get an opp to try it today if I cannot get an answer to my issue.
>>>
>>> A few questions on your post below, and pardon my ignorance, but what is a user's FQN? Are you stating that Waffle does NOT provide a user id from the request? Are the WEB.XML settings required?
>>>
>>> Why I ask about the web.xml settings is because our former team lead created an underlying SECURITY package that is the foundation of our web app. Unfortunately, he is no longer here and I do not have time to re-write our app. He wrote this to do multiple things:
>>>
>>> 1. Used as a wrapper around JCIFS.
>>> 2. Used for other security layers to acquire security info from our legacy system.
>>>
>>> I just set up the Apache Tomcat Connector on Tuesday, and are you stating that you've used IIS Tomcat integration (Apache Tomcat Connector) and you could not get the userid info either from the client request?
>>>
>>> Thanks again for your post.
>>>
>>> -----Original Message-----
>>> From: dB. [mailto:dbl...@dblock.org]
>>> Sent: Thursday, May 20, 2010 7:53 AM
>>> To: Tomcat Users List
>>> Subject: RE: Question regarding IIS Windows Authentication using Tomcat Connector
>>>
>>>> I just posted about this :)
>>>>
>>>> Instead of using IIS, you should take a look at the Waffle Tomcat Authenticator (http://waffle.codeplex.com). Currently it stores a Generic principal with the user's FQN and all local/domain groups, but that can certainly be extended to a much richer principal with all kinds of information that Windows provides (such as SID).
>>>>
>>>> dB. @ dblock.org
>>>> Moscow|Geneva|Seattle|New York
>>>>
>>>> -----Original Message-----
>>>> From: Savoy, Melinda [mailto:melindasa...@texashealth.org]
>>>> Sent: Thursday, May 20, 2010 8:45 AM
>>>> To: 'users@tomcat.apache.org'
>>>> Subject: Question regarding IIS Windows Authentication using Tomcat Connector
>>>>
>>>>> I have a Java web app whereby we have been using the JCIFS open source authentication package that uses NTLMv1 over the past 5 years, and it's been working great. However, some of our users are now using Windows 7, which does not accept NTLMv1 authentication, and now I'm looking at IIS in order to authenticate our users.
>>>>>
>>>>> I used the Apache Tomcat Connector and got that set up; however, I am having issues in retrieving the authentication property for the USERID of the client making the request, which I understood IIS provides. On the Apache Tomcat Connector documentation it only states how to set up the IIS Tomcat integration, which is working great, but it does