Hello all,

I am currently working for a client on a problem concerning authentication on a Tomcat server, by first logging in on a remote ISA server. The problem is as follows (usernames, passwords and domains are replaced by dummies or blanks, for obvious security concerns :) ):

On the Tomcat server, there is an application of OpenText. For this application, we defined the login-config as:

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>test.dmz</realm-name>
    </login-config>

In the configuration of Tomcat, in the server.xml file, we defined the realm as follows:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           debug="99"
           connectionURL="..."
           alternateURL="..."
           connectionName="svc_opentext_p...@isoext.dmz"
           connectionPassword="..."
           referrals="follow"
           userBase="DC=test,DC=dmz"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           roleBase="DC=test,DC=dmz"
           roleName="cn"
           roleSearch="(member={0})"
           roleSubtree="false" />

The problem with this is that the query for the sAMAccountName on the LDAP server doesn't return a valid user. In the header of the request, the credentials of the user are specified as:

    "test.dmz\aelz:123Test"

After debugging and packet analysis, we found out that the query was checking if there was a sAMAccountName which equals "test.dmz lz". The problem is that the token {0}, which is filled in automatically by Tomcat using the credentials from the HTTPS header, contains a backslash after the domain. However, we cannot change the ISA server settings to prevent this, as other servers depend on this manner of identification.

My question now is: does anybody know if we can "intercept" the token and escape the backslash, or even better, substring the username from that token? Or are there alternatives to this "{0}" token?

Any help would be greatly appreciated!

With kind regards,
Dries
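As an added illustration (not the poster's code and not part of Tomcat), the following Python models what happens to a "DOMAIN\user" value when it is dropped raw into a filter such as "(sAMAccountName={0})", and what a hardened substitution would do before the value reaches the LDAP server. It assumes RFC 4515 filter syntax, where a backslash followed by two hex digits is an escape for one byte; the function names are hypothetical and stand in for whatever Realm subclass or filter a Tomcat deployment would implement.

```python
import re

# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is safe as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def decode_filter_value(raw: str) -> str:
    """Interpret a filter value the way an RFC 4515 parser does: a backslash
    followed by two hex digits collapses into the single byte they denote.
    Feeding "test.dmz\\aelz" in unescaped therefore yields "test.dmz" + 0xAE + "lz",
    which is consistent with the "test.dmz lz" the poster observed on the wire."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def strip_domain_prefix(login: str) -> str:
    """Return the account part of 'DOMAIN\\user'; unchanged when no backslash is present."""
    _domain, sep, user = login.partition("\\")
    return user if sep else login


def build_user_search(login: str) -> str:
    """Hardened stand-in for userSearch="(sAMAccountName={0})": strip the domain
    prefix, then escape whatever remains so no user-controlled byte alters the filter."""
    return f"(sAMAccountName={escape_filter_value(strip_domain_prefix(login))})"
```

Escaping alone (without stripping the prefix) keeps the backslash intact as "\5c", which would search for the literal account "test.dmz\aelz" and still not match; stripping is what makes the lookup meaningful here.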