-----Original Message-----
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] 
Sent: woensdag 30 januari 2013 12:01
To: Tomcat Users List
Subject: Re: ISA-server authentication on Tomcat: problem with escape character

2013/1/30 Vlaeminck, Dries <dries.vlaemi...@delawareconsulting.com>:
> Hello all,
>
> I am currently working for a client on a problem concerning authentication on 
> a Tomcat server, by first logging in on a remote ISA-server.

1. What is your exact version of Tomcat, x.y.z?

> The problem is as follows (usernames, passwords and domains are replaced by 
> dummies or blanks, for obvious security concerns :) ):
>
> On the Tomcat server, there is an application of OpenText. For this 
> application, we defined the login-config as:
> <login-config>
>                 <auth-method>BASIC</auth-method>
>                 <realm-name>test.dmz</realm-name>

2. Is it written as above, or do you have extra newlines in the "realm-name" 
value above?

> </login-config>
>
> In the configuration of Tomcat, in the server.xml file, we defined the realm 
> as follows:
> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>                 connectionURL="..."
>                 alternateURL="..."
>                 connectionName="...<mailto:svc_opentext_p...@isoext.dmz>"

3. The above is strange. XML does not allow using "<", ">" (or at least one of 
those two) in an attribute value.

>                 connectionPassword="..."
>                 referrals="follow"
>                 userBase="DC=test,DC=dmz"
>                 userSearch="(sAMAccountName={0})"
>                 userSubtree="true"
>                 roleBase="DC=test,DC=dmz"
>                 roleName="cn"
>                 roleSearch="(member={0})"
>                 roleSubtree="false"
> />
>
> The problem with this is that the query for the sAMAccountName on the 
> LDAP-server doesn't return a valid user.
>
> In the header of the request, the credentials of the user are specified as: 
> "test.dmz\aelz:123Test"
> After debugging and packet analysis, we found out that the query was checking 
> if there was a sAMAccountName which equals "test.dmz lz".
>
> The problem is that the token {0}, which is filled in automatically by Tomcat 
> using the credentials from the HTTPS-header, contains a backslash after the 
> domain.

4. You mean an HTTP header.
Why such a value? The BASIC authentication is a well-known protocol.
What is your browser?

> However, we cannot change the ISA-server settings to prevent this, as other 
> servers depend on this manner of identification.
>
> My question now is:
> Does anybody know if we can "intercept" the token and escape the backslash or 
> even better substring the username from that token?

5. If you can't find a better way, a Valve can do it.

> Or are there alternatives to this "{0}" token?
>
> Any help would be greatly appreciated!
>

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


Hello Konstantin,

Thank you for your reaction. Here is the info you requested:

1. The installation is: Apache Tomcat 6.0.33 Server
2. Written as mentioned, but I just changed the name to test.dmz (dummy data)
<login-config>
                <auth-method>BASIC</auth-method>
                <realm-name>test.dmz</realm-name>
 </login-config>

3. Sorry, the hyperlink should not have been there. Outlook added that on its own,
so in the original data this is not an issue.

4. Indeed, from the HTTP header.
Browser is Internet Explorer or Chrome, but I do not think this matters.
The credentials are sent from ISA-server to the Tomcat server using the GET.
They are specified on the ISA-server as test.dmz\aelz:123Test (ie 
<domain>\<username>:<password>)

5. What do you mean by "Valve"?
I think I just need to find a way to specify for example 

userSearch="(sAMAccountName=$username)"

where $username is some other value containing the username.
If I use ADexplorer on the ISA-server and use search criterion 
"sAMAccountName=aelz", it works just fine.

Thanks for your assistance!

With kind regards,

Dries
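As an added illustration (not code from the thread or from Tomcat), the Python below models what an LDAP server does with the raw `{0}` substitution described above: RFC 4515 treats a backslash followed by two hex digits as one escaped byte, so the `\ae` in `test.dmz\aelz` collapses into a single byte, which is consistent with the `test.dmz lz` seen in the packet capture. It then shows the defensive handling a Valve or realm wrapper would apply: strip the `DOMAIN\` prefix and escape whatever remains before it reaches the filter. The header value and function names are constructed for the example.

```python
import base64
import re

# Constructed sample: the Basic Authorization value the ISA server forwards,
# in the "domain\user:password" form described in the thread.
AUTH_HEADER = "Basic " + base64.b64encode(b"test.dmz\\aelz:123Test").decode("ascii")
USER_SEARCH = "(sAMAccountName={0})"   # userSearch pattern from the Realm config


def parse_basic(header):
    """Split a Basic Authorization header into (username, password)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def decode_filter_value(raw):
    """Decode an RFC 4515 assertion value: backslash + two hex digits is one byte."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", raw[i + 1:i + 3]):
            out.append(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            out += raw[i].encode("utf-8")
            i += 1
    return bytes(out)


def escape_filter_value(value):
    """Escape a value for safe use inside an LDAP filter (RFC 4515 \\xx form)."""
    return "".join("\\%02x" % b if (b in b"\\*()\x00" or b >= 0x80) else chr(b)
                   for b in value.encode("utf-8"))


def strip_domain(user):
    """Drop a leading 'DOMAIN\\' or 'DOMAIN/' prefix: 'test.dmz\\aelz' -> 'aelz'."""
    return re.sub(r"^[^\\/]+[\\/]", "", user)


def naive_filter(user):
    """What unescaped {0} substitution produces."""
    return USER_SEARCH.replace("{0}", user)


def safe_filter(user):
    """Domain stripped, then escaped, so the backslash can no longer be misread."""
    return USER_SEARCH.replace("{0}", escape_filter_value(strip_domain(user)))
```

Running `decode_filter_value` on the value part of `naive_filter("test.dmz\\aelz")` yields the bytes `test.dmz` + 0xAE + `lz`, while `safe_filter` yields `(sAMAccountName=aelz)`.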
