> Date: Tue, 24 Feb 2015 20:45:09 +0100
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: Active Directory User Authentication Apache Tomcat 5.5 Struts Servlets JSP
> 
> Seema Patel wrote:
> > Hi,
> > 
> > We are using Apache Tomcat 5.5, JDK 1.5 and have an internal portal on our 
> > intranet which is written in Java, JSP, Struts and JSP.
> > I know that the tomcat and Java versions are old, but upgrading isn't a 
> > quick thing to do without lots of testing.
> > 
> > The issue we have is that the users keep getting the authentication box 
> > popping up asking for username and password when using the portal in 
> > Internet Explorer.
> > One of the users has noticed that when they use Chrome, they don't seem to 
> > get this popup constantly.  Authentication is against the Active Directory 
> > using JCIFS (I know it's discontinued, but to re-write and test is not 
> > feasible at the moment).  The users are meant to be using Internet Explorer 
> > as not everything works in Chrome. 
> > 
> > We have been trying to work out this issue for some time, with no success.  
> > The user saying that it works in Chrome makes us wonder if there's 
> > something within Internet Explorer that is possibly dropping the connection 
> > or something for it to keep asking the user for username and password.  Or 
> > is there something that Internet Explorer doesn't like with Apache Tomcat?
> > 
> > 
> > Any  help/guidance on this issue is greatly appreciated.
> > 
> Hi.
> 
> Tomcat 5.5 is old.
> The JCIFS http/NTLM authentication filter is old and deprecated and does not work anymore in any recent Windows Domain setup, because it only works with NTLM v1.
> Please read the first paragraph in blue here : 
> http://jcifs.samba.org/src/docs/ntlmhttpauth.html
> and *believe what it says, it is true*.
> (Look at Jespa @ www.ioplex.com for a painless replacement)
> (look at a more recent version of Tomcat and the SPNEGO authentication valve for another possible replacement)
> 
> A login dialog that pops up in the browser when it should not, indicates one thing for sure : /something/ is not working in the WIA (Windows Integrated Authentication).
> But what that something is in your case, is impossible to say from outside of your network.
> It is almost certainly not a browser problem.
> It may be things like :
> - some of the clients are running newer versions of Windows and/or browsers which will not accept NTLMv1 authentication anymore
> - in your network, there are multiple Domain Controllers, some of which younger than others. Some still accept to do NTLMv1 authentication, some do not.  As your clients get one or the other (quasi randomly) it sometimes works, and sometimes not.
> - and a large number of possible other reasons
> 
> The one certainty is : you are using obsolete software and solutions, and nobody will be able to give you any miracle solution for that.   The sooner you accept that, the less time you will lose in the end.
> 


Thanks Andre.  I think we do use NTLM v2, so that could be why we're getting 
the issues.
I have been looking into upgrading, on and off, so not sure if what I have done 
is right or not as I've not looked at it in a while.

I do remember looking into Jespa and SPNEGO but I don't think we want to go 
down those routes.
I have been looking at and trying to get traditional LDAP authentication, but I 
don't know much about this (previous developers have said to use this method 
but are no longer available to assist).

I am hoping if you could guide/assist me in knowing if what I have done and am 
trying to do is right.
So in my server.xml I now have:

<Realm className="org.apache.catalina.realm.LockOutRealm">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>

    <!-- JNDIRealm authenticates against Active Directory in two steps:
         1. bind as connectionName/connectionPassword and run userSearch
            (here on sAMAccountName) below userBase to find the user's DN;
         2. bind as that DN with the password the browser sent, then run
            roleSearch below roleBase, where {0} is the user's DN, and take
            the roleName attribute (cn) of every matching group as a role.
         connectionURL must be an LDAP URL, e.g. ldap://host:389 or
         ldaps://host:636; the bind account only needs read access. -->
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionName="xxx@xxx.local"
           connectionPassword="xxx"
           connectionURL="xxx"
           referrals="follow"
           roleBase="dc=xxx,dc=local" roleName="cn" roleSearch="(member={0})"
           roleSubtree="true"
           userBase="dc=vtlwavenet,dc=local"
           userSearch="(sAMAccountName={0})" userSubtree="true"/>
</Realm>

I have also removed all JCIFS and NTLM filters etc from my web.xml, I now have:

<filter>
    <filter-name>ADGroupFilter</filter-name>
    <filter-class>com.xxx.xxx.ADGroupFilter</filter-class>
    <init-param>
        <param-name>AllowedGroups</param-name>
        <param-value>xxx,xxx,xxx</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>Auth Filter</filter-name>
    <filter-class>com.xxx.xxx.RequestFilter</filter-class>
    <init-param>
        <param-name>LogonPage</param-name>
        <param-value>xxx.do</param-value>
    </init-param>
    <init-param>
        <param-name>UnsecuredPages</param-name>
        <!-- separated by commas -->
        <param-value>xxx.do,UnauthorisedAccess.jsp</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>NoCacheFilter</filter-name>
    <filter-class>com.xxx.xxx.NoCacheFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>NoCacheFilter</filter-name>
    <url-pattern>/includes/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>NoCacheFilter</filter-name>
    <!-- For a filter, Tomcat treats "/" as an exact match on the context
         root only; use "/*" if the intent is every request. -->
    <url-pattern>/</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>ADGroupFilter</filter-name>
    <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>ADGroupFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>Auth Filter</filter-name>
    <!-- With the *.jsp mapping commented out, a JSP requested directly is
         not passed through this filter; only the container
         security-constraint below still protects it. -->
    <!-- <url-pattern>*.jsp</url-pattern> -->
    <url-pattern>*.do</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

<security-constraint>
    <display-name>your web app display name</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- Each role-name must equal the cn of an AD group returned by the
         realm's roleSearch for the user, and should also be declared in a
         <security-role> element below. -->
    <auth-constraint>
        <role-name>G-MIS</role-name>
        <role-name>G-PORTAL-FINANCE</role-name>
        <role-name>G-PORTAL-LEGAL</role-name>
        <role-name>G-PORTAL-SALES-DIRECT</role-name>
        <role-name>G-PORTAL-SALES-DIRECT-N</role-name>
        <role-name>G-PORTAL-SALES-INDIRECT</role-name>
        <role-name>G-PORTAL-SALES-WHOLESALE</role-name>
        <role-name>G-PORTAL-SDPM</role-name>
        <role-name>G-PORTAL-SERVICE</role-name>
        <role-name>G-PORTAL-SRV</role-name>
        <role-name>G-PORTAL-SRV-MGMT</role-name>
        <role-name>G-PORTAL-SUPPORT-RETAIL</role-name>
        <role-name>G-PORTAL-SUPPORT-WHOLESALE</role-name>
        <role-name>G-PORTAL-TESTER</role-name>
        <role-name>G-PORTAL-COMMERCIAL</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <!-- realm-name is only the label the browser shows in its credential
         dialog; it does not select which Realm in server.xml is used. -->
    <realm-name>org.apache.catalina.realm.JNDIRealm</realm-name>
</login-config>

<security-role>
    <role-name>xxx</role-name>
</security-role>
<security-role>
    <role-name>xxx</role-name>
</security-role>
<security-role>
    <role-name>xxx</role-name>
</security-role>

I then have some servlet configurations in there too.

Having looked at the application, I get the login box once, which is when I 
first go to the application page.  It is also upgraded to Java 1.6 and Tomcat 
7.0.52.

Further assistance on if I'm doing the authentication correctly would be a 
great help.

Thanks
Seema
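As an added example, not Seema's configuration and not code from the original thread: the same JNDIRealm set-up with the pieces a practitioner would want around BASIC authentication, namely an LDAPS connection URL with a fallback DC, explicit LockOutRealm limits, a TLS connector and a CONFIDENTIAL transport guarantee so that the Base64-encoded user:password the browser sends on every request never crosses the wire in clear. The host names, keystore path, bind account and passwords are placeholders I assumed; two of the G-PORTAL-* group names are reused from the poster's auth-constraint. The attributes themselves are standard Tomcat 7 Connector, LockOutRealm and JNDIRealm attributes.

```xml
<!-- server.xml (added example; host names, keystore and bind account are
     assumed placeholders, not values from the thread) -->
<Service name="Catalina">

  <!-- Plain HTTP stays open but anything the security-constraint below
       marks CONFIDENTIAL is redirected to redirectPort before auth runs. -->
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>

  <!-- BASIC auth sends user:password Base64-encoded on every request,
       so the portal itself must be served over TLS. -->
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true"
             keystoreFile="${catalina.base}/conf/portal.jks"
             keystorePass="changeit"
             clientAuth="false" sslProtocol="TLS"/>

  <Engine name="Catalina" defaultHost="localhost">

    <!-- LockOutRealm wraps the real realm and rejects a user after
         failureCount failed attempts for lockOutTime seconds; this limits
         online password guessing against the AD accounts. -->
    <Realm className="org.apache.catalina.realm.LockOutRealm"
           failureCount="5" lockOutTime="300"
           cacheSize="1000" cacheRemovalWarningTime="3600">

      <!-- JNDIRealm against Active Directory over LDAPS so the bind
           password and user passwords are not sent to the DC in clear.
           alternateURL is used when the first DC cannot be reached. -->
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldaps://dc1.example.local:636"
             alternateURL="ldaps://dc2.example.local:636"
             connectionName="svc-tomcat-ldap@example.local"
             connectionPassword="changeit"
             referrals="follow"
             userBase="ou=Users,dc=example,dc=local"
             userSearch="(sAMAccountName={0})"
             userSubtree="true"
             roleBase="ou=Groups,dc=example,dc=local"
             roleName="cn"
             roleSearch="(member={0})"
             roleSubtree="true"/>
    </Realm>

    <Host name="localhost" appBase="webapps"/>
  </Engine>
</Service>

<!-- web.xml fragment (added example) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- must match the cn of the AD groups roleSearch returns -->
    <role-name>G-PORTAL-FINANCE</role-name>
    <role-name>G-PORTAL-LEGAL</role-name>
  </auth-constraint>
  <!-- CONFIDENTIAL: a plain-HTTP request to a protected URL is redirected
       to HTTPS before the browser is ever asked for credentials. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <!-- only the label in the browser's credential dialog -->
  <realm-name>Intranet Portal</realm-name>
</login-config>

<security-role><role-name>G-PORTAL-FINANCE</role-name></security-role>
<security-role><role-name>G-PORTAL-LEGAL</role-name></security-role>
```

Two things to check before relying on this: the JVM running Tomcat must trust the certificate the domain controllers present on 636 (import the issuing CA into the JRE's cacerts or point javax.net.ssl.trustStore at a truststore that contains it), otherwise the realm fails to connect and every login is rejected; and the LockOutRealm counts failures per user name, so a locked-out user sees the same BASIC prompt again rather than an error page, which is worth knowing when reading the logs.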
