André, thank you for your answer.

The service was effectively running under "Local System Account".
I've been able to change this and now the calls to web services are
successful.
But the problem is that my SSO with Waffle doesn't work anymore...

I have to admit I'm a bit lost....




On Wed, Apr 27, 2016 at 10:43 AM, André Warnier (tomcat) <a...@ice-sa.com>
wrote:

> On 27.04.2016 10:27, Stéphane Thibaudeau wrote:
>
>> Hi,
>>
>> I'm trying to deploy a webapp on Tomcat 8.0.33 running as a Windows
>> service.
>>
>> The webapp is based on Spring Boot (not sure if relevant).
>>
>> The webapp calls external SOAP web services that have been published on
>> another machine (by Navision, Microsoft's ERP).
>> To authenticate and be able to call these web services I've created a
>> class
>> extending java.net.Authenticator. This class overrides
>> getPasswordAuthentication() to return the domain, user and password to be
>> used to call the web services. This class is registered using
>> Authenticator.setDefault().
>>
>> The problem I'm struggling with is the following :
>> - when I run my application in Eclipse using Spring boot's main class
>> everything is working fine.
>> - when I deploy the application using jetty-runner, everything's working
>> fine too
>> - but when I deploy my war on Tomcat, my custom Authenticator class is
>> never called to get the required credentials to call the external Web
>> services.
>>
>> The authenticator registration is made during the startup. I've checked
>> this in debug mode.
>>
>> Using Wireshark I've been comparing the working and failing cases.
>>
>> The working cases (Eclipse or Jetty)  consist in this conversation :
>> => POST /url/to/ws HTTP HTTP/1.1
>> <= HTTP/1.1 401 Unauthorized
>> => POST /url/to/ws HTTP HTTP/1.1 , NTLMSSP_NEGOTIATE
>> <= HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE
>> => POST /url/to/ws HTTP HTTP/1.1 , NTLMSSP_AUTH, User : MYDOMAIN\myuser
>> <= HTTP/1.1 200 OK
>>
>> The failing case (Tomcat as windows service) consists in this
>> conversation :
>> => GET /url/to/ws HTTP HTTP/1.1
>> <= HTTP/1.1 401 Unauthorized
>> => GET /url/to/ws HTTP HTTP/1.1 , NTLMSSP_NEGOTIATE
>> <= HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE
>> => GET /url/to/ws HTTP HTTP/1.1 , NTLMSSP_AUTH, User : \
>> <= HTTP/1.1 403 Forbidden
>>
>> I see 2 differences here. The use of GET instead of POST. I have no clue
>> why this happens, the code is exactly the same.
>> And there is no user/password provided, which seems to be consistent as my
>> authenticator does not get called.
>>
>> At last, when I try to access the url from my browser I get the same
>> conversation as with Tomcat, but I can provide my credentials through the
>> prompt dialog and then access my WSDL.
>> This leads me to think that the GET vs POST may not be the problem.
>>
>> Could someone explain what I could do now to be able to call my web
>> services ?
>> What other information would be useful ?
>>
>>
> Independently of what your Authenticator does (on which I am not qualified
> to comment), I do see a big difference above in your testing conditions :
> - for the Eclipse and Jetty cases, I presume that you are running these
> under the Windows user-id under which you are logged-in (which is a valid
> Windows Domain account)
> - while for Tomcat, it runs as a Service
>
> A question : under which user-id does the Tomcat Service run ?
> If it is anything like "LocalSystem" or "LocalService", then it is no
> wonder that a Windows Domain authentication doesn't work. These accounts
> are local, and have no access to Windows "domain resources".
>

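An added example, not code from the original posts: one way to write the `java.net.Authenticator` subclass described in the question so that it logs every callback (which shows whether the JVM consulted it at all) and releases the domain credentials only to the intended server. The class name, the host `nav.example.internal` and the `WS_PASSWORD` environment variable are assumptions made for illustration.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.util.Arrays;
import java.util.logging.Logger;

// Hypothetical class: supplies one domain account, and only to one named server.
public final class WsAuthenticator extends Authenticator {
    private static final Logger LOG = Logger.getLogger(WsAuthenticator.class.getName());

    private final String expectedHost; // assumed host name of the web service
    private final String domainUser;   // DOMAIN\\user form, as in the trace above
    private final char[] password;

    public WsAuthenticator(String expectedHost, String domainUser, char[] password) {
        this.expectedHost = expectedHost;
        this.domainUser = domainUser;
        this.password = password.clone(); // keep our own copy; caller may wipe theirs
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        // If this line never appears in the log, the callback was never invoked.
        LOG.info(() -> "auth callback: type=" + getRequestorType()
                + " scheme=" + getRequestingScheme()
                + " host=" + getRequestingHost()
                + " url=" + getRequestingURL());

        // Authenticator.setDefault() is JVM-wide, so in a servlet container any
        // HTTP client in any webapp can reach this method. Answer only a
        // server (not proxy) challenge from the host we expect.
        if (getRequestorType() != RequestorType.SERVER
                || !expectedHost.equalsIgnoreCase(getRequestingHost())) {
            return null; // no credentials for anyone else
        }
        return new PasswordAuthentication(domainUser, password);
    }

    public static void main(String[] args) {
        String secret = System.getenv("WS_PASSWORD"); // assumed secret source
        if (secret == null) {
            throw new IllegalStateException("WS_PASSWORD is not set");
        }
        char[] pw = secret.toCharArray();
        Authenticator.setDefault(
                new WsAuthenticator("nav.example.internal", "MYDOMAIN\\myuser", pw));
        Arrays.fill(pw, '\0'); // wipe the temporary copy
    }
}
```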