Hi.

On this list, it is preferred if you respond *below* the previous part.
It just makes it easier to follow the conversation later, for people who search 
the archives.

See : http://tomcat.apache.org/lists.html -> tomcat users -> important

See below.

On 27.04.2016 12:03, Stéphane Thibaudeau wrote:



On Wed, Apr 27, 2016 at 10:43 AM, André Warnier (tomcat) <a...@ice-sa.com>
wrote:

On 27.04.2016 10:27, Stéphane Thibaudeau wrote:

Hi,

I'm trying to deploy a webapp on Tomcat 8.0.33 running as a windows
service.

The webapp is based on Spring Boot (not sure if relevant).

The webapp calls external SOAP web services that have been published on
another machine (by Navision, Microsoft's ERP).
To authenticate and be able to call these web services I've created a
class
extending java.net.Authenticator. This class overrides
getPasswordAuthentication() to return the domain, user and password to be
used to call the web services. This class is registered using
Authenticator.setDefault().

The problem I'm struggling with is the following:
- when I run my application in Eclipse using Spring boot's main class
everything is working fine.
- when I deploy the application using jetty-runner, everything's working
fine too
- but when I deploy my war on Tomcat, my custom Authenticator class is
never called to get the required credentials to call the external Web
services.

The authenticator registration is made during the startup. I've checked
this in debug mode.

Using Wireshark I've been comparing the working and failing cases.

The working cases (Eclipse or Jetty) consist of this conversation:
=> POST /url/to/ws HTTP HTTP/1.1
<= HTTP/1.1 401 Unauthorized
=> POST /url/to/ws HTTP HTTP/1.1 , NTLMSSP_NEGOTIATE
<= HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE
=> POST /url/to/ws HTTP HTTP/1.1 , NTLMSSP_AUTH, User : MYDOMAIN\myuser
<= HTTP/1.1 200 OK

The failing case (Tomcat as windows service) consists of this
conversation:
=> GET /url/to/ws HTTP HTTP/1.1
<= HTTP/1.1 401 Unauthorized
=> GET /url/to/ws HTTP HTTP/1.1 , NTLMSSP_NEGOTIATE
<= HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE
=> GET /url/to/ws HTTP HTTP/1.1 , NTLMSSP_AUTH, User : \
<= HTTP/1.1 403 Forbidden

I see 2 differences here. The use of GET instead of POST. I have no clue
why this happens, the code is exactly the same.
And there is no user/password provided, which seems to be consistent as my
authenticator does not get called.

At last, when I try to access the url from my browser I get the same
conversation as with Tomcat, but I can provide my credentials through the
prompt dialog and then access my WSDL.
This leads me to think that the GET vs POST may not be the problem.

Could someone explain what I could do now to be able to call my web
services?
What other information would be useful?


Independently of what your Authenticator does (on which I am not qualified
to comment), I do see a big difference above in your testing conditions:
- for the Eclipse and Jetty cases, I presume that you are running these
under the Windows user-id under which you are logged-in (which is a valid
Windows Domain account)
- while for Tomcat, it runs as a Service

A question: under which user-id does the Tomcat Service run?
If it is anything like "LocalSystem" or "LocalService", then it is no
wonder that a Windows Domain authentication doesn't work. These accounts
are local, and have no access to Windows "domain resources".


André, thank you for your answer.

The service was effectively running under "Local System Account".
I've been able to change this and now the calls to web services are
successful.
But the problem is that my SSO with Waffle doesn't work anymore...

I have to admit I'm a bit lost....


You are not the only one.
Welcome to the delights of Windows Domain authentication.

I do not know how Waffle works, but I would guess that the problem is that now Waffle tries to use your new Tomcat user-id, as the user-id under which it "logs in" to the Domain, to authenticate /other/ web users. And that user-id (the one which it now uses) does not have the correct privileges to do this, /as a server/.

Maybe you should consult the Waffle FAQ, to see if that kind of issue is not already solved: http://waffle.codeplex.com/wikipage?title=Frequently%20Asked%20Questions&referringTitle=Documentation

I think that before that, you also have to decide between conflicting scenarios:
- your webapp should authenticate to the external server with the same user-id as the current authenticated webapp user
- your webapp should authenticate to the external server under the user-id under which Tomcat runs as a Service
- your webapp should authenticate to the external server under some arbitrary and fixed user-id from some configuration file (or web.xml of your webapp).

One last tip: generally speaking, in any kind of Windows-Domain-based authentication scenario, when a browser login dialog appears, it means that the authentication has reverted to HTTP Basic authentication, and that is usually a sign that something is not working as it should.
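The thread turns on a java.net.Authenticator registered with Authenticator.setDefault() that returns the domain, user and password for the ERP calls, and on the question of which account actually ends up in the NTLM exchange. The class below is an added example, not code from Stéphane's webapp or from the Tomcat or Waffle projects. It shows the same pattern with two things a practitioner wants when debugging "my authenticator is never called": it logs every request it receives (scheme, host, port, requestor type, but never the secret), so the log can be lined up against a capture like the ones quoted above, and it only answers for the one expected host, so the fixed credentials are never handed to a proxy or to some other server that happens to send a 401. The property names erp.domain, erp.user, erp.password and erp.host are assumptions for this example.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.util.Objects;
import java.util.logging.Logger;

/**
 * Added example: a default Authenticator for outbound calls to a single
 * NTLM-protected SOAP endpoint. It answers only SERVER challenges from the
 * configured host and logs each challenge (minus the password) so that a
 * missing log line tells you the JDK never consulted it.
 */
public final class ServiceCallAuthenticator extends Authenticator {

    private static final Logger LOG = Logger.getLogger(ServiceCallAuthenticator.class.getName());

    private final String domain;
    private final String user;
    private final char[] password;
    private final String allowedHost;

    public ServiceCallAuthenticator(String domain, String user, char[] password, String allowedHost) {
        this.domain = Objects.requireNonNull(domain, "domain");
        this.user = Objects.requireNonNull(user, "user");
        this.password = Objects.requireNonNull(password, "password").clone();
        this.allowedHost = Objects.requireNonNull(allowedHost, "allowedHost");
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        // Log the challenge details; correlate these with the 401/NTLMSSP_CHALLENGE
        // lines in a packet capture. The password is deliberately not logged.
        LOG.info(() -> String.format("credentials requested: type=%s scheme=%s host=%s port=%d url=%s",
                getRequestorType(), getRequestingScheme(), getRequestingHost(),
                getRequestingPort(), getRequestingURL()));

        // Only answer origin-server challenges from the expected ERP host; returning
        // null means "no credentials" for anything else (proxies, unexpected hosts).
        if (getRequestorType() != RequestorType.SERVER
                || !allowedHost.equalsIgnoreCase(getRequestingHost())) {
            LOG.warning(() -> "refusing to supply credentials to " + getRequestingHost());
            return null;
        }

        // The JDK's built-in NTLM support accepts the domain in the user name as
        // DOMAIN\user; the same string also works for Basic if the server falls back.
        return new PasswordAuthentication(domain + "\\" + user, password.clone());
    }

    /**
     * Installs the authenticator from system properties (names are assumptions for
     * this example; in a real deployment read them from a protected config source,
     * never from a checked-in file or the war itself).
     */
    public static void installFromSystemProperties() {
        String domain = required("erp.domain");
        String user = required("erp.user");
        String password = required("erp.password");
        String host = required("erp.host");
        Authenticator.setDefault(new ServiceCallAuthenticator(domain, user, password.toCharArray(), host));
        LOG.info(() -> "default Authenticator installed for host " + host + " as " + domain + "\\" + user);
    }

    private static String required(String name) {
        String value = System.getProperty(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("missing system property " + name);
        }
        return value;
    }
}
```

Two points worth knowing when reading the output alongside a capture. First, Authenticator.setDefault() is JVM-wide: on a Tomcat instance hosting several webapps, the last one to call it wins, and every HttpURLConnection in the JVM, including ones made by other applications, will be offered these credentials, which is why the host check above matters. Second, on Windows the JDK's NTLM implementation can attempt transparent authentication with the credentials of the account running the process before it asks the Authenticator; an NTLMSSP_AUTH message carrying an empty user, as in the failing capture, is consistent with that path being taken under a local service account, and a missing "credentials requested" log line confirms the Authenticator was never reached. Recent JDK releases expose the jdk.http.ntlm.transparentAuth networking property to control that behaviour; for the JDK in use at the time of this thread, check the release's networking properties documentation rather than assuming it is present.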

