Folks, I have found that if Windows authentication (NTLM) is enabled for a site 
(or folder) in IIS, such authentication does apply (and is honored) for static 
files (html, images) but NOT dynamic ones (servlets, JSPs). Is that intended?

To be clear, this is the latest Tomcat 8 (8.5.31) and the latest IIS connector 
(1.2.43). The uriworkermap.properties is configured to pass all requests to 
Tomcat (not just JSPs, for instance). 

What I’m referring to in particular is this: consider that I set the security 
properties for one of the JSP example folders:

C:\Program Files\Apache Software Foundation\Tomcat 8.5_Tomcat8_5_31\webapps\examples\jsp\jsp2\el

such that my user had been denied access to that folder.

And let’s say I have configured a site in IIS that listens on port 91 to pass 
to Tomcat. If I open a new browser window (so as to not have any caching of 
previous authentication), and I visit this URL:

http://localhost:91/examples/jsp/jsp2/el/basic-arithmetic.html

I get a prompt in the browser to login, and if I login with the user whose 
permissions had been denied, I get a rejection from IIS. (In my case, I am 
running my Tomcat test site on port 91 in IIS. It’s not at all pertinent if 
there is a non-std port or port 80 used.)

The key issue is that if I then visit a JSP or servlet, that IS ALLOWED to run, 
even though a static file is rejected:

http://localhost:91/examples/jsp/jsp2/el/basic-arithmetic.jsp

I have found nothing in the docs to indicate that this is expected behavior. 
Can anyone offer any thoughts? I am happy to do any tests or share any needed 
diagnostics to help resolve this. Thanks.



/charlie
