> -----Original Message-----
> From: Igal @ Lucee.org <i...@lucee.org>
> Sent: Monday, June 11, 2018 04:55 PM
> To: users@tomcat.apache.org
> Subject: Re: IIS authentication applies to static but not dynamic requests (servlets, JSPs). Any way to control that?
>
> Charlie,
>
> Are you sure that the static requests are passed to Tomcat? Can you verify that in the response headers?
>
> The logical explanation that I can think of is that IIS still serves the static content, but passes the JSP stuff to Tomcat without checking the security permissions.
>
> HTH,
>
> Igal Sapir
Thanks, Igal. No, I agree the static files are NOT passed to Tomcat. I wasn't saying that they were. :-) I was implying rather that they do NOT go to Tomcat, and are NOT processed by the Tomcat connector/ISAPI Filter (because they are not in the uriworkermap.properties list of processed URLs). This was to confirm that they WERE therefore being handled CORRECTLY by IIS, in that a user trying to run the request who did NOT have access to the files (per Windows on the server) would find the request rejected (per the Windows Authentication feature in IIS).

The problem is that jsps and servlets, which ARE passed to Tomcat by the connector (are in the uriworkermap.properties mappings) are NOT being properly rejected by IIS (or the connector, whichever should have control).

Now, I should add that I had in mind at one time a test to change the order of the modules in IIS, to put the ISAPIFilterModule below the WindowsAuthentication and FileAuthorization module, to see if that would "help". But really, that should not be needed (even if it would help). Users of Tomcat (who want to implement web server file security like this) shouldn't (I'd think) have to know of such a low-level tweak. I would think that the connector (the Tomcat isapifilter.dll) could/should implement such a security for the user. I suppose someone may quibble with that.

I had also meant to test things out in pure asp.net, to see if an aspx page got honored this way (was protected by Windows Auth and file security, like a static file). I forgot to do these before writing. (Someone wanting me to get this to the Tomcat folks for attention pressed me about it, and I forgot these were 2 things I wanted to check before writing in.) But perhaps someone familiar with all this may have a thought based simply on what has been shared so far.
/charlie
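Charlie's point rests on which request paths the uriworkermap.properties mappings hand to the Tomcat worker (and so skip IIS file authorization) versus which ones IIS serves itself. The following is an added example, not code from the thread or from the Tomcat connector: a small Python audit that reads a constructed uriworkermap.properties and classifies sample request paths. It assumes a simplified version of the redirector's matching rules (`#` comments, `pattern=worker` lines, `!` prefix for exclusions that win over mappings, exact matches before wildcard matches, longest wildcard pattern wins, `*` matching across `/`); the worker name `ajp13w` and all paths are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample uriworkermap.properties (not taken from the thread).
# JSPs and servlet paths go to the Tomcat worker; everything else stays with IIS.
SAMPLE_URIWORKERMAP = """
# dynamic content -> Tomcat
/*.jsp=ajp13w
/servlet/*=ajp13w
/app/*=ajp13w
# static files under /app/static are excluded and served by IIS
!/app/static/*=ajp13w
"""


def parse_uriworkermap(text):
    """Split a uriworkermap.properties body into (mappings, exclusions).

    Each entry is a (pattern, worker) tuple. Lines starting with '!' are
    exclusions; '#' lines and blank lines are ignored (assumed semantics).
    """
    mappings, exclusions = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, worker = line.partition("=")
        pattern, worker = pattern.strip(), worker.strip()
        if pattern.startswith("!"):
            exclusions.append((pattern[1:], worker))
        else:
            mappings.append((pattern, worker))
    return mappings, exclusions


def worker_for(path, mappings, exclusions):
    """Return the worker a request path is forwarded to, or None if IIS serves it.

    Simplified precedence (assumption): exclusions first, then an exact match,
    then the longest matching wildcard pattern.
    """
    for pattern, _ in exclusions:
        if fnmatchcase(path, pattern):
            return None
    for pattern, worker in mappings:
        if pattern == path:
            return worker
    candidates = [(len(pattern), worker)
                  for pattern, worker in mappings
                  if fnmatchcase(path, pattern)]
    if not candidates:
        return None
    return max(candidates)[1]


def audit(paths, text=SAMPLE_URIWORKERMAP):
    """Map each request path to the worker that handles it (None = IIS)."""
    mappings, exclusions = parse_uriworkermap(text)
    return {path: worker_for(path, mappings, exclusions) for path in paths}


if __name__ == "__main__":
    # Constructed request paths to classify.
    sample = ["/index.html", "/secure/report.jsp", "/servlet/Admin",
              "/app/data", "/app/static/logo.png"]
    for path, worker in audit(sample).items():
        where = f"forwarded to Tomcat worker {worker}" if worker else "served by IIS"
        print(f"{path:28} {where}")
```

Paths reported as forwarded to the worker are the ones whose file-level Windows authorization in IIS cannot be relied on in the situation Charlie describes, so the list is what you would review against the IIS module order or any Tomcat-side access control.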