Thanks Pid. That is what I'm working on right now. I am in the middle of the Decoder part of the code again.
My apologies to this list as I understood I could get that directly from the ISAPI filter as it would decrypt it for me, which it does per the ISAPI log, and then pass it on to me via the HttpServletRequest getRemoteUser() which it does not do. Thanks again, Pid. Your help is much appreciated. Regards. -----Original Message----- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, June 22, 2010 9:06 AM To: Tomcat Users List Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication On 22/06/2010 14:45, Savoy, Melinda wrote: > We had been working with JCIFS and chose the Tomcat Connector for IIS because > we're primarily a MS shop and already had IIS in place here. The team lead > who had written this custom code is no longer with the company and I've had > to try and figure out what all he did and then try to implement this Tomcat > connector. > > I've been able to talk to this former team lead and he basically told me the > following on the filter: > > The filter basically takes the request/response and does create an auth value > using the Base64Decoder and Base64Encoder from Sun and we populate a User > object that is then used throughout the session for authentication purposes > within the application as well as initially getting to the index.jsp page. I > was testing, by commenting out the filter in my web.xml, to see if I could > just get to a vanilla index.jsp page that only contained: > <%=getRemoteUser()%> so that I could make certain that I could get that value > which I understood I should be able to without setting up REALM's or auth in > the config. But after getting IIS to talk to Tomcat last week I've been > trying to get this to work and to no avail as of today and therefore the > reason for my post this morning. > > I understood that the ISAPI filter provided the decrypted info that JCIFS had > un decrypting and that is why we chose this route. But it seems like it is a > lot more involved that what I read about and what I've understood from others > on this list - which is fine but it was not as simple as I understood or > misunderstood as the case may be. > > Sorry I cannot be more specific. Hope this helps. So I'm reading this to mean that the Filter you have commented out is doing the work required to parse the auth header & set the relevant object values. One of the things a Servlet Filter can do is wrap the current request/response objects (see Servlet HttpServletRequestWrapper, HttpServletResponseWrapper interfaces), the wrappers provide methods which override certain request/response methods providing alternative return values. So your custom filter could be decoding the header and overriding the getRemoteUser and getUserPrincipal methods; your app accesses the methods and gets values that are not supplied by Tomcat auth/realm support. (Meaning the JavaRanch advice isn't applicable). So you need to look inside the execute(req, res) method you mentioned earlier to find out what it does, and re-enable the filter. p > -----Original Message----- > From: Pid [mailto:p...@pidster.com] > Sent: Tuesday, June 22, 2010 8:13 AM > To: Tomcat Users List > Subject: Re: Still having problem retrieving user value from ISAPI > Filter for authentication > > On 22/06/2010 13:59, Savoy, Melinda wrote: >> We have a custom filter that we're using because after we get the request >> and response info then I need to use the user value info and get the user >> also authenticated against a legacy system. >> >> But right now I have that commented out in my web.xml so that I can go >> directly to a test index.jsp page and verify that the getRemoteUser() is >> acquiring the user info from ISAPI but ISAPI is not providing that info to >> me via this method. I'm not sure, again, why it shows the info in the log >> but I cannot get to it directly. I'm not sure how Ranier was able to get to >> it as he stated awhile back. > > If there's no auth defined in web.xml then Tomcat isn't going to do anything > - AFAIK the auth valves don't trigger unless the config puts them in the > pipeline. > > If your auth is performed by a custom filter, that is currently commented > out, then you're not going to get very far there either. > > Do you know exactly what the filter does? > Does it decode the header itself and wrap the request/response objects? > > > p > > >> Thanks again. >> >> -----Original Message----- >> From: Pid [mailto:p...@pidster.com] >> Sent: Tuesday, June 22, 2010 7:53 AM >> To: 'Tomcat Users List' >> Subject: Re: Still having problem retrieving user value from ISAPI >> Filter for authentication >> >> On 22/06/2010 13:36, Savoy, Melinda wrote: >>> Thanks Pid, I did do that as well, but I did not see the user value there >>> either. >>> >>> Here is what I got when I did issue the getHeaderNames() and as you can see >>> the authorization shows the encrypted NTLM value but it is not decrypted >>> and I cannot get to the info though the ISAPI log shows the decrypted value >>> which I cannot get to: >>> >>> === MimeHeaders === >>> accept = */* >>> accept-language = en-us >>> connection = Keep-Alive >>> host = localhost >>> user-agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; >>> Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR >>> 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR >>> 3.5.30729; MS-RTC LM 8; MS-RTC EA 2) cookie = >>> JSESSIONID=969AE176A965514B845A6E3A9E83A21E >>> authorization = NTLM >>> TlRMTVNTUAADAAAAAAAAAEgAAAAAAAAASAAAAAAAAABIAAAAAAAAAEgAAAAAAAAASAAA >>> A >>> A >>> AAAABIAAAABcKIogUBKAoAAAAP >>> accept-encoding = gzip, deflate >>> content-length = 0 >>> >>> I don't know what I'm doing wrong here. Again, any help is appreciated. >> >> What do you have defined in web.xml for security-config etc? >> >> >> p >> >> >>> Thanks. >>> >>> -----Original Message----- >>> From: Pid [mailto:p...@pidster.com] >>> Sent: Tuesday, June 22, 2010 7:11 AM >>> To: Tomcat Users List >>> Subject: Re: Still having problem retrieving user value from ISAPI >>> Filter for authentication >>> >>> On 22/06/2010 13:05, Marc Boorshtein wrote: >>>> I haven't tried this with IIS, but we had quite the discussion on >>>> this last week with Apache & tomcat with JK. In your server.xml >>>> file add tomcatAuthentication="false" to the AJP connector object. >>>> If you look in the archives of this list for JK_REMOTE_USER there >>>> is a very interesting discussion on the topic. >>> >>> Also, you could iterate through the headers in request.getHeaderNames() to >>> see what's being passed across to Tomcat. >>> >>> >>> p >>> >>> >>>> Marc >>>> >>>> ------------------------------------------------------------------- >>>> - >>>> - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>>> For additional commands, e-mail: users-h...@tomcat.apache.org >>>> >>> >>> >>> >>> >>> The information contained in this message and any attachments is intended >>> only for the use of the individual or entity to which it is addressed, and >>> may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from >>> disclosure under applicable law. If you are not the intended recipient, >>> you are prohibited from copying, distributing, or using the information. >>> Please contact the sender immediately by return e-mail and delete the >>> original message from your system. >> >> >> >> >> The information contained in this message and any attachments is intended >> only for the use of the individual or entity to which it is addressed, and >> may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from >> disclosure under applicable law. If you are not the intended recipient, you >> are prohibited from copying, distributing, or using the information. Please >> contact the sender immediately by return e-mail and delete the original >> message from your system. > > > > > The information contained in this message and any attachments is intended > only for the use of the individual or entity to which it is addressed, and > may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from > disclosure under applicable law. If you are not the intended recipient, you > are prohibited from copying, distributing, or using the information. Please > contact the sender immediately by return e-mail and delete the original > message from your system. The information contained in this message and any attachments is intended only for the use of the individual or entity to which it is addressed, and may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from disclosure under applicable law. If you are not the intended recipient, you are prohibited from copying, distributing, or using the information. Please contact the sender immediately by return e-mail and delete the original message from your system. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
