Marcel Stör wrote:
Requirement:
a) /myapp authenticated against AD for all users with Windows
authentication
b) /myapp/API authenticated against AD for /one/ user with basic-auth
The plan was to have two sites in IIS with appropriate authentication
schemes. They both have a 'jakarata' virtual directory pointing to one
and the same physical path (DLL etc.).
Then we wanted to alter the security settings on the directory excluding
all but one user for requirement b). Since this modifies the security
settings of the physical folder we'd have to install the IIS Tomcat
connector a second time pointing to the same AJP port (one Tomcat
instance).
Should this work in general?
Are there better alternatives to implement the given requirements?
You are not really saying at which level you are doing this authentication (IIS or
Tomcat), but I will assume you do it at the IIS level, and set
tomcatAuthentication="false" in the Tomcat AJP Connector.
The first thing I would like to point out is that your (b) mechanism may not be applicable
in some environments, as it may not be allowed by the network security policies, and the
browsers may not even be /allowed/ to do Basic authentication. You should maybe check
that first with the network admins.
My second question would be "why 2 sites ?". Does IIS not allow you to specify
authentication requirements on a per-location base inside the same "site" ?
Normally, in decent webservers (like Apache httpd and Tomcat ;-)), the longest matching
path "wins", so for a request pointing to "/myapp/API", the specification in "/myapp/API"
should be applied, and not the one for "/myapp".
You should not need 2 sites, nor two connectors, for this.
You have also not really explained why you want to do Basic auth for "/myapp/API". I
suspect that it is because this URL would be accessed by some client other than a browser,
and this client is not able to do NTLM auth. It may help to confirm this.
In a spirit of widening your scope of investigation, you may also want to have a look at
having your client access Tomcat's "/myapp/API" directly (bypassing IIS), and in that case
do the AD authentication at the Tomcat level, using Tomcat's SPNEGO authentication Valve,
or Waffle or Jespa (commercial). Jespa for instance provides ample possibilities to try
NTLM/SPNEGO first, and if it doesn't work fall back to Basic auth (still with an AD back-end).
This scheme would even work via IIS and AJP, if you tell IIS to not authenticate for
"/myapp/API" and proxy the call to Tomcat anyway, letting Tomcat do the authentication.
In summary, there are probably several ways to do this, depending on your exact
circumstances/requirements. The more details you provide though, the better people on
this list may be able to help you.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
