A short follow-up question here which is not Tomcat related:
When you use request.getRemoteUser() to do your authentication it is very
insecure, isn't it:
You can just send your "bad" HTTP request which contains the administrator
name as the remote user HTTP header field and you're authenticated as
administrator without any password.
Am I right here? Does SSL solve this problem?

> -----Original Message-----
> From: Allistair Crossley [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 26 October 2005 12:42
> To: Tomcat Users List; tomcat-user@jakarta.apache.org
> Subject: RE: jCIFS Jboss Tomcat IIS NTLM Authentication
> 
> 
> if you're using IIS in front of your application you don't 
> need to use jCIFS. All you do is set the directory 
> permissions on your website to Integrated Windows 
> Authentication, then configure your Tomcat AJP Connector 
> element with tomcatAuthentication="false". Then 
> request.getRemoteUser() will return the Windows username.
> 
> > -----Original Message-----
> > From: Scott Shaver [mailto:[EMAIL PROTECTED]
> > Sent: 25 October 2005 22:10
> > To: tomcat-user@jakarta.apache.org
> > Subject: jCIFS Jboss Tomcat IIS NTLM Authentication
> > 
> > 
> > 
> > Okay I've spent the last several days going over everything I 
> > could find on the web about setting this up and I still can't 
> > get it to work. I have the following setup:
> > 
> > jCIFS 1.2.6
> > 
> > JBoss 4.0.3 with Tomcat 5
> > 
> > Jakarta isapi_redirect 1.2.14
> > 
> > IIS 5.0
> > 
> > IE 6
> > 
> > Windows 2003 Domain Controller
> > 
> > 
> > A win2k machine running a small web app, on Jboss, with the 
> > jcifs.http.NtlmHttpFilter set up. An IIS box fronting the app 
> > server using the isapi redirector to pass the requests 
> > through to jboss. If I hit the app server directly with IE I 
> > see the following output from jboss:
> > 
> > 14:06:24,692 INFO  [STDOUT] Transport1:   connect: state=0
> > 14:06:24,692 INFO  [STDOUT] New data read: Transport1[MC4DC01<00>/999.16.11.10:0]
> > 14:06:24,692 INFO  [STDOUT] 00000: FF 53 4D 42 72 00 00 00 00 98 03 C0 00 00 00 00  | SMBr......└....|
> > 00010: 00 00 00 00 00 00 00 00 00 00 73 59 00 00 06 00  |..........sY....|
> > 14:06:24,692 INFO  [STDOUT] byteCount=50 but readBytesWireFormat returned 32
> > 14:06:24,692 INFO  [STDOUT] Transport1: run connected
> > 14:06:24,708 INFO  [STDOUT] Transport1: connected: state=3
> > 14:06:24,724 INFO  [STDOUT] treeConnect: unc=\\MC4DCA01\IPC$,service=?????
> > 14:06:24,739 INFO  [STDOUT] New data read: Transport1[MC4DC01<00>/999.16.11.10:0]
> > 14:06:24,739 INFO  [STDOUT] 00000: FF 53 4D 42 73 00 00 00 00 98 03 C0 00 00 00 00  | SMBs......└....|
> > 00010: 00 00 00 00 00 00 00 00 07 20 73 59 00 40 07 00  |......... [EMAIL PROTECTED]|
> > 14:06:24,755 INFO  [STDOUT] NtlmHttpFilter: MCDATACORPNT\sas1a780c successfully authenticated against 0.0.0.0<00>/172.16.11.10
> > 
> > which is great, that is exactly what I wanted it to do. I was 
> > authenticated against our domain controller. So it appears 
> > jCIFS is working. However when I then go to the application 
> > via the IIS server this happens:
> > 
> > 12:32:17,115 INFO  [STDOUT] treeConnect: unc=\\MC4DCA01\IPC$,service=?????
> > 12:32:17,130 INFO  [STDOUT] New data read: Transport1[MC4DCA01<00>/999.16.11.10:0]
> > 12:32:17,130 INFO  [STDOUT] 00000: FF 53 4D 42 73 6D 00 00 C0 98 03 C0 00 00 00 00  | SMBsm..└..└....|
> > 00010: 00 00 00 00 00 00 00 00 00 00 73 59 00 00 05 00  |..........sY....|
> > 12:32:17,130 INFO  [STDOUT] NtlmHttpFilter: MCDATACORPNT\sas1a780c: 0xC000006D: jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.
> > 12:32:17,146 INFO  [JkCoyoteHandler] Response already committed
> > 
> > 
> > So the question is: What is causing it to fail when going 
> > through IIS?
> > 
> > 
> > I'm only using the jcifs.http.domainController and 
> > jcifs.smb.client.domain settings in the web.xml for the filter.
> > 
> > 
> > Is it IIS? Is it the isapi_redirect ISAPI filter on IIS? Is 
> > it the AJP13 worker threads on the Jboss side? Is it 
> > something happening between the worker threads and the 
> > request hand-off to the tomcat server?
> > 
> > I have the entire list of instructions written down for how I 
> > have set all of this up if anyone needs to see it. I can get 
> > the logs from the ISAPI filter if that would help. I've seen 
> > many many threads about people having issues with this but no 
> > real answers and no configurations exactly like this. Any 
> > help is greatly appreciated.
> > 
> > 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 

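The recipe in Allistair's reply (Integrated Windows Authentication on IIS, tomcatAuthentication="false" on the AJP connector) works because Tomcat then takes the user name the front end forwards on trust, so the connector itself must be reachable only by that front end. As an added illustration that is not part of the thread, here is the weak connector beside a hardened one. The attribute names are those of the AJP connector in Tomcat 8.5.51 / 9.0.31 and later (an assumption on my part; the Tomcat 5 connector in the thread is configured with different attribute names), and the secret value is a placeholder to be replaced with a long random string.

```xml
<!-- Weak: listens on every interface, so any host that can open TCP 8009
     can hand Tomcat a forward request carrying whatever remote_user it likes. -->
<Connector port="8009" protocol="AJP/1.3"
           tomcatAuthentication="false" />

<!-- Hardened: only the local IIS/isapi_redirect instance can connect, and every
     request must carry the shared secret before the forwarded user is accepted. -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           secretRequired="true"
           secret="replace-with-a-long-random-value"
           tomcatAuthentication="false" />
```

The matching worker on the IIS side must send the same value: in the workers.properties used by isapi_redirect/mod_jk, set the worker's `secret` property (for example `worker.ajp13w.secret=replace-with-a-long-random-value`). If IIS runs on another host, replace the loopback address with the Tomcat interface IIS reaches and firewall port 8009 to that one source address; TLS between the browser and IIS does nothing for this leg.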
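In the IIS-fronted setup described in the thread the user name is not an HTTP header at all: isapi_redirect puts it into the binary AJP13 forward-request packet as the remote_user attribute (code 0x03), and with tomcatAuthentication="false" Tomcat copies that attribute straight into the principal behind request.getRemoteUser(). Whoever can open a TCP connection to the AJP port can write that attribute, which is why the question of "SSL" is beside the point for this leg and why the connector has to be unreachable from clients. The following encoder/decoder is my own added example, not code from the thread, jCIFS or Tomcat; the packet, host names and the user name MCDATACORPNT\administrator are constructed, and `remote_user_seen_by_tomcat` is a deliberately small model of the connector's behaviour (it assumes no Tomcat-side Realm is configured, so with tomcatAuthentication="true" no user results).

```python
import struct

# AJP13 "forward request": the message isapi_redirect/mod_jk sends to Tomcat's
# AJP connector for each proxied HTTP request. Layout per the AJP13 protocol.
AJP_MAGIC = b"\x12\x34"
FORWARD_REQUEST = 0x02
METHOD_CODES = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6}
METHOD_NAMES = {v: k for k, v in METHOD_CODES.items()}
# Common header names travel as two-byte codes rather than strings.
HEADER_CODES = {"authorization": 0xA005, "cookie": 0xA009, "host": 0xA00B, "user-agent": 0xA00E}
HEADER_NAMES = {v: k for k, v in HEADER_CODES.items()}
# Request attributes: one code byte, then a value; 0xFF ends the list.
ATTR_NAMES = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user", 0x04: "auth_type",
              0x05: "query_string", 0x06: "route", 0x07: "ssl_cert", 0x08: "ssl_cipher",
              0x09: "ssl_session", 0x0C: "secret", 0x0D: "stored_method"}
ATTR_CODES = {v: k for k, v in ATTR_NAMES.items()}
ATTR_REQ_ATTRIBUTE, ATTR_SSL_KEY_SIZE, ATTR_TERMINATOR = 0x0A, 0x0B, 0xFF


def ajp_string(s):
    """AJP string: 2-byte length, bytes, NUL terminator; None is length 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    data = s.encode("latin-1")
    return struct.pack(">H", len(data)) + data + b"\x00"


def build_forward_request(method, uri, *, remote_addr, server_name, server_port=80,
                          is_ssl=False, headers=None, attributes=None):
    """Encode a forward request; `attributes` maps ATTR_NAMES values to strings."""
    body = bytes([FORWARD_REQUEST, METHOD_CODES[method]])
    body += ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string(remote_addr) + ajp_string(None)      # remote_host left unresolved
    body += ajp_string(server_name) + struct.pack(">H", server_port)
    body += bytes([1 if is_ssl else 0])
    headers = headers or {}
    body += struct.pack(">H", len(headers))
    for name, value in headers.items():
        code = HEADER_CODES.get(name.lower())
        body += struct.pack(">H", code) if code else ajp_string(name)
        body += ajp_string(value)
    for name, value in (attributes or {}).items():
        body += bytes([ATTR_CODES[name]]) + ajp_string(value)
    body += bytes([ATTR_TERMINATOR])
    return AJP_MAGIC + struct.pack(">H", len(body)) + body


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def int16(self):
        self.pos += 2
        return struct.unpack_from(">H", self.data, self.pos - 2)[0]

    def string(self):
        n = self.int16()
        if n == 0xFFFF:
            return None
        s = self.data[self.pos:self.pos + n].decode("latin-1")
        self.pos += n + 1                                    # skip the NUL
        return s


def parse_forward_request(packet):
    """Decode a forward request the way the container side reads it."""
    if packet[:2] != AJP_MAGIC:
        raise ValueError("not an AJP client packet")
    if struct.unpack_from(">H", packet, 2)[0] != len(packet) - 4:
        raise ValueError("length field does not match packet size")
    r = _Reader(packet[4:])
    if r.byte() != FORWARD_REQUEST:
        raise ValueError("not a forward request")
    req = {"method": METHOD_NAMES[r.byte()], "protocol": r.string(), "uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(), "server_name": r.string(),
           "server_port": r.int16(), "is_ssl": bool(r.byte()), "headers": {}, "attributes": {}}
    for _ in range(r.int16()):
        # A leading 0xA0 byte marks a coded header name; anything else is a string.
        name = HEADER_NAMES[r.int16()] if r.data[r.pos] == 0xA0 else r.string()
        req["headers"][name] = r.string()
    while True:
        code = r.byte()
        if code == ATTR_TERMINATOR:
            break
        if code == ATTR_REQ_ATTRIBUTE:                       # free-form name/value pair
            req["attributes"][r.string()] = r.string()
        elif code == ATTR_SSL_KEY_SIZE:                      # the one integer-valued attribute
            req["attributes"]["ssl_key_size"] = r.int16()
        else:
            req["attributes"][ATTR_NAMES[code]] = r.string()
    return req


def remote_user_seen_by_tomcat(packet, *, tomcat_authentication, required_secret=None):
    """Model (assumption: no Tomcat Realm configured) of what getRemoteUser() yields.
    A required secret is checked first, as a secretRequired AJP connector does."""
    req = parse_forward_request(packet)
    if required_secret is not None and req["attributes"].get("secret") != required_secret:
        raise PermissionError("AJP request rejected: missing or wrong secret")
    if tomcat_authentication:
        return None            # forwarded remote_user is ignored; only Tomcat's own authenticator counts
    return req["attributes"].get("remote_user")


if __name__ == "__main__":
    # Constructed sample: what anyone able to reach the AJP port could write.
    pkt = build_forward_request("GET", "/admin/", remote_addr="10.0.0.5", server_name="intranet",
                                headers={"Host": "intranet"},
                                attributes={"remote_user": "MCDATACORPNT\\administrator", "auth_type": "NTLM"})
    print(remote_user_seen_by_tomcat(pkt, tomcat_authentication=False))
    print(remote_user_seen_by_tomcat(pkt, tomcat_authentication=True))
```

Run stand-alone it prints the forwarded administrator name for the trusting connector and `None` for the one that authenticates itself; with `required_secret` set, the same packet is refused unless it also carries the matching secret attribute (code 0x0C), which is the check that makes an exposed port survivable.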