I have added a <security-constraint> to the sample application web.xml
(shown below) and modified the hello.jsp to show a request.getRemoteUser().
This has been shown to successfully invoke an authentication process. Now when
browsing to http://server/sample I receive a Windows prompt for user
logon. This is with IE9 and the browser is configured for autologon for the
Intranet zone and the server is in the Intranet zone. And there are 401 errors
in the localhost_access.log:

    10.208.101.129 - - [05/Mar/2013:16:25:21 +0000] "GET /sample/ HTTP/1.1" 401 951

Perhaps there is something wrong with the security-constraint xml code. I wish
to allow any authenticated domain user but am not certain as to how to best
implement this in the security constraint and role methods to achieve this.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Hello World App</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

In the Tomcat7-stdout.log I see:

2013-03-05 16:24:22 Commons Daemon procrun stdout initialized
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt 
true ticketCache is null isInitiator true KeyTab is C:/Program Files/Apache 
Software Foundation/Tomcat 7.0/conf/krb5.keytab refreshKrb5Config is false 
principal is svctomca...@itlab.int tryFirstPass is false useFirstPass is false 
storePass is false clearPass is false
principal is svctomca...@itlab.int
Will use keytab
Commit Succeeded

  [Krb5LoginModule]: Entering logout
  [Krb5LoginModule]: logged out Subject

Any suggestions?

Thanks,

 

Chris Fors
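
Added example, not part of the original message or of Tomcat: a small Python check over a web.xml like the one posted above. Under Servlet 3.0 (Tomcat 7) the role name `*` is shorthand for all roles declared in the deployment descriptor, so the check reports `*` used with no `<security-role>` declared; going slightly beyond the posted case, it also reports named roles without a declaration, an empty auth-constraint, and a missing `<auth-method>`. The sample descriptor and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the message, wrapped in a minimal
# descriptor that has no <security-role> and no <login-config>.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Hello World App</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def _find_all(elem, name):
    # Compare local names so the check works with or without an xmlns.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]


def audit_web_xml(xml_text):
    """Return a list of findings about role and login configuration."""
    root = ET.fromstring(xml_text)
    declared = set()
    for sr in _find_all(root, "security-role"):
        declared.update((r.text or "").strip() for r in _find_all(sr, "role-name"))
    findings = []
    for sc in _find_all(root, "security-constraint"):
        patterns = [(p.text or "").strip() for p in _find_all(sc, "url-pattern")]
        for ac in _find_all(sc, "auth-constraint"):
            roles = [(r.text or "").strip() for r in _find_all(ac, "role-name")]
            if not roles:
                findings.append(f"{patterns}: empty auth-constraint denies all access")
            for role in roles:
                if role == "*" and not declared:
                    findings.append(f"{patterns}: '*' used but no <security-role> declared")
                elif role != "*" and role not in declared:
                    findings.append(f"{patterns}: role '{role}' has no <security-role>")
    methods = [(m.text or "").strip() for m in _find_all(root, "auth-method")]
    if not methods:
        findings.append("no <auth-method> declared in <login-config>")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_web_xml(SAMPLE_WEB_XML)))
```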

> Date: Mon, 4 Mar 2013 18:48:24 -0600
> From: ch...@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: Tomcat Built-in WinAuth - NEW THREAD
> 
> Chris,
> 
> On 3/4/13 4:54 PM, Chris Fors wrote:
> >> Date: Mon, 4 Mar 2013 23:32:34 +0100 From: a...@ice-sa.com To:
> >> users@tomcat.apache.org Subject: Re: Tomcat Built-in WinAuth -
> >> NEW THREAD
> >> 
> >> Mark Thomas wrote:
> >>> On 04/03/2013 21:47, Chris Fors wrote:
> >>>> Could you please expand on what constraints you were
> >>>> referring to
> >>> 
> >>> Security constraints in web.xml
> >>> 
> >>>> and how they are best implemented, where, and in what syntax
> >>>> e.g. if implemented in web.xml what are the correct tags.
> >>> 
> >>> All defined in  the Servlet spec.
> >>> 
> >>>> If implemented in web.xml what are the correct tags. I have
> >>>> not found this clarified anywhere, yet.
> >>> 
> >>> Again, see the servlet spec.
> >> 
> >> You will find an example in the "manager" webapp that comes with
> >> Tomcat. Look at (tomcat)/webapps/manager/WEB-INF/web.xml, parts
> >> like this :
> >> 
> >> <security-constraint>
> >>   <web-resource-collection>
> >>     <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
> >>     <url-pattern>/html/*</url-pattern>
> >>   </web-resource-collection>
> >>   <auth-constraint>
> >>     <role-name>manager-gui</role-name>
> >>   </auth-constraint>
> >> </security-constraint>
> >> 
> >> In not-quite-technical terms :
> >> 
> >> The above, present at the level of the webapp, specifies a "role"
> >> which the authenticated user must have, in order to be able to
> >> access this part of the webapp. To determine if the user has that
> >> role, Tomcat must first know the user. This is what "triggers"
> >> the authentication mechanism. If nothing forces Tomcat to
> >> authenticate the user of this webapp, the authentication method
> >> may well be specified, but it will not be invoked.
> >> 
> > Was hoping to not have to hunt through the complete JSR 315
> > specification.  I will give the  constraint model above a shot
> > tomorrow. Thanks, Chris
> 
> Honestly, it's like 3 pages of reading, most of which is tables and
> examples. Reading the servlet spec (it's not your average spec: mere
> mortals *can* read and understand it) should be required in order to
> develop web applications.
> 
> -chris