On 27.04.2016 13:57, Stéphane Thibaudeau wrote:

Hi.

On this list, it is preferred if you respond *below* the previous part.
It just makes it easier to follow the conversation later, for people who
search the archives.

See : http://tomcat.apache.org/lists.html -> tomcat users -> important

See below.


My bad. I'll be careful about that now :)




You are not the only one.
Welcome to the delights of Windows Domain authentication.

I do not know how Waffle works, but I would guess that the problem is
that now Waffle tries to use your new Tomcat user-id, as the user-id under
which it "logs in" to the Domain, to authenticate /other/ web users.
And that user-id (the one which it now uses), does not have the correct
privileges to do this, /as a server/.

Maybe you should consult the Waffle FAQ, to see if that kind of issue is
not already solved :
http://waffle.codeplex.com/wikipage?title=Frequently%20Asked%20Questions&referringTitle=Documentation

I think that before that, you also have to decide between conflicting
scenarios :
- your webapp should authenticate to the external server with the same
user-id as the current authenticated webapp user
- your webapp should authenticate to the external server under the user-id
under which Tomcat runs as a Service
- your webapp should authenticate to the external server under some
arbitrary and fixed user-id from some configuration file (or web.xml of
your webapp).

One last tip : generally speaking, in any kind of Windows-Domain-based
authentication scenario, when a browser login dialog appears, it means that
the authentication has reverted to HTTP Basic authentication, and that is
usually a sign that something is not working as it should.


I'll follow your suggestions and look at the Waffle FAQ. I have already
read it to get Waffle working, but wasn't yet aware that it would prevent
me from connecting to the external server.

Between the conflicting scenarios, my choice would go to the third one
(configuration file) or the first one if it's not possible.


Here is something that might interest you :
https://github.com/dblock/waffle/blob/master/Docs/ServletSingleSignOnSecurityFilter.md
and look for "impersonate".
It is however NOT what you want, because if I understand this correctly, the "impersonation" of the webapp user only applies to /local/ actions done by the servlet on the local (server) machine (such as creating a file on disk for example).
(So I am just providing this, to avoid you looking in the wrong places).

The crucial element is how your webapp needs to login to the external 
webservices server.
Does that webservices server *require* a Windows Domain login ?
Or does it, for example, only require HTTP Basic authentication ?
And if only HTTP Basic authentication, is that going to remain so in all cases where you will deploy your webapp ?
Is that webservices server under your control ?

If that server requires only HTTP Basic authentication, and this is going to remain so for any foreseeable future in any place where you would install your webapp, then it should be possible, when your webapp issues the HTTP request to this webserver, to specify that it should use Basic authentication, with a provided user X / password Y. (Thus your solution #3). And this should not require having to override the standard java Authenticator class.

See this for example : http://hc.apache.org/httpclient-3.x/authentication.html

If that server may (now or in the future) require Windows Domain authentication, then your webapp has to be able to do that (and I am sure that there are standard Java classes for that)(see above, it also provides NTLM and Kerberos). But the only valid Windows Domain authentication it could then provide (I believe)(*), would be for the user-id under which Tomcat itself is running (which must then be a valid Domain account, including for that webservices webserver).

Now this last seems to conflict with Waffle.
But I think that this is then a Waffle issue, not an issue of Tomcat or of your 
webapp.
(Or maybe just an issue because you have overridden the java class).



(*) but maybe not :
http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html#spnego
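As an added illustration of solution #3 (not code from the thread, from Tomcat or from Waffle): the fixed user / password for the external web service are read from a properties file and attached to that one outgoing connection only, with plain JDK classes. The property file path and the keys `ws.url`, `ws.user`, `ws.password` are assumptions for this example, and the service URL is a placeholder. The point is that nothing here calls `Authenticator.setDefault()`: a JVM-wide Authenticator in Tomcat would answer challenges for every outgoing connection of every webapp in that JVM, and for any host that asks, which is both the interaction the thread is hitting and a way to hand the configured credentials to the wrong server.

```java
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Properties;

/**
 * Added example (not from the thread): call an external web service with
 * HTTP Basic credentials taken from a configuration file, scoped to this one
 * connection rather than installed JVM-wide via Authenticator.setDefault().
 */
public class BasicAuthClient {

    /** Build the Authorization header value for HTTP Basic (RFC 7617). */
    static String basicAuthorization(String user, String password) {
        String pair = user + ":" + password;
        return "Basic " + Base64.getEncoder()
                .encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * GET the given URL with the configured credentials and return the body.
     * The header is set on this HttpURLConnection only, so other outgoing
     * requests from the same JVM (other webapps, other hosts) never see it.
     */
    static String get(URL url, String user, String password) throws IOException {
        // Basic auth is just base64, not encryption: refuse to send it in clear.
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("refusing to send Basic credentials over " + url.getProtocol());
        }
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Authorization", basicAuthorization(user, password));
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(10000);

        int status = conn.getResponseCode();
        if (status == HttpURLConnection.HTTP_UNAUTHORIZED) {
            // Do not fall back to any other identity; report the failure as-is.
            throw new IOException("service rejected the configured credentials (401)");
        }
        if (status / 100 != 2) {
            throw new IOException("unexpected HTTP status " + status);
        }
        try (InputStream in = conn.getInputStream()) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[4096];
            int n;
            while ((n = in.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
            return new String(buf.toByteArray(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumed layout of the config file (hypothetical): ws.url, ws.user, ws.password.
        // In a webapp the same values could come from context-params in web.xml instead.
        String path = args.length > 0 ? args[0] : "webservice.properties";
        Properties cfg = new Properties();
        try (InputStream in = new FileInputStream(path)) {
            cfg.load(in);
        }
        URL url = new URL(cfg.getProperty("ws.url", "https://webservice.example.invalid/api"));
        String body = get(url, cfg.getProperty("ws.user"), cfg.getProperty("ws.password"));
        System.out.println(body);
    }
}
```

Keep the properties file outside the webapp's document root and readable only by the account Tomcat runs under; the credentials it holds belong to the web service, not to the Domain, so Waffle's handling of the browser user is not involved in this request at all.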


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org