I am trying to authenticate web users with Active Directory on Windows Server
2003 R2 with SP2 and Tomcat 6.18, but I get an "HTTP Status 403 - Access to
the requested resource has been denied" error and don't know why. My steps and
configuration are below, and the screen capture is posted as an attachment:

1. Create a test group and user in Active Directory:
domain name: test
domain controller host: 172.20.2.13
TestGroup: a global security group
testuser1, tomcat: members of TestGroup
A screen capture is available in the attachment.

2. ${catalina.home}/conf/server.xml: 

<Server ......>
......
  <Engine name="Catalina" defaultHost="localhost">
    <!-- have to comment this out to use the LDAP authentication realm
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
    -->

    <!-- I have also tried to put the LDAP realm here, but it did not work yet -->

    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true"
          xmlValidation="false" xmlNamespaceAware="false">

      <!-- AD integration -->
      <!-- the servers are all in my local network and cannot be reached from the internet -->
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             debug="99"
             connectionURL="ldap://172.20.2.13:389"
             connectionName="[EMAIL PROTECTED]"
             connectionPassword="tomcat1"
             authentication="simple"
             referrals="follow"
             userRoleName="member"
             userBase="DC=test"
             userSearch="(sAMAccountName={0})"
             userSubtree="true"
             roleBase="DC=test"
             roleName="TestGroup"
             roleSubtree="true"
             roleSearch="(member={0})"
             />

    </Host>
  </Engine>
......
</Server>

Screen capture: http://www.nabble.com/file/p20375746/ad.jpg

3. Create a test web application and modify its web.xml:

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <display-name>ad test</display-name>
  <description>ad test</description>

  <!-- AD integration -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated area</web-resource-name>
      <url-pattern>/session.jsp</url-pattern>
      <url-pattern>*.xml</url-pattern>
      <!-- more url-pattern and http-method nodes here -->
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>

    <!-- more web-resource-collection nodes here -->
    <auth-constraint>
      <role-name>TestGroup</role-name>
      <!-- more role-name nodes here -->
    </auth-constraint>
  </security-constraint>

  <!-- role-name is not a child of login-config in the 2.5 schema; the role is declared in security-role below -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <description>ad test group</description>
    <role-name>TestGroup</role-name>
  </security-role>

  <!-- I have also tried another login method
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  -->
</web-app>

4. Problem description:
When resources in the "Authenticated area" defined above are accessed, login.jsp
appears. If a wrong username/password is entered, error.jsp appears, but after
the correct username/password is entered, I still get the error message
below:

HTTP Status 403 - Access to the requested resource has been denied

--------------------------------------------------------------------------------

type Status report

message Access to the requested resource has been denied

description Access to the specified resource (Access to the requested
resource has been denied) has been forbidden.


--------------------------------------------------------------------------------

Apache Tomcat/6.0.18 

No exception or error is thrown in the console.

5. After log4j is configured at debug level on Tomcat, errors are found in the
debug log:
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test
......

DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authenticating username 'testuser1'
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authenticating username 'testuser1'
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authentication of 'testuser1' was successful
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authentication of 'testuser1' was successful
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Redirecting to original '/adtest/session.jsp'
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Redirecting to original '/adtest/session.jsp'
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test ??/adtest/j_security_check
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test ??/adtest/j_security_check
......

DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username testuser1 does NOT have role TestGroup
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username testuser1 does NOT have role TestGroup
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found: TestGroup
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found: TestGroup
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed accessControl() test
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed accessControl() test

I find this quite strange: as you can see in the attachment, testuser1 is a
member of TestGroup, and TestGroup is already defined in web.xml. I wonder
what further configuration or debugging I should do?
http://www.nabble.com/file/p20375746/ad.JPG ad.JPG 
http://www.nabble.com/file/p20375746/adtest.rar adtest.rar 
-- 
View this message in context: 
http://www.nabble.com/-Problem-Tomcat-6.x-with-Active-Directory-on-Windows-Server-2003-tp20375746p20375746.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
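As an added example that is not part of the original post, the following is a small offline model of how Tomcat's JNDIRealm turns userSearch, roleBase, roleSearch, roleName and userRoleName into a role list; the directory entries, the CN=Users container and the DN of the tomcat user are constructed, not taken from the post. It runs the post's own realm settings against that directory and, for comparison, the attribute-name reading of roleName that the Tomcat realm documentation gives.

```python
"""Added example, not from the original post: an offline model of how Tomcat's
JNDIRealm turns the realm attributes into a role list. The directory below is
constructed to mirror the post (domain test, group TestGroup, user testuser1)."""

# Constructed directory: DN -> attributes; every attribute is a list of values.
# A real AD domain is usually DC=test,DC=<tld>; the single label follows the post.
DIRECTORY = {
    "CN=testuser1,CN=Users,DC=test": {
        "sAMAccountName": ["testuser1"],
        "memberOf": ["CN=TestGroup,CN=Users,DC=test"],
    },
    "CN=TestGroup,CN=Users,DC=test": {
        "cn": ["TestGroup"],
        "member": ["CN=testuser1,CN=Users,DC=test", "CN=tomcat,CN=Users,DC=test"],
    },
}

def entries_under(base):
    """Subtree search (userSubtree/roleSubtree="true"): DNs ending in the base DN."""
    return {dn: a for dn, a in DIRECTORY.items() if dn.lower().endswith(base.lower())}

def matches_equality(attrs, filt):
    """Evaluate one LDAP equality filter such as '(member=CN=...)' against an entry."""
    attr, _, value = filt.strip("()").partition("=")
    return any(v.lower() == value.lower() for v in attrs.get(attr, []))

def find_user_dn(user_base, user_search, username):
    """userSearch with {0} replaced by the login name; exactly one hit is required."""
    filt = user_search.replace("{0}", username)
    hits = [dn for dn, a in entries_under(user_base).items() if matches_equality(a, filt)]
    return hits[0] if len(hits) == 1 else None

def jndi_roles(user_dn, role_base, role_search, role_name, user_role_name=None):
    """Roles = values of userRoleName on the user entry, plus values of the roleName
    ATTRIBUTE on each entry under roleBase matched by roleSearch ({0} = user DN)."""
    roles = list(DIRECTORY[user_dn].get(user_role_name, [])) if user_role_name else []
    filt = role_search.replace("{0}", user_dn)
    for attrs in entries_under(role_base).values():
        if matches_equality(attrs, filt):
            # roleName names an attribute; "TestGroup" is not one, so nothing is read
            roles.extend(attrs.get(role_name, []))
    return roles

if __name__ == "__main__":
    dn = find_user_dn("DC=test", "(sAMAccountName={0})", "testuser1")
    print(jndi_roles(dn, "DC=test", "(member={0})", "TestGroup", "member"))  # []
    print(jndi_roles(dn, "DC=test", "(member={0})", "cn"))  # ['TestGroup']
```

With userRoleName="memberOf" the user entry contributes the group's full DN rather than the short name, which is why the role compared against web.xml normally comes from the roleSearch path.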


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
