Check the Tomcat log; you may find more information.

On Mon, Nov 10, 2008 at 5:56 AM, Vickey <[EMAIL PROTECTED]> wrote:

>
> I can use the same username and password to authenticate on IIS and Active
> Directory, and it also works if IIS is integrated with Tomcat, but Tomcat
> standalone with Active Directory still does not work.
>
>
> Vickey wrote:
> >
> > I am trying to authenticate web users with Active Directory on Windows
> > Server 2003 R2 with SP2 and Tomcat 6.0.18, but get an "HTTP Status 403 -
> > Access to the requested resource has been denied" error. I don't know why;
> > my steps and configuration are as below and posted as an attachment:
> >
> > 1. create test group and user in Active Directory:
> > domain name: test
> > domain controller host: 172.20.2.13
> > TestGroup: a global security group
> > testuser1, tomcat: member of TestGroup
> > a screen capture is available as an attachment
> >  http://www.nabble.com/file/p20375746/ad.jpg
> >
> > 2. ${catalina.home}/conf/server.xml:
> >
> > <Server ......>
> > ......
> >     <Engine name="Catalina" defaultHost="localhost">
> >           <!-- have to comment this out to use ldap authentication realm
> >           <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
> >             resourceName="UserDatabase"/>
> >           -->
> >
> >           <!--I have also tried to put the ldap realm here, but not work
> > yet-->
> >
> >           <Host name="localhost"  appBase="webapps"
> >             unpackWARs="true" autoDeploy="true"
> >             xmlValidation="false" xmlNamespaceAware="false">
> >
> >            <!--ad integration-->
> >            <!--the servers are all in my local network, can't access them
> > from internet-->
> >            <Realm className="org.apache.catalina.realm.JNDIRealm"
> >                   debug="99"
> >                   connectionURL="ldap://172.20.2.13:389"
> >                   connectionName="[EMAIL PROTECTED]"
> >                   connectionPassword="tomcat1"
> >                   authentication="simple"
> >                   referrals="follow"
> >                   userRoleName="member"
> >                   userBase="DC=test"
> >                   userSearch="(sAMAccountName={0})"
> >                   userSubtree="true"
> >                   roleBase="DC=test"
> >                   roleName="TestGroup"
> >                   roleSubtree="true"
> >                   roleSearch="(member={0})"
> >            />
> >
> >           </Host>
> >     </Engine>
> > ......
> > </Server>
> > 3. create test web application, and modify the web.xml:
> > <web-app xmlns="http://java.sun.com/xml/ns/javaee"
> >    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
> > http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
> >    version="2.5">
> >
> >   <display-name>ad test</display-name>
> >   <description>ad test</description>
> >
> >   <!--ad integration-->
> >   <security-constraint>
> >        <web-resource-collection>
> >            <web-resource-name>Authenticated area</web-resource-name>
> >            <url-pattern>/session.jsp</url-pattern>
> >            <url-pattern>*.xml</url-pattern>
> >            <!--more url patterns and http methods here-->
> >            <http-method>DELETE</http-method>
> >            <http-method>GET</http-method>
> >            <http-method>HEAD</http-method>
> >            <http-method>POST</http-method>
> >            <http-method>PUT</http-method>
> >        </web-resource-collection>
> >
> >        <!--more web resource collection nodes here-->
> >        <auth-constraint>
> >            <role-name>TestGroup</role-name>
> >            <!--more role name nodes here-->
> >        </auth-constraint>
> >
> >    </security-constraint>
> >
> >    <login-config>
> >       <auth-method>FORM</auth-method>
> >       <role-name>TestGroup</role-name>
> >       <form-login-config>
> >          <form-login-page>/login.jsp</form-login-page>
> >          <form-error-page>/error.jsp</form-error-page>
> >       </form-login-config>
> >    </login-config>
> >
> >     <security-role>
> >         <description>ad test group</description>
> >         <role-name>TestGroup</role-name>
> >     </security-role>
> >
> >     <!--I have also try another login method
> >     <login-config>
> >           <auth-method>BASIC</auth-method>
> >     </login-config>
> >     -->
> > </web-app>
> >
> > 4. problem description:
> > When resources in the "Authenticated area" defined above are accessed,
> > login.jsp appears; if a wrong username/password is entered, error.jsp
> > appears, but after the correct username/password is entered, I still get
> > the error message below:
> >
> > HTTP Status 403 - Access to the requested resource has been denied
> >
> >
> --------------------------------------------------------------------------------
> >
> > type Status report
> >
> > message Access to the requested resource has been denied
> >
> > description Access to the specified resource (Access to the requested
> > resource has been denied) has been forbidden.
> >
> >
> >
> --------------------------------------------------------------------------------
> >
> > Apache Tomcat/6.0.18
> >
> > No exception or error appears in the console.
> >
> > 5. After log4j is configured for debug logging on Tomcat, these errors are
> > found in the debug log:
> >  DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase -
> > Failed authenticate() test
> >  DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase -
> > Failed authenticate() test
> > ......
> >
> >  DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
> > Authenticating username 'testuser1'
> >  DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
> > Authenticating username 'testuser1'
> >  DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
> > Authentication of 'testuser1' was successful
> >  DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
> > Authentication of 'testuser1' was successful
> >  DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
> > Redirecting to original '/adtest/session.jsp'
> >  DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
> > Redirecting to original '/adtest/session.jsp'
> >  DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase -
> > Failed authenticate() test ??/adtest/j_security_check
> >  DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase -
> > Failed authenticate() test ??/adtest/j_security_check
> > ......
> >
> >  DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username
> > testuser1 does NOT have role TestGroup
> >  DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username
> > testuser1 does NOT have role TestGroup
> >  DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found:
> > TestGroup
> >  DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found:
> > TestGroup
> >  DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase -
> > Failed accessControl() test
> >  DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase -
> > Failed accessControl() test
> >
> > I find this quite strange: as you can see in the attachment, testuser1 is
> > a member of TestGroup, and TestGroup is already defined in web.xml. I
> > wonder whether there is any further configuration or debugging I should
> > do?
> >
> >  http://www.nabble.com/file/p20375746/adtest.rar adtest.rar
> >
>
> --
> View this message in context:
> http://www.nabble.com/-Problem-Tomcat-6.x-with-Active-Directory-on-Windows-Server-2003-tp20375746p20413691.html
> Sent from the Tomcat - User mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


-- 
Hisham Farahat
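The debug log quoted above shows the two halves of the problem clearly: the FormAuthenticator reports "Authentication of 'testuser1' was successful", and the 403 comes only afterwards from RealmBase ("Username testuser1 does NOT have role TestGroup"). The bind works; it is the role lookup that returns nothing. The realm below is an added example, not the poster's configuration and not code from the Tomcat project. It keeps the poster's IP address and the base DN DC=test exactly as posted, and assumes that TestGroup lives in the default CN=Users container, that the service account is the UPN tomcat@test, and that CHANGEME stands for its real password; those four things must be checked against the actual directory.

```xml
<!-- Added example, not the poster's realm and not Tomcat project code.
     Assumptions: base DN is DC=test as in the post, TestGroup is in the
     default CN=Users container, the service account is tomcat@test,
     CHANGEME is a placeholder for its password. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://172.20.2.13:3268"
       connectionName="tomcat@test"
       connectionPassword="CHANGEME"
       authentication="simple"
       referrals="follow"
       userBase="DC=test"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="CN=Users,DC=test"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true" />
<!-- What differs from the posted realm, and why:
     * roleName="cn": JNDIRealm treats roleName as the name of the ATTRIBUTE
       that holds the role name in each entry matched by roleSearch. With
       roleName="TestGroup" the realm asks every matched group for an
       attribute called TestGroup, finds none, and the user ends up with
       no roles at all, which is exactly the "does NOT have role TestGroup"
       line in the debug log.
     * userRoleName="member" removed: userRoleName is read from the USER
       entry, and an AD user object has no member attribute. Its memberOf
       values are full group DNs, which Tomcat 6 would use verbatim as role
       names, so they would never equal "TestGroup" either. The roleSearch
       alone is sufficient.
     * roleSearch="(member={0})": {0} is the DN that userSearch returned,
       so this matches every group whose member attribute lists that DN.
       TestGroup is a global security group, so member is populated.
     * Port 3268 (global catalog) instead of 389: a subtree search rooted
       at DC=test on 389 returns referrals for the DomainDnsZones and
       ForestDnsZones partitions, and referrals="follow" then chases them
       on every login, which is slow or fails outright when those names do
       not resolve from the Tomcat host. The GC returns no such referrals,
       and both sAMAccountName and member are in its partial attribute set.
     * debug="99" dropped: Tomcat 6 has no debug attribute on realms;
       raise the org.apache.catalina.realm level in logging.properties.
     Security caveats the posted realm shares: authentication="simple" over
     plain ldap:// sends the service-account password and every user's
     password to the DC in clear text. Use ldaps://172.20.2.13:3269 (GC
     over SSL) or :636 and import the DC certificate into the JVM
     truststore. Keep the service account read-only with no interactive
     logon right, and restrict read access to server.xml, because
     connectionPassword sits there in clear text. -->
```

Before editing server.xml, confirm the DNs the searches will actually see: on the domain controller, `dsquery user -samid testuser1` prints the user's DN, and `dsget group "CN=TestGroup,CN=Users,DC=test" -members` lists the member DNs; the value in roleBase must be an ancestor of the group DN that dsquery shows, and if the user DN does not appear in the group's member list the roleSearch can never match.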
