I can use the same username and password to authenticate on IIS and Active
Directory, and it also works if IIS is integrated with Tomcat, but Tomcat
standalone with Active Directory still does not work.


Vickey wrote:
> 
> I am trying to authenticate web users with Active Directory on Windows
> Server 2003 R2 with SP2 and Tomcat 6.18, but get an "HTTP Status 403 -
> Access to the requested resource has been denied" error. I don't know why;
> my steps and configuration are below and also posted as an attachment:
> 
> 1. create test group and user in Active Directory:
> domain name: test
> domain controller host: 172.20.2.13
> TestGroup: a global security group
> testuser1, tomcat: member of TestGroup
> a screen capture is available as an attachment:
> http://www.nabble.com/file/p20375746/ad.jpg
> 
> 2. ${catalina.home}/conf/server.xml: 
> 
> <Server ......>
> ......
>     <Engine name="Catalina" defaultHost="localhost">
>           <!-- have to comment this out to use ldap authentication realm
>           <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>             resourceName="UserDatabase"/>
>           -->
>           
>           <!--I have also tried to put the ldap realm here, but it does not
>           work yet-->
> 
>           <Host name="localhost"  appBase="webapps"
>             unpackWARs="true" autoDeploy="true"
>             xmlValidation="false" xmlNamespaceAware="false">
>             
>            <!--ad integration-->
>            <!--the servers are all in my local network, can't access them
> from internet-->         
>            <Realm className="org.apache.catalina.realm.JNDIRealm"
>                   debug="99"
>                   connectionURL="ldap://172.20.2.13:389"
>                   connectionName="[EMAIL PROTECTED]"
>                   connectionPassword="tomcat1"
>                   authentication="simple"
>                   referrals="follow"
>                   userRoleName="member"
>                   userBase="DC=test"
>                   userSearch="(sAMAccountName={0})"
>                   userSubtree="true"
>                   roleBase="DC=test"
>                   roleName="TestGroup"
>                   roleSubtree="true"
>                   roleSearch="(member={0})"
>            />
> 
>           </Host>       
>     </Engine>
> ......
> </Server>
> 3. create test web application, and modify the web.xml:
> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>                        http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
>    version="2.5">
> 
>   <display-name>ad test</display-name>
>   <description>ad test</description>
> 
>   <!--ad integration-->     
>   <security-constraint>
>        <web-resource-collection>
>            <web-resource-name>Authenticated area</web-resource-name>
>            <url-pattern>/session.jsp</url-pattern>
>            <url-pattern>*.xml</url-pattern>
>            <!--more url patterns and http methods here-->
>            <http-method>DELETE</http-method>
>            <http-method>GET</http-method>
>            <http-method>HEAD</http-method>
>            <http-method>POST</http-method>
>            <http-method>PUT</http-method>
>        </web-resource-collection>
> 
>        <!--more web resource collection nodes here-->
>        <auth-constraint>
>            <role-name>TestGroup</role-name>
>            <!--more role name nodes here-->
>        </auth-constraint>
>    
>    </security-constraint>
>       
>    <login-config>
>        <auth-method>FORM</auth-method>
>        <role-name>TestGroup</role-name>
>        <form-login-config>
>            <form-login-page>/login.jsp</form-login-page>
>            <form-error-page>/error.jsp</form-error-page>
>        </form-login-config>
>    </login-config>
>       
>     <security-role>
>         <description>ad test group</description>
>         <role-name>TestGroup</role-name>
>     </security-role>  
> 
>     <!--I have also tried another login method
>     <login-config>
>           <auth-method>BASIC</auth-method>
>     </login-config>
>     -->
> </web-app>
> 
> 4. problem description:
> when resources in the "Authenticated area" defined above are accessed,
> login.jsp appears; if a wrong username/password is entered, error.jsp
> appears, but after the correct username/password is entered, I still get
> the error message below:
> 
> HTTP Status 403 - Access to the requested resource has been denied
> 
> --------------------------------------------------------------------------------
> 
> type Status report
> 
> message Access to the requested resource has been denied
> 
> description Access to the specified resource (Access to the requested
> resource has been denied) has been forbidden.
> 
> 
> --------------------------------------------------------------------------------
> 
> Apache Tomcat/6.0.18 
> 
> no exception or error is thrown in the console
> 
> 5. after log4j is configured to debug on tomcat, errors are found in the
> debug log:
>  DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - 
> Failed authenticate() test
>  DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - 
> Failed authenticate() test
> ......
> 
>  DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
> Authenticating username 'testuser1'
>  DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
> Authenticating username 'testuser1'
>  DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
> Authentication of 'testuser1' was successful
>  DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
> Authentication of 'testuser1' was successful
>  DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
> Redirecting to original '/adtest/session.jsp'
>  DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
> Redirecting to original '/adtest/session.jsp'
>  DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - 
> Failed authenticate() test ??/adtest/j_security_check
>  DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - 
> Failed authenticate() test ??/adtest/j_security_check
> ......
> 
>  DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username
> testuser1 does NOT have role TestGroup
>  DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username
> testuser1 does NOT have role TestGroup
>  DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found: 
> TestGroup
>  DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found: 
> TestGroup
>  DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - 
> Failed accessControl() test
>  DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - 
> Failed accessControl() test
> 
> I find this quite strange: as you can see in the attachment, testuser1 is a
> member of TestGroup, and TestGroup is already defined in web.xml. Is there
> any further configuration or debugging I should do?
> 
>  http://www.nabble.com/file/p20375746/adtest.rar adtest.rar 
> 

-- 
View this message in context: 
http://www.nabble.com/-Problem-Tomcat-6.x-with-Active-Directory-on-Windows-Server-2003-tp20375746p20413691.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
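The log above shows authentication succeeding and then "No role found: TestGroup", i.e. the realm finds the user but cannot map the AD group to a role. The fragments below are an added, corrected version of the two files, not code from the original thread; they assume `DC=test` really is the base DN of the "test" domain and that the group's `cn` is exactly `TestGroup`.

```xml
<!-- ${catalina.home}/conf/server.xml: corrected JNDIRealm (added example; DC=test assumed
     to be the real base DN of the "test" domain, the group's cn assumed to be "TestGroup") -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://172.20.2.13:389"
       connectionName="[EMAIL PROTECTED]"
       connectionPassword="tomcat1"
       authentication="simple"
       referrals="follow"
       userBase="DC=test"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="DC=test"
       roleSubtree="true"
       roleSearch="(member={0})"
       roleName="cn" />
<!--
  What changed and why:
  * roleName="cn" replaces roleName="TestGroup". roleName is the ATTRIBUTE of each matched
    group entry whose value becomes the role name; AD keeps a group's name in cn. With the
    literal "TestGroup" no such attribute exists, hence "No role found: TestGroup".
  * userRoleName="member" is dropped. Tomcat reads that attribute from the USER entry; AD
    user entries carry memberOf (full DNs), not member, so it never yielded a role.
  * roleSearch="(member={0})" stays: {0} is the authenticated user's full DN, which AD stores
    in the group's multi-valued member attribute; {1} would be the plain username.
  * debug="99" is dropped: Tomcat 6 has no such property and only logs a warning for it. To
    see realm decisions, set org.apache.catalina.realm.level = FINE in conf/logging.properties.
  * connectionName/connectionPassword are a clear-text bind credential: use a dedicated
    read-only service account and restrict file permissions on server.xml.
  * Role comparison is an exact string match, so the group's cn must read "TestGroup" with
    this capitalisation to satisfy <role-name>TestGroup</role-name>.
-->

<!-- web.xml: <login-config> with the stray <role-name> removed. The servlet 2.5 schema allows
     only auth-method, realm-name and form-login-config here; the role is declared once, in
     <auth-constraint> and <security-role>, as the original file already does. -->
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>
```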