[Problem]Tomcat 6.x with Active Directory on Windows Server 2003

Vickey Kool
Greenhorn

Joined: Nov 09, 2008
Posts: 1
I am trying to authenticate web users against Active Directory on Windows Server 2003 R2 with SP2 and Tomcat 6.18, but I get an "HTTP Status 403 - Access to the requested resource has been denied" error and don't know why. My steps and configuration are as below:

1. create test group and user in Active Directory:
domain name: test
domain controller host: 172.20.2.13
TestGroup: a global security group
testuser1, tomcat: member of TestGroup
screen capture is available in attachment
ad.JPG

2. ${catalina.home}/conf/server.xml:

<Server ......>
  ......
  <Engine name="Catalina" defaultHost="localhost">
    <!-- have to comment this out to use the LDAP authentication realm
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
    -->

    <!-- I have also tried to put the LDAP realm here, but it does not work yet -->

    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true"
          xmlValidation="false" xmlNamespaceAware="false">

      <!-- AD integration -->
      <Realm
        className="org.apache.catalina.realm.JNDIRealm"
        debug="99"
        connectionURL="ldap://172.20.2.13:389"
        connectionName="tomcat@test"
        connectionPassword="tomcat1"
        authentication="simple"
        referrals="follow"
        userRoleName="member"
        userBase="DC=test"
        userSearch="(sAMAccountName={0})"
        userSubtree="true"
        roleBase="DC=test"
        roleName="TestGroup"
        roleSubtree="true"
        roleSearch="(member={0})"
      />

    </Host>
  </Engine>
  ......
</Server>

3. create test web application, and modify the web.xml:
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <display-name>ad test</display-name>
  <description>ad test</description>

  <!-- AD integration -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated area</web-resource-name>
      <url-pattern>/session.jsp</url-pattern>
      <url-pattern>*.xml</url-pattern>
      <!-- more url patterns and http methods here -->
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>

    <!-- more web resource collection nodes here -->
    <auth-constraint>
      <role-name>TestGroup</role-name>
      <!-- more role name nodes here -->
    </auth-constraint>

  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <role-name>TestGroup</role-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <description>ad test group</description>
    <role-name>TestGroup</role-name>
  </security-role>

  <!-- I have also tried another login method
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  -->
</web-app>

4. problem description:
When resources in the "Authenticated area" defined above are accessed, login.jsp appears; if a wrong username/password is entered, error.jsp appears, but after the correct user/password is entered I still get the error message below:

HTTP Status 403 - Access to the requested resource has been denied

--------------------------------------------------------------------------------

type Status report

message Access to the requested resource has been denied

description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.


--------------------------------------------------------------------------------

Apache Tomcat/6.0.18

no exception or error is thrown in the console

5. after log4j is configured for debug logging on Tomcat, errors are found in the debug log:
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test
......

DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authenticating username 'testuser1'
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authenticating username 'testuser1'
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authentication of 'testuser1' was successful
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authentication of 'testuser1' was successful
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Redirecting to original '/adtest/session.jsp'
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Redirecting to original '/adtest/session.jsp'
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test ??/adtest/j_security_check
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test ??/adtest/j_security_check
......

DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username testuser1 does NOT have role TestGroup
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username testuser1 does NOT have role TestGroup
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found: TestGroup
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found: TestGroup
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed accessControl() test
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed accessControl() test

I find this quite strange: as you can see in the attachment, testuser1 is a member of TestGroup, and TestGroup is already defined in web.xml. I wonder whether there is any further configuration or debugging I should do?

adtest.rar

Using the same user and password to authenticate with IIS and Active Directory succeeds, which means the configuration in Active Directory should be correct.
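The debug log above says authentication succeeds but "No role found: TestGroup", and the cause is visible in the posted Realm: JNDIRealm's roleName attribute is the name of the directory attribute that holds the role name in each entry returned by roleSearch (for an AD group that is cn), not the name of the group you expect; and userRoleName names an attribute of the user's own entry, which has no member attribute, so it contributes nothing. The following is an added example, not the poster's code and not Tomcat's source: a small Python model of how JNDIRealm resolves roles, run against a constructed in-memory directory that mirrors the post (domain test, group TestGroup, user testuser1) and against both the posted Realm attributes and a hypothetical corrected copy (roleName="cn", userRoleName removed). The in-memory directory, the DNs and the one-clause filter matcher are all assumptions made for the demonstration.

```python
"""Model of how Tomcat's JNDIRealm derives role names from the Realm attributes.

Constructed example, not Tomcat's own code: a small in-memory directory stands
in for the Active Directory domain controller and a one-clause '(attr=value)'
matcher stands in for an LDAP search.  The entry names and attribute values
below are made up to mirror the post (domain 'test', group 'TestGroup',
user 'testuser1').
"""

# Constructed directory: DN -> attributes; every attribute value is a list,
# as in LDAP.  AD groups list their members in 'member'; the group name is 'cn'.
DIRECTORY = {
    "CN=testuser1,CN=Users,DC=test": {
        "objectClass": ["user"],
        "sAMAccountName": ["testuser1"],
        "memberOf": ["CN=TestGroup,CN=Users,DC=test"],
    },
    "CN=tomcat,CN=Users,DC=test": {
        "objectClass": ["user"],
        "sAMAccountName": ["tomcat"],
        "memberOf": ["CN=TestGroup,CN=Users,DC=test"],
    },
    "CN=TestGroup,CN=Users,DC=test": {
        "objectClass": ["group"],
        "cn": ["TestGroup"],
        "member": ["CN=testuser1,CN=Users,DC=test",
                   "CN=tomcat,CN=Users,DC=test"],
    },
}

# The search-related attributes exactly as they appear in the posted server.xml.
POSTED_REALM = {
    "userBase": "DC=test", "userSearch": "(sAMAccountName={0})", "userSubtree": True,
    "userRoleName": "member",
    "roleBase": "DC=test", "roleSearch": "(member={0})", "roleSubtree": True,
    "roleName": "TestGroup",
}

# Hypothetical corrected copy: roleName names the ATTRIBUTE of each matched
# group entry that holds the role name ('cn'), and userRoleName is dropped
# because a user entry has no 'member' attribute to read.
FIXED_REALM = {k: v for k, v in POSTED_REALM.items() if k != "userRoleName"}
FIXED_REALM["roleName"] = "cn"


def get_attr(attrs, name):
    """Case-insensitive attribute lookup, as an LDAP server would do it."""
    for key, values in attrs.items():
        if key.lower() == name.lower():
            return values
    return []


def matches(attrs, ldap_filter, subst):
    """Evaluate a single '(attr=value)' filter against one entry after
    replacing the {0}/{1} placeholders the way JNDIRealm does."""
    if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
        raise ValueError("only simple (attr=value) filters are modelled")
    attr, _, value = ldap_filter[1:-1].partition("=")
    for placeholder, replacement in subst.items():
        value = value.replace(placeholder, replacement)
    return any(v.lower() == value.lower() for v in get_attr(attrs, attr))


def search(base, subtree, ldap_filter, subst):
    """Return the DNs under `base` whose entries satisfy the filter."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith("," + base.lower()):
            continue
        one_level = dn.count(",") == base.count(",") + 1
        if not subtree and not one_level:
            continue
        if matches(attrs, ldap_filter, subst):
            hits.append(dn)
    return hits


def get_roles(realm, username):
    """Mirror JNDIRealm's two role sources: the user entry's userRoleName values
    (used verbatim) plus, for each entry found by roleSearch, the values of the
    attribute named by roleName.  Returns None when the user is not unique."""
    users = search(realm["userBase"], realm["userSubtree"],
                   realm["userSearch"], {"{0}": username})
    if len(users) != 1:
        return None
    user_dn = users[0]
    roles = list(get_attr(DIRECTORY[user_dn], realm.get("userRoleName", "")))
    for dn in search(realm["roleBase"], realm["roleSubtree"], realm["roleSearch"],
                     {"{0}": user_dn, "{1}": username}):
        roles.extend(get_attr(DIRECTORY[dn], realm["roleName"]))
    return roles


def has_role(realm, username, role):
    """The check behind 'Username X does NOT have role Y' in the debug log."""
    roles = get_roles(realm, username)
    return roles is not None and role in roles


if __name__ == "__main__":
    for label, realm in (("posted", POSTED_REALM), ("fixed", FIXED_REALM)):
        print(f"{label}: roles={get_roles(realm, 'testuser1')} "
              f"TestGroup={has_role(realm, 'testuser1', 'TestGroup')}")
```

With the posted attributes the role search does find the TestGroup entry (the user's DN is in its member attribute), but reading a non-existent attribute called TestGroup yields no role names, which is exactly the "No role found" line. With roleName="cn" the same search yields "TestGroup" and the auth-constraint is satisfied. Two further points from a reviewer's seat: the <role-name> element placed directly inside <login-config> is not part of the web-app_2_5 schema (it belongs in <security-role> and <auth-constraint>, where it already is), and the connectionName account only needs read access to the directory, so it should be a dedicated low-privilege bind account rather than a member of the group that grants application access.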
Amit Ghorpade
Bartender

Joined: Jun 06, 2007
Posts: 2716

"vickey kool " please check your private messages for an important administrative matter.
Thanks.


SCJP, SCWCD.
|Asking Good Questions|
Amit Ghorpade
Bartender

Joined: Jun 06, 2007
Posts: 2716

"vickey " please check your private messages for an important administrative matter again.
Thanks.