
Authentication and re-Authentication for authorization on Tomcat 4.1.24

robyne vaughn
Ranch Hand

Joined: Jun 04, 2003
Posts: 38
In my server.xml, I have a JNDI realm which works for authenticating every user against Microsoft Active Directory.

The user requests a URL which I have set up as an alias in my web.xml for a servlet which authenticates the user against the active directory and then does a dispatcher.forward(request,response) to what is essentially an opening page for the user. (A menu of links to specific programs.)

I am trying to implement further authorization for certain programs for administrators.

If a person tries to open (I'm only testing 1 page at the moment) the protected page, before doing the dispatcher.forward(request,response), I rewrite the http header to be basic authentication in an effort to trick Tomcat into re-authenticating for this page.

response.setStatus(response.SC_UNAUTHORIZED); // Ie 401
response.setHeader("WWW-AUTHENTICATE","BASIC");
dispatcher.forward(request,response);

I have set up a context fragment similar to tomcat_home/webapps/application.xml trying to set up the additional basic authentication.

It wants to use the user database, and in fact, it does pop up the basic login window after the user has cleared the JNDI authentication. However, after 3 attempts to log in, it neither gives me a "bad password" message, nor a "successful" message, instead after the 3 attempts, it just allows the already authenticated user access whether or not they have been assigned the appropriate role in the tomcat-users.xml.

Any ideas why it doesn't seem to be actually using the tomcat-users.xml?
It's a miracle that it's this close to working. I'm feeling my way through this, I'm not very experienced at Tomcat or Java or JNDI, I only touch on them occasionally. So, please answer in full, rich answers.

Thanks so much
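
An added example, not part of the original post: the servlet specification applies declarative security constraints to the incoming client request and not to a target reached through RequestDispatcher.forward, so a forwarding servlet has to make the role decision itself. The class name, the role name "admin" and the JSP path below are assumptions chosen for illustration.

```java
import java.io.IOException;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: gate a forward on a role held by the already-authenticated user.
// AdminGateServlet, ADMIN_ROLE and ADMIN_PAGE are hypothetical names, not from the post.
public class AdminGateServlet extends HttpServlet {

    // Assumed role name; it must be a role the authenticating realm reports for the user.
    private static final String ADMIN_ROLE = "admin";

    // Assumed location. Pages under WEB-INF cannot be requested directly by a browser,
    // so this forward is the only way to reach the page.
    private static final String ADMIN_PAGE = "/WEB-INF/admin/tools.jsp";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // isUserInRole returns false for an unauthenticated request as well,
        // so one check covers both "not logged in" and "logged in without the role".
        if (!request.isUserInRole(ADMIN_ROLE)) {
            log("Admin page denied for user: " + request.getRemoteUser());
            // 403: the user is known but not authorized. Sending 401 here would only
            // make the browser prompt again without changing who the container sees.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Do not let shared caches or the back button replay the protected page.
        response.setHeader("Cache-Control", "no-store");

        RequestDispatcher dispatcher =
                getServletContext().getRequestDispatcher(ADMIN_PAGE);
        dispatcher.forward(request, response);
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }
}
```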
 