2003 R2 with sp2 and tomcat 6.18, but I get an "HTTP Status 403 - Access to
the requested resource has been denied" error and don't know why. My steps and
configuration are as below and are also posted as an attachment:
1. create test group and user in Active Directory:
domain name: test
domain controller host: 172.20.2.13
TestGroup: a global security group
testuser1, tomcat: member of TestGroup
a screen capture is available in the attachment
2. ${catalina.home}/conf/server.xml:
<Server ......>
......
<Engine name="Catalina" defaultHost="localhost">
<!-- have to comment this out to use the LDAP authentication realm
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
-->
<!-- I have also tried to put the LDAP realm here, but it does not work
yet -->
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
<!--ad integration-->
<!-- the servers are all on my local network; they can't be accessed
from the internet -->
<Realm
className="org.apache.catalina.realm.JNDIRealm"
debug="99"
connectionURL="ldap://172.20.2.13:389"
connectionName="[email protected]"
connectionPassword="tomcat1"
authentication="simple"
referrals="follow"
userRoleName="member"
userBase="DC=test"
userSearch="(sAMAccountName={0})"
userSubtree="true"
roleBase="DC=test"
roleName="TestGroup"
roleSubtree="true"
roleSearch="(member={0})"
/>
</Host>
</Engine>
......
</Server>
http://www.nabble.com/file/p20375746/ad.jpg
3. create a test web application and modify its web.xml:
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<display-name>ad test</display-name>
<description>ad test</description>
<!--ad integration-->
<security-constraint>
<web-resource-collection>
<web-resource-name>Authenticated area</web-resource-name>
<url-pattern>/session.jsp</url-pattern>
<url-pattern>*.xml</url-pattern>
<!--more url patterns and http methods here-->
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<!--more web resource collection nodes here-->
<auth-constraint>
<role-name>TestGroup</role-name>
<!--more role name nodes here-->
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<role-name>TestGroup</role-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>ad test group</description>
<role-name>TestGroup</role-name>
</security-role>
<!-- I have also tried another login method
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
-->
</web-app>
4. problem description:
when resources in the "Authenticated area" defined above are accessed,
login.jsp appears; if a wrong username/password is entered, error.jsp
appears, but after the correct username/password is entered, I still get the
error message below:
HTTP Status 403 - Access to the requested resource has been denied
--------------------------------------------------------------------------------
type Status report
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested
resource has been denied) has been forbidden.
--------------------------------------------------------------------------------
Apache Tomcat/6.0.18
no exception or error is thrown in the console
5. after log4j is configured to debug on tomcat, errors are found in the
debug log:
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase -
Failed authenticate() test
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase -
Failed authenticate() test
......
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
Authenticating username 'testuser1'
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
Authenticating username 'testuser1'
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
Authentication of 'testuser1' was successful
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
Authentication of 'testuser1' was successful
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
Redirecting to original '/adtest/session.jsp'
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
Redirecting to original '/adtest/session.jsp'
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase -
Failed authenticate() test ??/adtest/j_security_check
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase -
Failed authenticate() test ??/adtest/j_security_check
......
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username testuser1
does NOT have role TestGroup
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username testuser1
does NOT have role TestGroup
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found:
TestGroup
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found:
TestGroup
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase -
Failed accessControl() test
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase -
Failed accessControl() test
I find this quite strange: as you can see in the attachment, testuser1 is a
member of TestGroup, and TestGroup is already defined in web.xml. I wonder
what further configuration or debugging I should do?
http://www.nabble.com/file/p20375746/ad.JPG ad.JPG
http://www.nabble.com/file/p20375746/adtest.rar adtest.rar
--
View this message in context: http://www.nabble.com/-Problem-Tomcat-6.x-with-Active-Directory-on-Windows-Server-2003-tp20375746p20375746.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To start a new topic, e-mail: [email protected]
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
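An added example (not the poster's code) that models how Tomcat's JNDIRealm turns directory entries into role names, to show why the posted realm logs "No role found: TestGroup": roleName must name the attribute of each matched group entry that holds the role name (cn for an AD group), not the group name itself, and userRoleName="member" looks for a member attribute on the user entry, which AD user objects do not carry. The in-memory directory and the base DN DC=test,DC=local are constructed assumptions; the post only shows DC=test.

```python
# Added example (not from the original post): a model of how Tomcat's JNDIRealm
# derives role names, run over a constructed in-memory directory that mirrors the
# poster's AD layout. Base DN "DC=test,DC=local" is an assumption (post: "DC=test").
DIRECTORY = {  # constructed AD-style entries: DN -> {attribute: [values]}
    "CN=testuser1,CN=Users,DC=test,DC=local": {
        "sAMAccountName": ["testuser1"],
        "memberOf": ["CN=TestGroup,CN=Users,DC=test,DC=local"],
    },
    "CN=TestGroup,CN=Users,DC=test,DC=local": {
        "cn": ["TestGroup"],
        "member": ["CN=testuser1,CN=Users,DC=test,DC=local"],
    },
}

# As posted: userRoleName="member" reads a 'member' attribute from the USER entry
# (AD users have none) and roleName="TestGroup" names an attribute to read from
# each matched group entry, which does not exist either -> "No role found".
POSTED_REALM = {"userRoleName": "member", "roleName": "TestGroup",
                "roleSearch": "(member={0})"}
# Corrected: match groups whose 'member' holds the user DN and take the role
# name from the group's 'cn' attribute; no user-side role attribute is needed.
FIXED_REALM = {"userRoleName": None, "roleName": "cn",
               "roleSearch": "(member={0})"}

def find_user_dn(username):
    """userSearch="(sAMAccountName={0})" with userSubtree="true"."""
    for dn, attrs in DIRECTORY.items():
        if username in attrs.get("sAMAccountName", []):
            return dn
    return None

def resolve_roles(realm, username):
    """Mirror JNDIRealm.getRoles: values of userRoleName on the user entry plus
    the roleName attribute of every entry matched by roleSearch ({0} = user DN).
    Only single-equality filters such as "(member={0})" are handled here."""
    user_dn = find_user_dn(username)
    if user_dn is None:
        return []
    roles = []
    if realm["userRoleName"]:
        roles += DIRECTORY[user_dn].get(realm["userRoleName"], [])
    search_attr = realm["roleSearch"].strip("()").split("=")[0]
    for attrs in DIRECTORY.values():
        if user_dn in attrs.get(search_attr, []):
            roles += attrs.get(realm["roleName"], [])  # [] if attribute absent
    return roles

def has_role(realm, username, role):
    """The check RealmBase.hasRole makes before accessControl() fails with 403."""
    return role in resolve_roles(realm, username)
```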