I am trying to authenticate web users with Active Directory on Windows Server
2003 R2 with SP2 and Tomcat 6.18, but I get an "HTTP Status 403 - Access to
the requested resource has been denied" error and don't know why. My steps and
configuration are below and are also posted as an attachment:

1. Create a test group and user in Active Directory:
domain name: test
domain controller host: 172.20.2.13
TestGroup: a global security group
testuser1, tomcat: members of TestGroup
A screen capture is available in the attachment.

2. ${catalina.home}/conf/server.xml:

<Server ......>
......
<Engine name="Catalina" defaultHost="localhost">
<!-- have to comment this out to use ldap authentication realm
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
-->

<!--I have also tried to put the ldap realm here, but it does not work
yet-->

<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">

<!--ad integration-->
<!--the servers are all in my local network, can't access them
from internet-->
<Realm
className="org.apache.catalina.realm.JNDIRealm"
debug="99"
connectionURL="ldap://172.20.2.13:389"
connectionName="tomcat@test"
connectionPassword="tomcat1"
authentication="simple"
referrals="follow"
userRoleName="member"
userBase="DC=test"
userSearch="(sAMAccountName={0})"
userSubtree="true"
roleBase="DC=test"
roleName="TestGroup"
roleSubtree="true"
roleSearch="(member={0})"
/>

</Host>
</Engine>
......
</Server>

http://www.nabble.com/file/p20375746/ad.jpg

3. create test web application, and modify the web.xml:
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">

<display-name>ad test</display-name>
<description>ad test</description>

<!--ad integration-->
<security-constraint>
<web-resource-collection>
<web-resource-name>Authenticated area</web-resource-name>
<url-pattern>/session.jsp</url-pattern>
<url-pattern>*.xml</url-pattern>
<!--more url patterns and http methods here-->
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>

<!--more web resource collection nodes here-->
<auth-constraint>
<role-name>TestGroup</role-name>
<!--more role name nodes here-->
</auth-constraint>

</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<role-name>TestGroup</role-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>

<security-role>
<description>ad test group</description>
<role-name>TestGroup</role-name>
</security-role>

<!--I have also tried another login method
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
-->
</web-app>

4. Problem description:
When resources in the "Authenticated area" defined above are accessed, login.jsp
appears; if a wrong username/password is entered, error.jsp appears, but after
the correct username/password is entered I still get the error message
below:

HTTP Status 403 - Access to the requested resource has been denied

--------------------------------------------------------------------------------

type Status report

message Access to the requested resource has been denied

description Access to the specified resource (Access to the requested
resource has been denied) has been forbidden.


--------------------------------------------------------------------------------

Apache Tomcat/6.0.18

No exception or error is thrown in the console.

5. After log4j is configured to debug level on Tomcat, these errors are found in
the debug log:
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase -
Failed authenticate() test
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase -
Failed authenticate() test
......

DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
Authenticating username 'testuser1'
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
Authenticating username 'testuser1'
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
Authentication of 'testuser1' was successful
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
Authentication of 'testuser1' was successful
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
Redirecting to original '/adtest/session.jsp'
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator -
Redirecting to original '/adtest/session.jsp'
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase -
Failed authenticate() test ??/adtest/j_security_check
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase -
Failed authenticate() test ??/adtest/j_security_check
......

DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username testuser1
does NOT have role TestGroup
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username testuser1
does NOT have role TestGroup
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found:
TestGroup
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found:
TestGroup
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase -
Failed accessControl() test
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase -
Failed accessControl() test

I find this quite strange: as you can see in the attachment, testuser1 is a
member of TestGroup, and TestGroup is already defined in web.xml. Is there any
further configuration or debugging I should do?
http://www.nabble.com/file/p20375746/ad.JPG ad.JPG
http://www.nabble.com/file/p20375746/adtest.rar adtest.rar
--
View this message in context: http://www.nabble.com/-Problem-Tomcat-6.x-with-Active-Directory-on-Windows-Server-2003-tp20375746p20375746.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
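The realm lookup behind the "No role found: TestGroup" lines above, as an added example that is not part of the thread and not Tomcat's code: a Python simulation, over a constructed in-memory directory, of how JNDIRealm resolves a user to roles following its documented semantics (userSearch with {0} = username; roleSearch with {0} = the user's DN and {1} = username; roleName = the attribute of each matching group entry whose values become role names; userRoleName = the attribute of the user entry whose values become role names). The DN layout under CN=Users,DC=test and the "corrected" settings are assumptions; the post only gives userBase="DC=test". Run with the attributes exactly as posted, roleName="TestGroup" asks each matching group for an attribute named TestGroup, which no AD group has, so the realm finishes with an empty role list and accessControl() fails; with roleName="cn" the same roleSearch yields the role.

```python
"""Simulate Tomcat JNDIRealm's user-then-role lookup over a constructed
in-memory directory (added example; not Tomcat's code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed toy directory, NOT a real AD export. The DN layout under
# CN=Users,DC=test is an assumption; the post only gives userBase="DC=test".
DIRECTORY = {
    "CN=testuser1,CN=Users,DC=test": {
        "objectClass": ["user"],
        "sAMAccountName": ["testuser1"],
        "memberOf": ["CN=TestGroup,CN=Users,DC=test"],   # AD stores group DNs here
    },
    "CN=TestGroup,CN=Users,DC=test": {
        "objectClass": ["group"],
        "cn": ["TestGroup"],
        "member": ["CN=testuser1,CN=Users,DC=test", "CN=tomcat,CN=Users,DC=test"],
    },
}


@dataclass(frozen=True)
class RealmConfig:
    """The JNDIRealm attributes that drive the lookup, named as in server.xml."""
    userBase: str
    userSearch: str
    userSubtree: bool
    userRoleName: Optional[str]
    roleBase: str
    roleSearch: str
    roleName: str
    roleSubtree: bool


# Only single equality filters such as (sAMAccountName=testuser1) are supported.
FILTER_RE = re.compile(r"^\(([A-Za-z][A-Za-z0-9.;-]*)=([^()]+)\)$")


def get_attr(entry, name):
    """LDAP attribute names are case-insensitive; a missing attribute gives []."""
    return next((list(v) for k, v in entry.items() if k.lower() == name.lower()), [])


def in_scope(dn, base, subtree):
    """Subtree: the base itself or anything beneath it. One-level: direct children."""
    dn_l, base_l = dn.lower(), base.lower()
    if subtree:
        return dn_l == base_l or dn_l.endswith("," + base_l)
    return ("," in dn_l) and dn_l.split(",", 1)[1] == base_l


def search(base, filter_expr, subtree):
    """Minimal LDAP search returning the (dn, entry) pairs that match the filter."""
    m = FILTER_RE.match(filter_expr)
    if not m:
        raise ValueError("unsupported filter: " + filter_expr)
    attr, wanted = m.group(1), m.group(2).lower()
    return [(dn, e) for dn, e in DIRECTORY.items()
            if in_scope(dn, base, subtree)
            and any(v.lower() == wanted for v in get_attr(e, attr))]


def roles_for_user(cfg, username):
    """Mirror JNDIRealm: locate the user with userSearch ({0} = username), then
    collect role names from the user's userRoleName attribute and from the
    roleName attribute of every entry matching roleSearch ({0} = user DN,
    {1} = username). None means the user was not found (authentication fails)."""
    users = search(cfg.userBase, cfg.userSearch.replace("{0}", username), cfg.userSubtree)
    if len(users) != 1:
        return None
    user_dn, user_entry = users[0]
    roles = get_attr(user_entry, cfg.userRoleName) if cfg.userRoleName else []
    role_filter = cfg.roleSearch.replace("{0}", user_dn).replace("{1}", username)
    for _dn, group in search(cfg.roleBase, role_filter, cfg.roleSubtree):
        roles.extend(get_attr(group, cfg.roleName))   # attribute values become role names
    return roles


def has_role(cfg, username, role):
    """The accessControl() step: the authenticated user must carry the role."""
    roles = roles_for_user(cfg, username)
    return roles is not None and role in roles


# The realm attributes exactly as posted in the thread.
POSTED_REALM = RealmConfig(
    userBase="DC=test", userSearch="(sAMAccountName={0})", userSubtree=True,
    userRoleName="member",
    roleBase="DC=test", roleSearch="(member={0})", roleName="TestGroup", roleSubtree=True,
)

# Assumed fix: roleName names the attribute that holds the group's name (cn for an
# AD group); userRoleName is dropped because memberOf holds DNs, not role names.
CORRECTED_REALM = RealmConfig(
    userBase="DC=test", userSearch="(sAMAccountName={0})", userSubtree=True,
    userRoleName=None,
    roleBase="DC=test", roleSearch="(member={0})", roleName="cn", roleSubtree=True,
)

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_REALM), ("corrected", CORRECTED_REALM)):
        print(label, "-> roles for testuser1:", roles_for_user(cfg, "testuser1"))
```

The simulation reproduces the two stages the debug log shows: FormAuthenticator reports success because the userSearch finds testuser1 and the bind works, and RealmBase then reports no role because the role stage reads an attribute that does not exist. The same two queries can be run against the real directory with ldapsearch using the realm's bind credentials to confirm which attribute on the group entry actually carries the name. Separately, the `<role-name>` element the post places directly under `<login-config>` is not defined by the servlet 2.5 login-config element; the role mapping belongs in `<auth-constraint>` and `<security-role>`, where the post already has it.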


  • Vickey at Nov 7, 2008 at 7:32 am
    Another thing: authentication on IIS and Active Directory with the same users
    and groups passes successfully.
    --
    View this message in context: http://www.nabble.com/-Problem-Tomcat-6.x-with-Active-Directory-on-Windows-Server-2003-tp20375746p20375888.html
    Sent from the Tomcat - User mailing list archive at Nabble.com.


  • Vickey at Nov 10, 2008 at 2:56 am
    I can use the same username and password to authenticate on IIS and Active
    Directory, and it also works if IIS is integrated with Tomcat, but Tomcat
    standalone with Active Directory still does not work.


    Vickey wrote:
    [snip: original message of Nov 7, quoted in full above]
    --
    View this message in context: http://www.nabble.com/-Problem-Tomcat-6.x-with-Active-Directory-on-Windows-Server-2003-tp20375746p20413691.html
    Sent from the Tomcat - User mailing list archive at Nabble.com.
  • Hisham Farahat at Nov 10, 2008 at 6:07 am
    Check the Tomcat log; you may find more information.
    On Mon, Nov 10, 2008 at 5:56 AM, Vickey wrote:
    [snip: Vickey's message of Nov 10, quoted in full above]

    --
    Hisham Farahat

Discussion Overview
group: users@tomcat.apache.org
category: tomcat
posted: Nov 7, '08 at 7:15a
active: Nov 10, '08 at 6:07a
posts: 4
users: 2
website: tomcat.apache.org
irc: #tomcat

2 users in discussion

Vickey: 3 posts Hisham Farahat: 1 post
