I am trying to authenticate web users against Active Directory on Windows Server 2003 R2 with SP2 and
Tomcat 6.18, but I get an "HTTP Status 403 - Access to the requested resource has been denied" error and don't know why. My steps and configuration are below:
1. create a test group and user in Active Directory:
domain name: test
domain controller host: 172.20.2.13
TestGroup: a global security group
testuser1, tomcat: members of TestGroup
screen capture is available in the attachment ad.JPG
2. ${catalina.home}/conf/server.xml:
<Server ......>
  ......
  <Engine name="Catalina" defaultHost="localhost">
    <!-- have to comment this out to use the LDAP authentication realm
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
    -->
    <!-- I have also tried to put the LDAP realm here, but it does not work yet -->
    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true"
          xmlValidation="false" xmlNamespaceAware="false">
      <!-- AD integration -->
      <Realm
        className="org.apache.catalina.realm.JNDIRealm"
        debug="99"
        connectionURL="ldap://172.20.2.13:389"
        connectionName="tomcat@test"
        connectionPassword="tomcat1"
        authentication="simple"
        referrals="follow"
        userRoleName="member"
        userBase="DC=test"
        userSearch="(sAMAccountName={0})"
        userSubtree="true"
        roleBase="DC=test"
        roleName="TestGroup"
        roleSubtree="true"
        roleSearch="(member={0})"
      />
    </Host>
  </Engine>
  ......
</Server>
3. create a test web application and modify its web.xml:
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
         http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
  <display-name>ad test</display-name>
  <description>ad test</description>
  <!-- AD integration -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated area</web-resource-name>
      <url-pattern>/session.jsp</url-pattern>
      <url-pattern>*.xml</url-pattern>
      <!-- more url patterns and http methods here -->
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <!-- more web resource collection nodes here -->
    <auth-constraint>
      <role-name>TestGroup</role-name>
      <!-- more role name nodes here -->
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <role-name>TestGroup</role-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <description>ad test group</description>
    <role-name>TestGroup</role-name>
  </security-role>
  <!-- I have also tried another login method
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  -->
</web-app>
4. problem description:
when the resources in the "Authenticated area" defined above are accessed, login.jsp appears; if a wrong username/password is entered, error.jsp appears, but after the correct user/password is entered I still get the error message below:
HTTP Status 403 - Access to the requested resource has been denied
--------------------------------------------------------------------------------
type Status report
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
--------------------------------------------------------------------------------
Apache Tomcat/6.0.18
No exception or error is thrown in the console.
5. after log4j is configured for debug output in Tomcat, the following entries are found in the debug log:
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test
......
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authenticating username 'testuser1'
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authentication of 'testuser1' was successful
DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Redirecting to original '/adtest/session.jsp'
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test ??/adtest/j_security_check
......
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username testuser1 does NOT have role TestGroup
DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found: TestGroup
DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed accessControl() test
I find this quite strange: as you can see in the attachment, testuser1 is a member of TestGroup, and TestGroup is already defined in web.xml. I wonder what further configuration or debugging I should do?
Attachment: adtest.rar
Using the same user and password to authenticate with IIS and Active Directory succeeds, which means the configuration in Active Directory should be correct.
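As an added example (not from the original post or from Tomcat itself), the Python stand-in below mimics how JNDIRealm turns the realm attributes in the posted server.xml into a list of roles: {0} in userSearch is the login name, {0} in roleSearch is the DN of the user entry that was found, and roleName is the name of the attribute (in each matching group entry) whose values become the role names that are compared against the web.xml auth-constraint. The in-memory directory, the CN=Users container DNs and the `FIXED` realm dictionary are constructed assumptions; password binding is left out because the posted log already shows authentication succeeding.

```python
import re

# Constructed in-memory stand-in for the directory described in the post:
# domain "test", a global group TestGroup, and testuser1 as a member of it.
DIRECTORY = {
    "CN=testuser1,CN=Users,DC=test": {
        "objectClass": ["user"], "sAMAccountName": ["testuser1"],
        "memberOf": ["CN=TestGroup,CN=Users,DC=test"],
    },
    "CN=TestGroup,CN=Users,DC=test": {
        "objectClass": ["group"], "cn": ["TestGroup"],
        "member": ["CN=testuser1,CN=Users,DC=test"],
    },
}

def search(base, attr, value):
    """Minimal stand-in for an LDAP subtree search with filter (attr=value)."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base) and value in attrs.get(attr, [])]

def parse_filter(template, arg):
    """Only the (attr={0}) filter shape used in the post is supported."""
    m = re.fullmatch(r"\((\w+)=\{0\}\)", template)
    if not m:
        raise ValueError("unsupported filter: " + template)
    return m.group(1), arg

def resolve_roles(realm, username):
    """Mimic JNDIRealm: locate the user entry, then collect its roles."""
    attr, value = parse_filter(realm["userSearch"], username)
    users = search(realm["userBase"], attr, value)
    if len(users) != 1:
        return None  # no unique user entry: authentication would fail
    user_dn = users[0]
    # roles stored directly on the user entry (userRoleName attribute)
    roles = list(DIRECTORY[user_dn].get(realm.get("userRoleName", ""), []))
    # roles from entries matching roleSearch, with {0} = the user's DN
    attr, value = parse_filter(realm["roleSearch"], user_dn)
    for dn in search(realm["roleBase"], attr, value):
        roles += DIRECTORY[dn].get(realm["roleName"], [])
    return roles

def has_role(realm, username, required):
    """The accessControl() check: is the auth-constraint role among the user's roles?"""
    roles = resolve_roles(realm, username)
    return roles is not None and required in roles

# The posted realm: roleName names an attribute, and no group entry has an
# attribute called "TestGroup", so the role list comes back empty.
POSTED = {"userBase": "DC=test", "userSearch": "(sAMAccountName={0})",
          "userRoleName": "member", "roleBase": "DC=test",
          "roleSearch": "(member={0})", "roleName": "TestGroup"}
FIXED = dict(POSTED, roleName="cn")  # assumption: read the group's cn as the role name
```

Running `has_role(POSTED, "testuser1", "TestGroup")` reproduces the "does NOT have role TestGroup" outcome from the log, while the `FIXED` realm yields the role.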