1.1 What is Apache Tomcat?
Tomcat is a Java Servlet container and web server from the Jakarta project of the Apache Software Foundation. A web server dishes out web pages in response to requests from a user sitting at a web browser. But web servers are not limited to serving up static HTML pages; they can also run programs in response to user requests and return the dynamic results to the user’s browser. Tomcat is very good at this because it provides both Java Servlet and JavaServer Pages (JSP) technologies (in addition to traditional static pages and external CGI programming). As a result, Tomcat is a good choice as a web server for many applications, and also when you want a free servlet and JSP engine. It can be used standalone or behind a traditional web server such as Apache httpd, with the traditional server serving static pages and Tomcat serving dynamic servlet and JSP requests.
1.2 What is Active Directory?
Active Directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains. It is primarily used for online. Active Directory (sometimes referred to as AD) performs a variety of functions: it provides information on objects, helps organize these objects for easy retrieval and access, allows access by end users and administrators, and allows the administrator to set up security for the directory. Active Directory can be described as a hierarchical structure, usually broken up into three main categories: resources, which might include hardware such as printers; services for end users, such as web and email servers; and objects, which are the main functions of the domain and network.
2. Preparing Active Directory
2.1 Set the permission
- Create a user in Active Directory (this is the user we are going to configure in Tomcat's server.xml).
- Right-click the Users container and select “Delegate Control”.
- Click Next, then click Add.
- In the pop-up window type the name of the user you want to add -> Check Names -> OK.
- Click Next -> under "Delegate the following common tasks" select “Read all user information” -> Next -> Finish.
Now this user has permission to read user information.
3 Configuring Tomcat
3.1 Server.xml
- To connect Tomcat to Active Directory you need to edit the server.xml file in Tomcat. The path of the server.xml file is Tomcat_installation_directory\Tomcat 6.0\conf\server.xml.
- Comment out the Realm tag that already exists in your server.xml.
- The new Realm tag:
<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionName="cn=shanaka,cn=Users,dc=test,dc=lk"
       connectionPassword="qer23EWED"
       connectionURL="ldap://192.168.15.9:389"
       userRoleName="member"
       userBase="cn=Users,dc=test,dc=lk"
       userPattern="cn={0},cn=Users,dc=test,dc=lk"
       roleBase="cn=Users,dc=test,dc=lk"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="false"
       userSubtree="true"
/>
3.2 Definition
- className : The Realm implementation. org.apache.catalina.realm.JNDIRealm queries LDAP directories for user information; you do not need to change this value for this configuration.
- Debug : A legacy logging-level attribute from older Tomcat releases. Tomcat 6 does not use it, so it can be left out.
- connectionName : The distinguished name Tomcat binds to Active Directory with in order to read information about the users.
- cn = Windows domain username that can read Active Directory. Here it is the user “shanaka”, which I created in Active Directory above.
- test.lk is the domain (dc=test,dc=lk).
- connectionPassword : Password of the user. Here, the password of the user “shanaka”. It is stored in clear text in server.xml, so restrict read access to that file to the account Tomcat runs as.
- connectionURL : URL of the LDAP host (an accessible domain controller). Here, the URL of the Active Directory server. A plain ldap:// URL sends the bind password and every login password over the network unencrypted; for anything beyond a test setup use an ldaps:// URL (port 636) against a domain controller whose certificate Tomcat trusts.
- userRoleName : Attribute of the group that is used to specify the name, typically “cn”. NOTE: The value of the name attribute for any roles you are going to use needs to be identical to what you later set in your web.xml file for the web applications that are going to use container authentication.
- userBase : Base location to start searching for users in the LDAP (Active Directory) tree.
- userPattern : Each user entry has a distinguished name that can be formed by substituting the entered username into the pattern configured by the userPattern property. The token {0} is replaced by the username that was typed in, and the resulting DN is what Tomcat queries Active Directory for.
- roleBase : Base location to start searching for roles in the LDAP (Active Directory) tree. A role is just a group that you create and add a user to in Active Directory.
- roleName : Attribute of the group that is used to specify the name, typically “cn”. NOTE: The value of the name attribute for any roles you are going to use needs to be identical to what you later set in your web.xml file for the web applications that are going to use container authentication.
- roleSearch : member is an attribute on the role (group) that lists all of its members. NOTE: A user will only be found if they are listed directly as a member. If a group they belong to is listed here instead of the user, they will not be found to be in this role. In other words, do NOT rely on nested groups here, because the role search does not look inside groups that are listed; it just does an exact comparison. NOTE2: {0} is a token that is replaced with the fully qualified name of the user once bound to JNDI. {1} is also valid in this parameter and is replaced with the string the user typed in the username field to log in to the application, e.g. "username". If you are talking to Active Directory, you will most likely want to use {0}.
- roleSubtree : Whether a search for a role descends into the containers below roleBase.
- userSubtree : Whether a search for a user descends into the containers below userBase.
After making these changes, save server.xml and restart Tomcat.
3.3 Login to Tomcat Manager
The user needs to be a member of both the manager and the admin group in Active Directory to access the Tomcat Manager. By creating two groups named “manager” and “admin” and making a user a member of both of these groups you can access it. So here manager and admin are the two roles of that particular user.
3.4 How to add a user to a group
- Click on the group you need to add the user to -> Properties.
- Click the Members tab -> Add.
- Type the username of the user and click Check Names -> OK.
- Now you should be able to log in to the Tomcat Manager using the credentials of the authenticated user. Here I have made “Administrator” a member of both the manager and admin groups.
- Type the default URL of Tomcat (here http://localhost:8080) in your browser, click Tomcat Manager and type the username and password of the user.
- If your configuration is successful you should be able to log in to the Tomcat Manager using the credentials of the authenticated user.
4 Authenticate according to the role
4.1 Using JSP
Suppose you need to create an application that contains two JSPs named “employee.jsp” and “manager.jsp”. Employees cannot access manager.jsp, while managers can access both JSPs. The role name of a manager is manager and that of an employee is employee, so we need to create two groups named manager and employee (role names and group names must be equal). To access both the employee and manager pages, a manager must be a member of both groups.
4.2 Edit web.xml
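The lookup the Realm above performs and the web.xml constraints that section 4.1 calls for, as an added Python example that is not part of this tutorial and not Tomcat's own code: it applies the userPattern and roleSearch substitution rules from section 3.2 to a constructed in-memory stand-in for the Users container (users alice and bob are assumed names), then checks constructed security-constraint entries for employee.jsp and manager.jsp. Because the employee group is itself nested inside manager, bob still only gets the employee role, which is the direct-membership rule from the roleSearch note.

```python
# Added example (not from the tutorial): how JNDIRealm turns a login into roles
# with the Realm attributes above, then how web.xml constraints are applied.
import xml.etree.ElementTree as ET

REALM = {"userPattern": "cn={0},cn=Users,dc=test,dc=lk",   # from server.xml
         "roleBase": "cn=Users,dc=test,dc=lk", "roleName": "cn",
         "roleSearch": "(member={0})"}
U = "cn=Users,dc=test,dc=lk"
DIRECTORY = {  # constructed stand-in for AD: DN -> attributes; employee is nested in manager
    f"cn=alice,{U}": {"cn": ["alice"]},
    f"cn=bob,{U}": {"cn": ["bob"]},
    f"cn=manager,{U}": {"cn": ["manager"], "member": [f"cn=alice,{U}", f"cn=employee,{U}"]},
    f"cn=employee,{U}": {"cn": ["employee"], "member": [f"cn=alice,{U}", f"cn=bob,{U}"]},
}

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/manager.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/employee.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>employee</role-name><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""  # a real web.xml also needs <login-config> and <security-role> entries

def user_dn(username):
    """{0} in userPattern is replaced by the typed username to form the user's DN."""
    return REALM["userPattern"].replace("{0}", username)

def roles_for(username):
    """roleSearch with {0} = user DN (or {1} = raw username), compared exactly
    against each group's member attribute under roleBase; nesting is not followed."""
    dn = user_dn(username)
    attr, value = REALM["roleSearch"].strip("()").split("=", 1)
    value = value.replace("{0}", dn).replace("{1}", username)
    return {attrs[REALM["roleName"]][0] for entry_dn, attrs in DIRECTORY.items()
            if entry_dn.endswith(REALM["roleBase"]) and value in attrs.get(attr, [])}

def required_roles(path):
    """Roles named by the first security-constraint whose url-pattern matches."""
    for sc in ET.fromstring(WEB_XML).findall("security-constraint"):
        if path in [u.text for u in sc.iter("url-pattern")]:
            return {r.text for r in sc.iter("role-name")}
    return None  # no constraint: anyone may access

def can_access(username, path):
    """Container check: the user needs at least one of the constraint's roles."""
    need = required_roles(path)
    return need is None or bool(roles_for(username) & need)
```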