>Hi,
 >
 >I'm hoping that one of you Tomcat experts out there may be able to give
 >me a hint as to what to try next:
 >
 >I've got my IdP looking up attributes using ldap just fine (thanks to
 >Jon Warbrick and Adrian Barker for their resolver.xml samples) and have
 >moved on to getting Tomcat to do the authentication by LDAP.
 >
 >The authentication bit seems to be working, when I go to Testshib it
 >redirects me to the sample login page.  If I put in duff credentials it
 >says so and keeps me at the username and password page but if I put in
 >the right credentials instead of sending me jubilantly back to
 >testship.org for a glass of champagne I get a Tomcat slap on the wrist
 >page:
 >
 >"HTTP Status 403 - Access to the requested resource has been denied
 >
 >type Status report
 >
 >message Access to the requested resource has been denied
 >
 >description Access to the specified resource (Access to the requested
 >resource has been denied) has been forbidden.
 >Apache Tomcat/5.5.23"
 >
 >The URL its using is:
 >
 >https://mgraytemp3.its.dundee.ac.uk/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.testshib.org%2FShibboleth.sso%2FSAML%2FPOST&time=1182154866&target=cookie&providerId=https%3A%2F%2Fsp.testshib.org%2Fshibboleth%2Ftestshib%2Fsp
 >
 >No doubt I've made a boob with my Tomcat config (not really knowing what
 >I'm doing),  I followed the cookbook at:
 >
 >https://mams.melcoe.mq.edu.au/zope/mams/pubs/Installation/Tomcat%20Authentication%20for%20Shibboleth%20IdP
 >
 >I'm using Tomcat 5.5 and Apache 2.0.59, openssl 0.9.7m all on SUSE (SLED
 >10).
 >
 >Cheers
 >Andy

Here is the recipe that we used for Tomcat authentication. I can't take
any credit for it - it was just copied from other sources. Parts of it
are specific to the configuration here, but these should be obvious.


18. Change the login page to use tomcat


18.1. -


18.2. Change server.xml
cd /usr/local/tomcat/apache-tomcat-5.5.12/conf

cp /nfs/rcs/sysman/pp/shib-conf/server.xml.tomcat-auth  /usr/local/tomcat/apache-tomcat-5.5.12/conf/server.xml


The details of the changes are:
Change the line:
request.tomcatAuthentication="true"

Configure a Tomcat 'realm' (= authentication database)

Use the JNDIRealm for ldap:

    <!-- Define the top level container in our container hierarchy -->
    <Engine name="Catalina" defaultHost="localhost">

...

<Realm  className="org.apache.catalina.realm.JNDIRealm"
  debug="99"
  connectionName="cn=.....,dc=ucl,dc=ac,dc=uk"
  connectionPassword="zzzzzzzz"
  connectionURL="ldap://uclusers-dc1.uclusers.ucl.ac.uk:389"
  alternateURL="ldap://uclusers-dc2.uclusers.ucl.ac.uk:389"
  userBase="ou=departments,dc=uclusers,dc=ucl,dc=ac,dc=uk"
  userSearch="(cn={0})"
  userSubtree="true"
  />


Note: to use a flat file, use the following:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>


Valve for logging ?
No, skip the following:
#o      Also copy the following block within "Host" element:
#<Context path="/shibboleth-idp" docBase="shibboleth-idp"
#    debug="0"reloadable="true" crossContext="true">
#    <Logger className="org.apache.catalina.logger.FileLogger"
#            prefix="localhost_shibboleth_log." suffix=".txt"
#            timestamp="true"/>
#</Context>


18.3. Change web.xml for shibboleth-idp:

cd /usr/local/tomcat/apache-tomcat-5.5.12/webapps/shibboleth-idp/WEB-INF

Save in /nfs/rcs/sysman/pp/shib-conf:
cp /nfs/rcs/sysman/pp/shib-conf/web.xml  /usr/local/tomcat/apache-tomcat-5.5.12/webapps/shibboleth-idp/WEB-INF/web.xml

Note: this file is overwritten if Shibboleth is upgraded

Add <security-constraint> as follows:

<security-constraint>

  <display-name>Restrict Access to Shibboleth SSO</display-name>

  <web-resource-collection>

        <web-resource-name>Protected Area</web-resource-name>

        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/IdP</url-pattern>
        <url-pattern>/SSO</url-pattern>

        <!-- If you list http methods, only those methods are protected -->
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>

  </web-resource-collection>

  <auth-constraint>

        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>*</role-name>

  </auth-constraint>

</security-constraint>

<login-config>

  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>

        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-error.jsp</form-error-page>

  </form-login-config>

</login-config>


18.4. tomcat-users.xml

cd /usr/local/tomcat/apache-tomcat-5.5.12/conf
No change needed


18.5. Customise the web forms:

These are in the following directory:
cd /usr/local/tomcat/apache-tomcat-5.5.12/webapps/shibboleth-idp

login.jsp
login-error.jsp

Note: these files are overwritten when Shibboleth is upgraded.

The files are saved in /nfs/rcs/sysman/pp/shib-conf
cp /nfs/rcs/sysman/pp/shib-conf/login.jsp login.jsp
cp /nfs/rcs/sysman/pp/shib-conf/login-error.jsp login-error.jsp


To create the login jsp files, do the following:

The template login file is in
/nfs/fs-b/sysman/pp/shib-conf/shib-login.shtml

Copy the file to somewhere in the web tree, eg. as ccaaarb:
cp /nfs/fs-b/sysman/pp/shib-conf/shib-login.shtml  /nfs/rcs/www/webdocs/arbb-test

Use wget to fetch the resolved file to the shib-a/b machines:
cd /usr/local/tomcat/apache-tomcat-5.5.12/webapps/shibboleth-idp
wget http://www.ucl.ac.uk/arbb-test/shib-login.shtml

Edit shib-login.shtml to change any relative links for images to
absolute ones:
<img src="/images/spacer.gif"

to
<img src="http://www.ucl.ac.uk/images/spacer.gif"

cp shib-login.shtml login.jsp
cp shib-login.shtml login-error.jsp

Edit login-error.jsp: after the lines:
<form method=post action="j_security_check">
<table bgcolor="#CDDAEB">

add the line:
<tr><td colspan="2"><span class="text1">Incorrect userid or password. Please try again.</span>


Save these files in /nfs/fs-b/sysman/pp/shib-conf/


Also change the message in the files:
IdP.jsp
IdPError.jsp

cp IdP.jsp IdP-orig.jsp
cp IdPError.jsp IdPError-orig.jsp

cp /nfs/rcs/sysman/pp/shib-conf/IdP.jsp IdP.jsp
cp /nfs/rcs/sysman/pp/shib-conf/IdPError.jsp IdPError.jsp

The changes are:
In IdP.jsp, change:
Shibboleth Authentication Request Processed

to
Redirecting to requested site

and in IdPError.jsp, change:
Shibboleth Identity Provider Failure

to
Authentication Failure

Save these files in /nfs/fs-b/sysman/pp/shib-conf/



18.6. Change httpd.conf

Comment out the entire <Location /shibboleth-idp/SSO> block

cd /usr/local/apache/conf

cp /nfs/rcs/sysman/pp/shib-conf/httpd.conf.tomcat-auth  httpd.conf


Restart Apache and Tomcat.






Adrian Barker, Information Systems
University College London, Gower Street, London WC1E 6BT
External phone: +44 20 7679 5140,  Fax (+44) 20 7388 5406
Internal phone: x 25140
Email: [log in to unmask]