Set Up Windows Authentication
Appkit can be used with Integrated Windows Authentication for single sign on (SSO) in your search application using Microsoft Internet Information Services.
This article includes all the necessary steps to configure the IIS component on the Windows server. These instructions assume that your Appkit application is managed as a Maven project with all project dependencies described in a Maven POM file.
| All screen shots and references to IIS configuration below were obtained from IIS 8.0 on a Windows Server 2012 VM. These might differ if using a different version of Windows or IIS. |
1 Prerequisites
1.1 Make sure IIS is installed on your Windows server
Install IIS on your Windows server.
1.3 Install Tomcat
Tomcat versions 7 and 8 are both supported. In this, we assume you are using Tomcat 8.0.21.
-
Download the Tomcat installer (Windows Service Installer
.exe) and follow the installation instructions. After installation is complete, do not start the Tomcat service just yet.Install Tomcat at a whitespace-free path (for example, D:\tomcat8). This path will be referred to asCATALINA_HOMEhereafter. All the screenshots that follow assume you installed Tomcat inD:\Tomcat8.
-
After the installation is complete, change Tomcat memory settings as follows:
-
Run
%CATALINA_HOME%\bin\Tomcat8w.exe -
On the Java tab, set Java Options to include:
-Xms512m -Xmx2048m -XX:PermSize=128m -XX:MaxPermSize=1024m
-
-
Repeat these settings in the input boxes below:
Initial memory pool: 512 Maximum memory pool: 2048
1.4 Verify the Tomcat installation
Start up Tomcat via Windows Services and go to http://localhost:8080. You should be presented with the default Tomcat manager application.
2 Configure and deploy the Appkit application
2.1 Configure the security provider
Authentication against IIS requires the "generic" Appkit security provider module. This is a thin layer which integrates with the standard Java servlet API to pick up the user’s credentials for authentication. To enable this module first remove any existing security provider dependency from the pom.xml under the root of the project and add this within the dependencies tag:
<dependency>
<groupId>twigkit</groupId>
<artifactId>twigkit.security.core</artifactId>
<version>${project.parent.version}</version>
</dependency>Then to configure Appkit to invoke this module on startup change the security.conf file in src/main/resources/conf/security/ to contain:
type: genericMake sure to remove any existing security provider configuration if there is one including the 'Spring Security' XML file and Spring related entries in the web.xml file if Spring was previously being used in the application.
2.2 Deploy the application to Tomcat
After these steps are completed, package your Appkit web application as a WAR file and deploy into Tomcat. Hereafter we assume you package the application as myapp.war so that the application can be accessed as http://localhost:8080/myapp/.
3 Configure the Tomcat-ISAPI connector
The Tomcat ISAPI connector is a DLL file that you can download from the Apache Tomcat website.
Below, we assume that you have downloaded the ZIP file relevant to your OS type and extracted isapi_redirect.dll from the archive.
3.1 Configure Tomcat for ISAPI
-
Add isapi_redirect.dll to
%CATALINA_HOME%\bin. -
Create
%CATALINA_HOME%\conf\workers.properties.minimalwith:worker.list=worker1 worker.worker1.host=127.0.0.1 worker.worker1.port=8009 worker.worker1.type=ajp13
-
Create
%CATALINA_HOME%\conf\uriworkermap.propertieswith:/*=worker1
-
(Important) In
%CATALINA_HOME%\conf\server.xml, you must puttomcatAuthentication="false"on the AJP connector:<Ajp13Connector port="8009" tomcatAuthentication="false" />
From now on, we assume you installed Tomcat in D:\Tomcat8 as noted above.
|
3.2 Configure Windows registry settings
This key needs to be modified in the registry with the specified properties:
HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector\1.0
-
Add a string value with the name
extension_uriand a value of/jakarta/isapi_redirect.dll -
Add a string value with the name
log_fileand a value pointing to where you want your log file to be (for example,D:\Tomcat8\logs\isapi.log). -
Add a string value with the name
log_leveland a value for your log level (can bedebug,info,errororemerg). -
Add a string value with the name
worker_fileand a value which is the full path to yourworkers.propertiesfile (for example,D:\Tomcat8\conf\workers.properties.minimal) -
Add a string value with the name
worker_mount_fileand a value which is the full path to youruriworkermap.propertiesfile (for example,D:\Tomcat8\conf\uriworkermap.properties)To save trouble, you can create a file named
tomcat_iis_settings.regthat includes this (replacingD:\Tomcat8with your ownCATALINA_HOME):Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector\1.0] @="" "extension_uri"="/jakarta/isapi_redirect.dll" "log_file"="D:\\Tomcat8\\logs\\isapi_redirect.log" "log_level"="error" "worker_file"="D:\\Tomcat8\\conf\\workers.properties.minimal" "worker_mount_file"="D:\\Tomcat8\\conf\\uriworkermap.properties"
-
On the Windows server, double-click the
tomcat_iis_settings.regfile to import the settings.
4 Configure the IIS
This assumes that IIS is already installed on the Windows server.
4.4 Configure the virtual directory and website on IIS
-
Using the IIS management console, add a new virtual directory to your IIS/PWS web site. The name of the virtual directory must be
jakarta. Its physical path should be the directory where you placedisapi_redirect.dll(in our example, it isD:\Tomcat8\bin). While creating this new virtual directory assign it with execute access.
-
Using the IIS management console, add
isapi_redirect.dllas a filter in your IIS/PWS web site. The name of the filter should reflect its task (here we use the namejakarta). Its executable must beD:\Tomcat8\bin\isapi_redirect.dll.
-
Enable Windows authentication for your IIS website:
-
On IIS Admin, select the server, and click ISAPI and CGI Restrictions. Then open it and Add… with the correct
isapi_redirect.dllpath:
-
Restart IIS and Tomcat.
5 Verify the installation
If all goes well, you should be able to visit http://localhost/myapp/, which should present the authenticated Windows user to the Appkit application.
At this point, Tomcat would still be accessible on port 8080, so if you visit http://localhost:8080/myapp/, you should see the same interface, except that your user is not authenticated.
|
6 Troubleshooting
Users receive the error 'the request entity is too large' in the browser
This is usually due to an issue with the Tomcat-ISAPI communication and the settings of the AJP connector in Tomcat must be modified to increase the maximum packet size:
-
In the
workers.propertiesfile referenced by the tomcat-connection definition, set the packet size to the maximum:worker.<worker name>.max_packet_size=65536 -
Set
packetSizein the AJP Connector definition:<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" packetSize="65536" tomcatAuthentication="false" />