« Tomcat and SSL redirectionNothing to do with IT... »


Comment from: Sameer [Visitor]  

Hi Mathias,

Thanks for this well explained blog. I was wondering how tomcat would check the password without specifying any information about where to find the passwords in the LDAP drectory?

I tried using the above configuration, but I cannot get the user to get authenticated.

07/17/08 @ 17:32
Comment from: thias [Member]  

Hi Sameer,

Well, make sure that you’ve replaced the generic parameters in the <Realm /> definition by some that match your ldap server.
You’re right about the password. I’ve been using Sun Directory as a LDAP server. I’ve never had to mention a specific field for the password…

Thanks for your comment. Do not hesitate to come back to me with more information ;-)

07/17/08 @ 21:46
Comment from: Robert Rowland [Visitor]  
Robert Rowland

Is there a way for the webapp to know what username was used to authenticate with? For example if you wanted to display somwhere on the webpage what user you are currently logged in as?

10/07/08 @ 17:54
Comment from: thias [Member]  

Hi Robert,

Once logged in, the user name can be fetch using the following:

<%= request.getRemoteUser() %>

I’m using this to display a “Welcome username” message on the tomcat app pages.

Hope this helps!

10/07/08 @ 18:21
Comment from: Ravindra [Visitor]


We are migrating our applicaton from Tomcat5 to tomcat-6.0.18. In our applicaton we are verifying users with LDAP. But when we tried to login we are getting following error:

HTTP Status 403 - Access to the requested resource has been denied.

Can someine please help us.


02/05/09 @ 11:59
Comment from: Raivndra [Visitor]

JNDIRealm[Catalina]: lookupUser(ravindra.paliwal)
JNDIRealm[Catalina]: dn=uid=ravindra.paliwal,ou=Equant ,ou=People,o=globalone.net
JNDIRealm[Catalina]: validating credentials by binding as the user
JNDIRealm[Catalina]: binding as uid=ravindra.paliwal,ou=Equant ,ou=People,o=globalone.net
JNDIRealm[Catalina]: Exception performing authentication
javax.naming.ServiceUnavailableException: cod.dc.iad.equant.com:389; socket closed; remaining name ‘’
at com.sun.jndi.ldap.Connection.readReply(Connection.java:410)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:340)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:193)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2640)
at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2549)
at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2523)
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1904)
at com.sun.jndi.ldap.LdapCtx.doSearchOnce(LdapCtx.java:1896)
at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1289)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:121)
at org.apache.catalina.realm.JNDIRealm.bindAsUser(JNDIRealm.java:1231)
at org.apache.catalina.realm.JNDIRealm.checkCredentials(JNDIRealm.java:1122)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:868)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:782)
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:229)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:417)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:793)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:702)
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:571)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:644)
at java.lang.Thread.run(Thread.java:534)

JNDIRealm[Catalina]: Closing directory context

02/06/09 @ 11:01
Comment from: marveen [Visitor]

tried with tomcat 5.5 and tomcat 6.0.18 on a server windows 2003 and it returns always an error when identificating

02/16/09 @ 15:14
Comment from: thias [Member]  

Hi Marveen,

What kind of error do you have?
Do you have any logs?

02/16/09 @ 22:01
Comment from: ambar [Visitor]  

I am on Tomcat 5.0.28 on Linux, and Sun Iplanet Directory Server 5.2.

I have configured the realm according to this example, and also followed the tomcat docs supplied in the installation.

I have made modifications to the web.xml file in webapps/jsp-examples/WEB-INF/.

In the LDAP directory, I have created a group whose cn=tomcat and role1.

What I see is: When I access the /security/protected
page from the browser, I get HTTP Status 403 - Forbidden.

Which means that the authentication succeeded (if I enter a wrong password, it says so), but the authorization failed.

Please let me know where to look to resolve this issue.

02/26/09 @ 10:38
Comment from: thias [Member]  


You mean that you have to enter your login, and whatever login you enter, you just get the Forbidden status page?
Did I miss something?
Otherwise, make sure that you have access to the index.jsp page…

02/26/09 @ 12:17
Comment from: timo [Visitor]


Try adding


inside the realm-tag.


03/12/09 @ 08:42
Comment from: ev [Visitor]

thanks timo…you made my day.
allRolesMode="authOnly” fixed all my problems

04/24/09 @ 07:05
Comment from: Melvin Thompson [Visitor]
Melvin Thompson

I’m new to Java; I have a question that may sound stupid. Where exactly is the coding for “j_security_check” that’s displayed in the “action” of the form tag.

06/22/09 @ 16:05
Comment from: Java User [Visitor]
Java User

thanks for providing such a great tutorial. I followed your tutorial, and getting work some how. After authenticating is success then how to redirect to the success page? And in success page I want to display the user name and his roles from LDAP. So can you suggest me the code snippet to get the roles of an authenticated user and redirecting to the sucess page.

09/18/09 @ 11:30
Comment from: thias [Member]  

Hi “Java User",

First, thank you for your kind comment…
Well, let try to get a little more technical now…
It’s been a long time since I’ve done this tomcat thing, but as far as I remember, the success page is simply the index.jsp page from your webapp:


In order to display the user name, you can use the following in your index.jsp page:

<%= request.getRemoteUser() %>

I’m not sure there are other built-in functions you can use to access LDAP information about the logged in user. I guess that you have to implement an LDAP request to get whatever LDAP field you want and display it in your webapp, once you have the user name…

Hope this helps…

09/22/09 @ 05:43
Comment from: suresh [Member]  

I am trying to do LDAP Authentication from Tomcat.When I am accessing the web page am getting pop-up for username and password and after pressed the OK button. Tomcat console displaying following error message.

Error Details :

SEVERE: Exception performing authentication
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09
062B, comment: In order to perform this operation a successful bind must be comp
leted on the connection., data 0, vece ]; remaining name ‘TestUser@SoftphoneAD.c
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.c_getAttributes(Unknown Source)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(Unknown
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(Unk
nown Source)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(Unk
nown Source)
at javax.naming.directory.InitialDirContext.getAttributes(Unknown Source
at org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:1
at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:973)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:899)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:810)
at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(Bas
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentica
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.ja
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.p
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpo
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFol
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadP
at java.lang.Thread.run(Unknown Source)
Dec 22, 2009 4:33:28 PM org.apache.catalina.realm.JNDIRealm authenticate

Please tell me where I made the mistakes.

Thanks and Regards,
SureshKumar K

12/22/09 @ 13:22
Comment from: Stephen [Visitor]

Hi there. I know it’s been a long time since you wrote this article, but I’m hoping you’re still around. I’ve been trying to get my Tomcat and LDAP server to talk for a few days now, but just keep running into problems. Your tutorial is the first I’ve found that is actually good , so thanks for that to start!

I’ve managed to get the index.jsp page to show, and I believe it is hitting the LDAP server okay - if you use an invalid password it spits you to error.jsp like it should - but when you hit “okay” with a valid password it gives a 403 error. Do you have any idea what might be the cause for this? As far as I know I simply followed your instructions to the letter.

I can post my web.xml, server.xml, etc if needs be. I hope you are still around, and I hope you can help me!

06/16/10 @ 15:45
Comment from: siva [Visitor]

I am also facing the same issue right now.

I’ve been trying to get my Tomcat and LDAP server to talk for a few days now, but just keep running into problems.

Please try to help it out to start!
I’ve managed to get the index.jsp page to show, and I believe it is hitting the LDAP server okay - if you use an invalid password it spits you to error.jsp like it should - but when you hit “okay” with a valid password it gives a 403 error. Do you have any idea what might be the cause for this? As far as I know I simply followed your instructions to the letter.

I hope you are still around, and can help me!

08/05/10 @ 12:10
Comment from: Newie [Visitor]

Hello, nice tutorial. In order to understand LDAP, It would be great if you could highlight in bold the generic parameters in the “Realm” definition that need to be matched from the real ldap server.
Thank you.

08/27/10 @ 13:58
Comment from: David [Visitor]

Hallo again,
Do I need to change the pairs ou=people, dc=domain, uid=(0) to the equivalentes in my LDAP server. I mean both sides (Strings) of the comparison? Or maybe just the right side value of the comparison? Are the keywords uid, ou, dc, cn, memberUid standard keywords for all posible configurations? And by configurations also mean not only in Tomcat, but also Spring Security, etc. I know this is an exhaustive question, I am having problems finding documntation. Thank you for the tutorial.

08/27/10 @ 15:23
Comment from: thias [Member]  


The entry userPattern="uid={0},ou=people,dc=domain,dc=com” should match your LDAP server.
In my case, users are stored in LDAP (I’m running Sun Directory Server here - but I could have been OpenLDAP or any other one) following this schema:
The user name is known by the uid.
Users entries are stored in the “people” ou, for the “domain.com” domain.

uid, ou, dc, cn, … are quite standard, but the LDAP schema may vary depending on the LDAP server you’re using…

Well, that’s a really short answer to your long question, but anyone who wants to add more is welcome! ;-)

08/27/10 @ 16:04
Comment from: James [Visitor]

what do uid={0} and memberUid={1} mean? I a mean the numbers between curly brackets. Great tutorial.

08/29/10 @ 03:17
Comment from: David [Visitor]


Thankyou for the article and the help comments. I have got the following info from an apache server. I have change the domain, group and company names. I do not know how to map this info to the tomcat configuration.
AuthLdapUrl ldap://ldap02.domain.com:389/o=company,c=com?uid?sub?(objectClass=*)

Require ldap-group cn=thegroup,o=company,c=com

08/29/10 @ 17:36
Comment from: Prad [Visitor]

hi, where we arfe definining j_security_check ? is it predefined ?

02/03/11 @ 13:47
Comment from: Jon [Visitor]

What do you do in the case you’re using roleOccupant from organizationalRole class instead of memberUid?


Does that work? because the roleOccupant is a DN and not a UID so I don’t think it works.

03/30/11 @ 20:21
Comment from: Pushkar [Visitor]  

Thanks. After banging my head, I finally got it working.

For folks who are asking about j_security_check, in my case it points nowhere. The idea is that when a restricted resource is requested, tomcat will redirect to the login page. On successful login, the page is redirected to restricted page which was originally requested. On failed login, it redirects to error.jsp.

My requirement is plain - authenticate all users regardless of their group. So I got rid of the roles. Finally my web.xml looks like this




<display-name>Security Constraint</display-name>
<web-resource-name>Protected Area</web-resource-name>
<!– Define the context-relative URL(s) to be protected –>
<!– If you list http methods, only those methods are protected –>

<!– Anyone with one of the listed roles may access this area –>

As for the servlet hello -

protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
// TODO Auto-generated method stub

resp.getWriter().write("GET username=” + req.getUserPrincipal().getName());

Finally my request is HTTP GET - http://localhost:8080/jnditry1/restricted/hello

which asks for login and once I do shows my username. Hope that helps.

08/26/11 @ 11:01
Comment from: Filipe Vieira [Visitor]  
Filipe Vieira


I’ve found this article very useful for my project, I just have one question.

Is it possible to select x users from a single role to gain access?

For example, my AD have a role named “users” with the user “u1″,"u2″ and “u3″.

And after i define the role name:


I just want u1 and u3 to gain access.


11/28/11 @ 15:27
Comment from: Dave Godbey [Visitor]  
Dave Godbey

Great stuff. I have this working fine. Now downstream I want to use site minder to sso auto login.

How can I tell tomcat to populate http headers with info from the ldap record, eg. first name, last name, user name.

The authorization header is there, but what I really want is a header with the remote user in it, eg. the username I logged in with.

02/10/12 @ 19:10
Comment from: Mika [Visitor]

Hi Mathias,

Thank you for this very good example.

- Mika

09/18/12 @ 12:35
Comment from: Ken M [Visitor]
Ken M

Dave– probably solved by now, but if you want to set various custom HTTP headers, you should create a Servlet Filter that will wrap HTTPRequest and return those headers. If I recall correctly, the headers are read-only and the only way to change them is to insert a filter into servlet processing chain. [Sounds like you’re trying to set up something similar to Siteminder or OpenSSO – they can set custom HTTP request headers with information about the current user.]

Overriding with a filter has one necessary characteristic. You should make sure that you strip any existing headers with the same name – e.g. if you add HTTP_USERNAME, make sure that you don’t pass whatever HTTP_USERNAME header that the request might have had. Otherwise, it’s way too easy for a user to add HTTP request headers to a request that otherwise might have failed.

06/08/13 @ 00:31
Comment from: Ravi [Visitor]  


I am getting the below error,
Sep 9, 2013 4:18:49 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Security checking request GET /prdbutil/FirstSteps/FirstSteps.jsp
Sep 9, 2013 4:18:49 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint ‘SecurityConstraint[DEV-PRDBUTIL]’ against GET /FirstSteps/FirstSteps.jsp –> true
Sep 9, 2013 4:18:49 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint ‘SecurityConstraint[DEV-PRDBUTIL]’ against GET /FirstSteps/FirstSteps.jsp –> true
Sep 9, 2013 4:18:49 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling hasUserDataPermission()
Sep 9, 2013 4:18:49 PM org.apache.catalina.realm.RealmBase hasUserDataPermission
FINE: User data constraint has no restrictions
Sep 9, 2013 4:18:49 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling authenticate()
Sep 9, 2013 4:18:49 PM org.apache.catalina.authenticator.FormAuthenticator authenticate
FINE: Save request in session ‘0C8F89C27341789348362CB1E061BEB5.SGPLTRDV4′
Sep 9, 2013 4:18:49 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed authenticate() test
Sep 9, 2013 4:19:05 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Security checking request POST /prdbutil/FirstSteps/j_security_check
Sep 9, 2013 4:19:05 PM org.apache.catalina.authenticator.FormAuthenticator authenticate
FINE: Authenticating username ‘DICK-LDAP’
Sep 9, 2013 4:19:05 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed authenticate() test ??/prdbutil/FirstSteps/j_security_check

I have followed all the steps in the context and web.xml to the book. but i am just geeting the error as Failed authenticate() test. there is no other stack overflow. And page is redirected to the error.jsp page. Can anyone plaes advise on this.

09/09/13 @ 10:24
Comment from: Inbal [Visitor]

I’m trying to connect AD without writing a plain text password in server.xml file.
I tried overriding JDNIRealm and overriding getPasswordConnection (so the password will come from a differenet resource).
I packaged my new file inot a jar and placed it in tomcat\lib. The tomcat doesn’t seem to find my code.. any suggestions? I’m stacked…
thank you very much

09/19/13 @ 15:51

This post has 2 feedbacks awaiting moderation...