IIS Proxying Tomcat

May 5, 2010

We have a need to set up IIS in front of Tomcat, so that IIS can pick up the current user's Windows login and pass it through to Tomcat, where it is accessible from request.getRemoteUser(). We're using IIS 7 on Windows Server 2008, and we assume that you already have Tomcat running.

Tomcat

In $TOMCAT_HOME (c:\tomcat in the paths below), create an ISAPI directory at the same level as bin, conf and webapps.

Download the latest ISAPI redirector DLL from http://apache.wildit.net.au/tomcat/tomcat-connectors/jk/binaries/win32/ and put it into the ISAPI folder. Rename it to just isapi_redirect.dll.

Create isapi_redirect.properties in the same folder, with these contents (the first path segment of extension_uri, jakarta, must match the alias of the IIS virtual directory created later):

extension_uri=/jakarta/isapi_redirect.dll
log_file=c:\tomcat\logs\isapi_redirect.log
log_level=info
worker_file=c:\tomcat\conf\workers.properties
worker_mount_file=c:\tomcat\conf\uriworkermap.properties

Create conf/uriworkermap.properties. This file and workers.properties are documented at http://tomcat.apache.org/connectors-doc/index.html

/admin/*=wlb
/manager/*=wlb
/examples/*=wlb
# for production you should restrict access to the /jkmanager status page
/jkmanager=jkstatus

The URI patterns listed in this file are the ones IIS forwards to Tomcat; anything not listed is served by IIS itself. So if your application is at /myapp/, you'll need a line in here saying /myapp/*=wlb

Create conf/workers.properties

worker.list=wlb,jkstatus
worker.ajp13w.type=ajp13
worker.ajp13w.host=localhost
worker.ajp13w.port=8009
worker.wlb.type=lb
worker.wlb.balance_workers=ajp13w
worker.jkstatus.type=status

Create a new AJP/1.3 connector in Tomcat's server.xml

<Connector port="8009" enableLookups="false" tomcatAuthentication="false" redirectPort="8443" protocol="AJP/1.3"/>

Turning off tomcatAuthentication is required for the IIS user to be picked up: with it off, Tomcat does no authentication of its own and simply trusts the remote user name that arrives in the AJP request. That also means anything able to open a connection to port 8009 can claim any user name it likes, so the AJP connector must only be reachable by IIS on the same machine. Add address="127.0.0.1" to the Connector element so it binds to loopback only; if IIS and Tomcat ever run on different hosts, firewall the port and set requiredSecret on the connector with a matching worker.ajp13w.secret in workers.properties. The port, 8009, matches the one configured in workers.properties.
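As an added check (this is not code from the original post), the PowerShell script below verifies from the Tomcat host that the AJP port answers on 127.0.0.1 but on none of the host's other IPv4 addresses, which is the state you want once the connector is bound to loopback with address="127.0.0.1". The port number (8009, from workers.properties) and the two-second connect timeout are assumptions. Run it from a second machine as well, because a host firewall can hide a connector that is still bound to all interfaces.

```powershell
# Added check, not code from the original post. Confirms that the AJP port
# accepts connections on 127.0.0.1 and refuses them on every other IPv4
# address of this host.
# Assumptions: port 8009 as in workers.properties; a 2 second connect timeout.
param(
    [int]$AjpPort = 8009,
    [int]$TimeoutMs = 2000
)

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        # No answer within the timeout: treat as closed (or filtered)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)      # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# All IPv4 addresses of this host except loopback
$hostName = [System.Net.Dns]::GetHostName()
$externalAddrs = [System.Net.Dns]::GetHostAddresses($hostName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' -and -not [System.Net.IPAddress]::IsLoopback($_) } |
    ForEach-Object { $_.IPAddressToString }

$problems = 0
if (Test-TcpPort -Address '127.0.0.1' -Port $AjpPort -TimeoutMs $TimeoutMs) {
    Write-Host "AJP port $AjpPort open on 127.0.0.1 (IIS on this host can reach Tomcat)"
} else {
    Write-Warning "AJP port $AjpPort is not answering on 127.0.0.1; the redirector will log connection errors"
    $problems++
}

foreach ($addr in $externalAddrs) {
    if (Test-TcpPort -Address $addr -Port $AjpPort -TimeoutMs $TimeoutMs) {
        # With tomcatAuthentication="false" Tomcat believes whatever remote user the
        # AJP request carries, so an exposed 8009 lets any network client pick its identity
        Write-Warning "AJP port $AjpPort is reachable on $addr; bind the connector with address=`"127.0.0.1`""
        $problems++
    } else {
        Write-Host "AJP port $AjpPort closed on $addr (good)"
    }
}

# Non-zero exit code when anything is wrong, so the script can gate a deployment
exit $problems
```

The script only tells you how Tomcat is bound on this host; whether the port is reachable across the network also depends on the Windows firewall, which is why the same check from another machine is worth doing.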

IIS

Create a new virtual directory with an alias that matches the first path segment of extension_uri in isapi_redirect.properties, jakarta in our example. Open IIS Manager (Control Panel / Administrative Tools / Internet Information Services (IIS) Manager), expand the computer name / Sites / Default Web Site, right-click Default Web Site and select Add Virtual Directory.

Set the physical path to the ISAPI directory created earlier.

Once created, click on the new jakarta node, then open Handler Mappings.

On the right hand side, click Edit Feature Permissions, check Execute, then OK. Without this the DLL is treated as static content and IIS offers it for download instead of running it.

Select the Default Web Site node on the left hand side.

Double-click ISAPI Filters.

On the right hand side, click Add, enter Tomcat as the filter name and the path to isapi_redirect.dll as the executable.

Click on the left hand side node with the machine name on it and double-click ISAPI and CGI Restrictions.

On the right hand side, click Add, enter the path to isapi_redirect.dll as the ISAPI or CGI path and Tomcat as the description, and check Allow extension path to execute. Until this server-level entry exists, IIS refuses to load the DLL no matter what the site settings say.
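The same IIS steps as a script, added here as an example rather than taken from the original post. It drives appcmd.exe, which ships with IIS 7, and must run from an elevated PowerShell prompt. The site name, the C:\tomcat\ISAPI path and the filter name Tomcat are assumptions matching the walkthrough above; change them to suit. Sections that IIS locks at server level are committed to applicationHost.config with /commit:apphost, which is what IIS Manager does behind the scenes.

```powershell
# Added example, not code from the original post: the IIS Manager clicks
# above as appcmd.exe commands. Run from an elevated PowerShell prompt.
# Assumptions: site "Default Web Site", redirector in C:\tomcat\ISAPI.
$appcmd   = "$env:SystemRoot\System32\inetsrv\appcmd.exe"
$site     = 'Default Web Site'
$isapiDir = 'C:\tomcat\ISAPI'
$dll      = Join-Path $isapiDir 'isapi_redirect.dll'

if (-not (Test-Path $appcmd)) { throw "appcmd.exe not found; is the IIS 7 management service installed?" }
if (-not (Test-Path $dll))    { throw "Redirector not found at $dll; download and rename it first" }

# 1. Virtual directory /jakarta -> the ISAPI folder. The alias must match
#    the first path segment of extension_uri in isapi_redirect.properties.
& $appcmd add vdir "/app.name:$site/" /path:/jakarta "/physicalPath:$isapiDir"

# 2. Handler Mappings > Edit Feature Permissions on /jakarta: allow Execute.
#    The handlers section is locked at server level, hence /commit:apphost.
& $appcmd set config "$site/jakarta" /section:system.webServer/handlers `
    "/accessPolicy:Read,Script,Execute" /commit:apphost

# 3. ISAPI Filters on the site: register the redirector as a filter named Tomcat.
& $appcmd set config $site /section:system.webServer/isapiFilters `
    "/+[name='Tomcat',path='$dll',enabled='true']" /commit:apphost

# 4. ISAPI and CGI Restrictions (server level): allow this DLL to execute.
& $appcmd set config /section:system.webServer/security/isapiCgiRestriction `
    "/+[path='$dll',description='Tomcat',allowed='True']"

# Show what ended up in applicationHost.config so the result can be eyeballed
& $appcmd list config $site /section:system.webServer/isapiFilters
& $appcmd list config /section:system.webServer/security/isapiCgiRestriction
```

Re-running the script fails at the steps that already exist (appcmd refuses duplicate entries), which is a useful guard against registering the filter twice.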

Testing

Tomcat should still work as it did before, directly on its own HTTP port (8080 by default).

You should also be able to go to the same URL on port 80, where IIS picks it up and forwards it to Tomcat over AJP on port 8009. Only the paths listed in uriworkermap.properties are forwarded; anything else is served by IIS.

Problems

Here are some details of problems I had with Windows Server 2008 when testing this.

  • I couldn't directly modify any of the Tomcat files. I installed them as part of a product, using the product installer. Trying to modify any of the installed config files gave me an error saving in Notepad. If I deleted the config file, and then recreated from scratch, it let me do whatever I wanted with it.

  • The product installer installed Tomcat as a Windows service. It installed and started fine. Now, when I try to stop the service using net stop ServiceName it gives me an "Access is denied" error. Thankfully I had a GUI app to do this process, so I was able to right-click it in the Start menu and "run as administrator".

  • After reinstalling Tomcat, the IIS server would try to download the ISAPI DLL rather than show my web content. This could be fixed by deleting and recreating the jakarta virtual directory entry and then bouncing IIS.

Passing through the Windows Login

We originally did all this work so that the Windows user is passed through to a web application (WAR) inside Tomcat. Two IIS settings need to change to make that happen.

On the Default Web Site node in IIS Manager, double-click Authentication. Disable Anonymous Authentication and enable Windows Authentication. With anonymous access off, IIS refuses any request that does not authenticate, and the redirector passes the authenticated account (typically DOMAIN\user) to Tomcat, where it comes back from request.getRemoteUser().

This causes IE to pass through the Windows login automatically (by default only for sites in its Intranet zone), and Firefox (I tried 3.6) to prompt; you can log in with your normal Windows login.
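An added example, not code from the original post: the two authentication changes made with appcmd, followed by a check from the same machine that an anonymous request is refused and a request carrying the current Windows login gets through to the proxied application. The site name and the test URL (http://localhost/myapp/, the /myapp/ mapping suggested earlier) are assumptions; point it at a path that your uriworkermap.properties forwards to Tomcat.

```powershell
# Added example, not code from the original post. Switches the site to
# Windows Authentication and then probes it with and without credentials.
# Assumptions: site "Default Web Site"; /myapp/ is mapped to Tomcat.
$appcmd = "$env:SystemRoot\System32\inetsrv\appcmd.exe"
$site   = 'Default Web Site'
$url    = 'http://localhost/myapp/'

# Both authentication sections are locked at server level, so commit to applicationHost.config
& $appcmd set config $site /section:system.webServer/security/authentication/anonymousAuthentication /enabled:false /commit:apphost
& $appcmd set config $site /section:system.webServer/security/authentication/windowsAuthentication  /enabled:true  /commit:apphost

function Get-StatusCode {
    # Returns the HTTP status for a GET of $Url; with $UseDefaultCredentials the
    # request carries the logged-on Windows account, exactly as IE does.
    param([string]$Url, [bool]$UseDefaultCredentials)
    $client = New-Object System.Net.WebClient
    $client.UseDefaultCredentials = $UseDefaultCredentials
    try {
        [void]$client.DownloadString($Url)
        return 200
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -ne $null) { return [int]$resp.StatusCode }   # e.g. 401 from IIS
        throw                                                     # no response at all: IIS down?
    } finally {
        $client.Dispose()
    }
}

$anon = Get-StatusCode -Url $url -UseDefaultCredentials $false
$auth = Get-StatusCode -Url $url -UseDefaultCredentials $true

"Anonymous request:          HTTP $anon (expect 401 now that anonymous access is off)"
"Request with Windows login: HTTP $auth (expect 200; getRemoteUser() should return $env:USERDOMAIN\$env:USERNAME)"

if ($anon -ne 401 -or $auth -ne 200) { exit 1 }
```

If the authenticated request also returns 401, check that the Tomcat side is really receiving the user: the AJP connector must have tomcatAuthentication="false", otherwise Tomcat ignores the name IIS passes and applies its own (empty) authentication.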

Tags: iis tomcat proxy isapi