Friday, October 27, 2006

QA - Commonly Misunderstood Concepts, Part 1

Question:

I am running IIS 6 on 2003 servers. If I configure Integrated Windows Authentication, is it possible to pass one of the user headers to a J2EE application server on another 2003 box?

Answer:

There are several commonly misunderstood concepts exemplified by this question, so I am going to clarify them.


  • First, the question actually has nothing to do with IIS. Why? Well, IIS is a web server, which accepts requests from clients and generates responses. In particular, IIS does not make requests to other servers. Now, your question asks about the functionality of "something" which makes a request to a J2EE application server. Since IIS does not make a request, it has nothing to do with the question.
  • The answer actually depends on the unknown "something" which makes the requests from the IIS server to the J2EE application server. Since we are talking about software, it is theoretically possible, but we do not know if you have the software to do it.
  • Authentication protocols, such as Integrated Windows Authentication, have no correlation with or influence on the ability to make requests or pass values to another server. Authentication influences the user identity which executes code on that server, not what that code chooses to do.
  • LogonUser, AuthUser, RemoteUser are not user headers. They are Server Variables whose values derive from HTTP request headers. When authentication is enabled, they can be non-empty after authentication completes.

Thus, one can conceivably configure a program on IIS which runs after Integrated Authentication finishes populating the LogonUser, AuthUser, and RemoteUser Server Variables and makes a request to the J2EE Application Server with those values stored in request headers, thereby passing them to the J2EE Application Server.

IIS does not provide such a program, but anyone can write such a program for IIS.

//David
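
A sketch of such a program, written as an ASP.NET handler. This is an added example, not code from the original post or from IIS. The backend URL and the `X-Forwarded-User` header name are assumptions, and the handler is assumed to be registered for a path where Integrated Windows Authentication is enabled and anonymous access is disabled.

```csharp
using System;
using System.IO;
using System.Net;
using System.Web;

// Added example: reads the authenticated user name from the LOGON_USER
// server variable and passes it to a backend server in a request header.
public class IdentityForwardingHandler : IHttpHandler
{
    // Assumed values for illustration; neither appears in the original post.
    private const string BackendUrl = "http://appserver.example.internal:8080/app/";
    private const string IdentityHeader = "X-Forwarded-User";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // LOGON_USER is a server variable that IIS fills in after
        // authentication completes. It is empty for anonymous requests.
        string logonUser = context.Request.ServerVariables["LOGON_USER"];
        if (String.IsNullOrEmpty(logonUser))
        {
            // No authenticated identity, so there is nothing to forward.
            context.Response.StatusCode = 401;
            return;
        }

        // This code, not IIS itself, makes the request to the other server.
        HttpWebRequest outbound = (HttpWebRequest)WebRequest.Create(BackendUrl);
        outbound.Method = "GET";

        // The header value comes only from the server variable. A header of
        // the same name on the incoming request is never copied, so a client
        // cannot choose the identity that the backend sees.
        outbound.Headers.Add(IdentityHeader, logonUser);

        // GetResponse throws WebException for non-success status codes;
        // error handling is left out to keep the example short.
        using (HttpWebResponse backend = (HttpWebResponse)outbound.GetResponse())
        using (StreamReader reader = new StreamReader(backend.GetResponseStream()))
        {
            context.Response.StatusCode = (int)backend.StatusCode;
            context.Response.ContentType = backend.ContentType;
            context.Response.Write(reader.ReadToEnd());
        }
    }
}
```

The backend can rely on this header only if it accepts it solely on connections from the IIS server, since any client that can reach the backend directly can set the same header itself.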
