Hello,
I’m posting this to document my findings and progress in case anyone else has a similar need.
Environment:
Corporate LAN
Windows environment (Active Directory)
XWiki deployed internally as knowledge base platform
Separate XWiki accounts (XWiki has not been configured for Active Directory / LDAP integration)
Goal: Log all access (by active directory ID) to XWiki for export compliance and IP protection.
There are several options for logging activity:
- XWiki → not natively supported and not appropriate
- Analytics platform (piwik) → users must log into XWiki in order to track activity by account; piwik designed for traffic and performance analysis, not IP / export compliance.
- Web server traffic logging (most appropriate)
Background: XWiki has been configured to allow anonymous viewing of content. So far, we’ve been accessing Tomcat via http directly without any webserver authentication imposed. Without authentication, access logs only list users’ IP address, and not Active Directory account information.
Solutions:
- Configure Tomcat to use Windows Authentication: there are numerous ways of doing this, but we’ve been unsuccessful in our attempts in implementing them.
- Use IIS as a reverse proxy to Tomcat; Windows authentication is easily configured and managed in IIS. In addition to addressing Windows Authentication, a reverse proxy setup has other advantages
A reverse proxy can be configured as follows:
2a. Configure the ISAPI redirector for Microsoft IIS as an AJP proxy.
2b. Use the URL rewrite module / Application Request Routing in IIS as a http reverse proxy
2c. Use the httpplatformhandler module in IIS. → this was not chosen as it necessitates that Tomcat is managed via batch scripts rather than as a windows service
Notes and issues:
- We successfully deployed options 2a and 2b, but had to overcome the following issues:
- An IE login box would appear when trying to log into XWiki. This is caused by the combination of the following:
– Windows authentication uses a 401 response in IIS to prompt for authentication. IE will display a login box whenever a 401 response is received with WWW-Authenticate headers set (by IIS)
– A 401 response is provided by XWiki when navigating to the login page. Because Windows Authentication has been enabled in IIS, IIS adds the WWW-Authenticate headers to the response, causing a login box to appear. Note that since XWiki is not aware of AD accounts, there is no way to utilize this login box. It must be cancelled, or fail three times for the XWiki login page to appear.
Resolution: use an outbound url rewrite rule to set the WWW-Authenticate headers to None. Note that a precondition must be used or else the native IIS 401 responses for authentication will also be filtered. The precondition can be {RESPONSE_CONTENT_TYPE} matches the pattern ^text/html - this will leave the native IIS 401 response unmodified. Match scope = Server Variable; Variable name: RESPONSE_www_authenticate, pattern:*; Action=Rewrite, Value=None.
- Some images in XWiki (particularly those stored as attachments on other pages) would not display correctly. This was resolved by setting: Request filtering → Edit feature settings → Allow double escaping = true.
- Some users (members of many AD groups) would get a 413 request entity too large error.
– 2b) This was resolved for option 2b (http proxy) by setting the maxHttpHeaderSize=“65536” in the Tomcat server.xml file for the http connector.
– 2a) This page lists many steps on resolving this for the AJP proxy, but we decided to abandon this approach due to the extensive IIS configuration steps required. Note that simply editing the Tomcat connector setting and the workers.properties file did not work and resulted in a “Bad gateway” error.
Sorry that this post isn’t clearer, but I wanted to put something on the Forum in case anyone else runs into these issues. Please feel free to ask for clarification on any specifics or contact me directly.