Error 403

Oct 1, 2010 at 3:33 PM


I am new here and have tried to install waffle... but I get always an error 403.

I follow the "A Tomcat Negotiate" tutorial, and on my tomcat console I read :

INFO: Server startup in 3025 ms
- successfully logged in user: MyPC\U12345

where U12345 is my windows login.

But on my browser, I get the HTTP error 403 !!!

A link should be missing somewhere.......

please help.



Oct 1, 2010 at 4:11 PM

403 means that the resource you're trying to access is forbidden for this user. So most likely you have a security constraint in one of the configuration files that says something other than MyPC\U12345 has access to a certain resource. Logged in users are typically members of "Everyone", try granting "Everyone" access.

Oct 1, 2010 at 4:31 PM


You surely right, the question is now where is that security constraint....

You say to grant "Everyone" access.... but where ? in active directory ? in tomcat (and where in tomcat) ?????'


I have reinstall every thing out of the box, and put my application (which is a 'hello world like app, and runs ok with Basic authentication) with a web.xml like :

<display-name>Tomcat Server Configuration Security Constraint</display-name>
<web-resource-name>Protected Area</web-resource-name>

The role that is required to log in to the RAPv4 Application

and context.xml :


<Valve className="waffle.apache.NegotiateAuthenticator" principalFormat="fqn" roleFormat="both" />
 <Realm className="waffle.apache.WindowsRealm" />

and server.xml still have the out of the box

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"

but if I comment this, it is still giving me the same 403 error.......


many thanks for your help




Oct 1, 2010 at 4:44 PM

In Tomcat.

Maybe you want to consider the filter though rather than the Valve (simpler, read this). Get rid of all valves - valves are deprecated Tomcat mechanisms in 7.0, so don't create technical debt right now as you implement something new.

I don't see anything wrong in your configuration (definitely remove the UserDatabaseRealm realm from server.xml). I assume you restarted tomcat and all that stuff. I recommend you take a clean Tomcat and try the Waffle demo applications "as is" first as a next step. If that works, move on to the tomcat you have right now, there's definitely something wrong in one of the configuration files related to permissions.

Oct 1, 2010 at 5:13 PM

Ok, I have reinstall tomcat from scratch and just put the examples.

I have tried the waffle-filter demo.

When go in first time, I get an auth dialog boc (User / Pass like BASIC auth) - why ???

I enter my login, and get the message :

You are logged in as remote user XYZ\U12345 in session BBCD0716DEFFD3BBAF78F21B8745D184. 

Your user principal name is XYZ\U12345.

I then check for role, and type Everyone..... and it reply :

You have not been granted role Everyone

???!!!!! surely I have missed something.... where should I grant exactly ???????



Oct 1, 2010 at 9:57 PM

You're almost there - this is a frequently asked question ;) Your browser is not configured for Windows authentication.

Most likely your browser doesn't believe that the site is in the intranet (on IE you need to add localhost explicitly for example). The CHM has a whole page of known things about browsers and how to make sure they want to do NTLM. Basically, you shouldn't be getting any prompts - we'll look at your next problem after that's resolved.

Oct 2, 2010 at 8:25 AM

You right :-) after adding localhost, the dialog box does not appears any more :-)))

But with URL :


 I still have the message :

Your user principal name is XYZ\U12345.

You have not been granted role Everyone

Oct 2, 2010 at 1:27 PM

I bet you aren't a member of Everyone or the group is called differently. Try enumerating the groups you're actually a member of, add this to the JSP page.

  All user groups:
  <% principal= request.getUserPrincipal();
  if (principal instanceof waffle.servlet.WindowsPrincipal) {
	  waffle.servlet.WindowsPrincipal windowsPrincipal = (waffle.servlet.WindowsPrincipal) principal;
	  for(String group : windowsPrincipal.getGroups().keySet()) {
		  <li><%= group %>
Oct 2, 2010 at 2:03 PM

YES !!!! It's alive !!!!!!!!

Many thanks, you'r great !

(In my Windows Everyone is 'Tout le monde' - it is a french version !!!)

Oct 2, 2010 at 6:08 PM

C'est bien ce que je pensais ;) That was your 403 problem in the first place, right?

If you need the application and its permissions to be portable from an English to a French OS, use SIDs instead of group names. It's broken in Waffle 1.3, so you'll need 1.4 beta. With 1.4 you can set roleFormat filter option to both and auth contraints to S-1-1-0, which means Everyone regardless of what OS version/language you're on.

Oct 3, 2010 at 7:19 AM

Oui, Merci...

I will try the 1.4 beta version.