Hi Andy,

> (http://www.simongbrown.com/blog/2004/11/04/1099588633312.html) might
> also be a reasonable approach.
I had a quick look at that article. I'm neither a Tomcat nor a JEE expert, but I can say that we use Apache httpd with Kerberos authentication quite successfully for our applications. Granted, we have only ~2000 users in our AD that Kerberos authenticates against, but it works quite well.

Additionally, you can configure Internet Explorer and Mozilla Firefox to pass on a Kerberos TGT to trusted hosts. This way the users who authenticated against the Windows domain controller (i.e. all Windows users upon login to the domain) are automatically logged in to any web application that we "kerberized" using Apache.

To use Shiro for the remaining stuff you could implement a simple realm that looks into the HTTP headers (IIRC the header is called REMOTE_USER and it's set to the user name). Surely some more experienced Shiro user/developer could tell you more about the feasibility of this approach.

Anyway, maybe this helps you or anybody else on the list.

Cheers,
DJ

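A sketch of the Shiro side of the approach DJ describes, added here as an example and not code from the thread or from the Shiro project. It assumes Tomcat sits behind Apache httpd over AJP with `tomcatAuthentication="false"` so the Kerberos principal that httpd verified arrives as `HttpServletRequest.getRemoteUser()`, and that the AJP port is reachable only from httpd; the class names and the `domain-user` role are made up for the example.

```java
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import javax.servlet.*;
import javax.servlet.http.*;

public final class KerberosPreAuth {
    /** Token whose only content is the principal the container already verified (hypothetical class). */
    public static final class PreAuthToken implements AuthenticationToken {
        private final String user;
        public PreAuthToken(String user) { this.user = user; }
        public Object getPrincipal() { return user; }
        public Object getCredentials() { return user; } // no secret: httpd did the Kerberos exchange
    }
    /** Reads the remote user the AJP connector forwarded from httpd, never a client-settable header. */
    public static final class PreAuthFilter extends AuthenticatingFilter {
        @Override
        protected AuthenticationToken createToken(ServletRequest req, ServletResponse resp) {
            String user = ((HttpServletRequest) req).getRemoteUser();
            return user == null ? null : new PreAuthToken(user);
        }
        @Override
        protected boolean onAccessDenied(ServletRequest req, ServletResponse resp) throws Exception {
            if (createToken(req, resp) == null) { // container did not authenticate: fail closed
                ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return false;
            }
            return executeLogin(req, resp); // createToken again, then subject.login(token)
        }
    }
    /** Realm that accepts the pre-authenticated principal and assigns a constructed role. */
    public static final class PreAuthRealm extends AuthorizingRealm {
        public PreAuthRealm() {
            setAuthenticationTokenClass(PreAuthToken.class);
            setCredentialsMatcher(new AllowAllCredentialsMatcher()); // nothing left to compare
        }
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
            String user = (String) t.getPrincipal();
            return new SimpleAuthenticationInfo(user, user, getName());
        }
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection p) {
            return new SimpleAuthorizationInfo(java.util.Collections.singleton("domain-user"));
        }
    }
}
```

Wire the filter onto `/**` and the realm into `securityManager.realms` in shiro.ini; because the realm trusts whatever principal the container reports, the Tomcat AJP/HTTP ports must be firewalled from everything except the httpd host.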