Probably the easiest way to accomplish this is to use IIS as a front-end to Tomcat 
(using the ISAPI redirector).  In this mode, you'd set up IIS to require 
authentication to the web site.  So by the time the request hits Tomcat, the user is 
already authenticated (IIS does the magic SSO authentication stuff).  I'm pretty sure 
the Tomcat ISAPI redirector passes the user name as a request attribute.  To do this, 
use request.getAttribute("USERNAME").  (The "USERNAME" value might not be the right 
one...I don't remember off the top of my head).

Now if you need to do authorization (e.g. if you wanted to make sure the user is a 
member of a group), you could use the Windows user name to do an LDAP query to the 
Active Directory.

Also, your original idea about grabbing the user name and password then passing them 
to the server won't work for a couple of reasons.  The primary reason is that there is 
no way in Windows to grab the user's password.

Tim mentioned the use of the JCIFS library.  I don't think that'd work either since 
it'd need to run on the same machine as the browser, which doesn't seem right.  Or 
perhaps I'm missing something.  Now if Tomcat supported Windows SSO using JCIFS, then 
that's a different story.  I don't think it does though (and I'm sure someone will 
correct me if I'm wrong :)).

Good luck!

Allen
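For the IIS-front-end setup described above (IIS authenticates, Tomcat only checks group membership in AD), here is an added example that is not from the thread or from Tomcat: a hypothetical helper that takes the name IIS passed in (request.getRemoteUser() when the AJP connector has tomcatAuthentication="false", or the request attribute mentioned above), strips the DOMAIN\ prefix, escapes it, and runs a JNDI search against AD. The LDAP URL, bind DN and search base reuse the placeholders from the quoted server.xml.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.*;

// Hypothetical helper for the IIS -> Tomcat setup: the servlet already has an
// authenticated name from IIS and only needs to ask AD about group membership.
public class AdGroupCheck {
    // Placeholders from the thread's config; bind with a read-only service account, not Administrator.
    static final String LDAP_URL = "ldap://[Domain Controller]:389";
    static final String USER_BASE = "OU=Users,OU=Shawmut,DC=[Domain],DC=com";
    static final String BIND_DN = "CN=Administrator,CN=Users,DC=[Domain],DC=com";
    static final String BIND_PW = "[password]";

    // IIS hands over DOMAIN\user; AD's sAMAccountName is just the user part.
    static String accountName(String remoteUser) {
        int slash = remoteUser.lastIndexOf('\\');
        return slash < 0 ? remoteUser : remoteUser.substring(slash + 1);
    }

    // Escape RFC 4515 filter metacharacters so the name cannot alter the query.
    static String esc(String s) {
        StringBuilder b = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c == '\\') b.append("\\5c"); else if (c == '*') b.append("\\2a");
            else if (c == '(') b.append("\\28"); else if (c == ')') b.append("\\29");
            else if (c == '\0') b.append("\\00"); else b.append(c);
        }
        return b.toString();
    }

    // True if the account exists under USER_BASE and lists groupDn in its memberOf attribute.
    static boolean isMember(String remoteUser, String groupDn) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]);   // existence check only, no attributes
            String filter = "(&(sAMAccountName=" + esc(accountName(remoteUser))
                    + ")(memberOf=" + esc(groupDn) + "))";
            return ctx.search(USER_BASE, filter, sc).hasMore();
        } finally { ctx.close(); }
    }
}
```

Call it from a servlet or filter as `if (!AdGroupCheck.isMember(request.getRemoteUser(), groupDn)) response.sendError(403);`. Note that memberOf lists only direct group memberships and not the account's primary group (Domain Users by default), which AD stores in primaryGroupID instead.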

> -----Original Message-----
> From: Pitre, Russell [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, September 09, 2003 4:54 PM
> To: Tomcat Users List
> Subject: RE: Active Directory Single Sign-On
> 
> 
> Okay, checked it out, can I use this API to grab the username and
> password with a .jsp or servlet off the NT machine.....and then pass it
> to Tomcat so it then can look up users in Active Directory?  
> 
> I want security to be container managed.....So I need to 
> 
> 1.)  Grab the username and password 
> 2.)  Post it to the login form (action="j_security_check")
> 3.)  Tomcat will connect to Active Directory  (JNDI)
> 4.)  Tomcat will redirect to the original page called.......
> 
> 
> Does this make sense to everyone?  
> 
> 
> 
> 
> -----Original Message-----
> From: Tim Funk [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, September 09, 2003 4:17 PM
> To: Tomcat Users List
> Subject: Re: Active Directory Single Sign-On
> 
> I think you are looking for NTLM authentication which was done by the
> Samba folks. See http://jcifs.samba.org/
> 
> -Tim
> 
> Pitre, Russell wrote:
> 
> > Hey All-
> > 
> > Finally Finally, Finally, I figured out how to authenticate to Active
> > Directory.......(code below minus the login form).....now to go further,
> > I would like to implement Single Sign-On.....somehow we would need to
> > retrieve the user's name and password off their NT machine and use them
> > to automatically post the form......does anyone have any suggestions?
> > 
> > Also, I was able to see in the log that it enumerates the groups of the
> > user, but it didn't find the "Domain Users" group.........hmmmm.....anyone
> > know why?  I see the security group in AD Comp & Users...... 
> > 
> > <SERVER.XML>
> > 
> > <Context>
> >     ......stuff
> >     ......stuff
> >     .....stuff 
> > 
> >     <Realm className="org.apache.catalina.realm.JNDIRealm"
> >            debug="99"
> >            connectionURL="ldap://[Domain Controller]:389"
> >            userBase="OU=Users,OU=Shawmut,DC=[Domain],DC=com"
> >            userSearch="(sAMAccountName={0})"
> >            userRoleName="member"
> >            roleBase="OU=Users,OU=Shawmut,DC=[Domain],DC=com"
> >            roleName="memberOf"
> >            roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"
> >            connectionName="CN=Administrator,CN=Users,DC=[Domain],DC=com"
> >            connectionPassword="[password]"
> >            roleSubtree="true"
> >            userSubtree="true"/>
> > </Context>
> > 
> > <WEB.XML>
> > 
> > <security-constraint>
> >     <display-name>Show Tracker Security Constraint</display-name>
> >     <web-resource-collection>
> >         <web-resource-name>Protected Area</web-resource-name>
> >         <url-pattern>/*</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >         <role-name>CN=Alloffice,OU=SDC,OU=Email Distribution Lists,OU=Groups,OU=Shawmut,DC=[Domain],DC=com</role-name>
> >     </auth-constraint>
> > </security-constraint>
> > 
> > <login-config>
> >     <auth-method>FORM</auth-method>
> >     <realm-name>Show Tracker Authentication Area</realm-name>
> >     <form-login-config>
> >         <form-login-page>/login.jsp</form-login-page>
> >         <form-error-page>/error.jsp</form-error-page>
> >     </form-login-config>
> > </login-config>
> > 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
