It sounds like we should come up with a de facto way of achieving SSO with Tomcat and NTLM (since there are plenty of M$ workstations out there)... Which leads me to believe that a lot of people could very well benefit from this... I'm required to implement this for our intranet application, which I have found to be the most common need for such an implementation...

I will investigate further into these methods and report back with any comments, suggestions, and if I need any further help (which will probably be the case)... After which, I will try to get some documentation...

Any thoughts, suggestions, comments?

Cheers
Russ

-----Original Message-----
From: Allen Hadden [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 6:36 AM
To: Tomcat Users List
Subject: RE: Active Directory Single Sign-On

> -----Original Message-----
> From: Endre Stølsvik [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 10, 2003 3:45 AM
> To: Tomcat Users List
> Subject: Re: Active Directory Single Sign-On
>
> | Tim mentioned the use of the JCIFS library. I don't think that'd work
> | either since it'd need to run on the same machine as the browser,
> | which doesn't seem right. Or perhaps I'm missing something. Now if
> | Tomcat supported Windows SSO using JCIFS, then that's a different
> | story. I don't think it does though (and I'm sure someone will
> | correct me if I'm wrong :)).
>
> You're missing something. I'm correcting you! It works. We've
> done it with our portal engine..!
>

OK, right. Thanks for the correction. Very good work, those JCIFS guys. Sorry for the misinformation (and for doubting Tim).

To summarize, there are three ways to do the SSO:

1. Use IIS to front Tomcat using the ISAPI redirector
2. Use the JCIFS filter to do the authentication
3. Use low-level JCIFS calls to implement the authentication yourself

#2 seems like the preferred approach, unless there is a reason you can't tie yourself to the 2.3 servlet spec. It looks like someone recently added an NtlmServlet class to JCIFS, which would provide a fourth method to achieve SSO (and wouldn't require a 2.3 servlet container).

In all cases, there is no "password" being passed from the browser to the web server.

Also, you'll have to figure out the best way to do authorization. You could definitely use JNDI to query the ActiveDirectory for authorization information. But does JCIFS provide anything that might help authorization? For example, does it pass a list of groups the user is in as a request attribute? That'd be nice (a quick look at the docs didn't reveal anything).

Allen

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
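
Added example (not part of the original thread, and not JCIFS or Tomcat code): the JNDI lookup mentioned above, reading a user's memberOf values from Active Directory so the application can make authorization decisions. It assumes the SSO layer exposes the user as DOMAIN\user through request.getRemoteUser(); the LDAP URL, base DN and service-account bind credentials are placeholders.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class AdGroupLookup {
    // Assumed placeholder values; replace with your own directory's settings.
    static final String LDAP_URL = "ldaps://dc.example.test:636";
    static final String BASE_DN = "DC=example,DC=test";

    // Escape a value for use inside an LDAP search filter (RFC 4515), so a
    // crafted account name cannot change the meaning of the filter.
    static String escapeFilter(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            if ("\\*()\0".indexOf(c) >= 0) sb.append(String.format("\\%02x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }

    // remoteUser: assumed to be the DOMAIN\\user string from request.getRemoteUser().
    // bindDn/bindPw: a low-privilege service account allowed to read the directory.
    static List<String> groupsFor(String remoteUser, String bindDn, String bindPw)
            throws NamingException {
        String account = remoteUser.substring(remoteUser.indexOf('\\') + 1);
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPw);
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"memberOf"});
            String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(account) + "))";
            NamingEnumeration<SearchResult> res = ctx.search(BASE_DN, filter, sc);
            List<String> groups = new ArrayList<>();
            Attribute memberOf = res.hasMore() ? res.next().getAttributes().get("memberOf") : null;
            if (memberOf != null) {
                NamingEnumeration<?> vals = memberOf.getAll();
                while (vals.hasMore()) groups.add(vals.next().toString());
            }
            return groups; // group DNs, e.g. CN=...,OU=...,DC=example,DC=test
        } finally {
            ctx.close();
        }
    }
}
```

memberOf lists direct group memberships only; nested groups and the user's primary group do not appear in it.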
