On 12.10.2011 22:47, André Warnier wrote:
> Marcel Stör wrote:
>> Scenario: use Integrated Windows Security (Kerberos/NTLM) for the site
>> in IIS that delegates to Tomcat.
>>
>> Question: would the ISAPI connector be able to pass the Active
>> Directory groups (i.e. user's membership info) along to Tomcat in the
>> request?
>
> I am not the ultimate expert on this, but awaiting the ultimate expert's
> confirmation, I would say:

How would I be able to identify the mysterious "ultimate expert" should he appear here ;-)

> - it does not do it right now
> - it would probably require serious coding changes to do it (notably
> because in the AJP protocol, there is no attribute or packet type
> foreseen to pass such information per se)
> - and there are some conceptual issues linked to this, essentially
> because the very notion of AD/NTLM "user groups" is something valid only
> in an MS-centric context (and Tomcat has to work in other contexts).
>
> (*)

>> Question 2: if yes, could I call request.isUserInRole(roleName) in the
>> Tomcat app?
>
> If you mean to say that you would use the name of an NTLM group as
> "roleName" above,
> that's a different matter, and also with some conceptual difficulties.
> The notions of "roles" in Tomcat, and the notion of "user groups" are
> somewhat different.

> This being said, there is one (commercial but affordable) product which
> allows you to do something of the kind. Have a look at Jespa
> (www.ioplex.com). Download the product (free), and read the User's Guide
> that comes with it, particularly what it has to say about user groups
> and roles.
> This product works purely at the Tomcat level, as an authenticating
> servlet filter.
> So it does not use the authentication already made by IIS, it does it
> all at the Tomcat level. This may or may not suit your needs, but if
> your ultimate purpose is to have a Windows Domain kind of authentication
> and SSO, and allow/deny access to applications based on user Domain
> group membership, then it can do that.
>
> For another option, in Tomcat 7.x there is also a new SPNEGO
> authentication mechanism available, described here:
> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SPNEGO_Valve
> I really do not know much about it, as I use the Jespa mentioned above.
> Maybe someone else can opine if this Valve provides access to the user's
> NTLM groups?
>
>
> (*) Also, but probably a very long shot: some recent discussion on this
> list, prompted by someone having difficulties with large headers being
> passed to Tomcat via AJP, seemed to indicate that the NTLM Authorization
> headers which are sent by the (authenticated) browser to Tomcat (via
> IIS), include the user's group membership in some form. This is probably
> encrypted, but it may be possible to decrypt this at the Tomcat level.

Ah good, this subject popped up in a different context just a few days ago (a Windows sysadmin having problems with users who are in hundreds of AD groups).
Do you happen to have a pointer to that discussion?

Cheers,
Marcel

--
Marcel Stör, http://www.frightanic.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
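As an added illustration of the group-versus-role gap discussed above (this is example code, not code from the thread, from Jespa, or from the Tomcat project), here is a servlet filter that translates Windows domain group names into application roles so that request.isUserInRole(roleName) works in the web app. The group source is a hypothetical "X-AD-Groups" request header standing in for whatever an SSO filter or front end might supply; as the thread says, the ISAPI connector itself does not deliver group membership, so that header name and the "roleMapping" init-param format are assumptions of this example.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Maps Windows domain group names onto application roles so that
 * request.isUserInRole("admin") answers based on group membership.
 * The group source is a hypothetical "X-AD-Groups" header (an assumption of
 * this example; the ISAPI connector does not set such a header).
 */
public class GroupToRoleFilter implements Filter {

    static final String GROUP_HEADER = "X-AD-Groups"; // assumed header name

    // role name -> lower-cased group names that grant it
    private final Map<String, Set<String>> roleToGroups = new HashMap<String, Set<String>>();

    public void init(FilterConfig cfg) {
        // init-param "roleMapping", e.g. "admin=DOMAIN\Domain Admins;user=DOMAIN\Staff"
        String mapping = cfg.getInitParameter("roleMapping");
        if (mapping != null) {
            roleToGroups.putAll(parseMapping(mapping));
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Only honour the group header for a request that was authenticated upstream;
        // an anonymous request must never be able to claim group membership.
        Set<String> groups = http.getRemoteUser() == null
                ? new HashSet<String>()
                : parseGroups(http.getHeader(GROUP_HEADER));
        chain.doFilter(new RoleMappingRequest(http, groups, roleToGroups), res);
    }

    public void destroy() {
    }

    /** "role=group,group;role2=group" -> map of role to lower-cased group names. */
    static Map<String, Set<String>> parseMapping(String mapping) {
        Map<String, Set<String>> result = new HashMap<String, Set<String>>();
        for (String entry : mapping.split(";")) {
            String[] kv = entry.split("=", 2);
            if (kv.length != 2 || kv[0].trim().isEmpty()) {
                continue; // malformed entry: ignored, so it grants nothing
            }
            result.put(kv[0].trim(), parseGroups(kv[1]));
        }
        return result;
    }

    /** Comma-separated group list -> trimmed, lower-cased set (AD group names are case-insensitive). */
    static Set<String> parseGroups(String list) {
        Set<String> groups = new HashSet<String>();
        if (list == null) {
            return groups;
        }
        for (String g : list.split(",")) {
            String name = g.trim().toLowerCase(Locale.ROOT);
            if (!name.isEmpty()) {
                groups.add(name);
            }
        }
        return groups;
    }

    /** Request wrapper that answers isUserInRole from the mapped groups. */
    static class RoleMappingRequest extends HttpServletRequestWrapper {
        private final Set<String> groups;
        private final Map<String, Set<String>> roleToGroups;

        RoleMappingRequest(HttpServletRequest req, Set<String> groups,
                           Map<String, Set<String>> roleToGroups) {
            super(req);
            this.groups = groups;
            this.roleToGroups = roleToGroups;
        }

        @Override
        public boolean isUserInRole(String role) {
            Set<String> granting = roleToGroups.get(role);
            if (granting == null) {
                return super.isUserInRole(role); // unmapped role: defer to the container's realm
            }
            for (String g : granting) {
                if (groups.contains(g)) {
                    return true;
                }
            }
            return false;
        }
    }
}
```

Register it in web.xml as a filter with a "roleMapping" init-param and map it to the protected URL patterns. Two points matter for safety. First, any header carrying group names is only as trustworthy as the path it travels: Tomcat's AJP connector must be reachable solely from the IIS host, and the front end must overwrite (not merely append to) the header, otherwise any client could claim any group. Second, getRemoteUser() only reflects the IIS-authenticated principal when the AJP connector is configured with tomcatAuthentication="false"; with Tomcat's default, the container performs its own authentication and the wrapper's upstream check yields an empty group set. Roles the mapping does not mention fall through to the container's realm, which is exactly the distinction between Tomcat roles and Windows groups that the thread points out.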
