From "Allen Hadden" <ahad...@authentica.com>
Subject RE: Active Directory Single Sign-On
Date Tue, 09 Sep 2003 21:24:06 GMT
Probably the easiest way to accomplish this is to use IIS as a front-end to Tomcat (using the ISAPI redirector). In this mode, you'd set up IIS to require authentication to the web site. So by the time the request hits Tomcat, the user is already authenticated (IIS does the magic SSO authentication stuff). I'm pretty sure the Tomcat ISAPI redirector passes the user name as a request attribute. To do this, use request.getAttribute("USERNAME"). (The "USERNAME" value might not be the right one... I don't remember off the top of my head.)

Now if you need to do authorization (e.g. if you wanted to make sure the user is a member of a group), you could use the Windows user name to do an LDAP query to the Active Directory.

Also, your original idea about grabbing the user name and password then passing them to the server won't work for a couple of reasons. The primary reason is that there is no way in Windows to grab the user's password.

Tim mentioned the use of the JCIFS library. I don't think that'd work either since it'd need to run on the same machine as the browser, which doesn't seem right. Or perhaps I'm missing something. Now if Tomcat supported Windows SSO using JCIFS, then that's a different story. I don't think it does though (and I'm sure someone will correct me if I'm wrong :)).

Good luck!

Allen

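The authorization step described above (take the Windows user name the front-end already verified, look the user up in AD, and check group membership) is where most home-grown SSO code goes wrong: the name is dropped straight into an LDAP search filter. The example below is added here and is not code from this thread or from Tomcat. It assumes the authenticated name reaches the servlet as a plain String (whatever attribute or request.getRemoteUser() the redirector ends up populating), that it may arrive as DOMAIN\user or user@domain, and it uses a made-up example.com domain and constructed memberOf values so it runs without a domain controller; lookupGroups() shows the live JNDI search against a bound DirContext.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Group check for a user the front-end web server has already authenticated (added example). */
public class AdGroupCheck {

    /** "DOMAIN\\user" or "user@domain" -> "user", i.e. the sAMAccountName AD is searched by. */
    static String samAccountName(String remoteUser) {
        if (remoteUser == null) {
            throw new IllegalArgumentException("request carries no authenticated user");
        }
        int backslash = remoteUser.lastIndexOf('\\');
        if (backslash >= 0) {
            remoteUser = remoteUser.substring(backslash + 1);
        }
        int at = remoteUser.indexOf('@');
        if (at >= 0) {
            remoteUser = remoteUser.substring(0, at);
        }
        if (remoteUser.isEmpty()) {
            throw new IllegalArgumentException("empty user name");
        }
        return remoteUser;
    }

    /** RFC 4515 filter escaping; without it a crafted name can rewrite the search filter. */
    static String escapeFilter(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Search filter for one user; the name is escaped before it is embedded. */
    static String userFilter(String sam) {
        return "(&(objectClass=user)(sAMAccountName=" + escapeFilter(sam) + "))";
    }

    /** Group DNs from the entry's memberOf attribute, lower-cased because DNs match case-insensitively. */
    static Set<String> groupDns(Attributes attrs) throws NamingException {
        Set<String> groups = new HashSet<>();
        Attribute memberOf = attrs.get("memberOf");
        if (memberOf == null) {
            return groups;              // user belongs to no groups beyond the primary one
        }
        NamingEnumeration<?> values = memberOf.getAll();
        try {
            while (values.hasMore()) {
                groups.add(values.next().toString().toLowerCase(Locale.ROOT));
            }
        } finally {
            values.close();
        }
        return groups;
    }

    static boolean isMember(Set<String> groups, String groupDn) {
        return groups.contains(groupDn.toLowerCase(Locale.ROOT));
    }

    /** Live lookup: search userBase for the user and return its group DNs (empty set = deny). */
    static Set<String> lookupGroups(DirContext ctx, String userBase, String remoteUser)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"memberOf"});
        NamingEnumeration<SearchResult> results =
                ctx.search(userBase, userFilter(samAccountName(remoteUser)), sc);
        try {
            if (!results.hasMore()) {
                return new HashSet<>();
            }
            return groupDns(results.next().getAttributes());
        } finally {
            results.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed entry standing in for what AD would return for one user (example.com is made up).
        BasicAttributes entry = new BasicAttributes(true);
        BasicAttribute memberOf = new BasicAttribute("memberOf", "CN=tomcat,CN=Users,DC=example,DC=com");
        memberOf.add("CN=Alloffice,OU=Groups,DC=example,DC=com");
        entry.put(memberOf);

        Set<String> groups = groupDns(entry);
        System.out.println(samAccountName("EXAMPLE\\rpitre") + " in tomcat group: "
                + isMember(groups, "cn=tomcat,cn=users,dc=example,dc=com"));
        System.out.println("in Domain Users via memberOf: "
                + isMember(groups, "CN=Domain Users,CN=Users,DC=example,DC=com"));
        // A hostile name stays inside the sAMAccountName comparison instead of widening the filter.
        System.out.println(userFilter("rpitre)(objectClass=*"));
    }
}
```

Two caveats for anyone wiring this into a servlet. First, trust the forwarded user name only on a connector that is reachable solely from the IIS front-end; if the AJP or HTTP port is reachable directly, the "authenticated" name is just a header the client chose. Second, memberOf does not list the user's primary group (Domain Users by default; AD records it in primaryGroupID rather than in memberOf), so a membership check against that group via memberOf comes back false even for a valid domain account; check a purpose-made group instead.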
> -----Original Message-----
> From: Pitre, Russell [mailto:RPITRE@shawmut.com] 
> Sent: Tuesday, September 09, 2003 4:54 PM
> To: Tomcat Users List
> Subject: RE: Active Directory Single Sign-On
> 
> 
> Okay, checked it out, can I use this API to grab the username and password with a .jsp or servlet off the NT machine.....and then pass it to Tomcat so it then can look up users in Active Directory?  
> 
> I want security to be container managed.....So I need to 
> 
> 1.)  Grab the username and password 
> 2.)  Post it to the login form (action="j_security_check")
> 3.)  Tomcat will connect to Active Directory  (JNDI)
> 4.)  Tomcat will redirect to the original page called.......
> 
> 
> Does this make sense to everyone?  
> 
> 
> 
> 
> -----Original Message-----
> From: Tim Funk [mailto:funkman@joedog.org] 
> Sent: Tuesday, September 09, 2003 4:17 PM
> To: Tomcat Users List
> Subject: Re: Active Directory Single Sign-On
> 
> I think you are looking for NTLM authentication which was done by the
> samba 
> folks. See http://jcifs.samba.org/
> 
> -Tim
> 
> Pitre, Russell wrote:
> 
> > Hey All-
> > 
> > Finally Finally, Finally, I figured out how to authenticate to Active Directory.......(code below minus the login form).....now to go further, I would like to implement Single Sign-On.....somehow we would need to retrieve the user's name and password off their NT machine and use them to automatically post the form......does anyone have any suggestions?
> > 
> > Also, I was able to see in the log that it enumerates the groups of the user, but it didn't find the "Domain Users" group.........hmmmm.....anyone know why?  I see the security group in AD Comp & Users......
> > 
> > 
> > <SERVER.XML>
> > 
> > <Context>
> >             ......stuff
> >             ......stuff
> >             .....stuff
> > 
> >             <Realm className="org.apache.catalina.realm.JNDIRealm"
> >                    debug="99"
> >                    connectionURL="ldap://[Domain Controller]:389"
> >                    userBase="OU=Users,OU=Shawmut,DC=[Domain],DC=com"
> >                    userSearch="(sAMAccountName={0})"
> >                    userRoleName="member"
> >                    roleBase="OU=Users,OU=Shawmut,DC=[Domain],DC=com"
> >                    roleName="memberOf"
> >                    roleSearch="(memberOf=CN=tomcat,CN=Users,DC=[Domain],DC=com)"
> >                    connectionName="CN=Administrator,CN=Users,DC=[Domain],DC=com"
> >                    connectionPassword="[password]"
> >                    roleSubtree="true"
> >                    userSubtree="true"/>
> > </Context>
> > 
> > <WEB.XML>
> > 
> >   <security-constraint>
> >     <display-name>Show Tracker Security Constraint</display-name>
> >     <web-resource-collection>
> >       <web-resource-name>Protected Area</web-resource-name>
> >       <url-pattern>/*</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >       <role-name>CN=Alloffice,OU=SDC,OU=Email Distribution Lists,OU=Groups,OU=Shawmut,DC=[Domain],DC=com</role-name>
> >     </auth-constraint>
> >   </security-constraint>
> > 
> >   <login-config>
> >     <auth-method>FORM</auth-method>
> >     <realm-name>Show Tracker Authentication Area</realm-name>
> >     <form-login-config>
> >       <form-login-page>/login.jsp</form-login-page>
> >       <form-error-page>/error.jsp</form-error-page>
> >     </form-login-config>
> >   </login-config>
> > 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 
