tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Allen Hadden" <>
Subject RE: Active Directory Single Sign-On
Date Wed, 10 Sep 2003 10:36:29 GMT
> -----Original Message-----
> From: Endre StĂžlsvik [] 
> Sent: Wednesday, September 10, 2003 3:45 AM
> To: Tomcat Users List
> Subject: Re: Active Directory Single Sign-On
> | Tim mentioned the use of the JCIFS library.  I don't think 
> that'd work 
> | either since it'd need to run on the same machine as the browser, 
> | which doesn't seem right.  Or perhaps I'm missing 
> something.  Now if 
> | Tomcat supported Windows SSO using JCIFS, then that's a different 
> | story.  I don't think it does though (and I'm sure someone will 
> | correct me if I'm wrong :)).
> You're missing something. I'm correcting you! It works. We've 
> done it with our portal engine..!

OK, right.  Thanks for the correction.  Very good work, those JCIFS guys.  Sorry for the misinformation
(and for doubting Tim).

To summarize, there are three ways to do the SSO:

   1. Use IIS to front Tomcat using the ISAPI redirector
   2. Use the JCIFS filter to do the authentication
   3. Use low-level JCIFS calls to implement the authentication yourself

#2 seems like the preferred approach, unless there is a reason you can't tie yourself to the
  2.3 servlet spec.  It looks like someone recently added an NtlmServlet class to JCIFS, which
would provide a fourth method to achieve SSO (and wouldn't require a 2.3 servlet container).

In all cases, there is no "password" being passed from the browser to the web server.  Also,
you'll have to figure out the best way to do authorization.  You could definitely use JNDI
to query the ActiveDirectory for authorization information.  But does JCIFS provide anything
that might help authorization?  For example, does it pass a list of groups the user is in
as a request attribute?  That'd be nice (a quick look at the docs didn't reveal anything).


View raw message