tomcat-users mailing list archives

From Louis <>
Subject Announce: PrincipalAuthenticator 1.0 (for NTLM Authorization behind IIS)
Date Tue, 21 Oct 2008 19:35:23 GMT
PrincipalAuthenticator is an implementation of a Tomcat Authenticator 
that allows transparent authorization to happen for corporate Windows users.

The JKConnector provides Tomcat the ability to sit behind an instance of 
IIS and have requests passed to it for Java applications. If NTLM 
(Integrated Windows Authentication) is enabled on IIS and 
tomcatAuthentication="false" is set on the Tomcat-side AJP connector, then IIS 
will provide each request into Tomcat with a Principal containing the 
user's DOMAIN\USERNAME (i.e. \ME). This is a 
fully authenticated credential when used in a trusted domain.

This is useful for identifying users in Java applications without 
forcing them to sign in. Unfortunately, this short-circuits the rest of 
Tomcat's normal authentication sequence (where it asks the SecurityRealm 
what the user's roles are, e.g. authorization).

The PrincipalAuthenticator uses the Principal supplied by IIS to make 
Tomcat ask the SecurityRealm what roles the user should have. It closes 
the JAAS loop. Once the server is configured with an appropriate source 
of permissions (SecurityRealm or LoginModule) developers can use the 
typical 'request.isUserInRole("role")' calls and declarative security to 
perform checks on users' permissions.

All an application must do to use this is declare its login-config as 
such in the web.xml (on top of whatever binding is required to its 
security config on the server).


The PrincipalAuthenticator is available as either ASF or LGPL licensed code (your choice).
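Editor's note: the configuration below is an added illustration of the setup the announcement describes; it is not code from the PrincipalAuthenticator distribution or from the announcement itself. The port, the loopback address, the authenticator class name (com.example.PrincipalAuthenticator), the Realm wiring and the "reports" role are assumptions chosen for the example; the auth-method value that PrincipalAuthenticator expects in web.xml is whatever the announcement's own (not reproduced above) snippet specifies and is left blank here.

```xml
<!-- server.xml: the AJP connector that receives requests from IIS via the JK
     ISAPI redirector. tomcatAuthentication="false" makes Tomcat accept the user
     name forwarded by IIS instead of authenticating the request itself.
     Anything that can open a connection to this port can therefore assert an
     arbitrary DOMAIN\USERNAME, so bind it to the loopback address (or the
     interface IIS connects from) and never expose it beyond the IIS host.
     Port and address are assumed values for this example. -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           tomcatAuthentication="false"
           redirectPort="8443" />

<!-- META-INF/context.xml of the web application: install PrincipalAuthenticator
     as the context's authenticator valve so that the forwarded Principal is
     handed to the Realm for its roles. The className is a placeholder, not the
     real class name; use the one shipped with the distribution. The Realm
     configured for this context (or inherited from the Host/Engine) must know
     the role membership of the forwarded DOMAIN\USERNAME names, for example a
     JNDIRealm against the corporate directory. -->
<Context>
  <Valve className="com.example.PrincipalAuthenticator" />
</Context>

<!-- WEB-INF/web.xml: declarative security. The security-constraint is what
     makes the authenticator run for the covered URLs; once it has registered
     the Principal with its Realm roles, request.isUserInRole("reports") in a
     servlet or JSP answers from the same role set. The "reports" role is an
     assumed example. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Reports</web-resource-name>
    <url-pattern>/reports/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>reports</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>reports</role-name>
</security-role>
<login-config>
  <!-- value as required by PrincipalAuthenticator (see the announcement) -->
  <auth-method></auth-method>
</login-config>
```

The check worth making after wiring this up: with tomcatAuthentication="false", Tomcat's AJP connector believes whatever user name arrives on the socket, so the trust boundary is the network path between IIS and port 8009, not the NTLM handshake. Confirm the connector is not reachable from any host other than the IIS front end before relying on the forwarded Principal for authorization.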
