From: André Warnier
Subject: Re: Announce: PrincipalAuthenticator 1.0 (for NTLM Authorization behind IIS)
Date: Tue, 21 Oct 2008 20:01:10 GMT
Louis wrote:
> PrincipalAuthenticator is an implementation of a Tomcat Authenticator 
> that allows transparent authorization to happen for corporate Windows 
> users.
> The JKConnector provides Tomcat the ability to sit behind an instance of 
> IIS and have requests passed to it for java applications. If NTLM 
> (Integrated Windows Authentication) is enabled on IIS and 
> tomcatAuthentication="false" on the tomcat side AJP connector, then IIS 
> will provide each request into tomcat with a Principal containing the 
> user's DOMAIN\USERNAME. ie:\ME). This is a 
> fully authenticated credential when used in a trusted domain.
> The PrincipalAuthenticator uses the Principal supplied by IIS to make 
> Tomcat ask the SecurityRealm what roles the user should have. It closes 
> the JAAS loop.


I am unfamiliar with Tomcat Authenticator(s), therefore my questions 
below may be naive or nonsensical. I apologise in advance if that is the 

What you describe above for IIS seems to me similar to the case where 
Apache in front of mod_jk performs user authentication, and passes it on 
to Tomcat through mod_jk.  In that case also I believe that each request 
in Tomcat ends up with a
If the Apache authentication is based on NTLM (various add_on modules 
allow that at Apache level), then the user-id is also of the form 
If I understand this correctly what PrincipalAuthenticator does, it is 
not to itself authenticate the Tomcat user, but associate this user with 
Tomcat roles. Yes ?
And it would work just as well, whether the original authentication came 
from IIS or from Apache, or any other source (e.g. the jCIFS servlet 
filter).  Is that correct ?

Next, the association between users and roles.
The way it is described above, it sounds like, at the Tomcat level, 
there must still be some source of information that associates a given 
user-id with a list of roles.  How is that achieved, and how does the 
user-id part of this get to be known by Tomcat ?
Does Tomcat need its own local list of NTLM user-ids associated to roles ?

As a more generic topic, does there exist any method by which the notion 
of "role" in Tomcat parlance can be associated (preferably dynamically 
and without a local store) with the notion of "user groups" in 
NTLM/Windows Domain parlance ?

Thanks in advance for any light on the above,


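The two configuration points raised in the message, shown as an added example that is not part of this thread and not code from PrincipalAuthenticator: first, what tomcatAuthentication="false" on the AJP connector implies for trust (Tomcat accepts the principal the AJP client sends, so the connector must only be reachable from the IIS/ISAPI redirector host), and second, one standard way to map Windows domain groups to Tomcat roles without a local user/role store, using Tomcat's JNDIRealm against Active Directory. All hostnames, DNs, ports, credentials and role names are placeholders, and it is an assumption that the authenticator hands the realm the bare account name rather than DOMAIN\USERNAME.

```xml
<!-- Added example (not from the thread): Tomcat server.xml and web.xml
     fragments. Hostnames, DNs, ports and credentials are placeholders. -->

<!-- WEAK: tomcatAuthentication="false" makes Tomcat trust whatever
     principal the AJP client asserts, and this connector listens on every
     interface, so any host that can reach port 8009 can present itself as
     DOMAIN\anyone without ever talking to IIS. -->
<Connector port="8009" protocol="AJP/1.3"
           tomcatAuthentication="false" />

<!-- CORRECTED: keep tomcatAuthentication="false" (IIS has already done the
     authentication) but bind the connector to the address the ISAPI
     redirector connects from, and firewall 8009 from everything else. -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           tomcatAuthentication="false" />

<!-- Roles from directory groups, no local store: JNDIRealm looks the
     account up in Active Directory and exposes every group the account is
     a member of as a Tomcat role named by the group's cn.
     {0} in userSearch is the username; {0} in roleSearch is the user's DN.
     Assumption: the authenticator passes the bare account name; if it
     passes DOMAIN\user, the search filter must account for the prefix. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://dc1.example.com:389"
       connectionName="cn=tomcat-bind,ou=service,dc=example,dc=com"
       connectionPassword="changeme"
       userBase="ou=people,dc=example,dc=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="ou=groups,dc=example,dc=com"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true" />

<!-- web.xml: role names must match the cn of the directory groups. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Finance reports</web-resource-name>
    <url-pattern>/reports/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Finance-Users</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>Finance-Users</role-name>
</security-role>
```

Two practical notes: the bind password sits in clear text in server.xml, so the file's permissions matter as much as the LDAP ACLs on the bind account, and newer Tomcat releases also let the connector demand a shared AJP secret from the redirector; the attribute name has changed between versions, so check the AJP connector reference for the release in use before relying on it.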