tomcat-users mailing list archives

From Louis <>
Subject Re: Announce: PrincipalAuthenticator 1.0 (for NTLM Authorization behind IIS)
Date Thu, 23 Oct 2008 00:33:45 GMT
André Warnier wrote:
> Louis wrote:
> [...]
>> PrincipalAuthenticator is an implementation of a Tomcat Authenticator 
>> that allows transparent authorization to happen for corporate Windows 
>> users.
> [...]
> The JKConnector provides Tomcat the ability to sit behind an instance 
> of IIS and have requests passed to it for java applications. If NTLM 
> (Integrated Windows Authentication) is enabled on IIS and 
> tomcatAuthentication="false" on the tomcat side AJP connector, then 
> IIS will provide each request into tomcat with a Principal container 
> the user's DOMAIN\USERNAME. ie:\ME). 
> This is a fully authenticated credential when used in a trusted domain.
> [...]
>> The PrincipalAuthenticator uses the Principal supplied by IIS to make 
>> Tomcat ask the SecurityRealm what roles the user should have. It 
>> closes the JAAS loop.
> [...]
> Hi.
> I am unfamiliar with Tomcat Authenticator(s), therefore my questions 
> below may be naive or nonsensical. I apologise in advance if that is 
> the case.
> What you describe above for IIS, seems to me similar to the case where 
> Apache in front of mod_jk performs user authentication, and passes it 
> on to Tomcat through mod_jk.  In that case also I believe that each 
> request in Tomcat ends up with a
> If the Apache authentication is based on NTLM (various add_on modules 
> allow that at Apache level), then the user-id is also of the form 
> Domain\User.
> If I understand thus correctly what PrincipalAuthenticator does, it is 
> not to itself authenticate the Tomcat user, but associate this user 
> with Tomcat roles. Yes ?
Almost, it makes Tomcat check the application's SecurityRealm for the 
user's Roles. If there's no SecurityRealm defined then the user still 
gets no Roles.

The third UML on the docs page shows the Authenticator closing the JAAS 
loop on tomcat.
(The diagram's a little out of date, the PrincipalAuthenticator is shown 
as TomcatIISAuthenticatorValve)
> And it would work just as well, whether the original authentication 
> came from IIS or from Apache, or any other source (e.g. the jCIFS 
> servlet filter).  Is that correct ?
That is exactly right. This is why it's called a PrincipalAuthenticator. 
The principal supplied by the JK connector can come from anywhere. It 
can also be provided by a tomcat Valve acting before the Authenticator 
is called.

The PrincipalAuthenticator has gone through a few names early on, but I 
realized that the mechanism was actually fairly generic, and so I 
refactored the names until settling on PrincipalAuthenticator.

> Next, the association between users and roles.
> The way it is described above, it sounds like, at the Tomcat level, 
> there must still be some source of information that associates a given 
> user-id with a list of roles.  How is that achieved, and how does the 
> user-id part of this get to be known by Tomcat ?
> Does Tomcat need its own local list of NTLM user-id's associated to 
> roles ?
Tomcat doesn't need to necessarily maintain the list, but there are 
SecurityRealms that work that way. Typically you would use a 
DatabaseSecurityRealm that would look up the user's Roles from a table 
(or from an LDAP query. eg: ActiveDirectory).
Since the Principal isn't supplied with a password or other credential, 
we're relying on the providing service to be accurate. (ie: we assume 
that IIS or Apache isn't lying to us, and has done its job correctly). 
As such, some Realms may require a little extra configuration or Java to 
cough up the Roles without getting a password.
> As a more generic topic, does there exist any method by which the 
> notion of "role" in Tomcat parlance can be associated (preferably 
> dynamically and without a local store) with the notion of "user 
> groups" in NTLM/Windows Domain parlance ?
Yes. This is a popular topic on the net. Here are some references that I'm 
familiar with:

> Thanks in advance for any light on the above,
> André
My pleasure. It's great to see some interest in this.
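As an added illustration of the setup described in this thread (constructed here, not taken from the announcement or the PrincipalAuthenticator project), a server.xml fragment with the AJP connector accepting the IIS-supplied Principal and a Realm that resolves that user's roles; the loopback binding, the database driver/URL and the table and column names are assumptions.

```xml
<!-- server.xml fragment (constructed example). The PrincipalAuthenticator
     itself is configured per its own docs and is not shown here. -->
<Service name="Catalina">

  <!-- AJP/1.3 connector fed by the ISAPI redirector running inside IIS.
       tomcatAuthentication="false" makes Tomcat take the user name IIS has
       already authenticated (DOMAIN\user) as the request Principal instead
       of authenticating again. No password or token arrives with it, so
       only the trusted IIS instance should be able to reach this port:
       bind it to loopback (assumes IIS and Tomcat share a host; otherwise
       bind to the interface facing IIS and firewall the port). -->
  <Connector port="8009" protocol="AJP/1.3"
             address="127.0.0.1"
             tomcatAuthentication="false" />

  <Engine name="Catalina" defaultHost="localhost">

    <!-- Realm the authenticator asks for the user's roles. user_roles is
         keyed on the same DOMAIN\user string IIS supplies; the password
         column is never consulted in this flow. As the thread notes, some
         realms need extra configuration or code to return roles without a
         password, so check role resolution against the realm you use.
         Driver, URL, table and column names are assumptions. -->
    <Realm className="org.apache.catalina.realm.JDBCRealm"
           driverName="org.hsqldb.jdbcDriver"
           connectionURL="jdbc:hsqldb:hsql://localhost/tomcat"
           userTable="users" userNameCol="user_name" userCredCol="user_pass"
           userRoleTable="user_roles" roleNameCol="role_name" />

    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
```

The application's web.xml then protects URLs with a security-constraint naming the roles found in user_roles; a user IIS authenticates but who has no row there gets no roles and is refused.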
