tomcat-users mailing list archives

From "Bill Barker" <>
Subject Re: Announce: PrincipalAuthenticator 1.0 (for NTLM Authorization behind IIS)
Date Wed, 22 Oct 2008 03:34:03 GMT

"André Warnier" <> wrote in message
> Louis wrote:
> [...]
>> PrincipalAuthenticator is an implementation of a Tomcat Authenticator 
>> that allows transparent authorization to happen for corporate Windows 
>> users.
> [...]
> The JKConnector provides Tomcat the ability to sit behind an instance of 
> IIS and have requests passed to it for java applications. If NTLM 
> (Integrated Windows Authentication) is enabled on IIS and 
> tomcatAuthentication="false" on the tomcat side AJP connector, then IIS 
> will provide each request into tomcat with a Principal containing the 
> user's DOMAIN\USERNAME. ie:\ME). This is a 
> fully authenticated credential when used in a trusted domain.
> [...]
>> The PrincipalAuthenticator uses the Principal supplied by IIS to make 
>> Tomcat ask the SecurityRealm what roles the user should have. It closes 
>> the JAAS loop.
> [...]
> Hi.
> I am unfamiliar with Tomcat Authenticator(s), therefore my questions below 
> may be naive or nonsensical. I apologise in advance if that is the case.
> What you describe above for IIS, seems to me similar to the case where 
> Apache in front of mod_jk performs user authentication, and passes it on 
> to Tomcat through mod_jk.  In that case also I believe that each request 
> in Tomcat ends up with a
> If the Apache authentication is based on NTLM (various add_on modules 
> allow that at Apache level), then the user-id is also of the form 
> Domain\User.
> If I understand this correctly, what PrincipalAuthenticator does is not 
> to itself authenticate the Tomcat user, but to associate this user with 
> Tomcat roles. Yes ?
> And it would work just as well, whether the original authentication came 
> from IIS or from Apache, or any other source (e.g. the jCIFS servlet 
> filter).  Is that correct ?

With the attribute tomcatAuthentication="false", the out-of-the-box Tomcat 
will authenticate the user (i.e. assign a Principal), but without any roles. 
This means that container-based security (i.e. 
<security-constraint>...</security-constraint>) is almost useless in this 

> Next, the association between users and roles.
> The way it is described above, it sounds like, at the Tomcat level, there 
> must still be some source of information that associates a given user-id 
> with a list of roles.  How is that achieved, and how does the user-id part 
> of this get to be known by Tomcat ?
> Does Tomcat need its own local list of NTLM user-id's associated to roles 
> ?

Not being interested enough to look over the code ;), it sounds like this 
finds the roles assigned to NTLM and assigns them to the user.  In this 
case, it sounds like it works a lot like the JNDIRealm except that it skips 
the additional sign-on step (so the user doesn't have to send a 
username/password, and is just logged in with their NTLM credentials).

> As a more generic topic, does there exist any method by which the notion 
> of "role" in Tomcat parlance can be associated (preferably dynamically and 
> without a local store) with the notion of "user groups" in NTLM/Windows 
> Domain parlance ?

Nothing in Tomcat-out-of-the-box.  You'll have to take it up with the OP if 
he wants to add such an extension to his code.

> Thanks in advance for any light on the above,
> André
> ---------------------------------------------------------------------
> To start a new topic, e-mail:
> To unsubscribe, e-mail:
> For additional commands, e-mail:

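The two points made in the reply above (with tomcatAuthentication="false" the connector hands Tomcat a Principal without roles, and a JNDIRealm-style lookup can fill the roles in without a second sign-on) can be shown in one authenticator valve. The class below is an added example written against the Tomcat 8.5/9 AuthenticatorBase API; it is not the PrincipalAuthenticator announced in this thread, and the package and class names are made up for the illustration. Later Tomcat releases also ship this behaviour built in as the tomcatAuthorization attribute of the AJP connector.

```java
package example.auth;  // hypothetical package name for this example

import java.io.IOException;
import java.security.Principal;

import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Realm;
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;

/**
 * Authenticator for a Tomcat that sits behind IIS or Apache over AJP with
 * tomcatAuthentication="false". The connector has already placed the front
 * end's DOMAIN\USERNAME on the request as a role-less Principal; this valve
 * asks the Context's Realm for that user's roles and registers the resulting
 * Principal, so <security-constraint> role checks have something to work with.
 */
public class PreAuthenticatedPrincipalAuthenticator extends AuthenticatorBase {

    /** Reported by request.getAuthType(); any label works, this one mirrors the IIS setup. */
    private static final String AUTH_METHOD = "NTLM";

    @Override
    protected boolean doAuthenticate(Request request, HttpServletResponse response)
            throws IOException {

        // Principal forwarded by the AJP connector: a CoyotePrincipal carrying only a name.
        // AuthenticatorBase.checkForCachedAuthentication() would treat this role-less
        // Principal as "already authenticated" (the exact state described in the thread),
        // so it is deliberately not called here.
        Principal forwarded = request.getUserPrincipal();
        if (forwarded == null) {
            // Nothing arrived from the front end: the web server did not authenticate the user.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }

        // Reuse the role-bearing Principal cached in the session by an earlier request,
        // but only while the front end still reports the same user name.
        Session session = request.getSessionInternal(false);
        if (session != null && session.getPrincipal() != null
                && forwarded.getName().equals(session.getPrincipal().getName())) {
            request.setAuthType(session.getAuthType());
            request.setUserPrincipal(session.getPrincipal());
            return true;
        }

        // Ask the Realm (e.g. a JNDIRealm pointed at the domain's LDAP) for a Principal
        // with roles. Realm.authenticate(String) looks the user up by name only; the
        // password check already happened at the web server.
        Realm realm = context.getRealm();
        Principal withRoles = realm.authenticate(forwarded.getName());
        if (withRoles == null) {
            // Known to the domain but not to the Realm: refuse rather than continue role-less.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }

        // Record the Principal on the request (and in the session when one exists).
        register(request, response, withRoles, AUTH_METHOD, forwarded.getName(), null);
        return true;
    }

    @Override
    protected String getAuthMethod() {
        return AUTH_METHOD;
    }
}
```

Declare the valve in the web application's META-INF/context.xml (`<Valve className="example.auth.PreAuthenticatedPrincipalAuthenticator"/>`) so ContextConfig does not add a default authenticator, and pair it with a JNDIRealm whose roleBase/roleSearch point at the domain's group objects; that answers the last question in the thread, since the user's roles then come from Windows group membership at lookup time with no local user list. The whole arrangement trusts the AJP peer completely: the connector accepts whatever user name the front end sends, so the AJP connector must only be reachable from IIS or Apache (for example `address="127.0.0.1"` on the `<Connector protocol="AJP/1.3" ... tomcatAuthentication="false"/>` element, plus the connector's `secret` attribute on recent releases, `requiredSecret` on older ones).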
