Message-ID: <48FE2EFB.2000807@gmail.com>
Date: Tue, 21 Oct 2008 15:35:23 -0400
From: Louis
To: Tomcat Users
Subject: Announce: PrincipalAuthenticator 1.0 (for NTLM Authorization behind IIS)

PrincipalAuthenticator is an implementation of a Tomcat Authenticator that allows transparent authorization to happen for corporate Windows users.

The JKConnector provides Tomcat the ability to sit behind an instance of IIS and have requests passed to it for Java applications. If NTLM (Integrated Windows Authentication) is enabled on IIS and tomcatAuthentication="false" is set on the Tomcat-side AJP connector, then IIS will provide each request into Tomcat with a Principal containing the user's DOMAIN\USERNAME, i.e. javax.security.Principal(HOME\ME). This is a fully authenticated credential when used in a trusted domain. This is useful for identifying users in Java applications without forcing them to sign in.

Unfortunately, this short-circuits the rest of Tomcat's normal authentication sequence (where it asks the SecurityRealm what the user's roles are, e.g. authorization). The PrincipalAuthenticator uses the Principal supplied by IIS to make Tomcat ask the SecurityRealm what roles the user should have. It closes the JAAS loop.
Once the server is configured with an appropriate source of permissions (SecurityRealm or LoginModule), developers can use the typical 'request.isUserInRole("role")' calls and declarative security to perform checks on users' permissions.

All an application must do to use this is declare its login-config as such in the web.xml (on top of whatever binding is required to its security config on the server):

    <login-config>
        <auth-method>PRINCIPAL</auth-method>
    </login-config>

The PrincipalAuthenticator is available as either ASF or LGPL licensed code (your choice).

http://www.laj.ca/projects/PrincipalAuthenticator/
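As an added illustration of the mechanism the announcement describes (this is not the project's own code, which is not reproduced here), below is a minimal authenticator of that kind written against the Tomcat 9 AuthenticatorBase API rather than the 2008 one; the class name, the PRINCIPAL auth-method string and the wiring as a Context valve are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;

/**
 * Hypothetical re-creation of the announcement's idea (assumed name, not the
 * project's source): take the DOMAIN\USERNAME IIS pushed over AJP and let the
 * configured Realm decide that user's roles. Tomcat 9 AuthenticatorBase API.
 */
public class PrincipalAuthenticator extends AuthenticatorBase {
    // Value used in web.xml <auth-method>; assumed to match the announcement.
    private static final String AUTH_METHOD = "PRINCIPAL";

    @Override
    protected boolean doAuthenticate(Request request, HttpServletResponse response)
            throws IOException {
        // Reuse a Principal already cached on the session or by SSO, if any.
        if (checkForCachedAuthentication(request, response, true)) {
            return true;
        }
        // With tomcatAuthentication="false" the AJP connector fills the request's
        // user Principal from IIS's REMOTE_USER (a HOME\ME style name).
        Principal fromIis = request.getUserPrincipal();
        String username = fromIis != null ? fromIis.getName() : request.getRemoteUser();
        if (username == null || username.isEmpty()) {
            // IIS did not authenticate this request: nothing to authorize.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        // Ask the Realm (JAAS, JNDI/LDAP, JDBC, ...) for a role-bearing Principal.
        // Realm.authenticate(String) looks the user up without a password check,
        // which is right here: IIS has already verified the credential.
        Principal withRoles = context.getRealm().authenticate(username);
        if (withRoles == null) {
            // Known to the domain but not to this application: deny rather than
            // continue with the role-less IIS Principal.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        // Swap in the Realm's Principal so request.isUserInRole() and
        // <security-constraint> checks now see the user's roles.
        register(request, response, withRoles, AUTH_METHOD, username, null);
        return true;
    }

    @Override
    protected String getAuthMethod() {
        return AUTH_METHOD;
    }
}
```

Declare it as a Valve in the application's context.xml so Tomcat's ContextConfig skips its own authenticator selection. Because tomcatAuthentication="false" makes Tomcat accept whatever user name arrives on the AJP connector, that connector should be reachable only from the IIS host (the connector's address attribute, and the secret attribute on current Tomcat releases).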