tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Tomcat connector for IIS, are user groups passed along?
Date Wed, 12 Oct 2011 20:47:24 GMT
Marcel Stör wrote:
> Scenario: use Integrated Windows Security (Kerberos/NTLM) for the site 
> in IIS that delegates to Tomcat.
> Question: would the ISAPI connector be able to pass the Active Directory 
> groups (i.e. user's membership info) along to Tomcat in the request?

I am not the ultimate expert on this, but awaiting the ultimate expert's confirmation, I 
would say :
- it does not do it right now
- it would probably require serious coding changes to do it (notably because in the AJP 
protocol, there is no attribute or packet type foreseen to pass such information per se)
- and there are some conceptual issues linked to this, essentially because the very notion

  of AD/NTLM "user groups" is something valid only in an MS-centric context (and Tomcat 
has to work in other contexts).


> Question 2: if yes, could I call request.isUserInRole(roleName) in the 
> Tomcat app?
If you mean to say that you would use the name of an NTLM group as "roleName" above,
that'a a different matter, and also with some conceptual difficulties.  The notions of 
"roles" in Tomcat, and the notion of "user groups" are somewhat different.

This being said, there is one (commercial but affordable) product which allows you to do 
something of the kind.  Have a look at Jespa (  Download the product 
(free), and read the User's Guide that comes with it, particularly what it has to say 
about user groups and roles.
This product works purely at the Tomcat level, as an authenticating servlet filter.
So it does not use the authentication already made by IIS, it does it all at the Tomcat 
level.  This may of may not suit your needs, but if your ultimate purpose is to have a 
Windows Domain kind of authentication and SSO, and allow/deny access to applications based

on user Domain group membership, then it can do that.

For another option, in Tomcat 7.x there is also a new SPNEGO authentication mechanism 
available, described here :
I really do not know much about it, as I use the Jespa mentioned above.
Maybe someone else can opine if this Valve provides access to the user's NTLM groups ?

(*) Also, but probably a very long shot : some recent discussion on this list, prompted by

someone having difficulties with large headers being passed to Tomcat via AJP, seemed to 
indicate that the NTLM Authorization headers which are sent by the (authenticated) browser

to Tomcat (via IIS), include the user's group membership in some form.  This is probably 
encrypted, but it may be possible to decrypt this at the Tomcat level.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message