tomcat-users mailing list archives

From Marcel Stör <>
Subject Re: Tomcat connector for IIS, are user groups passed along?
Date Thu, 13 Oct 2011 06:41:14 GMT
On 12.10.2011 22:47, André Warnier wrote:
> Marcel Stör wrote:
>> Scenario: use Integrated Windows Security (Kerberos/NTLM) for the site
>> in IIS that delegates to Tomcat.
>> Question: would the ISAPI connector be able to pass the Active
>> Directory groups (i.e. user's membership info) along to Tomcat in the
>> request?
> I am not the ultimate expert on this, but awaiting the ultimate expert's
> confirmation, I would say :

How would I be able to identify the mysterious "ultimate expert" should 
he appear here ;-)

> - it does not do it right now
> - it would probably require serious coding changes to do it (notably
> because in the AJP protocol, there is no attribute or packet type
> foreseen to pass such information per se)
> - and there are some conceptual issues linked to this, essentially
> because the very notion of AD/NTLM "user groups" is something valid only
> in an MS-centric context (and Tomcat has to work in other contexts).
> (*)
>> Question 2: if yes, could I call request.isUserInRole(roleName) in the
>> Tomcat app?
> If you mean to say that you would use the name of an NTLM group as
> "roleName" above,
> that's a different matter, and also with some conceptual difficulties.
> The notions of "roles" in Tomcat, and the notion of "user groups" are
> somewhat different.
> This being said, there is one (commercial but affordable) product which
> allows you to do something of the kind. Have a look at Jespa
> ( Download the product (free), and read the User's Guide
> that comes with it, particularly what it has to say about user groups
> and roles.
> This product works purely at the Tomcat level, as an authenticating
> servlet filter.
> So it does not use the authentication already made by IIS, it does it
> all at the Tomcat level. This may or may not suit your needs, but if
> your ultimate purpose is to have a Windows Domain kind of authentication
> and SSO, and allow/deny access to applications based on user Domain
> group membership, then it can do that.
> For another option, in Tomcat 7.x there is also a new SPNEGO
> authentication mechanism available, described here :
> I really do not know much about it, as I use the Jespa mentioned above.
> Maybe someone else can opine if this Valve provides access to the user's
> NTLM groups ?
> (*) Also, but probably a very long shot : some recent discussion on this
> list, prompted by someone having difficulties with large headers being
> passed to Tomcat via AJP, seemed to indicate that the NTLM Authorization
> headers which are sent by the (authenticated) browser to Tomcat (via
> IIS), include the user's group membership in some form. This is probably
> encrypted, but it may be possible to decrypt this at the Tomcat level.

Ah good, this subject popped up in a different context just a few days 
ago (Windows sys admin having problems with users who are in 100s of AD 
Do you happen to have a pointer to that discussion?


Marcel Stör,
O< ascii ribbon campaign - stop html mail -
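
Added example (not part of the original thread): a parser for the optional attributes of an AJP13 forward request, showing that the dedicated identity fields a front-end web server can forward are `remote_user` and `auth_type`, with no field for group membership. The packet layout follows the published AJPv13 protocol reference; the sample packet, user name and host name are constructed.

```python
import struct

# Attribute codes an AJP13 forward request can carry; none is a group list.
ATTRS = {1: "context", 2: "servlet_path", 3: "remote_user", 4: "auth_type", 5: "query_string",
         6: "route", 7: "ssl_cert", 8: "ssl_cipher", 9: "ssl_session", 10: "req_attribute",
         11: "ssl_key_size", 12: "secret", 13: "stored_method"}

class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def num(self, fmt):                       # ">B" = byte, ">H" = 16-bit integer
        (value,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return value
    def string(self):
        n = self.num(">H")
        if n == 0xFFFF:                       # AJP encoding of a null string
            return None
        self.pos += n + 1                     # payload plus its trailing NUL byte
        return self.data[self.pos - n - 1:self.pos - 1].decode("latin-1")

def parse_attributes(packet):
    r = Reader(packet)
    if r.num(">H") != 0x1234 or r.num(">H") != len(packet) - 4 or r.num(">B") != 2:
        raise ValueError("not a complete AJP13 forward request")
    r.num(">B")                               # HTTP method code
    for _ in range(5):                        # protocol, req_uri, remote_addr,
        r.string()                            # remote_host, server_name
    r.pos += 3                                # server_port (2 bytes), is_ssl (1 byte)
    for _ in range(r.num(">H")):              # request headers
        r.num(">H") if r.data[r.pos] == 0xA0 else r.string()  # coded or literal name
        r.string()                            # header value
    attrs = {}
    while (code := r.num(">B")) != 0xFF:      # 0xFF terminates the request
        if code == 10:                        # req_attribute: name, then value
            key = r.string()
            attrs.setdefault("req_attribute", {})[key] = r.string()
        else:                                 # ssl_key_size (11) is an integer
            attrs[ATTRS[code]] = r.num(">H") if code == 11 else r.string()
    return attrs

def enc(text):                                # AJP string: length, bytes, NUL
    return struct.pack(">H", len(text)) + text.encode("latin-1") + b"\0"

# Constructed sample (not a capture): GET /app/, Host header, remote_user, auth_type.
BODY = (bytes([2, 2]) + enc("HTTP/1.1") + enc("/app/") + enc("10.0.0.5") + b"\xff\xff"
        + enc("intranet.example") + struct.pack(">HBH", 80, 0, 1) + b"\xa0\x0b"
        + enc("intranet.example") + b"\x03" + enc("EXAMPLE\\jdoe") + b"\x04"
        + enc("Negotiate") + b"\xff")
SAMPLE = b"\x12\x34" + struct.pack(">H", len(BODY)) + BODY
```

`parse_attributes(SAMPLE)` returns only the user name and the authentication scheme, which is all the identity information in this constructed request.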
