tomcat-users mailing list archives

From Marcel Stör <mar...@frightanic.com>
Subject Re: Tomcat connector for IIS, are user groups passed along?
Date Thu, 13 Oct 2011 06:43:20 GMT
On 13.10.2011 00:14, chris derham wrote:
>>
>> - it would probably require serious coding changes to do it (notably
>> because in the AJP protocol, there is no attribute or packet type foreseen
>> to pass such information per se)
>> - and there are some conceptual issues linked to this, essentially because
>> the very notion of AD/NTLM "user groups" is something valid only in an
>> MS-centric context (and Tomcat has to work in other contexts).
>>
>>
> Kerberos is cross platform standard, allowing for groups to be embedded in
> the token. Nothing windows specific about that. I've definitely had windows
> primary domain controller and clients running on Windows talking to a tomcat
> running on Linux, and allowing access to the group info in the kerberos
> tokens

How did you configure this? Was Tomcat responsible for the Kerberos 
authentication against the Windows Active Directory?

>> For another option, in Tomcat 7.x there is also a new SPNEGO authentication
>> mechanism available, described here :
>> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SPNEGO_Valve
>>
>
> SPNEGO is Simple Protocol for Negotiating Authentication (or something like
> that). It basically causes a Kerberos token to be added via a http header
> called  authentication. I don't know anything about the ISAPI connector, but
> if it could pass through the authentication header with the kerberos token,
> then tomcat side you can decode the kerberos token and access the users
> groups. So that should work, and should work at no cost - well you'll need
> to spend some time configuring it and getting accounts setup, but should be
> easy enough.

Do you happen to have instructions for this?

Cheers,
Marcel

-- 
Marcel Stör, http://www.frightanic.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
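The thread turns on what the ISAPI connector would have to pass through: the `Authorization: Negotiate ...` header carrying a GSS-API token. A practitioner debugging this setup usually wants to know, from the raw header, whether the browser actually sent a Kerberos/SPNEGO token or fell back to NTLM (which also travels under the `Negotiate` scheme but which a Kerberos-only authenticator such as Tomcat's SPNEGO valve cannot consume). The following classifier is an added example written for this page, not code from the thread or from the Tomcat project. It only identifies the mechanism: the group information chris mentions lives inside the Kerberos ticket's authorization data, which is encrypted with the service key and needs a keytab plus a PAC-aware library to read. The sample header values below are constructed placeholders (the inner token bodies are filler bytes), and the helper names `classify_negotiate_token` and `build_gss_token` are this example's own.

```python
import base64
import re

# Mechanism OIDs found at the head of a GSS-API initial context token (RFC 2743 3.1).
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2

_NEGOTIATE_RE = re.compile(r"\s*Negotiate\s+([A-Za-z0-9+/=]+)\s*")


def _der_length(n: int) -> bytes:
    """Encode a DER length (short form below 0x80, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def build_gss_token(mech_oid: bytes, inner: bytes) -> bytes:
    """Wrap `inner` as [APPLICATION 0] { thisMech OID, innerContextToken }.

    Used here only to construct sample tokens; a real client builds these
    through its Kerberos/SSPI library.
    """
    body = b"\x06" + bytes([len(mech_oid)]) + mech_oid + inner
    return b"\x60" + _der_length(len(body)) + body


def _gss_mech_oid(token: bytes):
    """Return the mechanism OID bytes from a GSS-API initial token, or None."""
    if len(token) < 2 or token[0] != 0x60:
        return None
    pos = 1
    length_byte = token[pos]
    pos += 1
    if length_byte & 0x80:
        n = length_byte & 0x7F
        if n == 0 or n > 4 or len(token) < pos + n:
            return None
        pos += n  # skip the long-form length bytes; the OID follows them
    if len(token) < pos + 2 or token[pos] != 0x06:
        return None
    oid_len = token[pos + 1]
    oid = token[pos + 2 : pos + 2 + oid_len]
    return oid if len(oid) == oid_len else None


def classify_negotiate_token(header_value: str) -> str:
    """Classify the token in an 'Authorization: Negotiate <base64>' header.

    Returns 'spnego', 'kerberos', 'ntlm' or 'unknown'. Raises ValueError when
    the header is not a Negotiate header or the payload is not valid base64.
    """
    m = _NEGOTIATE_RE.fullmatch(header_value)
    if not m:
        raise ValueError("not an HTTP Negotiate authorization header")
    token = base64.b64decode(m.group(1), validate=True)
    # NTLM inside the Negotiate scheme is a raw NTLMSSP message, not a GSS token.
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    mech = _gss_mech_oid(token)
    if mech == SPNEGO_OID:
        return "spnego"
    if mech == KRB5_OID:
        return "kerberos"
    return "unknown"


def negotiate_header(token: bytes) -> str:
    """Format a token as the value of an Authorization header."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed sample header values (token bodies are filler, not real tickets).
SAMPLE_SPNEGO = negotiate_header(build_gss_token(SPNEGO_OID, b"\xa0" + b"\x00" * 199))
SAMPLE_KRB5 = negotiate_header(build_gss_token(KRB5_OID, b"\x01\x00" + b"\x00" * 40))
SAMPLE_NTLM = negotiate_header(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 16)

if __name__ == "__main__":
    for name, value in (("spnego", SAMPLE_SPNEGO), ("krb5", SAMPLE_KRB5), ("ntlm", SAMPLE_NTLM)):
        print(f"{name:6} -> {classify_negotiate_token(value)}")
```

Run against headers captured at the IIS or Tomcat side (for example from an access-log valve that records the `Authorization` header), an `ntlm` result explains a failing SPNEGO login without any Kerberos debugging: the client never obtained a service ticket, typically because the SPN for the host is missing or registered to the wrong account, so it fell back to NTLM.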

