From: Marcel Stör
To: Tomcat Users List
Date: Thu, 13 Oct 2011 08:41:14 +0200
Subject: Re: Tomcat connector for IIS, are user groups passed along?
Message-ID: <4E96880A.7010803@frightanic.com>
In-Reply-To: <4E95FCDC.3050904@ice-sa.com>

On 12.10.2011 22:47, André Warnier wrote:
> Marcel Stör wrote:
>> Scenario: use Integrated Windows Security (Kerberos/NTLM) for the site
>> in IIS that delegates to Tomcat.
>>
>> Question: would the ISAPI connector be able to pass the Active
>> Directory groups (i.e. user's membership info) along to Tomcat in the
>> request?
>
> I am not the ultimate expert on this, but awaiting the ultimate expert's
> confirmation, I would say :

How would I be able to identify the mysterious "ultimate expert" should he appear here ;-)

> - it does not do it right now
> - it would probably require serious coding changes to do it (notably
> because in the AJP protocol, there is no attribute or packet type
> foreseen to pass such information per se)
> - and there are some conceptual issues linked to this, essentially
> because the very notion of AD/NTLM "user groups" is something valid only
> in an MS-centric context (and Tomcat has to work in other contexts).
>
> (*)
>
>> Question 2: if yes, could I call request.isUserInRole(roleName) in the
>> Tomcat app?
> If you mean to say that you would use the name of an NTLM group as
> "roleName" above,
> that's a different matter, and also with some conceptual difficulties.
> The notions of "roles" in Tomcat, and the notion of "user groups" are
> somewhat different.
>
> This being said, there is one (commercial but affordable) product which
> allows you to do something of the kind. Have a look at Jespa
> (www.ioplex.com). Download the product (free), and read the User's Guide
> that comes with it, particularly what it has to say about user groups
> and roles.
> This product works purely at the Tomcat level, as an authenticating
> servlet filter.
> So it does not use the authentication already made by IIS, it does it
> all at the Tomcat level. This may or may not suit your needs, but if
> your ultimate purpose is to have a Windows Domain kind of authentication
> and SSO, and allow/deny access to applications based on user Domain
> group membership, then it can do that.
>
> For another option, in Tomcat 7.x there is also a new SPNEGO
> authentication mechanism available, described here :
> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SPNEGO_Valve
> I really do not know much about it, as I use the Jespa mentioned above.
> Maybe someone else can opine if this Valve provides access to the user's
> NTLM groups ?
>
>
> (*) Also, but probably a very long shot : some recent discussion on this
> list, prompted by someone having difficulties with large headers being
> passed to Tomcat via AJP, seemed to indicate that the NTLM Authorization
> headers which are sent by the (authenticated) browser to Tomcat (via
> IIS), include the user's group membership in some form. This is probably
> encrypted, but it may be possible to decrypt this at the Tomcat level.

Ah good, this subject popped up in a different context just a few days ago (a Windows sysadmin having problems with users who are in hundreds of AD groups). Do you happen to have a pointer to that discussion?
Cheers,
Marcel

--
Marcel Stör, http://www.frightanic.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
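To make the "groups versus roles" point above concrete, here is an added example (not code from the thread, from Jespa or from Tomcat) of the pattern André describes: an authenticating servlet filter that decides group-to-role mapping entirely inside Tomcat, so nothing about groups has to travel over AJP. It assumes the user name already arrives as `request.getRemoteUser()` (for instance from an AJP connector configured with `tomcatAuthentication="false"` behind IIS); the group lookup table and the `GROUP_TO_ROLE` mapping are hypothetical stand-ins for a real directory query and an application-specific policy.

```java
// Added example, not from the mailing-list thread, Jespa or Tomcat.
// A filter that wraps the request so request.isUserInRole(roleName) answers
// from a group-to-role mapping resolved inside Tomcat. Assumption: an upstream
// authenticator (e.g. IIS via AJP with tomcatAuthentication="false") has
// already populated getRemoteUser(); this filter never trusts client headers.
import java.io.IOException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

public class GroupRoleFilter implements Filter {

    // Hypothetical policy: directory group name -> application role.
    // Roles are an application concept and groups a directory concept, so the
    // mapping is explicit instead of assuming "group name == role name".
    private static final Map<String, String> GROUP_TO_ROLE = Map.of(
            "Domain Admins", "admin",
            "App-Users", "user");

    // Constructed stand-in for a directory lookup (a real deployment would
    // query AD/LDAP here, ideally with a cache, since users in hundreds of
    // groups make every lookup expensive).
    private static final Map<String, Set<String>> GROUPS_OF = Map.of(
            "alice", Set.of("Domain Admins", "App-Users"),
            "bob", Set.of("App-Users"));

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = http.getRemoteUser();
        if (user == null) {
            // No authenticated principal was propagated: fail closed.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(new RoleAwareRequest(http, user, rolesFor(user)), res);
    }

    // Translate the user's groups into the roles the application understands;
    // groups without a mapping are ignored rather than exposed as roles.
    static Set<String> rolesFor(String user) {
        Set<String> roles = new HashSet<>();
        for (String group : GROUPS_OF.getOrDefault(user, Set.of())) {
            String role = GROUP_TO_ROLE.get(group);
            if (role != null) {
                roles.add(role);
            }
        }
        return roles;
    }

    // Wrapper that makes the resolved roles visible to the web application.
    static final class RoleAwareRequest extends HttpServletRequestWrapper {
        private final Principal principal;
        private final Set<String> roles;

        RoleAwareRequest(HttpServletRequest req, String user, Set<String> roles) {
            super(req);
            this.principal = new Principal() {
                @Override public String getName() { return user; }
            };
            this.roles = roles;
        }

        @Override public Principal getUserPrincipal() { return principal; }
        @Override public String getRemoteUser() { return principal.getName(); }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
    }
}
```

The filter is registered in the application's web.xml with a `<filter>` and `<filter-mapping>` entry like any other filter. Two caveats follow from how Tomcat orders things: a filter runs after the container's own authenticator Valve, so only programmatic `request.isUserInRole()` checks in the application see these roles, while declarative `<security-constraint>` rules still need a Realm (for example a JNDIRealm against the directory) to map groups to roles. And because `tomcatAuthentication="false"` makes Tomcat trust whatever principal the front end sends, the AJP port must be reachable only from the IIS host, otherwise anyone who can speak AJP to it can choose the user name.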