tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Tomcat and Windows authentication
Date Mon, 01 Apr 2013 19:34:13 GMT
2013/4/1 André Warnier <aw@ice-sa.com>:
> Hi list.
>
> I have (re-)gone through the Tomcat 7 on-line documentation regarding
> Windows Domain authentication (variously designated in different places with
> acronyms such as WIA, SPNEGO, AD Authentication, with some additional
> sub-levels of NTLM (v1 and v2) and Kerberos), without finding ever a clear
> response to this question :
>
> Which of the Valves, methods, third-party libraries etc. work for a Tomcat
> Linux host as well as for a Tomcat Windows host ?
>
> From the on-line documentation to be found on either the Tomcat site or on
> the Waffle page or on the "SPNEGO project at SourceForge", it is *not clear
> at all* if any of these work on a Tomcat Linux host "out of the box" or if
> they require additional software.
> For example, the examples given for the SPNEGO Valve all refer only to a
> Tomcat hosted on a Windows machine; other parts mention that the Tomcat host
> has to be "joined to the Windows Domain" - which to my knowledge under Linux
> would require at least Samba; other parts (Waffle) talk about using a native
> Windows library (which seems to imply that Tomcat is running on a Windows
> host).  Maybe I am misunderstanding some of this, but none of the above
> clearly say either "yes, it works under Linux" or "no, it doesn't".
>
> Is there any way to get some clarification on this ?
>
> I know that this is not easy to provide for any of the Tomcat committers or
> helpers on this list, because it requires a Linux Tomcat host with access to
> one or several Windows Domains, and the time to evaluate the various
> options.  (It is not any easier for me, which is why I am asking.)
>
> But it seems to me that the documentation available at this point on the
> Tomcat site is unclear and - if some of these options do /not/ work under
> Linux - may cause people to lose a significant amount of time trying
> dead-ends.
>
> I'll start the ball rolling : by personal experience, I do know that the
> third-party (commercial) Jespa library works in both cases (Tomcat hosted on
> Linux or Windows), with exactly the same configuration procedure, that it
> does not need any other external component or circumstance (apart from the
> free cifs.jar library from the Samba project), that it has a good and clear
> documentation, and that one can download it and test it for 60 days for
> free.  On the other hand, it is not a <Realm>, it is not a <Valve>, it is a
> Servlet Filter.
>
> Can anyone provide similar clarification on the other options listed on the
> Tomcat website  ?
>

I understand that you are talking about this page:

http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

Just from a quick look

1. YMMV

2. If it uses native components (e.g. Waffle says "Uses a native
library") then I would not expect it to run on a different OS (and on
some rare CPUs like i64 that nobody tested and have not compiled the
library for).

It may also depend on some Windows components that may not be present
in your version of Windows (e.g. in cheap versions of Windows 7).

3. If it is pure Java and just uses pure networking then I would
expect it to run everywhere.

4. If it uses some proprietary Java components (security provider)
such as "com.sun.security.jgss.krb5" then the question boils down to
whether your copy of JRE has that component. Does OpenJDK have it?

5. You can run behind Apache HTTPD and use its authentication (and
forward this question to their mailing list).

6. Success stories etc, are welcome.

If anyone wants to amend the documentation, you may submit
a) comments via comments system in Tomcat 7 documentation on tomcat.apache.org
b) documentation patches via bugzilla

c) discuss it here and publish a link to thread archive in the wiki,
e.g. at https://wiki.apache.org/tomcat/FAQ/Windows


Have a nice day!

Konstantin Kolinko
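
One way to answer the question in point 4 on a given host, as an added example that is not part of the original message: run this probe with the same JRE that starts Tomcat. It assumes the Kerberos pieces of interest are the `com.sun.security.auth.module.Krb5LoginModule` JAAS class and the Kerberos v5 and SPNEGO GSS-API mechanisms; the class name `KerberosProbe` is hypothetical.

```java
import java.security.Provider;
import java.security.Security;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public class KerberosProbe {
    // Standard GSS-API mechanism OIDs: Kerberos v5 and SPNEGO.
    static final String KRB5_OID = "1.2.840.113554.1.2.2";
    static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    // Assumption: the JAAS login module of interest is the Sun/Oracle one.
    static final String KRB5_LOGIN_MODULE =
            "com.sun.security.auth.module.Krb5LoginModule";

    // True if the class can be located without initializing it.
    static boolean classPresent(String name) {
        try {
            Class.forName(name, false, ClassLoader.getSystemClassLoader());
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    // True if this JRE's GSS-API implementation offers the given mechanism.
    static boolean mechPresent(String oid) throws Exception {
        Oid wanted = new Oid(oid);
        for (Oid mech : GSSManager.getInstance().getMechs()) {
            if (mech.equals(wanted)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        System.out.printf("JRE: %s %s on %s%n",
                System.getProperty("java.vendor"),
                System.getProperty("java.version"),
                System.getProperty("os.name"));
        boolean module = classPresent(KRB5_LOGIN_MODULE);
        boolean krb5 = mechPresent(KRB5_OID);
        boolean spnego = mechPresent(SPNEGO_OID);
        System.out.println("Krb5LoginModule class : " + module);
        System.out.println("Kerberos v5 mechanism : " + krb5);
        System.out.println("SPNEGO mechanism      : " + spnego);
        // List the security providers so a missing one is easy to spot.
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName());
        }
        // Non-zero exit status lets a deployment script fail fast.
        System.exit(module && krb5 && spnego ? 0 : 1);
    }
}
```

A passing probe only shows that the JRE ships the components; it says nothing about whether the keytab, SPN and realm configuration for the host are correct.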
