Louis wrote:
[...]
PrincipalAuthenticator is an implementation of a Tomcat Authenticator
that allows transparent authorization to happen for corporate Windows
users.
[...]
The JKConnector provides Tomcat the ability to sit behind an instance of
IIS and have requests passed to it for java applications. If NTLM
(Integrated Windows Authentication) is enabled on IIS and
tomcatAuthentication="false" on the tomcat side AJP connector, then IIS
will provide each request into tomcat with a Principal container the
user's DOMAIN\USERNAME. ie: javax.security.Principal(HOME\ME). This is a
fully authenticated credential when used in a trusted domain.
[...]
The PrincipalAuthenticator uses the Principal supplied by IIS to make
Tomcat ask the SecurityRealm what roles the user should have. It closes
the JAAS loop.
[...]
Hi.
I am unfamiliar with Tomcat Authenticator(s), therefor my questions
below may be naive or nonsensical. I apologise in advance if that is the
case.
What you describe above for IIS, seems to me similar to the case where
Apache in front of mod_jk performs user authentication, and passes it on
to Tomcat through mod_jk. In that case also I believe that each request
in Tomcat ends up with a javax.security.Principal(user-id).
If the Apache authentication is based on NTLM (various add_on modules
allow that at Apache level), then the user-id is also of the form
Domain\User.
If I understand thus correctly what PrincipalAuthenticator does, it is
not to itself authenticate the Tomcat user, but associate this user with
Tomcat roles. Yes ?
And it would work just as well, whether the original authentication came
from IIS or from Apache, or any other source (e.g. the jCIFS servlet
filter). Is that correct ?
Next, the association between users and roles.
The way it is described above, it sounds like, at the Tomcat level,
there must still be some source of information that associates a given
user-id with a list of roles. How is that achieved, and how does the
user-id part of this get to be known by Tomcat ?
Does Tomcat need its own local list of NTLM user-id's associated to roles ?
As a more generic topic, does there exist any method by which the notion
of "role" in Tomcat parlance can be associated (preferably dynamically
and without a local store) with the notion of "user groups" in
NTLM/Windows Domain parlance ?
Thanks in advance for any light on the above,
André
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
