> > - it would probably require serious coding changes to do it (notably
> > because in the AJP protocol, there is no attribute or packet type foreseen
> > to pass such information per se)
> > - and there are some conceptual issues linked to this, essentially because
> > the very notion of AD/NTLM "user groups" is something valid only in an
> > MS-centric context (and Tomcat has to work in other contexts).
> >

Kerberos is a cross-platform standard, allowing for groups to be embedded in the token. Nothing Windows-specific about that. I've definitely had a Windows primary domain controller and clients running on Windows talking to a Tomcat running on Linux, and allowing access to the group info in the Kerberos tokens.

> For another option, in Tomcat 7.x there is also a new SPNEGO authentication
> mechanism available, described here:
> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SPNEGO_Valve
>

SPNEGO is Simple Protocol for Negotiating Authentication (or something like that). It basically causes a Kerberos token to be added via an HTTP header called authentication. I don't know anything about the ISAPI connector, but if it could pass through the authentication header with the Kerberos token, then on the Tomcat side you can decode the Kerberos token and access the user's groups. So that should work, and should work at no cost - well, you'll need to spend some time configuring it and getting accounts set up, but it should be easy enough.

HTH
Chris
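What the Tomcat-side decoding of that header amounts to, as an added illustration that is neither code from this thread nor from Tomcat itself: accept the `Negotiate` token carried in the `Authorization` header with JGSS and recover the authenticated principal, which is the same job Tomcat 7's SpnegoAuthenticator valve performs. It assumes a JAAS entry named `com.sun.security.jgss.krb5.accept` (the valve's default `loginConfigName`) that points at the HTTP/host service keytab, and a JVM started with `java.security.krb5.conf` and `java.security.auth.login.config` set; the class and method names are hypothetical.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/** Server-side acceptance of an "Authorization: Negotiate <token>" header (hypothetical helper). */
public final class SpnegoHeaderAcceptor {

    // SPNEGO mechanism OID, the one browsers send and Tomcat's SpnegoAuthenticator accepts
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    // Assumed JAAS entry holding the HTTP/host service principal and its keytab
    private static final String JAAS_ENTRY = "com.sun.security.jgss.krb5.accept";

    /**
     * Returns the authenticated client principal (e.g. "alice@EXAMPLE.ORG"), or null when the
     * header is missing, is not a Negotiate token, or the context needs another round trip.
     */
    public static String authenticate(String authorizationHeader) throws Exception {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Negotiate ")) {
            return null; // caller answers 401 with "WWW-Authenticate: Negotiate"
        }
        final byte[] token = Base64.getDecoder()
                .decode(authorizationHeader.substring("Negotiate ".length()).trim());

        // Log in as the service (keytab from jaas.conf) so the acceptor can decrypt the ticket
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        try {
            return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
                GSSManager mgr = GSSManager.getInstance();
                GSSCredential serviceCred = mgr.createCredential(
                        null, GSSCredential.INDEFINITE_LIFETIME, new Oid(SPNEGO_OID),
                        GSSCredential.ACCEPT_ONLY);
                GSSContext ctx = mgr.createContext(serviceCred);
                try {
                    // Validates the embedded AP-REQ against the service key; the returned
                    // bytes (if any) would go back to the client in WWW-Authenticate
                    ctx.acceptSecContext(token, 0, token.length);
                    return ctx.isEstablished() ? ctx.getSrcName().toString() : null;
                } finally {
                    ctx.dispose();
                    serviceCred.dispose();
                }
            });
        } finally {
            lc.logout();
        }
    }
}
```

JGSS hands back only the principal name; in Tomcat the SpnegoAuthenticator passes that name to the configured Realm (for example the JNDIRealm querying Active Directory) to resolve roles, so group membership is obtained from the Realm lookup rather than from the ticket's PAC.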