On 13/10/2011 07:41, Marcel Stör wrote:
> On 12.10.2011 22:47, André Warnier wrote:
>> Marcel Stör wrote:
>>> Scenario: use Integrated Windows Security (Kerberos/NTLM) for the site
>>> in IIS that delegates to Tomcat.
>>>
>>> Question: would the ISAPI connector be able to pass the Active
>>> Directory groups (i.e. user's membership info) along to Tomcat in the
>>> request?
>>
>> I am not the ultimate expert on this, but awaiting the ultimate expert's
>> confirmation, I would say :
>
> How would I be able to identify the mysterious "ultimate expert" should
> he appear here ;-)
Generally, a couple of different ways:
- An @apache.org e-mail address is usually a good sign
- A name that appears here http://tomcat.apache.org/whoweare.html

For this specific question, looking at the commit log for the IIS
specific part of the native code, you ideally want Rainer, Tim or Mladen
for the ultimate expert although there isn't anything I would fault in
André's original response.

>> - it does not do it right now

Correct.

>> - it would probably require serious coding changes to do it (notably
>> because in the AJP protocol, there is no attribute or packet type
>> foreseen to pass such information per se)

Agreed.

>> - and there are some conceptual issues linked to this, essentially
>> because the very notion of AD/NTLM "user groups" is something valid only
>> in an MS-centric context (and Tomcat has to work in other contexts).

Usually the mapping is group <==> role. Combine this with the role
mapping available in web.xml and you can usually handle most situations.

I can think of a couple of ways that this could be hacked together if
you wanted to keep IIS in the picture. One option is to get (somehow) IIS
to add the groups as an HTTP header and then use a filter on the Tomcat
side to wrap the request, insert the groups into the wrapper and then use
them in any call to isUserInRole(). The other is to use the built-in
support for passing the user name from IIS to Tomcat and then write a
filter that looks up the roles for that user from AD and then inserts
them in a similar way as the previous option.

Actually dropping IIS and doing the authentication and authorization
directly in Tomcat is probably easier.

>> (*)
>>
>>> Question 2: if yes, could I call request.isUserInRole(roleName) in the
>>> Tomcat app?
>>
>> If you mean to say that you would use the name of an NTLM group as
>> "roleName" above,
>> that's a different matter, and also with some conceptual difficulties.
>> The notions of "roles" in Tomcat, and the notion of "user groups" are
>> somewhat different.

See previous comment.

>> This being said, there is one (commercial but affordable) product which
>> allows you to do something of the kind. Have a look at Jespa
>> (www.ioplex.com).

There are a couple of open source alternatives as well. See
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Third_party_libraries

>> For another option, in Tomcat 7.x there is also a new SPNEGO
>> authentication mechanism available, described here :
>> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SPNEGO_Valve
>> I really do not know much about it, as I use the Jespa mentioned above.
>> Maybe someone else can opine if this Valve provides access to the user's
>> NTLM groups ?

The SPNEGO authenticator only handles authentication but combine it with
the JNDIRealm pointing to an AD instance and you'll get the roles as well.

>> (*) Also, but probably a very long shot : some recent discussion on this
>> list, prompted by someone having difficulties with large headers being
>> passed to Tomcat via AJP, seemed to indicate that the NTLM Authorization
>> headers which are sent by the (authenticated) browser to Tomcat (via
>> IIS), include the user's group membership in some form. This is probably
>> encrypted, but it may be possible to decrypt this at the Tomcat level.
>
> Ah good, this subject popped up in a different context just a few days
> ago (Windows sys admin having problems with users who are in hundreds of
> AD groups).
> Do you happen to have a pointer to that discussion?

I think this is what you want:
http://tomcat.markmail.org/thread/qbj376riu2rclt3n

Mark
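As an added example (not code from the thread, from Tomcat or from the ISAPI connector), here is the first of the two hacks Mark sketches: a servlet Filter that reads the AD groups IIS has placed in a request header, maps them to application roles, and answers isUserInRole() from a request wrapper. The header name, the init-param names, the package name and the group names in the sample mapping are all assumptions; it targets the javax.servlet API that Tomcat 7 ships.

```java
package example.adgroups; // hypothetical package

import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Maps AD groups delivered in a request header (assumed to be set by IIS,
 * e.g. "X-AD-Groups: DOMAIN\Finance, DOMAIN\Admins") to application roles
 * and exposes them through HttpServletRequest.isUserInRole().
 */
public class AdGroupRoleFilter implements Filter {

    private String headerName;                       // init-param "headerName" (assumption)
    private final Map<String, String> groupToRole =  // lower-cased AD group -> role
            new HashMap<String, String>();

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        headerName = cfg.getInitParameter("headerName");
        // init-param "mapping" (assumption), e.g.
        //   DOMAIN\Finance=finance,DOMAIN\Admins=admin
        String mapping = cfg.getInitParameter("mapping");
        if (headerName == null || mapping == null) {
            throw new ServletException("headerName and mapping init-params are required");
        }
        for (String pair : mapping.split(",")) {
            String[] kv = pair.split("=", 2);
            if (kv.length == 2) {
                groupToRole.put(kv[0].trim().toLowerCase(Locale.ROOT), kv[1].trim());
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Set<String> roles = Collections.emptySet();
        // Only honour the header once a principal is present on the request,
        // i.e. IIS authenticated the user and the AJP connector passed the
        // name through (tomcatAuthentication="false" on the connector).
        // A request that reached Tomcat without authentication gets no roles,
        // whatever headers it carries.
        if (http.getRemoteUser() != null) {
            roles = rolesFromHeader(http.getHeader(headerName));
        }
        chain.doFilter(new RoleRequest(http, roles), res);
    }

    /** Translates a comma-separated group list into roles; unmapped groups are ignored. */
    Set<String> rolesFromHeader(String header) {
        Set<String> roles = new HashSet<String>();
        if (header == null) {
            return roles;
        }
        for (String group : header.split(",")) {
            String role = groupToRole.get(group.trim().toLowerCase(Locale.ROOT));
            if (role != null) {
                roles.add(role);
            }
        }
        return roles;
    }

    @Override
    public void destroy() {
        groupToRole.clear();
    }

    /** Request wrapper whose isUserInRole() answers from the mapped role set. */
    private static final class RoleRequest extends HttpServletRequestWrapper {
        private final Set<String> roles;

        RoleRequest(HttpServletRequest request, Set<String> roles) {
            super(request);
            this.roles = roles;
        }

        @Override
        public boolean isUserInRole(String role) {
            return roles.contains(role);
        }
    }
}
```

Register it in web.xml with the two init-params and map it to the URLs that call isUserInRole(). Two caveats a practitioner would want: first, the wrapper only affects programmatic isUserInRole() checks; a <security-constraint> in web.xml is evaluated by the container's Realm before any filter runs, so it still sees no roles. Second, the header is only as trustworthy as the path it travelled. IIS must set (overwrite) it rather than forward whatever the browser sent, and Tomcat's HTTP connector should be removed or bound to loopback, otherwise anyone who can reach Tomcat directly and satisfy the authentication check can name their own groups.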