Windows Integrated Authentication using AD and Tomcat (no prompt to the users)

 
Greenhorn
Posts: 1
Hi all,

I'm new to Tomcat and normally work in a Microsoft Windows world. I've stumbled into a problem using Tomcat as a web server that I'm sure there is a simple solution for, though I can't find it. I'm sure it works if I use an MS IIS server instead of a Tomcat server, at least. I hope some of you more experienced users of Tomcat can either point me in the right direction or perhaps come up with the conclusion :)
My problem is:
I have a running Active Directory which holds the users and groups. I have a Windows XP client, which is a member of the Active Directory domain. If a user logs into the client using his username and password and then opens Internet Explorer, I would like him to gain access to a web page hosted on the Tomcat server. The problem is that the Tomcat server shall validate the user's Active Directory credentials, and the credentials should be sent to Tomcat without user interaction. In other words, I want "Windows Integrated Authentication" from the MS world, so that Internet Explorer takes the user's credentials and sends them to the Tomcat server (Kerberos). So far I can only get this to work if Internet Explorer prompts the user for his credentials (Basic Authentication).
In other words, I want to achieve this:
• User logs onto the Windows XP computer using his username and password
• User opens Internet Explorer and writes the URL of the page hosted on the Tomcat server
• Internet Explorer sends the user's username and password automatically to Tomcat (Kerberos)
• Tomcat validates the user's credentials and accepts the request.

This is some form of Single Sign-On, and I know it works if I use IIS instead of Tomcat.
I've found several guides on the net, but none which tells me if this is possible or not. Hope some of you can point me in the right direction, but perhaps I have to use a third-party application to achieve this??

Thanks in advance,
Derlei
 
Bartender
Posts: 10336
Yes, Tomcat (or more correctly jCIFS) can support NTLM, which is the protocol Microsoft uses to do their Windows Integrated Authentication thing. Have a read of that link.
 
Saloon Keeper
Posts: 24207
Actually, I'm not sure if jCIFS is going to help here. It's designed to permit Java apps to be able to access Microsoft Windows Networking. There's also an Apache project whose name I forget that uses it as a plugin to provide a more or less "universal" file access mechanism (not just CIFS, but NFS, HTTP, FTP, M.O.U.S.E., and so forth).

Check this out: https://coderanch.com/t/87625/Tomcat/apache-tomcat-mod-auth-kerb#469714

There is at least one Tomcat security realm that supports SSO via Windows authentication, though I'm not up to date on the exact options.

CAUTION: Windows authentication is really only effective on your LAN. On the open Internet, it's not effective, both because of security concerns and because not all of us happen to be running Windows.

The Windows authentication realms don't have your userID and password, however. What they have is the Kerberos ticket that the Windows domain manager granted when you logged into the Windows network, which is preferable, since you don't really want the keys to your Windows life bouncing around in memory/disk all the time.
 
Greenhorn
Posts: 19
This project has an example for Tomcat...

http://spnego.sourceforge.net/spnego_tomcat.html
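The Negotiate exchange the replies describe, as an added example that is not code from this thread or from the spnego project: the server answers a request without credentials with HTTP 401 and `WWW-Authenticate: Negotiate`, then inspects the token the browser returns to tell the Kerberos/SPNEGO token the replies mention from an NTLM fallback, which a Kerberos-only Tomcat filter cannot validate and which typically means the browser could not obtain a Kerberos ticket for the server. Class and method names are my own, and the sample tokens are constructed, not captured from a real client.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

/** Inspects the token a browser sends in "Authorization: Negotiate <base64>" (hypothetical helper). */
public final class NegotiateTokenInspector {
    public enum TokenKind { NONE, NTLM, SPNEGO, KERBEROS, UNKNOWN }
    private static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    private static final byte[] SPNEGO_OID = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};          // 1.3.6.1.5.5.2
    private static final byte[] KRB5_OID = {0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02}; // 1.2.840.113554.1.2.2

    /** WWW-Authenticate value that, sent with HTTP 401, asks IE to start SPNEGO instead of prompting. */
    public static String challenge() { return "Negotiate"; }

    public static TokenKind classify(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Negotiate ", 0, 10)) {
            return TokenKind.NONE;                                  // no token yet: reply 401 + challenge()
        }
        byte[] token;
        try {
            token = Base64.getDecoder().decode(authorization.substring(10).trim());
        } catch (IllegalArgumentException e) {
            return TokenKind.UNKNOWN;
        }
        if (startsWith(token, 0, NTLMSSP)) return TokenKind.NTLM;   // browser fell back to NTLM, not Kerberos
        // GSS-API InitialContextToken (RFC 2743 s3.1): 0x60 <DER length> 0x06 <oidLen> <mech OID> ...
        if (token.length < 2 || (token[0] & 0xff) != 0x60) return TokenKind.UNKNOWN;
        int first = token[1] & 0xff;                                // DER length: short form, or 0x8n + n bytes
        int pos = 2 + ((first & 0x80) == 0 ? 0 : first & 0x7f);
        if (pos + 2 > token.length || token[pos] != 0x06) return TokenKind.UNKNOWN;
        int oidLen = token[pos + 1] & 0xff;
        if (oidLen == SPNEGO_OID.length && startsWith(token, pos + 2, SPNEGO_OID)) return TokenKind.SPNEGO;
        if (oidLen == KRB5_OID.length && startsWith(token, pos + 2, KRB5_OID)) return TokenKind.KERBEROS;
        return TokenKind.UNKNOWN;
    }

    private static boolean startsWith(byte[] b, int offset, byte[] prefix) {
        return b.length >= offset + prefix.length
                && Arrays.equals(Arrays.copyOfRange(b, offset, offset + prefix.length), prefix);
    }

    public static void main(String[] args) {
        // Constructed sample tokens: an NTLMSSP Type 1 header, and a minimal SPNEGO InitialContextToken.
        byte[] ntlmType1 = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0, 1, 0, 0, 0, 0x07, (byte) 0x82, 0x08, (byte) 0xa2};
        byte[] spnegoInit = {0x60, 0x0a, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02, (byte) 0xa0, 0x00};
        String prefix = "Negotiate ";
        System.out.println(classify(null) + " -> send 401 with WWW-Authenticate: " + challenge());
        System.out.println(classify(prefix + Base64.getEncoder().encodeToString(ntlmType1)));
        System.out.println(classify(prefix + Base64.getEncoder().encodeToString(spnegoInit)));
    }
}
```

Logging the NTLM case is the quickest way to see why "no prompt" SSO is silently not happening; the actual ticket validation is then left to the SPNEGO filter or realm the replies point to.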
