Tomcat 7 Windows authentication setup

 
Greenhorn
Posts: 3
Tomcat 7 Windows authentication
Hi, I have followed the guide at https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
After setting up "Tomcat instance (Windows server)", what is the next step (I configured the DC/Kerberos keytab)? They write in the user guide about the spnego authenticator, BUT they don't mention anywhere to set a spnego authentication valve.
What am I missing here?
Do I need to set a JNDI Realm in the context of the localhost Tomcat? In server.xml in the conf folder? Will the JNDI be used in order to perform the actual authentication with Active Directory?
That's all? Or should I add the spnego authenticator and filters (as mentioned on the spnego website)?
Do I need to add additional jars to the lib folder (the spnego jar)?
What is the Tomcat 7 implementation for Windows authentication (do they use spnego behind the scenes)?

My goal is to set up Tomcat 7 SSO using Kerberos. My domain controller and Tomcat with the webapp are sitting on different machines, but both on Windows Server 2012.
 
Bartender
Posts: 20725
Welcome to the JavaRanch, Ilan!

Probably the most applicable answer to most of your questions can be found here: http://spnego.sourceforge.net/tomcat_valve.html

The spnego service is hosted on sourceforge.net (link can be found in the Tomcat docs). That is where you download it from. The page that the Tomcat docs links to not only allows you to download, but itself links to the spnego docs, which is where the webpage I listed above can be found.

Tomcat is constructed from a bunch of building blocks (POJOs), which are wired together according to the rules supplied in the Tomcat conf/server.xml file. Since Windows Authentication is usually a single-signon thing, you'd add the Valve hooking in spnego at one of the higher levels (probably Host), and not in the context for a single webapp (conf/Catalina/localhost/xxxx.xml).

While Windows Authentication can be convenient, it does have its limitations. It cannot be used with the open Internet, since, for example, I have no credentials for your Windows LAN. You can also skip the Kerberos functionality added by spnego and use the JNDI Realm to authenticate apps directly against Active Directory, although that loses the Single Signon ability.

Finally, in a rare fit of security-mindedness, Microsoft turned the necessary IE security option OFF by default, so every desktop that wishes to use Windows Authentication for its webapps needs to have its copy of IE enable that feature.
 
ilan sch
Greenhorn
Posts: 3
Hi, thanks for the answer.
Tomcat 7 has built-in support for Windows integration; I understand that behind the scenes they use spnego authentication, but I don't see the spnego jar in the lib folder or anything else related to spnego.
I need SSO, so I don't have to use the JNDIRealm?
Do I need to use JAASRealm? Or no realm at all? Does Kerberos know automatically to identify itself with Active Directory?

My goal is that the end-user on a client machine will open Internet Explorer, browse to http://serverhost/ and see the webpage. The client credential should be in the "security context" on the Java server side.
On the server-side code I will getUserCredentials and confirm the user (this avoids the prompt/form).

 
Tim Holloway
Bartender
Posts: 20725
Tomcat itself is completely OS-neutral ("write once/run anywhere"). But it's flexible enough to allow OS-specific plugins, which is what spnego is. None of spnego is actually distributed as part of Tomcat itself.

Normally, JEE Authentication and Authorization would be handled by Realm modules (which are themselves plugins), but the magic of Windows Authentication is performed in part by metadata in the HTTP packets sent to Tomcat from the client. The Valve mechanism is useful for packet inspection, so spnego implements itself partly at least as a Valve. Although I believe that there may be a Realm module in the spnego installable to provide the requisite security interfaces.

Bear in mind that for several years now, about the only time I ever boot up Windows is to run TurboTax or run MS Flight Simulator, so I'm speaking mostly about what I've read rather than what I've done myself.

What you are asking for is the common behavior, so there are no special tricks. If you want to support people running non-Windows clients or clients from outside your LAN/VPN you may need to augment the spnego mechanism with additional Realms (there's a meta-Realm for that supplied with Tomcat).

Kerberos works by granting a ticket to the client when the client logs into Windows. When the appropriate security option is switched on on the client's machine, this ticket is sent as part of the HTTP webpage request, where the spnego Valve can pick up on it. Windows authentication (login to Windows) is actually a "kerberos" server plus an "LDAP" server (Active Directory), so spnego knows where to find things.

You do not need to (in fact you cannot) supply application code to confirm the user/run the login process. Login is automatically handled by the container itself (Tomcat) when using the JEE standard security system and is only initiated when the web.xml of the webapp in question indicates that the URL being requested requires an authorized user. The spnego component plugs into that mechanism, so anyone who's logged into Windows and has their IE security option switched on will never see a login screen/dialog.

Without actually reading the instructions, I'm figuring that there's probably 1 or more spnego jars that you'd drop into the TOMCAT_HOME/lib directory, mods to set up the Valve (and possibly other options) in conf/server.xml and I think maybe a spnego-specific conf configuration file (I may be remembering incorrectly on that one, though). Obviously you should read and follow the actual instructions for the current release of spnego, though.

Beyond that, the only other consideration is your URL. A "http://serverhost/app/something" style URL is only possible if you either run Tomcat on port 80 (which is a security risk) or you're fronting it with a regular HTTP reverse proxy server such as Apache or IIS. In which case, also check the documentation for the proxy and Kerberos. Or there is a wrapper that will expose port 80 without putting Tomcat at risk, available from the Tomcat downloads page.
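For the built-in path the original poster linked (Tomcat 7's own SPNEGO authenticator, selected by the web.xml login-config, plus a JNDIRealm that maps the verified Kerberos principal to an Active Directory user and its groups), here is a configuration added as an example; it is not code from this thread or from the Tomcat docs. Host names, DNs, the group name and the service-account password are placeholders, and it assumes the krb5.conf, keytab and JAAS login configuration from the howto are already in place.

```xml
<!-- conf/server.xml, inside <Engine> or <Host>: the realm does no password check
     (Kerberos already did that); it only looks the user up and resolves roles.
     Placeholders: DC host, DNs, service-account password. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://DC-HOSTNAME.example.local:389"
       connectionName="CN=svc-tomcat,CN=Users,DC=example,DC=local"
       connectionPassword="SERVICE-ACCOUNT-PASSWORD-PLACEHOLDER"
       userBase="CN=Users,DC=example,DC=local"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="CN=Users,DC=example,DC=local"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true"/>

<!-- WEB-INF/web.xml of the webapp: the security-constraint is what makes Tomcat
     start a login at all; auth-method SPNEGO makes that login a Kerberos
     negotiation instead of a form or basic-auth prompt. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- only members of this AD group (matched on cn via roleSearch) get in;
         a bare "*" would admit every authenticated domain user -->
    <role-name>Tomcat Users</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>SPNEGO</auth-method>
</login-config>
<security-role>
  <role-name>Tomcat Users</role-name>
</security-role>
```

Once this is in place, servlet code can read the authenticated user with `request.getRemoteUser()` or `request.getUserPrincipal()` and check membership with `request.isUserInRole(...)`; nothing in the application performs the login itself. Browsers only negotiate Kerberos for a URL whose host name matches the service principal in the keytab, so test with that name rather than an IP address.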