Re: Grabbing the user's info
Terence M. Bandoian wrote:
> On 1:59 PM, chris derham wrote:
>>> But for _transparent_ authentication IIS is required as Christopher mentioned.
>>
>> That is not true. You can use SPNEGO to set up transparent authentication directly to Tomcat. You do not need IIS. This means that a browser accesses a protected URL on the server, the server and browser discuss who the user is, and then the application is presented with that information. This discussion is transparent and involves no user interaction. This can be done by default in IE and I believe Chrome, but Firefox is more secure so needs to have this authentication explicitly enabled - by default it is turned off to stop hackers falsely requesting the details from a malicious server.
>>
>> HTH
>>
>> Chris
>
> You might also consider using Waffle: http://waffle.codeplex.com/ which does not require IIS and supports NTLM and Kerberos. I've used it as a valve with Tomcat and believe it is also available as a filter.
>
> Both Internet Explorer and Firefox have settings to enable or disable automatic login. A brief mention is made in the Tomcat docs: http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

You might also consider using Jespa (www.ioplex.com). Not free, but very reasonably priced and works perfectly.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Grabbing the user's info
I use OpenAM. It is free and the source is free. A Tomcat server does all of the authentication and authorization. But what is nice is that there is an Apache module so you can do all of the enforcement at your web server. Then all other Tomcat servers being proxied by that same web server can be sent custom headers for things like user name, user id, groups, etc.

On Nov 16, 2011 1:09 PM, chris derham ch...@derham.me.uk wrote:
>> But for _transparent_ authentication IIS is required as Christopher mentioned.
>
> That is not true. You can use SPNEGO to set up transparent authentication directly to Tomcat. You do not need IIS. This means that a browser accesses a protected URL on the server, the server and browser discuss who the user is, and then the application is presented with that information. This discussion is transparent and involves no user interaction. This can be done by default in IE and I believe Chrome, but Firefox is more secure so needs to have this authentication explicitly enabled - by default it is turned off to stop hackers falsely requesting the details from a malicious server.
>
> HTH
>
> Chris
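The proxy-and-headers arrangement described above has one check that matters on the Tomcat side: a backend must accept the user, user-id and group headers only when the request actually came from the enforcing web server, because any client that can reach a backend directly could otherwise supply those headers itself, and the proxy must overwrite any such headers a client sends through it. The following is an added example in Python, not OpenAM's code and not from the original post; the header names and the 10.0.0.0/24 proxy network are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Hypothetical header names; the real names depend on how the proxy agent is configured.
USER_HEADER = "x-remote-user"
USERID_HEADER = "x-remote-userid"
GROUPS_HEADER = "x-remote-groups"
IDENTITY_HEADERS = (USER_HEADER, USERID_HEADER, GROUPS_HEADER)

# Constructed: the network the enforcing web server (proxy) sits on.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


@dataclass(frozen=True)
class Identity:
    username: str
    user_id: str
    groups: Tuple[str, ...]


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalise before matching."""
    return {k.lower(): v for k, v in headers.items()}


def proxy_forward_headers(client_headers: Dict[str, str], identity: Identity) -> Dict[str, str]:
    """Proxy side: drop every identity header the client supplied, then set our own.

    Without the strip step a client could send its own groups header and have the
    proxy pass it through to the backend untouched.
    """
    out = {k: v for k, v in _lower_keys(client_headers).items() if k not in IDENTITY_HEADERS}
    out[USER_HEADER] = identity.username
    out[USERID_HEADER] = identity.user_id
    out[GROUPS_HEADER] = ",".join(identity.groups)
    return out


def is_trusted_proxy(peer_ip: str, trusted_networks: Iterable) -> bool:
    """True when the TCP peer address belongs to one of the trusted proxy networks."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in trusted_networks)


def backend_resolve_identity(headers: Dict[str, str], peer_ip: str,
                             trusted_networks: Iterable) -> Optional[Identity]:
    """Backend side: honour identity headers only when the peer is a trusted proxy.

    Returns None (treat as unauthenticated) for direct clients, even if they sent
    the headers, and for proxied requests that carry no user name.
    """
    if not is_trusted_proxy(peer_ip, trusted_networks):
        return None
    h = _lower_keys(headers)
    user = h.get(USER_HEADER, "").strip()
    if not user:
        return None
    groups = tuple(g.strip() for g in h.get(GROUPS_HEADER, "").split(",") if g.strip())
    return Identity(user, h.get(USERID_HEADER, "").strip(), groups)


if __name__ == "__main__":
    # Constructed request: the client tried to smuggle a groups header of its own.
    client = {"Accept": "*/*", "X-Remote-Groups": "admins"}
    forwarded = proxy_forward_headers(client, Identity("jdoe", "1001", ("staff",)))
    print("proxied:", backend_resolve_identity(forwarded, "10.0.0.5", TRUSTED_PROXIES))
    print("direct: ", backend_resolve_identity(forwarded, "203.0.113.9", TRUSTED_PROXIES))
```

In practice the peer check is enforced at the network layer too (backends listening only on an interface the proxy can reach, or mutual TLS between proxy and backend); the function above is the application-side belt to that braces.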
Re: Grabbing the user's info
Josh,

On 11/14/11 1:18 PM, Josh Gooding wrote:
> Question. I'm developing an application that resides on a network. I wondered if (and how) there was a way to use the user's network authentication as a valid authentication into this application?

As Ilya hints, you'll have to use NTLM to get this to work. IIRC, this requires that you use IIS with mod_jk to capture the authentication information and forward it over to Tomcat.

If you want to be able to use NTLM for authentication into your webapp, you'll need to use a specific type of realm to do that.

-chris
RE: Grabbing the user's info
Hello,

> As Ilya hints, you'll have to use NTLM to get this to work. IIRC, this requires that you use IIS with mod_jk to capture the authentication information and forward it over to Tomcat.
>
> If you want to be able to use NTLM for authentication into your webapp, you'll need to use a specific type of realm to do that.

IE and almost all modern browsers on Windows may send authentication info transparently. Old, non-IE browsers can't, and the user needs to use HTTP plain auth (401 Unauthorized) or form authentication. Only IIS is able to accept it transparently AFAIK; Tomcat natively accepts only form and HTTP-based auth.

So: if you want your user not to enter login and password (you just log into Windows and go to the web site) -- you need IIS and IE (or a modern version of another browser). In all other cases the user would need to enter her login and password in a browser window (for HTTP auth) or a special page (form auth). You may use the LDAP AD interface to check this info. That could be done without IIS. But for _transparent_ authentication IIS is required as Christopher mentioned.

Ilya.
Re: Grabbing the user's info
> But for _transparent_ authentication IIS is required as Christopher mentioned.

That is not true. You can use SPNEGO to set up transparent authentication directly to Tomcat. You do not need IIS. This means that a browser accesses a protected URL on the server, the server and browser discuss who the user is, and then the application is presented with that information. This discussion is transparent and involves no user interaction. This can be done by default in IE and I believe Chrome, but Firefox is more secure so needs to have this authentication explicitly enabled - by default it is turned off to stop hackers falsely requesting the details from a malicious server.

HTH

Chris
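To make "the server and browser discuss who the user is" concrete: the server answers the first request with 401 and `WWW-Authenticate: Negotiate`, and the browser retries with `Authorization: Negotiate <base64 token>`. That token is normally a SPNEGO NegTokenInit (GSS-API, RFC 4178) listing the mechanisms the client offers, Kerberos first with NTLM as a fallback, but some clients send a raw NTLM message under the same scheme. The added example below, in Python and not Tomcat's or any project's code, decodes the header far enough to tell the two apart. The check a practitioner wants from it: when single sign-on "works" but the first offered mechanism is NTLMSSP, the browser never obtained a Kerberos ticket for the server's SPN, and the deployment is quietly running on NTLM. The sample tokens are constructed inside the block.

```python
import base64
from typing import Dict, List, Tuple

# Well-known GSS-API mechanism OIDs.
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"   # every raw NTLM message starts with this


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)


def classify_negotiate(header_value: str) -> Dict[str, object]:
    """Classify an Authorization header: kind plus the mechanism OIDs offered (first = preferred)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return {"kind": "not-negotiate", "mechs": []}
    raw = base64.b64decode(b64.strip())
    if raw.startswith(NTLMSSP_SIGNATURE):
        return {"kind": "ntlm-raw", "mechs": [NTLMSSP_OID]}
    try:
        if raw[0] != 0x60:                             # InitialContextToken [APPLICATION 0]
            return {"kind": "unknown", "mechs": []}
        _, body, _ = _read_tlv(raw, 0)
        tag, oid_bytes, pos = _read_tlv(body, 0)       # thisMech OID
        if tag != 0x06:
            return {"kind": "unknown", "mechs": []}
        mech = _decode_oid(oid_bytes)
        if mech in (KRB5_OID, MS_KRB5_OID):
            return {"kind": "kerberos", "mechs": [mech]}
        if mech != SPNEGO_OID:
            return {"kind": "unknown", "mechs": [mech]}
        tag, neg, _ = _read_tlv(body, pos)
        if tag != 0xA0:                                # [1] NegTokenResp carries no mechTypes
            return {"kind": "spnego", "mechs": []}
        _, seq, _ = _read_tlv(neg, 0)                  # NegTokenInit SEQUENCE
        tag, mech_types, _ = _read_tlv(seq, 0)         # [0] mechTypes
        mechs: List[str] = []
        if tag == 0xA0:
            _, oid_list, _ = _read_tlv(mech_types, 0)  # SEQUENCE OF OID
            p = 0
            while p < len(oid_list):
                t, v, p = _read_tlv(oid_list, p)
                if t == 0x06:
                    mechs.append(_decode_oid(v))
        return {"kind": "spnego", "mechs": mechs}
    except IndexError:                                 # truncated or malformed token
        return {"kind": "unknown", "mechs": []}


def uses_ntlm(result: Dict[str, object]) -> bool:
    """True when the client will actually authenticate with NTLM rather than Kerberos."""
    mechs = result["mechs"]
    return result["kind"] == "ntlm-raw" or (
        result["kind"] == "spnego" and bool(mechs) and mechs[0] == NTLMSSP_OID)


# --- DER encoders, used only to construct the sample tokens below ---
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_neg_token_init(mech_oids, mech_token: bytes = b"\x00") -> bytes:
    """Minimal SPNEGO NegTokenInit: mechTypes list plus an opaque mechToken."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(_tlv(0x06, _encode_oid(o)) for o in mech_oids)))
    token = _tlv(0xA2, _tlv(0x04, mech_token))
    return _tlv(0x60, _tlv(0x06, _encode_oid(SPNEGO_OID)) + _tlv(0xA0, _tlv(0x30, mech_types + token)))


def _header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed samples: healthy Kerberos-first offer, NTLM-only offer, raw NTLM Type 1 message.
SAMPLE_KERBEROS_FIRST = _header(build_neg_token_init([KRB5_OID, NTLMSSP_OID]))
SAMPLE_NTLM_IN_SPNEGO = _header(build_neg_token_init([NTLMSSP_OID]))
SAMPLE_RAW_NTLM = _header(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 20)

if __name__ == "__main__":
    for name, hdr in [("kerberos-first", SAMPLE_KERBEROS_FIRST),
                      ("ntlm-in-spnego", SAMPLE_NTLM_IN_SPNEGO), ("raw-ntlm", SAMPLE_RAW_NTLM)]:
        r = classify_negotiate(hdr)
        print(f"{name:15} kind={r['kind']:12} ntlm_fallback={uses_ntlm(r)} mechs={r['mechs']}")
```

Run against an access log that records the Authorization scheme, or against a request dump, this tells you which clients are negotiating Kerberos and which have fallen back; a fleet-wide NTLM fallback usually points at a missing or duplicate SPN, a clock skew, or the site not being in the browser's intranet zone.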
Re: Grabbing the user's info
On 1:59 PM, chris derham wrote:
>> But for _transparent_ authentication IIS is required as Christopher mentioned.
>
> That is not true. You can use SPNEGO to set up transparent authentication directly to Tomcat. You do not need IIS. This means that a browser accesses a protected URL on the server, the server and browser discuss who the user is, and then the application is presented with that information. This discussion is transparent and involves no user interaction. This can be done by default in IE and I believe Chrome, but Firefox is more secure so needs to have this authentication explicitly enabled - by default it is turned off to stop hackers falsely requesting the details from a malicious server.
>
> HTH
>
> Chris

You might also consider using Waffle: http://waffle.codeplex.com/ which does not require IIS and supports NTLM and Kerberos. I've used it as a valve with Tomcat and believe it is also available as a filter.

Both Internet Explorer and Firefox have settings to enable or disable automatic login. A brief mention is made in the Tomcat docs: http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

-Terence Bandoian
RE: Grabbing the user's info
Hello,

What do you call network authentication? If you speak about Windows domain (Active Directory) authentication you can use JNDIRealm (http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm) because AD has an LDAP interface. Here are some examples: http://www.jspwiki.org/wiki/ActiveDirectoryIntegration

Ilya Kazakevich,
Developer
JetBrains Inc
http://www.jetbrains.com
Develop with pleasure!

-----Original Message-----
From: Josh Gooding [mailto:josh.good...@gmail.com]
Sent: Monday, November 14, 2011 10:19 PM
To: Tomcat Users List
Subject: Grabbing the user's info

> Hey guys,
>
> Question. I'm developing an application that resides on a network. I wondered if (and how) there was a way to use the user's network authentication as a valid authentication into this application?
>
> - Josh
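When a realm looks the user up in AD over LDAP, the name typed into the browser's login dialog ends up substituted into a search filter such as `(sAMAccountName={0})`. Whatever component performs that substitution has to escape the value per RFC 4515, otherwise characters like `*`, `(` and `)` change the meaning of the filter. The following is an added example in Python, not Tomcat's JNDIRealm code, showing the escaping rule and the filter construction; the `{0}` pattern syntax is borrowed from JNDIRealm's userSearch attribute and the sample user names are constructed.

```python
# RFC 4515 section 3: these characters must be encoded as a backslash and two hex digits.
_SPECIAL = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter.

    Control characters and non-ASCII text are optional to escape under the RFC;
    escaping every UTF-8 byte of them is always valid and avoids charset surprises.
    """
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_user_search(pattern: str, username: str) -> str:
    """Substitute {0} in a JNDIRealm-style userSearch pattern with the escaped user name."""
    return pattern.replace("{0}", escape_filter_value(username))


if __name__ == "__main__":
    # Constructed user names: a normal one, a DOMAIN\user form, and one containing filter metacharacters.
    for name in ("jdoe", "CORP\\jdoe", "a*b", "(x)"):
        print(build_user_search("(sAMAccountName={0})", name))
```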
RE: Grabbing the user's info
-----Original Message-----
From: Ilya Kazakevich [mailto:ilya.kazakev...@jetbrains.com]
Sent: Monday, November 14, 2011 1:27 PM
To: 'Tomcat Users List'
Subject: RE: Grabbing the user's info

> Hello,
>
> What do you call network authentication? If you speak about Windows domain (Active Directory) authentication you can use JNDIRealm (http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm) because AD has an LDAP interface. Here are some examples: http://www.jspwiki.org/wiki/ActiveDirectoryIntegration
>
> Ilya Kazakevich,
> Developer
> JetBrains Inc
> http://www.jetbrains.com
> Develop with pleasure!
>
> -----Original Message-----
> From: Josh Gooding [mailto:josh.good...@gmail.com]
> Sent: Monday, November 14, 2011 10:19 PM
> To: Tomcat Users List
> Subject: Grabbing the user's info
>
>> Hey guys,
>>
>> Question. I'm developing an application that resides on a network. I wondered if (and how) there was a way to use the user's network authentication as a valid authentication into this application?
>>
>> - Josh

To add to Ilya's reply:

If you are using Active Directory in your network to provide authentication and authorization then you can also use Kerberos, which allows Single Sign-On to properly authorized users and applications (i.e., the user only needs to log in once to a workstation to access network services including applications running in Web servers such as Tomcat; not to be confused with Tomcat's Single Sign-On feature, which I believe allows single authentication between different Web applications running on the same instance).

I am no expert in this subject, but I have tested Waffle [1] which provides a simple interface to the Kerberos protocol and it seems quite powerful. I have used Waffle with Tomcat as instructed in the tutorials and it worked as explained. Keep in mind that Waffle JARs need to reside in Tomcat's lib and not in your app's lib. As for Kerberos, you may want to check [2] which is a good reference in my opinion.

Note that I am not able to judge the quality of Waffle or the applicability of Kerberos to your project, I just thought that it may be of some interest.

/ricardo

[1] Windows Authentication Functional Framework: http://waffle.codeplex.com/
[2] Garman, Jason. Kerberos: The Definitive Guide. O'Reilly Media. August 26, 2003. ISBN: 978-0-596-00403-3