NTLMAuthenticator for Apache Tomcat 6.0.18 (Intranet within a Microsoft domain) (GOOD links to source files)
Hi again Tomcat Developpers!
(Message re-re-re-sent because attached files did not went through the MailList
management program and then Outlook resent an old version of my message): SORRY!
The patch file is accessible:
http://www.destin.be/tomcat/NtlmAuthentication.patch
The new authenticator class is accessible:
http://www.destin.be/tomcat/NtlmAuthenticator.java
I wanted to:
* centralize the parameterization of user authentication at the container level;
* have a simple NTLM authentication for intranet users;
* be able to run Tomcat in a Microsoft Active Directory network where the
server is secured (absolutely no login allowed to regular users)
There is a Microsoft specification (bug?) by which all LDAP binds are
evaluated on the Domain Server (like if the user was attempting to login on the
Domain Server).
It would be better to have binds evaluated as if they were originating from the
LDAP client machine (the Tomcat Server).
To circumvent this, I have been obliged to remove the binding (the password
checking) but to ensure that it is NTLM (and nothing else) which provides the
username.
The users are therefore automatically logged with the username used to log on
their PC.
The attached patch is for current Apache Tomcat sources (6.0.18).
It adds:
An NTLM Authenticator: nothing to configure except in the web.xml of each
application:
login-config
auth-methodNTLM/auth-method
realm-nameThisIsApassword/realm-name
/login-config
The realm-name is the password which ensures that authentication is done by
NTLM and no other method.
A very long password is strongly recommended.
A modified JNDI Realm with new parameters:
preAuthenticatedPassword=ThisIsApassword
This to suppress password checking if preAuthenticatedPassword is provided.
userIdentification=userPrincipalName provides a standardized username,
whatever the retrieved user name (case of complex userSearch patterns)
userNamePrefix and userNameSuffix
This to suppress a prefix and/or a suffix from username before returning it to
the application: good to suppress domain identification, etc.
When you user complex userSearch pattern, this can be very useful. Example:
userSearch=(|(sAMAccountName={0})([EMAIL PROTECTED])(userPrincipalName={0}))
userIdentification=userPrincipalName userNamePrefix=domain\
userNameSuffix=@domain.com
Hopes this can be useful to the community!
Please do not hesitate to ask me what I should do to make this contribution
perennial.
Wishing you a very nice weekend,
Christophe Dupriez
Centre Antipoisons - Antigifcentrum
C/o Hôpital Central de la Base Reine Astrid
Rue Bruyn - 1120 Bruxelles - Belgique
tel 32-(0)2.264.96.36 fax 32-(0)2.264.96.46
Re: NTLMAuthenticator for Apache Tomcat 6.0.18 (Intranet within a Microsoft domain) (GOOD links to source files)
Great.
Thanks for these.
I'd like to see it included in the next TC release
2008/11/14 Christophe Dupriez [EMAIL PROTECTED]:
Hi again Tomcat Developpers!
(Message re-re-re-sent because attached files did not went through the
MailList management program and then Outlook resent an old version of my
message): SORRY!
The patch file is accessible:
http://www.destin.be/tomcat/NtlmAuthentication.patch
The new authenticator class is accessible:
http://www.destin.be/tomcat/NtlmAuthenticator.java
I wanted to:
* centralize the parameterization of user authentication at the container
level;
* have a simple NTLM authentication for intranet users;
* be able to run Tomcat in a Microsoft Active Directory network where the
server is secured (absolutely no login allowed to regular users)
There is a Microsoft specification (bug?) by which all LDAP binds are
evaluated on the Domain Server (like if the user was attempting to login on
the Domain Server).
It would be better to have binds evaluated as if they were originating from
the LDAP client machine (the Tomcat Server).
To circumvent this, I have been obliged to remove the binding (the password
checking) but to ensure that it is NTLM (and nothing else) which provides the
username.
The users are therefore automatically logged with the username used to log on
their PC.
The attached patch is for current Apache Tomcat sources (6.0.18).
It adds:
An NTLM Authenticator: nothing to configure except in the web.xml of each
application:
login-config
auth-methodNTLM/auth-method
realm-nameThisIsApassword/realm-name
/login-config
The realm-name is the password which ensures that authentication is done by
NTLM and no other method.
A very long password is strongly recommended.
A modified JNDI Realm with new parameters:
preAuthenticatedPassword=ThisIsApassword
This to suppress password checking if preAuthenticatedPassword is provided.
userIdentification=userPrincipalName provides a standardized username,
whatever the retrieved user name (case of complex userSearch patterns)
userNamePrefix and userNameSuffix
This to suppress a prefix and/or a suffix from username before returning it
to the application: good to suppress domain identification, etc.
When you user complex userSearch pattern, this can be very useful. Example:
userSearch=(|(sAMAccountName={0})([EMAIL PROTECTED])(userPrincipalName={0}))
userIdentification=userPrincipalName userNamePrefix=domain\
userNameSuffix=@domain.com
Hopes this can be useful to the community!
Please do not hesitate to ask me what I should do to make this contribution
perennial.
Wishing you a very nice weekend,
Christophe Dupriez
Centre Antipoisons - Antigifcentrum
C/o Hôpital Central de la Base Reine Astrid
Rue Bruyn - 1120 Bruxelles - Belgique
tel 32-(0)2.264.96.36 fax 32-(0)2.264.96.46
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: NTLMAuthenticator for Apache Tomcat 6.0.18 (Intranet within a Microsoft domain)
Hi David!
Thank you for your questions.
FIRST AN APOLOGY TO THE READERS:
The proposed patch file misses the most important, a new java class
NTLMAuthenticator.java: I will make available in a corrected patch FRIDAY
(I am not back to my office before).
For my goals:
* centralize the parameterization of user authentication at the
container level;
The WCA (Web Container Authentication) main advantage is that all applications
may have a consistent, coherent security enforcement.
This comes from a central, common configuration in server.xml (Tomcat
Container) removing many chores from the application itself.
Authorizations based on this authentication is very well expressed in the
web.xml file of each application.
So I preferred to modify slightly Tomcat rather than modify each different
applications (each propose a different security schemas when they are not using
container based authentication).
Do you mean that you want intranet users to have their local MAD login
propagated automatically to the tomcat server with no explicit tomcat
login required?
YES !
If so the official way to support this is via
the JASPI spec (jsr 196) and (IIUC) a SPNEGO server authentication
module such as that at http://spnego.ocean.net.au/ (jboss might have
another one???)
I spent a few weeks trying the different alternatives. All complex and I did
not achieve a real success.
Even JCIFS NTLM filter was not working correctly in our network.
So the proposed patch is lot simpler (nearly no configuration) and it works
(for us).
Have a nice week,
Christophe
- Original Message -
From: David Jencks [mailto:[EMAIL PROTECTED]
To: Tomcat Developers List [mailto:[EMAIL PROTECTED]
Subject: Re: NTLMAuthenticator for Apache Tomcat 6.0.18 (Intranet within a
Microsoft domain)
I'm a little confused about your goals
On Nov 10, 2008, at 11:41 AM, Christophe Dupriez wrote:
Hi Tomcat Developpers!
I wanted to:
What do you mean by this and how is this expressed?
* have a simple NTLM authentication for intranet users;
* be able to run Tomcat in a Microsoft Active Directory network
where the server is secured (absolutely no login allowed to regular
users)
Do you mean that you want intranet users to have their local MAD login
propagated automatically to the tomcat server with no explicit tomcat
login required? If so the official way to support this is via
the JASPI spec (jsr 196) and (IIUC) a SPNEGO server authentication
module such as that at http://spnego.ocean.net.au/ (jboss might have
another one???)
At this point tomcat does not have a jaspi implementation although I
expect it to be a part of javaee 6, and I'm mostly interested in
trying to understand what you are trying to do rather than suggesting
an implementation strategy.
thanks
david jencks
There is a Microsoft “specification” (bug?) by which all LDAP binds
are evaluated on the Domain Server (like if the user was attempting
to login on the Domain Server).
It would be better to have binds evaluated as if they were
originating from the LDAP client machine (the Tomcat Server).
To circumvent this, I have been obliged to remove the binding (the
password checking) but to ensure that it is NTLM (and nothing else)
which provides the username.
The users are therefore automatically logged with the username used
to log on their PC.
The attached patch is for current Apache Tomcat sources (6.0.18).
It adds:
An NTLM Authenticator: nothing to configure except in the web.xml of
each application:
login-config
auth-methodNTLM/auth-method
realm-nameThisIsApassword/realm-name
/login-config
The realm-name is the “password” which ensures that authentication
is done by NTLM and no other method.
A very long password is strongly recommended.
A modified JNDI Realm with new parameters:
preAuthenticatedPassword=”ThisIsApassword”
This to suppress password checking if preAuthenticatedPassword is
provided.
userIdentification=”userPrincipalName” provides a standardized
username, whatever the retrieved user name (case of complex
userSearch patterns)
userNamePrefix and userNameSuffix
This to suppress a prefix and/or a suffix from username before
returning it to the application: good to suppress domain
identification, etc.
When you user complex userSearch pattern, this can be very useful.
Example:
userSearch=(|(sAMAccountName={0})([EMAIL PROTECTED])
(userPrincipalName={0}))
userIdentification=userPrincipalName userNamePrefix=”domain\”
[EMAIL PROTECTED]
”
Hopes this can be useful to the community!
Please do not hesitate to ask me if something can be done to make
this contribution perennial.
Wishing you a very nice day,
Christophe Dupriez
Centre Antipoisons - Antigifcentrum
C/o Hôpital Central de la Base Reine Astrid
Rue Bruyn - 1120
NTLMAuthenticator for Apache Tomcat 6.0.18 (Intranet within a Microsoft domain)
Hi!
I wanted to:
* centralize the parameterization of user authentication at the container level;
* have a simple NTLM authentication for intranet users;
* be able to run Tomcat in a Microsoft Active Directory network where the
server is secured (absolutely no login allowed to regular users)
There is a Microsoft specification (bug?) by which all LDAP binds are
evaluated on the Domain Server (like if the user was attempting to login on the
Domain Server).
It would be better to have binds evaluated as if they were originating from the
LDAP client machine (the Tomcat Server).
To circumvent this, I have been obliged to remove the binding (the password
checking) but to ensure that it is NTLM (and nothing else) which provides the
username.
The users are therefore automatically logged with the username used to log on
their PC.
The attached patch is for current Apache Tomcat sources (6.0.18).
It adds:
An NTLM Authenticator: nothing to configure except in the web.xml of each
application:
login-config
auth-methodNTLM/auth-method
realm-nameThisIsApassword/realm-name
/login-config
The realm-name is the password which ensures that authentication is done by
NTLM and no other method.
A very long password is strongly recommended.
A modified JNDI Realm with new parameters:
preAuthenticatedPassword=ThisIsApassword
This to suppress password checking if preAuthenticatedPassword is provided.
userIdentification=userPrincipalName provides a standardized username,
whatever the retrieved user name (case of complex userSearch patterns)
userNamePrefix and userNameSuffix
This to suppress a prefix and/or a suffix from username before returning it to
the application: good to suppress domain identification, etc.
When you user complex userSearch pattern, this can be very useful. Example:
userSearch=(|(sAMAccountName={0})([EMAIL PROTECTED])(userPrincipalName={0}))
userIdentification=userPrincipalName userNamePrefix=domain\
userNameSuffix=@domain.com
Hopes this can be useful to the community!
Please do not hesitate to ask me if something can be done to make this
contribution perennial.
Wishing you a very nice day,
Christophe Dupriez
Centre Antipoisons - Antigifcentrum
C/o Hôpital Central de la Base Reine Astrid
Rue Bruyn - 1120 Bruxelles - Belgique
tel 32-(0)2.264.96.36 fax 32-(0)2.264.96.46-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: NTLMAuthenticator for Apache Tomcat 6.0.18 (Intranet within a Microsoft domain)
I'm a little confused about your goals
On Nov 10, 2008, at 11:41 AM, Christophe Dupriez wrote:
Hi Tomcat Developpers!
I wanted to:
* centralize the parameterization of user authentication at the
container level;
What do you mean by this and how is this expressed?
* have a simple NTLM authentication for intranet users;
* be able to run Tomcat in a Microsoft Active Directory network
where the server is secured (absolutely no login allowed to regular
users)
Do you mean that you want intranet users to have their local MAD login
propagated automatically to the tomcat server with no explicit tomcat
login required? If so the official way to support this is via
the JASPI spec (jsr 196) and (IIUC) a SPNEGO server authentication
module such as that at http://spnego.ocean.net.au/ (jboss might have
another one???)
At this point tomcat does not have a jaspi implementation although I
expect it to be a part of javaee 6, and I'm mostly interested in
trying to understand what you are trying to do rather than suggesting
an implementation strategy.
thanks
david jencks
There is a Microsoft “specification” (bug?) by which all LDAP binds
are evaluated on the Domain Server (like if the user was attempting
to login on the Domain Server).
It would be better to have binds evaluated as if they were
originating from the LDAP client machine (the Tomcat Server).
To circumvent this, I have been obliged to remove the binding (the
password checking) but to ensure that it is NTLM (and nothing else)
which provides the username.
The users are therefore automatically logged with the username used
to log on their PC.
The attached patch is for current Apache Tomcat sources (6.0.18).
It adds:
An NTLM Authenticator: nothing to configure except in the web.xml of
each application:
login-config
auth-methodNTLM/auth-method
realm-nameThisIsApassword/realm-name
/login-config
The realm-name is the “password” which ensures that authentication
is done by NTLM and no other method.
A very long password is strongly recommended.
A modified JNDI Realm with new parameters:
preAuthenticatedPassword=”ThisIsApassword”
This to suppress password checking if preAuthenticatedPassword is
provided.
userIdentification=”userPrincipalName” provides a standardized
username, whatever the retrieved user name (case of complex
userSearch patterns)
userNamePrefix and userNameSuffix
This to suppress a prefix and/or a suffix from username before
returning it to the application: good to suppress domain
identification, etc.
When you user complex userSearch pattern, this can be very useful.
Example:
userSearch=(|(sAMAccountName={0})([EMAIL PROTECTED])
(userPrincipalName={0}))
userIdentification=userPrincipalName userNamePrefix=”domain\” [EMAIL PROTECTED]
”
Hopes this can be useful to the community!
Please do not hesitate to ask me if something can be done to make
this contribution perennial.
Wishing you a very nice day,
Christophe Dupriez
Centre Antipoisons - Antigifcentrum
C/o Hôpital Central de la Base Reine Astrid
Rue Bruyn - 1120 Bruxelles - Belgique
tel 32-(0)2.264.96.36 fax 32-(0)2.264.96.46
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
