Re: Tomcat connector for IIS, are user groups passed along?

2011-10-13 Thread Marcel Stör
On 12.10.2011 22:47, André Warnier wrote: Marcel Stör wrote: Scenario: use Integrated Windows Security (Kerberos/NTLM) for the site in IIS that delegates to Tomcat. Question: would the ISAPI connector be able to pass the Active Directory groups (i.e. user's membership info) along to Tomcat in

Re: Tomcat connector for IIS, are user groups passed along?

2011-10-13 Thread Marcel Stör
On 13.10.2011 00:14, chris derham wrote: - it would probably require serious coding changes to do it (notably because in the AJP protocol, there is no attribute or packet type foreseen to pass such information per se) - and there are some conceptual issues linked to this, essentially because

Re: Tomcat connector for IIS, are user groups passed along?

2011-10-13 Thread Mark Thomas
On 13/10/2011 07:41, Marcel Stör wrote: On 12.10.2011 22:47, André Warnier wrote: Marcel Stör wrote: Scenario: use Integrated Windows Security (Kerberos/NTLM) for the site in IIS that delegates to Tomcat. Question: would the ISAPI connector be able to pass the Active Directory groups (i.e.

Re: Tomcat connector for IIS, are user groups passed along?

2011-10-13 Thread Marcel Stör
On 13.10.2011 10:38, Mark Thomas wrote: On 13/10/2011 07:41, Marcel Stör wrote: On 12.10.2011 22:47, André Warnier wrote: Marcel Stör wrote: Scenario: use Integrated Windows Security (Kerberos/NTLM) for the site in IIS that delegates to Tomcat. Question: would the ISAPI connector be able to

Re: Tomcat connector for IIS, are user groups passed along?

2011-10-13 Thread chris derham
Kerberos is a cross-platform standard, allowing for groups to be embedded in the token. Nothing Windows-specific about that. I've definitely had a Windows primary domain controller and clients running on Windows talking to a Tomcat running on Linux, and allowing access to the group info in the

Tomcat connector for IIS, are user groups passed along?

2011-10-12 Thread Marcel Stör
Scenario: use Integrated Windows Security (Kerberos/NTLM) for the site in IIS that delegates to Tomcat. Question: would the ISAPI connector be able to pass the Active Directory groups (i.e. user's membership info) along to Tomcat in the request? Question 2: if yes, could I call

Re: Tomcat connector for IIS, are user groups passed along?

2011-10-12 Thread André Warnier
Marcel Stör wrote: Scenario: use Integrated Windows Security (Kerberos/NTLM) for the site in IIS that delegates to Tomcat. Question: would the ISAPI connector be able to pass the Active Directory groups (i.e. user's membership info) along to Tomcat in the request? I am not the ultimate

Re: Tomcat connector for IIS, are user groups passed along?

2011-10-12 Thread chris derham
- it would probably require serious coding changes to do it (notably because in the AJP protocol, there is no attribute or packet type foreseen to pass such information per se) - and there are some conceptual issues linked to this, essentially because the very notion of AD/NTLM user groups