PrincipalAuthenticator is an implementation of a Tomcat Authenticator
that allows transparent authorization to happen for corporate Windows users.
The JKConnector gives Tomcat the ability to sit behind an instance of
IIS and have requests passed to it for Java applications. If NTLM
(Integrated Windows Authentication) is enabled on IIS and
tomcatAuthentication="false" is set on the Tomcat side AJP connector, then IIS
will provide each request into Tomcat with a Principal containing the
user's DOMAIN\USERNAME, i.e. javax.security.Principal(HOME\ME). This is a
fully authenticated credential when used in a trusted domain.
This is useful for identifying users in Java applications without
forcing them to sign in. Unfortunately, this short-circuits the rest of
Tomcat's normal authentication sequence (where it asks the SecurityRealm
what the user's roles are, i.e. authorization).
The PrincipalAuthenticator uses the Principal supplied by IIS to make
Tomcat ask the SecurityRealm what roles the user should have. It closes
the JAAS loop. Once the server is configured with an appropriate source
of permissions (SecurityRealm or LoginModule) developers can use the
typical 'request.isUserInRole("role")' calls and declarative security to
perform checks on users' permissions.
All an application must do to use this is declare its login-config as
follows in the web.xml (on top of whatever binding is required to its
security config on the server):

    <login-config>
        <auth-method>PRINCIPAL</auth-method>
    </login-config>
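As an added example, not the PrincipalAuthenticator project's own code, here is a hypothetical Tomcat 8.5/9-style Authenticator that does what is described above: it takes the connector-supplied Principal and asks the Context's Realm for that user's roles. AuthenticatorBase, Request, GenericPrincipal and Realm.authenticate(String) are Tomcat's own API; the class name PrincipalRoleAuthenticator is made up for this example, and it assumes the AJP connector is reachable only from the trusted IIS host, since the forwarded username is accepted as-is.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;
import org.apache.catalina.realm.GenericPrincipal;

/**
 * Hypothetical authenticator modelled on the behaviour described above: take
 * the Principal the AJP connector attached to the request
 * (tomcatAuthentication="false") and ask the Context's Realm for its roles,
 * so request.isUserInRole() and security-constraints work as usual.
 * Trust assumption: only the IIS host can reach the AJP connector, because
 * the forwarded username is accepted here without any further proof.
 */
public class PrincipalRoleAuthenticator extends AuthenticatorBase {
    private static final String AUTH_TYPE = "PRINCIPAL";

    @Override
    protected boolean doAuthenticate(Request request, HttpServletResponse response)
            throws IOException {
        Principal current = request.getUserPrincipal();
        // Roles already attached by an earlier call (bundled Realms return GenericPrincipal).
        if (current instanceof GenericPrincipal) {
            return true;
        }
        // Nothing upstream identified the caller: refuse rather than fall through.
        if (current == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        String username = current.getName(); // e.g. "HOME\\ME" as sent by IIS
        // Lookup by name only: the Realm supplies the roles, not a password check.
        Principal withRoles = context.getRealm().authenticate(username);
        if (withRoles == null) {
            // Authenticated by IIS but unknown to the Realm: it holds no roles, so forbid.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        register(request, response, withRoles, AUTH_TYPE, username, null);
        return true;
    }

    @Override
    protected String getAuthMethod() {
        return AUTH_TYPE;
    }
}
```

Declare it as a <Valve> in the application's context.xml; Tomcat keeps an Authenticator that is already in the Context pipeline instead of looking the auth-method name up in authenticators.properties.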
The PrincipalAuthenticator is available as either ASF or LGPL licensed code
(your choice).
http://www.laj.ca/projects/PrincipalAuthenticator/
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org