On 13.10.2011 00:14, chris derham wrote:

- it would probably require serious coding changes to do it (notably
because in the AJP protocol, there is no attribute or packet type foreseen
to pass such information per se)
- and there are some conceptual issues linked to this, essentially because
the very notion of AD/NTLM "user groups" is something valid only in an
MS-centric context (and Tomcat has to work in other contexts).


Kerberos is a cross-platform standard, allowing for groups to be embedded in
the token. Nothing Windows specific about that. I've definitely had a Windows
primary domain controller and clients running on Windows talking to a Tomcat
running on Linux, and allowing access to the group info in the Kerberos
tokens.

How did you configure this? Was Tomcat responsible for the Kerberos authentication against the Windows Active Directory?

For another option, in Tomcat 7.x there is also a new SPNEGO authentication
mechanism available, described here :
http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SPNEGO_Valve


SPNEGO is Simple Protocol for Negotiating Authentication (or something like
that). It basically causes a Kerberos token to be added via an HTTP header
called authentication. I don't know anything about the ISAPI connector, but
if it could pass through the authentication header with the Kerberos token,
then on the Tomcat side you can decode the Kerberos token and access the user's
groups. So that should work, and should work at no cost - well, you'll need
to spend some time configuring it and getting accounts set up, but it should be
easy enough.

Do you happen to have instructions for this?

Cheers,
Marcel

--
Marcel Stör, http://www.frightanic.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
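The header chris describes is the request's `Authorization: Negotiate <base64 token>` line. What the ISAPI connector would have to pass through, and what Tomcat's SPNEGO authenticator receives, is a GSS-API token whose outer envelope is SPNEGO (RFC 4178); the Kerberos AP-REQ that actually carries the AD group information (the PAC inside the service ticket) sits inside it. The following is an added example, not code from the Tomcat project or from anyone on this thread: it builds a few constructed `Negotiate` headers, parses the SPNEGO/GSS envelope, and checks the one thing worth checking before expecting groups on the Tomcat side, namely that the client really used Kerberos and not an NTLM fallback (an NTLM token contains no group data). The AP-REQ payload is a placeholder; decrypting it, and decoding the PAC, needs the service's keytab and is not shown.

```python
"""Parse the SPNEGO / Kerberos token in an HTTP 'Authorization: Negotiate' header.

Added example (not Tomcat code). Sample tokens are constructed here; the inner
Kerberos AP-REQ is a placeholder and is not decrypted.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"            # RFC 4178 SPNEGO
KRB5_OID = "1.2.840.113554.1.2.2"       # RFC 4121 Kerberos V5
MS_KRB5_OID = "1.2.840.48018.1.2.2"     # Microsoft's legacy Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"  # NTLMSSP
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"      # first 8 bytes of every raw NTLM message


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                       # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    arcs = [2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _parse_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _parse_seq(buf):
    items, pos = [], 0
    while pos < len(buf):
        tag, body, pos = _parse_tlv(buf, pos)
        items.append((tag, body))
    return items


def build_neg_token_init(mech_oids, mech_token):
    """GSS InitialContextToken [APPLICATION 0] { SPNEGO OID, [0] NegTokenInit }."""
    mech_list = _der(0x30, b"".join(_der(0x06, encode_oid(o)) for o in mech_oids))
    neg_init = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _der(0x06, encode_oid(SPNEGO_OID)) + _der(0xA0, neg_init))


def build_raw_krb5_token(ap_req):
    """Bare KRB5 GSS token: OID, TOK_ID 01 00 (KRB_AP_REQ), then the AP-REQ."""
    return _der(0x60, _der(0x06, encode_oid(KRB5_OID)) + b"\x01\x00" + ap_req)


def parse_negotiate_header(header_value):
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header: " + scheme)
    raw = base64.b64decode(b64)
    info = {"kind": None, "mech_types": [], "mech_token": b""}
    if raw.startswith(NTLMSSP_SIGNATURE):      # bare NTLM sent under 'Negotiate'
        info.update(kind="ntlm-raw", mech_types=[NTLMSSP_OID], mech_token=raw)
        return info
    tag, body, _ = _parse_tlv(raw)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    oid_tag, oid_body, pos = _parse_tlv(body)
    if oid_tag != 0x06:
        raise ValueError("missing thisMech OID")
    this_mech = decode_oid(oid_body)
    if this_mech in (KRB5_OID, MS_KRB5_OID):   # Kerberos without SPNEGO wrapping
        info.update(kind="kerberos-raw", mech_types=[this_mech], mech_token=body[pos + 2:])
        return info
    if this_mech != SPNEGO_OID:
        raise ValueError("unexpected mechanism " + this_mech)
    choice_tag, choice_body, _ = _parse_tlv(body, pos)
    if choice_tag != 0xA0:                     # [0] negTokenInit; [1] is negTokenResp
        raise ValueError("expected negTokenInit on the first request")
    _, seq_body, _ = _parse_tlv(choice_body)
    for tag, field in _parse_seq(seq_body):
        if tag == 0xA0:                        # mechTypes [0] SEQUENCE OF OID
            _, list_body, _ = _parse_tlv(field)
            info["mech_types"] = [decode_oid(b) for t, b in _parse_seq(list_body) if t == 0x06]
        elif tag == 0xA2:                      # mechToken [2] OCTET STRING
            _, info["mech_token"], _ = _parse_tlv(field)
    info["kind"] = "spnego"
    return info


def carries_kerberos_ticket(info):
    """True only if the preferred mechanism is Kerberos and the inner token is not NTLM;
    only then can the Tomcat side expect AD groups (the PAC) after decrypting the AP-REQ."""
    if not info["mech_types"]:
        return False
    preferred = info["mech_types"][0]
    return preferred in (KRB5_OID, MS_KRB5_OID) and not info["mech_token"].startswith(NTLMSSP_SIGNATURE)


FAKE_AP_REQ = b"\x6e\x05\x30\x03\x02\x01\x05"   # constructed placeholder, not a real AP-REQ
_header = lambda tok: "Negotiate " + base64.b64encode(tok).decode("ascii")
SAMPLE_HEADERS = {                               # constructed inputs for the demonstration
    "kerberos_via_spnego": _header(build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID],
                                                        build_raw_krb5_token(FAKE_AP_REQ))),
    "ntlm_via_spnego": _header(build_neg_token_init([NTLMSSP_OID], NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00")),
    "ntlm_raw": _header(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00"),
    "kerberos_raw": _header(build_raw_krb5_token(FAKE_AP_REQ)),
}

if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        info = parse_negotiate_header(hdr)
        print(name, info["kind"], info["mech_types"], "kerberos:", carries_kerberos_ticket(info))
```

In a real deployment the Tomcat 7 SPNEGO authenticator performs the GSS handshake itself against the service's keytab; the check above only tells you, before that handshake, whether the forwarded header can possibly contain a ticket with group data or whether the client silently fell back to NTLM (typically because the SPN for the Tomcat host is missing or the client does not trust the site for integrated authentication).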
