>Kerberos is a cross-platform standard, allowing for groups to be embedded in
>the token. Nothing Windows-specific about that. I've definitely had a Windows
>primary domain controller and clients running on Windows talking to a Tomcat
>running on Linux, and allowing access to the group info in the Kerberos
>tokens
>
>How did you configure this? Was Tomcat responsible for the Kerberos
>authentication against the Windows Active Directory?

Yes, Tomcat was responsible for talking to the primary domain controller - this
decoded the Kerberos token. Just google for SPNEGO and it is all explained.

>> For another option, in Tomcat 7.x there is also a new SPNEGO authentication
>> mechanism available, described here :
>> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SPNEGO_Valve
>>
>>
> SPNEGO is Simple Protocol for Negotiating Authentication (or something like
> that). It basically causes a Kerberos token to be added via an HTTP header
> called authentication. I don't know anything about the ISAPI connector,
> but if it could pass through the authentication header with the Kerberos
> token, then Tomcat side you can decode the Kerberos token and access the
> user's groups. So that should work, and should work at no cost - well, you'll
> need to spend some time configuring it and getting accounts set up, but it
> should be easy enough.
>
>
>Do you happen to have instructions for this?

The project was a good 10 years ago - the instructions I had have gone, sorry.
However, it wasn't that hard - I'm sure after 10 mins of googling you'd be
off and running.

> Context: Java web app with Spring Security (SS).

Well, in that case IMO it would be simpler to just use Spring and Kerberos.
There is nothing "wrong" with Tomcat Kerberos integration that I know of,
but if you go that route you will have to get that working, and then get
Spring to talk to Tomcat. If you just go with Spring, the second step is
avoided. This may help:

http://blog.springsource.com/2009/09/28/spring-security-kerberos/

HTH

Chris
