posts - 23,comments - 12,trackbacks - 0

Easy Windows Authentication with Tomcat 4.x Category: Java

The original blog entry by Robert Rasmussen has disappeared from the Internet (cannot find server) so I'm reproducing it here via Google's caching feature. I've made a few changes to pretty up the formatting, but that's about it.


I've been pulled into a little internal project, and one of the requirements is that users should be able to authenticate with their Windows login and password. IIS may or may not be in the picture.

Since the server is a Windows 2000 machine, this turns out to be extremely simple to do thanks to Andy Armstrong's JAAS login modules.

Once you've downloaded the login modules, set your classpath accordingly and make sure that the directory holding NTSystem.dll is in your %PATH% variable. Next, in the "Sample config" folder you'll find a tagish.login file and a java.security.sample file. The last line in the .sample file is significant, and it needs to be in your $JAVA_HOME/jre/lib/security folder (in a file named java.security). You should copy the tagish.login file there as well. If your users will always be logging into the same domain (which is the case in my situation), just set the defaultDomain property in tagish.login, like this:

NTLogin
{
    com.tagish.auth.win32.NTSystemLogin required returnNames=true returnSIDs=false defaultDomain=YOUR_DOMAIN_HERE;
};

Now, all you need to do to use Windows authentication in your webapps is to make one addition to your server.xml file (or to your specific context's definition):

<Realm className="org.apache.catalina.realm.JAASRealm" debug="99"
       appName="NTLogin"
       userClassNames="com.tagish.auth.win32.NTPrincipal"
       roleClassNames="com.tagish.auth.win32.NTPrincipal" />

I'll admit this config is slightly hokey. If you look at the Catalina JAASCallbackHandler (which is hardwired to JAASRealm), the way that I have the realm configured above pretty much counts on the User principal (in effect, the user name) being the first principal returned. This is evil, but it works. It would be nice if either Catalina allowed a pluggable CallbackHandler so that I could take advantage of the NTPrincipal.getType() method or if Andy's code returned subclasses of NTPrincipal like UserPrincipal or GroupPrincipal that I could specify in server.xml.

Once you've got this all configured, the various groups your users belong to equate to role names (so if I belong to an administrators group, my authenticated user will be in role "administrators"), and you can configure security in your webapps using these roles.


二月 17, 2003 04:11 下午 MST Permalink

反向跟踪 URL: http://raibledesigns.com/trackback/rd/sunsets/easy_windows_authentication_with_tomcat
留言:

Thanks for posting this, Matt.

{0}发表于 Robert Rasmussen on 2003年02月17日, 09:18 下午 MST #

I have tired this module and used the form authenication in the tomcat. Howerver, it seems cannot login in successfully as it always go into the pages. Please help!!

{0}发表于 Jimmy Wong on 2003年02月18日, 12:42 上午 MST #

Make sure the path to NTSystem.dll is in your PATH environment variable and that tagishauth.jar is in your $CATALINA_HOME/common/lib. Currently, I believe this only works on a Windows machine. HTH, Matt

{0}发表于 Matt on 2003年02月18日, 07:00 上午 MST #

If I am running a JVM under an already authenticated NT user, does anyone know how I can easily get the NT domain that the user authenticated to ? Thanks !

{0}发表于 Nicholas Whitehead on 2003年02月20日, 11:59 上午 MST #

How can I get Subject in my web application with JAASRealm?

{0}发表于 Roman Velichko on 2003年08月06日, 12:21 上午 MDT #

The same way you always have - request.getRemoteUser()

{0}发表于 Matt Raible on 2003年08月06日, 08:10 上午 MDT #

This tutorial is out of date...Andy Armstrong updated tagish a few months back...it now has more useful types like NTUserPrincipal and NTGroupPrincipal and a few bug fixes. Also, depending on your requirements, the NTLM functionality added in JDK1.4.2 might help.

{0}发表于 Robert Rasmussen on 2003年08月06日, 10:58 上午 MDT #

request.getRemoteUser() does return a String not JAAS's Subject.

{0}发表于 Tomasz Luczynski on 2004年03月09日, 03:23 上午 MST #

[Trackback] This is the solution for my previous post. Samba NTLM Authentication: (Get it here.) This package configures exactly as described. I used the example servlet (NtlmHttpAuthExample) included with the package and set up the filter as in the docs. ...

{0}发表于 Chris Maeda on 2004年07月18日, 10:24 上午 MDT
站点: http://www.cmaeda.com/index.php?p=22 #

My blog has current info for setting up Tagish 1.03 with Tomcat5.

{0}发表于 Chris Maeda on 2004年07月18日, 10:38 上午 MDT
站点: http://cmaeda.com/index.php?p=22 #

{0}发表于 69.193.88.30 on 2004年11月09日, 03:12 上午 MST
站点: http://www.jenniferconnor.com/ #

{0}发表于 69.193.88.30 on 2004年11月14日, 01:53 上午 MST
站点: http://www.36busty.com/00005602.shtml #

{0}发表于 69.42.81.244 on 2005年01月01日, 02:32 上午 MST
站点: http://www.johnhuron.com/ #

Hi Matt, Are you still using tagish library with Tomcat 5.x versions?? If yes, could you please point out the final installing directions. With the present blog instructions from Chris Maeda, they doesn't work at all. You can see the problems at http://www.cmaeda.com/index.php?p=22 Please advice. thanks aks

{0}发表于 Vicky on 2005年04月01日, 10:45 上午 MST #

I prefer not to put my config in $JAVA_HOME/jre/lib/security/java.security instead, use this property when you start tomcat: -Djava.security.auth.login.config=c:/path/to/your/tagish.login

{0}发表于 Joe Scalise on 2005年08月08日, 02:41 下午 MDT
站点: http://www.einvite.com #

posted on 2005-08-18 11:07 my java 阅读(613) 评论(0)  编辑  收藏 所属分类: java身份认证转帖

只有注册用户登录后才能发表评论。


网站导航: