Most companies of any significant size have lots of applications designed to support their employees across many departments. The bane of any system administrator in these environments is user access to these applications: provisioning a new employee, decommissioning an exiting employee, controlling access for contractors and, of course, the ubiquitous password resets for every employee who forgets which cat or kid they used to name their latest password.
For companies using Microsoft Windows, user authentication can be handled within the Windows domain. Each user is created with one username and password and assigned roles which designate access to various applications. Until now, in order to integrate Apache Tomcat based applications with Windows Authentication, administrators have needed to use a third-party library such as WAFFLE, or employ a reverse proxy such as IIS or httpd to perform the authentication step. Many of these libraries are heavyweight, and some solutions, such as IIS, only work on Windows hosts.
With Tomcat 7 there is now the option to use built-in support for Windows Authentication. Tomcat's Windows Authentication relies solely on Java 6 and therefore works when Tomcat is running on Linux or other non-Windows platforms. Users can also be on a range of platforms and still take advantage of Windows Authentication. Users on Windows platforms such as Windows XP, Vista or Windows 7 who are logged on to the Windows domain can use Windows Authentication to access applications on any platform without having to re-enter their password.
Once Windows native authentication is enabled, when a user who is logged on to the domain connects to the Tomcat server, rather than Tomcat prompting the user for a username and password, Tomcat sends a particular header to the browser. The browser recognizes this header as a request to try Windows Authentication. Since the user is already logged on to the domain, the browser can obtain the necessary credentials from the domain. The browser constructs a response and sends it back to the Tomcat server, which then authenticates it. Assuming the response is authenticated, the user is granted access according to whatever role they are assigned within the application. For users on non-Windows platforms and/or users who are not logged on to a Windows domain, the browser will prompt the user to provide their username and password.
Originally provided to the Apache Tomcat project as a patch from a user, the code was split up by the Tomcat committers to better align with how Tomcat performs authentication and authorization. In Tomcat, the user credentials are obtained via an Authenticator, and this is separate from how the user is authenticated and authorized. There are four types of authenticator in Tomcat: BASIC, DIGEST, FORM and CLIENT-CERT. Windows Authentication adds a fifth: SPNEGO. After the user credentials have been obtained, Tomcat then relies on the Realm to authenticate those credentials and to find the group information which dictates which parts of the application the user is permitted to use.
The Tomcat documentation has a very specific set of steps to enable this built-in Windows Authentication. It is very important to follow these steps closely, otherwise your configuration may not work. If things do go wrong you should get a useful error message, but since this code is relatively new there may still be some scenarios where the error messages are not very helpful.
Windows Authentication can be used with any of Tomcat's Realms. If you use it with the JNDI Realm, then by default the JNDI Realm will use the user's delegated credentials to connect to Active Directory. This can be disabled by setting the useDelegatedCredential attribute of the Realm to false.
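The following configuration fragments are an added example, not from the original post or the Tomcat project's own documentation, showing how the two halves described above fit together: the SPNEGO authenticator is selected in the web application's web.xml, and a JNDI Realm in server.xml (or context.xml) performs the authentication and group lookup against Active Directory. The host name dc1.example.internal, the OU paths, the role name report-viewers, the service account and the ldap.service.password property are all assumptions for illustration. The Realm is shown with useDelegatedCredential set to false, so it binds with its own service account rather than the user's delegated ticket; the default of true needs no connectionName or connectionPassword but does require delegation to be permitted for the Tomcat service account in the domain.

```xml
<!-- web.xml: the Authenticator obtains the credentials (SPNEGO = Windows Authentication) -->
<login-config>
  <auth-method>SPNEGO</auth-method>
  <realm-name>Windows Authentication</realm-name>
</login-config>

<!-- Only domain users in the report-viewers group may reach /reports/* -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Reporting</web-resource-name>
    <url-pattern>/reports/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>report-viewers</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>report-viewers</role-name>
</security-role>

<!-- server.xml or context.xml: the Realm authenticates the credentials and finds the groups.
     Assumed values: dc1.example.internal, the OU paths and the service account are placeholders;
     ldap.service.password is assumed to be set in catalina.properties rather than written here. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://dc1.example.internal:389"
       useDelegatedCredential="false"
       connectionName="svc-tomcat-ldap@EXAMPLE.INTERNAL"
       connectionPassword="${ldap.service.password}"
       userBase="OU=Users,DC=example,DC=internal"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="OU=Groups,DC=example,DC=internal"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true" />
```

Two things to check against the Tomcat documentation before relying on this: the user search filter must match the form of the user name the SPNEGO authenticator hands to the Realm (with or without the Kerberos realm suffix), and the JVM still needs its Kerberos configuration (the krb5 configuration file and JAAS login configuration that the documentation's setup steps describe) before the SPNEGO exchange can succeed at all. Keeping the service account's password out of server.xml, as the property reference above does, also keeps it out of any configuration copied into bug reports.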
Currently, this works with all the current Windows Server operating systems: Server 2003 and Server 2008. It may work with older versions such as Windows 2000, but this has not been tested. In terms of clients, it works with Windows XP, Vista and Windows 7. For browsers, it has been tested with Firefox and Internet Explorer.
Note: While support has been tested on the above platforms, and documentation exists, it is still new. Currently the documentation is extremely rigid, and further testing is needed to better understand where it is possible to deviate from the current configuration guidelines. If you do try out this capability and have additional insight to contribute to the documentation, bugs to report, etc., then please email the Tomcat developer list or, better still, open a Bugzilla issue. If you have a question about how to use this new feature, then you can use the "Ask the Experts" link above or e-mail the Tomcat users list.