TomcatExpert

Windows Authentication with Apache Tomcat

posted by mthomas on June 22, 2011 09:31 AM

Most companies of any significant size have lots of applications designed to support their employees across many departments. The bane of any system administrator in these environments is user access to these applications: provisioning a new employee, decommissioning an exiting employee, controlling access for contractors, and of course, the ubiquitous password resets for every employee who forgets which cat or kid they used to name their latest password.

For companies using Microsoft Windows, it is possible to do user authentication within the domain. Each user is created with one username and password, and assigned roles which designate access to various applications. Until now, in order to integrate Apache Tomcat based applications with Windows Authentication, administrators would need to use a third party library like WAFFLE, or employ a reverse proxy, such as IIS or httpd, to perform the authentication step. Many of these libraries are heavy-weight, and some solutions, such as IIS, are limited to only working on Windows hosts.

Built-in Tomcat Support for Windows Authentication

With Tomcat 7, there is now the option to use built-in support for Windows Authentication. Tomcat’s Windows Authentication relies solely on Java 6 and therefore works when Tomcat is running on Linux or other non-Windows platforms. Clients can also use a range of platforms and still take advantage of Windows Authentication. Users on Windows platforms, such as Windows XP, Vista or Windows 7, who are logged on to the Windows domain can use Windows Authentication to access applications on any platform without having to re-enter their password.

How It Works

Once Windows native authentication is enabled, when a user who is logged on to the domain connects to the Tomcat server, rather than prompting the user for a username and password, Tomcat sends a particular header to the browser. The browser recognizes this header as a request to try Windows Authentication. Since the user is already logged on to the domain, the browser can obtain the necessary information from the domain, construct a response and send it back to the Tomcat server, which then authenticates it. Assuming the response is authenticated, the user is granted access according to whatever role they are assigned within the application. For users on non-Windows platforms and/or users who are not logged on to a Windows domain, the browser will prompt the user for their user name and password.

Originally provided to the Apache Tomcat project as a patch from a user, the Tomcat committers have split things up to better align with how Tomcat performs authentication and authorization. In Tomcat, the user credentials are obtained via an Authenticator, and this is separate from how the user is authenticated and authorized. There are four types of authenticators in Tomcat: BASIC, DIGEST, FORM and CLIENT-CERT. Windows Authentication adds a fifth: SPNEGO. After the user credentials have been obtained, Tomcat then relies on the Realms to authenticate those credentials and find the group information which dictates what parts of the application the user is authorized to use.

Configuring Built-in Windows Authentication on Tomcat

The Tomcat documentation has a very specific set of steps to enable this built-in Windows Authentication. It is very important to follow these steps closely; otherwise your configuration may go wrong. If things do go wrong, you should get a useful error message, but since this code is relatively new there may still be some scenarios where the error messages are not very helpful.

Windows Authentication can be used with any of Tomcat's Realms. If you use it with the JNDI Realm, then by default the JNDI Realm will use the user's delegated credentials to connect to Active Directory. This can be disabled by setting the useDelegatedCredential attribute of the Realm to false.
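As an added illustration (not the article's or the Tomcat project's own configuration), here is the pair of fragments such a setup consists of: the web.xml login-config that selects the SPNEGO authenticator and limits a path to one Active Directory group, and a server.xml JNDIRealm with useDelegatedCredential set to false so the realm binds with its own service account rather than the user's forwarded credential. Host names, DNs, group names and the userSearch filter are placeholders to adapt; the Kerberos and JAAS setup from the Tomcat how-to is assumed to already be in place.

```xml
<!-- web.xml: SPNEGO replaces the BASIC/DIGEST/FORM prompt with the Negotiate challenge -->
<login-config>
  <auth-method>SPNEGO</auth-method>
  <realm-name>Example Realm</realm-name>
</login-config>

<!-- Only members of the AD group mapped to this role reach /admin/* -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Tomcat-Admins</role-name>   <!-- placeholder: an AD group cn -->
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>Tomcat-Admins</role-name>
</security-role>

<!-- server.xml, inside <Engine> or <Host>: verifies what SPNEGO produced and
     maps AD group membership (roleSearch on the user's DN) to role names.
     useDelegatedCredential="false" makes the realm bind as its own read-only
     service account instead of the user's forwarded Kerberos credential, so
     the Tomcat service account does not need to be trusted for delegation. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://dc1.example.local:389"
       connectionName="CN=tomcat-ldap,OU=Service Accounts,DC=example,DC=local"
       connectionPassword="PLACEHOLDER-set-from-a-secret-store"
       useDelegatedCredential="false"
       userBase="OU=Users,DC=example,DC=local"
       userSubtree="true"
       userSearch="(sAMAccountName={0})"
       roleBase="OU=Groups,DC=example,DC=local"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(member={0})"/>
<!-- userSearch assumes the name the authenticator hands the realm is the
     bare account name; if it is the full user@REALM principal, match on
     userPrincipalName instead. -->
```

Leaving useDelegatedCredential at its default of true drops the connectionName/connectionPassword pair but requires the browser and the Tomcat service account to be set up for credential delegation.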

Supported Platforms

Currently, this works with all the current Windows Server operating systems: Server 2003 and Server 2008. It may work with older versions such as Windows 2000, but this has not been tested. In terms of clients, it works with Windows XP, Vista and Windows 7. For browsers, it has been tested with Firefox and Internet Explorer.

Note: While support has been tested on the above platforms, and documentation exists, it is still new. Currently the documentation is extremely rigid, and further testing is needed to better understand where it is possible to deviate from the current configuration guidelines. If you do try out this capability and have additional insight to contribute to the documentation, bugs to report, etc., then please email the Tomcat developer list or, better still, open a Bugzilla issue. If you have a question about how to use this new feature then you can use the "Ask the Experts" link above or e-mail the Tomcat users list.

Mark Thomas is a Senior Software Engineer for the SpringSource Division of VMware, Inc. (NYSE: VMW). Mark has been using and developing Tomcat for over six years. He first got involved in the development of Tomcat when he needed better control over the SSL configuration than was available at the time. After fixing that first bug, he started working his way through the remaining Tomcat bugs and is still going. Along the way Mark has become a Tomcat committer and PMC member, volunteered to be the Tomcat 4 & 7 release manager, created the Tomcat security pages, become a member of the ASF and joined the Apache Security Committee. He also helps maintain the ASF's Bugzilla instances. Mark has a MEng in Electronic and Electrical Engineering from the University of Birmingham, United Kingdom.

Comments

Windows Authentication and AD LDAP role Authorization

Mark,

I have a need to authenticate a user and validate him/her against an AD group (i.e. role) and only allow access if authorized. Is it possible to use Windows Authentication with the JNDIRealm to accomplish this? If so, can you point me to any how-to documentation?

JNDI Realm

Mark is currently on holiday, but here is an answer from another Tomcat expert here at SpringSource/Pivotal:

There are configurable attributes of the JNDIRealm that check that a user is part of a role/group. See the "Assigning roles to the user" section of http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm.

Stacey Schneider is the managing editor for TomcatExpert.com.
