Matt Raible is a Web Developer and Java Champion.


Easy Windows Authentication with Tomcat 4.x

The original blog entry by Robert Rasmussen has disappeared from the Internet (cannot find server) so I'm reproducing it here via Google's caching feature. I've made a few changes to pretty up the formatting, but that's about it.


I've been pulled into a little internal project, and one of the requirements is that users should be able to authenticate with their Windows login and password. IIS may or may not be in the picture.

Since the server is a Windows 2000 machine, this turns out to be extremely simple to do thanks to Andy Armstrong's JAAS login modules.

Once you've downloaded the login modules, set your classpath accordingly and make sure that the directory holding NTSystem.dll is in your %PATH% variable. Next, in the "Sample config" folder you'll find a tagish.login file and a java.security.sample file. The last line in the .sample file is significant, and it needs to be in your $JAVA_HOME/jre/lib/security folder (in a file named java.security). You should copy the tagish.login file there as well. If your users will always be logging into the same domain (which is the case in my situation), just set the defaultDomain property in tagish.login, like this:

NTLogin
{
    com.tagish.auth.win32.NTSystemLogin required returnNames=true returnSIDs=false defaultDomain=YOUR_DOMAIN_HERE;
};

Now, all you need to do to use Windows authentication in your webapps is to make one addition to your server.xml file (or to your specific context's definition):

<Realm className="org.apache.catalina.realm.JAASRealm" debug="99"
       appName="NTLogin"
       userClassNames="com.tagish.auth.win32.NTPrincipal"
       roleClassNames="com.tagish.auth.win32.NTPrincipal" />

I'll admit this config is slightly hokey. If you look at the Catalina JAASCallbackHandler (which is hardwired to JAASRealm), the way that I have the realm configured above pretty much counts on the User principal (in effect, the user name) being the first principal returned. This is evil, but it works. It would be nice if either Catalina allowed a pluggable CallbackHandler so that I could take advantage of the NTPrincipal.getType() method or if Andy's code returned subclasses of NTPrincipal like UserPrincipal or GroupPrincipal that I could specify in server.xml.

Once you've got this all configured, the various groups your users belong to equate to role names (so if I belong to an administrators group, my authenticated user will be in role "administrators"), and you can configure security in your webapps using these roles.
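The group-to-role mapping described above, as an added example that is not part of the original post: a `WEB-INF/web.xml` fragment (Servlet 2.3, as used by Tomcat 4.x) that restricts part of a webapp to members of a Windows group. The `/admin/*` URL pattern, the `administrators` group name and the realm name are assumptions chosen for illustration.

```xml
<!-- Added example, not from the original post. -->
<!-- Assumed: /admin/* is the protected area and "administrators" is the
     Windows group name as the login module returns it. The role name is
     compared as a plain string, so it must match that name exactly. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Only users whose principals include this group name get in -->
    <role-name>administrators</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC and FORM logins send the Windows password to Tomcat as-is,
         so require HTTPS for the protected URLs -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Windows login</realm-name>
</login-config>

<!-- Declare every role referenced in an auth-constraint -->
<security-role>
  <role-name>administrators</role-name>
</security-role>
```

With `CONFIDENTIAL` set, Tomcat redirects plain-HTTP requests for the protected URLs to the connector's configured `redirectPort`, so an HTTPS connector must be defined in server.xml.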


Posted in Java at Feb 17 2003, 04:11:52 PM MST 19 Comments
Comments:

Thanks for posting this, Matt.

Posted by Robert Rasmussen on February 18, 2003 at 04:18 AM MST #

I have tried this module and used the form authentication in Tomcat. However, it seems it cannot log in successfully, as it always goes to the <form-error-page> page. Please help!!

Posted by Jimmy Wong on February 18, 2003 at 07:42 AM MST #

Make sure the path to NTSystem.dll is in your PATH environment variable and that tagishauth.jar is in your $CATALINA_HOME/common/lib. Currently, I believe this only works on a Windows machine. HTH, Matt

Posted by Matt on February 18, 2003 at 02:00 PM MST #

If I am running a JVM under an already authenticated NT user, does anyone know how I can easily get the NT domain that the user authenticated to ? Thanks !

Posted by Nicholas Whitehead on February 20, 2003 at 06:59 PM MST #

How can I get Subject in my web application with JAASRealm?

Posted by Roman Velichko on August 06, 2003 at 06:21 AM MDT #

The same way you always have - request.getRemoteUser()

Posted by Matt Raible on August 06, 2003 at 02:10 PM MDT #

This tutorial is out of date...Andy Armstrong updated tagish a few months back...it now has more useful types like NTUserPrincipal and NTGroupPrincipal and a few bug fixes. Also, depending on your requirements, the NTLM functionality added in JDK1.4.2 might help.

Posted by Robert Rasmussen on August 06, 2003 at 04:58 PM MDT #

request.getRemoteUser() does return a String not JAAS's Subject.

Posted by Tomasz Luczynski on March 09, 2004 at 10:23 AM MST #

[Trackback] This is the solution for my previous post. Samba NTLM Authentication: (Get it here.) This package configures exactly as described. I used the example servlet (NtlmHttpAuthExample) included with the package and set up the filter as in the docs. ...

Posted by Chris Maeda on July 18, 2004 at 04:24 PM MDT #

My blog has current info for setting up Tagish 1.03 with Tomcat5.

Posted by Chris Maeda on July 18, 2004 at 04:38 PM MDT #


Hi Matt, Are you still using the tagish library with Tomcat 5.x versions?? If yes, could you please point out the final installation directions. With the present blog instructions from Chris Maeda, they don't work at all. You can see the problems at http://www.cmaeda.com/index.php?p=22 Please advise. thanks aks

Posted by Vicky on April 01, 2005 at 05:45 PM MST #

I prefer not to put my config in $JAVA_HOME/jre/lib/security/java.security; instead, use this property when you start Tomcat: -Djava.security.auth.login.config=c:/path/to/your/tagish.login

Posted by Joe Scalise on August 08, 2005 at 08:41 PM MDT #

I want to implement SSO using LDAP with Tomcat 5. I am using JAASRealm for Windows authentication and downloaded the tagish login module. I have followed all the above steps. I am getting the following error on the Tomcat console:

Jul 31, 2006 10:58:17 AM org.apache.catalina.realm.JAASRealm authenticate
SEVERE: Unexpected error
java.lang.SecurityException: Configuration Error: Line 2: expected [option key], found [null]
    at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:97)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

Please help me to solve this. Thx - Swanand Joshi

Posted by Swanand Joshi on July 31, 2006 at 05:40 AM MDT #


Is this working in Windows XP? I am using Windows XP and for each set of user and password it allows me to log in. Does anyone have an idea?

Posted by 59.95.166.129 on May 08, 2007 at 10:07 AM MDT #
