Posted to users@tomcat.apache.org by Marcel Stör <ma...@frightanic.com> on 2011/10/12 21:53:17 UTC

Tomcat connector for IIS, are user groups passed along?

Scenario: use Integrated Windows Security (Kerberos/NTLM) for the site 
in IIS that delegates to Tomcat.

Question: would the ISAPI connector be able to pass the Active Directory 
groups (i.e. user's membership info) along to Tomcat in the request?
Question 2: if yes, could I call request.isUserInRole(roleName) in the 
Tomcat app?

Cheers,
Marcel

-- 
Marcel Stör, http://www.frightanic.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat connector for IIS, are user groups passed along?

Posted by Marcel Stör <ma...@frightanic.com>.
On 13.10.2011 00:14, chris derham wrote:
>>
>> - it would probably require serious coding changes to do it (notably
>> because in the AJP protocol, there is no attribute or packet type foreseen
>> to pass such information per se)
>> - and there are some conceptual issues linked to this, essentially because
>> the very notion  of AD/NTLM "user groups" is something valid only in an
>> MS-centric context (and Tomcat has to work in other contexts).
>>
>>
> Kerberos is a cross-platform standard, allowing for groups to be embedded in
> the token. Nothing Windows specific about that. I've definitely had a Windows
> primary domain controller and clients running on Windows talking to a Tomcat
> running on Linux, and allowing access to the group info in the Kerberos
> tokens.

How did you configure this? Was Tomcat responsible for the Kerberos 
authentication against the Windows Active Directory?

>> For another option, in Tomcat 7.x there is also a new SPNEGO authentication
>> mechanism available, described here :
>> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SPNEGO_Valve
>>
>
> SPNEGO is Simple Protocol for Negotiating Authentication (or something like
> that). It basically causes a Kerberos token to be added via an HTTP header
> called authentication. I don't know anything about the ISAPI connector, but
> if it could pass through the authentication header with the Kerberos token,
> then on the Tomcat side you can decode the Kerberos token and access the user's
> groups. So that should work, and should work at no cost - well, you'll need
> to spend some time configuring it and getting accounts set up, but it should be
> easy enough.

Do you happen to have instructions for this?

Cheers,
Marcel

-- 
Marcel Stör, http://www.frightanic.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org



Re: Tomcat connector for IIS, are user groups passed along?

Posted by chris derham <ch...@derham.me.uk>.
>
> - it would probably require serious coding changes to do it (notably
> because in the AJP protocol, there is no attribute or packet type foreseen
> to pass such information per se)
> - and there are some conceptual issues linked to this, essentially because
> the very notion  of AD/NTLM "user groups" is something valid only in an
> MS-centric context (and Tomcat has to work in other contexts).
>
>
Kerberos is a cross-platform standard, allowing for groups to be embedded in
the token. Nothing Windows specific about that. I've definitely had a Windows
primary domain controller and clients running on Windows talking to a Tomcat
running on Linux, and allowing access to the group info in the Kerberos
tokens.


> For another option, in Tomcat 7.x there is also a new SPNEGO authentication
> mechanism available, described here :
> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SPNEGO_Valve
>

SPNEGO is Simple Protocol for Negotiating Authentication (or something like
that). It basically causes a Kerberos token to be added via an HTTP header
called authentication. I don't know anything about the ISAPI connector, but
if it could pass through the authentication header with the Kerberos token,
then on the Tomcat side you can decode the Kerberos token and access the user's
groups. So that should work, and should work at no cost - well, you'll need
to spend some time configuring it and getting accounts set up, but it should be
easy enough.

HTH

Chris

Re: Tomcat connector for IIS, are user groups passed along?

Posted by chris derham <ch...@derham.me.uk>.
>Kerberos is a cross-platform standard, allowing for groups to be embedded in
>the token. Nothing Windows specific about that. I've definitely had a Windows
>primary domain controller and clients running on Windows talking to a Tomcat
>running on Linux, and allowing access to the group info in the Kerberos
>tokens.
>
>How did you configure this? Was Tomcat responsible for the Kerberos
>authentication against the Windows Active Directory?

Yes, Tomcat was responsible for talking to the primary domain controller - this
decoded the Kerberos token. Just google for SPNEGO and it is all explained.

>> For another option, in Tomcat 7.x there is also a new SPNEGO authentication
>> mechanism available, described here :
>> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SPNEGO_Valve
>>
>>
> SPNEGO is Simple Protocol for Negotiating Authentication (or something like
> that). It basically causes a Kerberos token to be added via an HTTP header
> called authentication. I don't know anything about the ISAPI connector, but
> if it could pass through the authentication header with the Kerberos token,
> then on the Tomcat side you can decode the Kerberos token and access the user's
> groups. So that should work, and should work at no cost - well, you'll need
> to spend some time configuring it and getting accounts set up, but it should be
> easy enough.
>
>
>Do you happen to have instructions for this?

The project was a good 10 years ago - the instructions I had have gone, sorry.
However, it wasn't that hard - I'm sure after 10 mins of googling you'd be
off and running.

> Context: Java web app with Spring Security (SS).

Well, in that case IMO it would be simpler to just use Spring and Kerberos.
There is nothing "wrong" with Tomcat Kerberos integration that I know of,
but if you go that route you will have to get that working, and then get
Spring to talk to Tomcat. If you just go with Spring, the second step is
avoided. This may help:

http://blog.springsource.com/2009/09/28/spring-security-kerberos/

HTH

Chris

Re: Tomcat connector for IIS, are user groups passed along?

Posted by Marcel Stör <ma...@frightanic.com>.
On 13.10.2011 10:38, Mark Thomas wrote:
> On 13/10/2011 07:41, Marcel Stör wrote:
>> On 12.10.2011 22:47, André Warnier wrote:
>>> Marcel Stör wrote:
>>>> Scenario: use Integrated Windows Security (Kerberos/NTLM) for the site
>>>> in IIS that delegates to Tomcat.
>>>>
>>>> Question: would the ISAPI connector be able to pass the Active
>>>> Directory groups (i.e. user's membership info) along to Tomcat in the
>>>> request?
>>>
>>> I am not the ultimate expert on this, but awaiting the ultimate expert's
>>> confirmation, I would say :
>>
>> How would I be able to identify the mysterious "ultimate expert" should
>> he appear here ;-)
>
> Generally, a couple of different ways:
> - An @apache.org e-mail address is usually a good sign
> - A name that appears here http://tomcat.apache.org/whoweare.html
>
> For this specific question, looking at the commit log for the IIS
> specific part of the native code, you ideally want Rainer, Tim or Mladen
> for the ultimate expert although there isn't anything I would fault in
> André's original response.
>
>>> - it does not do it right now
> Correct.
>
>>> - it would probably require serious coding changes to do it (notably
>>> because in the AJP protocol, there is no attribute or packet type
>>> foreseen to pass such information per se)
> Agreed.
>
>>> - and there are some conceptual issues linked to this, essentially
>>> because the very notion of AD/NTLM "user groups" is something valid only
>>> in an MS-centric context (and Tomcat has to work in other contexts).
>
> Usually the mapping is group <==> role. Combine this with the role
> mapping available in web.xml and you can usually handle most situations.
>
>
> I can think of a couple of ways that this could be hacked together if
> you wanted to keep IIS in the picture. One option is to get (somehow)
> IIS to add the groups as an HTTP header and then use a filter on the
> Tomcat side to wrap the request, insert the groups into the wrapper and
> then use them in any call to isUserInRole().
>
> The other is to use the built-in support for passing the user name from
> IIS to Tomcat and then write a filter that looks up the roles for that
> user from AD and then inserts them in a similar way as the previous option.
>
> Actually dropping IIS and doing the authentication and authorization
> directly in Tomcat is probably easier.

Yeah, I'm considering this, too.

Actually I guess my problem is not that I have too few options but 
rather too many. Context: Java web app with Spring Security (SS).

a) use IIS for Windows Authentication
    a1) write filter to look up roles in AD
    a2) or use SS pre-authentication and look up roles in AD
b) drop IIS
    b1) do authentication and authorization in Tomcat (combined with SS)
    b2) or use SS Kerberos extension
    b3) or use Waffle

I've got no experience with either of these but my favorites are/were a2 
and b2.

>>> (*)
>>>
>>>> Question 2: if yes, could I call request.isUserInRole(roleName) in the
>>>> Tomcat app?
>>> If you mean to say that you would use the name of an NTLM group as
>>> "roleName" above,
>>> that's a different matter, and also with some conceptual difficulties.
>>> The notions of "roles" in Tomcat, and the notion of "user groups" are
>>> somewhat different.
>
> See previous comment.
>
>>> This being said, there is one (commercial but affordable) product which
>>> allows you to do something of the kind. Have a look at Jespa
>>> (www.ioplex.com).
>
> There are a couple of open source alternatives as well. See
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Third_party_libraries
>
>>> For another option, in Tomcat 7.x there is also a new SPNEGO
>>> authentication mechanism available, described here :
>>> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SPNEGO_Valve
>>> I really do not know much about it, as I use the Jespa mentioned above.
>>> Maybe someone else can opine if this Valve provides access to the user's
>>> NTLM groups ?
>
> The SPNEGO authenticator only handles authentication but combine it with
> the JNDIRealm pointing to an AD instance and you'll get the roles as well.
>
>>> (*) Also, but probably a very long shot : some recent discussion on this
>>> list, prompted by someone having difficulties with large headers being
>>> passed to Tomcat via AJP, seemed to indicate that the NTLM Authorization
>>> headers which are sent by the (authenticated) browser to Tomcat (via
>>> IIS), include the user's group membership in some form. This is probably
>>> encrypted, but it may be possible to decrypt this at the Tomcat level.
>>
>> Ah good, this subject popped up in a different context just a few days
>> ago (Windows sys admin having problems with users who are in hundreds of AD
>> groups).
>> Do you happen to have a pointer to that discussion?
>
> I think this is what you want:
> http://tomcat.markmail.org/thread/qbj376riu2rclt3n

Thanks for the link, very helpful

Cheers,
Marcel

-- 
Marcel Stör, http://www.frightanic.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
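Option a1 above, and the second of the approaches Mark describes in the quoted text (IIS forwards only the user name, Tomcat resolves the groups itself), need an AD lookup on the Tomcat side. The following is an added example, not code from this thread, from Tomcat or from Spring Security. It assumes the user name arrives as the remote user (on the AJP connector that means `tomcatAuthentication="false"` so the name IIS authenticated is used) in the usual `DOMAIN\user` form, and it takes the LDAP URL, a read-only bind account and the search base as placeholders the deployer supplies. The resulting group names would then be mapped to web.xml roles in the same group <==> role fashion Mark mentions.

```java
import java.util.Hashtable;
import java.util.Set;
import java.util.TreeSet;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;

/**
 * Added example: resolves an AD user's group names over LDAP via JNDI.
 * URL, bind DN/password and search base are deployment placeholders.
 */
public class AdGroupLookup {

    private final Hashtable<String, String> env = new Hashtable<String, String>();
    private final String searchBase;

    public AdGroupLookup(String ldapUrl, String bindDn, String bindPassword, String searchBase) {
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);            // e.g. ldaps://dc.example.test:636 (placeholder)
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);        // read-only service account (placeholder)
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        this.searchBase = searchBase;                       // e.g. DC=example,DC=test (placeholder)
    }

    /**
     * Returns the CNs of the groups in the user's memberOf attribute.
     * IIS typically forwards "DOMAIN\user"; the prefix is stripped before
     * searching on sAMAccountName.
     */
    public Set<String> groupsOf(String remoteUser) throws NamingException {
        String account = stripDomain(remoteUser);
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] { "memberOf" });

        DirContext ctx = new InitialDirContext(env);
        try {
            // {0} is substituted by JNDI with LDAP filter escaping, so a user
            // name containing '*', '(' or ')' cannot change the search filter.
            NamingEnumeration<SearchResult> results = ctx.search(searchBase,
                    "(&(objectClass=user)(sAMAccountName={0}))",
                    new Object[] { account }, controls);
            Set<String> groups = new TreeSet<String>();
            while (results.hasMore()) {
                Attribute memberOf = results.next().getAttributes().get("memberOf");
                if (memberOf == null) {
                    continue; // user with no direct group memberships listed
                }
                for (int i = 0; i < memberOf.size(); i++) {
                    groups.add(cnOf((String) memberOf.get(i)));
                }
            }
            return groups;
        } finally {
            ctx.close();
        }
    }

    /** "CORP\jdoe" -> "jdoe"; a bare account name is returned unchanged. */
    static String stripDomain(String remoteUser) {
        int sep = remoteUser.indexOf('\\');
        return sep < 0 ? remoteUser : remoteUser.substring(sep + 1);
    }

    /**
     * Leaf RDN value of a DN, e.g. "CN=Finance,OU=Groups,DC=example,DC=test"
     * -> "Finance". LdapName handles escaped commas that a naive split would not.
     */
    static String cnOf(String dn) throws NamingException {
        LdapName name = new LdapName(dn);
        // LdapName indexes from the root, so the leaf RDN is the last one
        return String.valueOf(name.getRdn(name.size() - 1).getValue());
    }
}
```

Two properties of `memberOf` matter when this feeds authorization decisions: it lists direct memberships only (nested groups are not expanded) and it omits the user's primary group. If transitive membership is required, the constructed `tokenGroups` attribute, which returns group SIDs rather than names, is the usual source, at the cost of a SID-to-name step.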



Re: Tomcat connector for IIS, are user groups passed along?

Posted by Mark Thomas <ma...@apache.org>.
On 13/10/2011 07:41, Marcel Stör wrote:
> On 12.10.2011 22:47, André Warnier wrote:
>> Marcel Stör wrote:
>>> Scenario: use Integrated Windows Security (Kerberos/NTLM) for the site
>>> in IIS that delegates to Tomcat.
>>>
>>> Question: would the ISAPI connector be able to pass the Active
>>> Directory groups (i.e. user's membership info) along to Tomcat in the
>>> request?
>>
>> I am not the ultimate expert on this, but awaiting the ultimate expert's
>> confirmation, I would say :
> 
> How would I be able to identify the mysterious "ultimate expert" should
> he appear here ;-)

Generally, a couple of different ways:
- An @apache.org e-mail address is usually a good sign
- A name that appears here http://tomcat.apache.org/whoweare.html

For this specific question, looking at the commit log for the IIS
specific part of the native code, you ideally want Rainer, Tim or Mladen
for the ultimate expert although there isn't anything I would fault in
André's original response.

>> - it does not do it right now
Correct.

>> - it would probably require serious coding changes to do it (notably
>> because in the AJP protocol, there is no attribute or packet type
>> foreseen to pass such information per se)
Agreed.

>> - and there are some conceptual issues linked to this, essentially
>> because the very notion of AD/NTLM "user groups" is something valid only
>> in an MS-centric context (and Tomcat has to work in other contexts).

Usually the mapping is group <==> role. Combine this with the role
mapping available in web.xml and you can usually handle most situations.


I can think of a couple of ways that this could be hacked together if
you wanted to keep IIS in the picture. One option is to get (somehow)
IIS to add the groups as an HTTP header and then use a filter on the
Tomcat side to wrap the request, insert the groups into the wrapper and
then use them in any call to isUserInRole().

The other is to use the built-in support for passing the user name from
IIS to Tomcat and then write a filter that looks up the roles for that
user from AD and then inserts them in a similar way as the previous option.

Actually dropping IIS and doing the authentication and authorization
directly in Tomcat is probably easier.

>> (*)
>>
>>> Question 2: if yes, could I call request.isUserInRole(roleName) in the
>>> Tomcat app?
>> If you mean to say that you would use the name of an NTLM group as
>> "roleName" above,
>> that's a different matter, and also with some conceptual difficulties.
>> The notions of "roles" in Tomcat, and the notion of "user groups" are
>> somewhat different.

See previous comment.

>> This being said, there is one (commercial but affordable) product which
>> allows you to do something of the kind. Have a look at Jespa
>> (www.ioplex.com).

There are a couple of open source alternatives as well. See
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Third_party_libraries

>> For another option, in Tomcat 7.x there is also a new SPNEGO
>> authentication mechanism available, described here :
>> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SPNEGO_Valve
>> I really do not know much about it, as I use the Jespa mentioned above.
>> Maybe someone else can opine if this Valve provides access to the user's
>> NTLM groups ?

The SPNEGO authenticator only handles authentication but combine it with
the JNDIRealm pointing to an AD instance and you'll get the roles as well.

>> (*) Also, but probably a very long shot : some recent discussion on this
>> list, prompted by someone having difficulties with large headers being
>> passed to Tomcat via AJP, seemed to indicate that the NTLM Authorization
>> headers which are sent by the (authenticated) browser to Tomcat (via
>> IIS), include the user's group membership in some form. This is probably
>> encrypted, but it may be possible to decrypt this at the Tomcat level.
> 
> Ah good, this subject popped up in a different context just a few days
> ago (Windows sys admin having problems with users who are in hundreds of AD
> groups).
> Do you happen to have a pointer to that discussion?

I think this is what you want:
http://tomcat.markmail.org/thread/qbj376riu2rclt3n

Mark
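Mark's first option, a Tomcat-side filter that wraps the request so that isUserInRole() answers from groups IIS placed in a header, as an added example (not code from this thread, from Tomcat or from the ISAPI redirector). The header name `X-AD-Groups`, the `;` separator and the `roleMapping` / `trustedLocalPort` init-params are assumptions of this example. Such a header is only as trustworthy as the path it arrives on, so the filter assumes IIS reaches Tomcat over the AJP connector (default port 8009) and grants no roles at all to a request that came in on any other connector; the deployment must still make sure no other connector exposes the webapp.

```java
import java.io.IOException;
import java.util.*;

import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Added example: maps AD groups from a header set by IIS to web-app roles and
 * wraps the request so isUserInRole() sees them. Header and init-param names
 * are assumptions, not anything IIS or Tomcat defines.
 */
public class GroupHeaderRoleFilter implements Filter {

    /** Hypothetical header written by IIS; group names separated by ';'. */
    static final String GROUP_HEADER = "X-AD-Groups";

    /** Lower-cased AD group name -> role name declared as security-role in web.xml. */
    private final Map<String, String> groupToRole = new HashMap<String, String>();

    /** Local port of the connector IIS talks to; other ports get no roles. */
    private int trustedLocalPort = 8009; // Tomcat's default AJP port (assumption)

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Hypothetical init-param, e.g. "CORP\Finance=finance, CORP\Web Admins=admin"
        String mapping = cfg.getInitParameter("roleMapping");
        if (mapping == null) {
            throw new ServletException("roleMapping init-param is required");
        }
        groupToRole.putAll(parseMapping(mapping));
        String port = cfg.getInitParameter("trustedLocalPort");
        if (port != null) {
            trustedLocalPort = Integer.parseInt(port.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Set<String> roles;
        // Fail closed: a request that reached Tomcat on any other connector
        // could carry an arbitrary header, so it receives no roles.
        if (http.getLocalPort() == trustedLocalPort) {
            roles = rolesFromHeader(http.getHeader(GROUP_HEADER), groupToRole);
        } else {
            roles = Collections.<String>emptySet();
        }
        chain.doFilter(new RoleRequest(http, roles), resp);
    }

    @Override
    public void destroy() {
    }

    /** Parses "group=role, group=role" into a lower-cased lookup table. */
    static Map<String, String> parseMapping(String mapping) {
        Map<String, String> result = new HashMap<String, String>();
        for (String pair : mapping.split(",")) {
            int eq = pair.indexOf('=');
            if (eq <= 0) {
                continue; // malformed entry: ignore rather than grant anything
            }
            String group = pair.substring(0, eq).trim().toLowerCase(Locale.ROOT);
            String role = pair.substring(eq + 1).trim();
            if (!group.isEmpty() && !role.isEmpty()) {
                result.put(group, role);
            }
        }
        return result;
    }

    /** Maps the header's group list to roles; groups without a mapping are ignored. */
    static Set<String> rolesFromHeader(String header, Map<String, String> groupToRole) {
        Set<String> roles = new HashSet<String>();
        if (header == null) {
            return roles;
        }
        for (String group : header.split(";")) {
            // AD group names are case-insensitive, so compare lower-cased
            String role = groupToRole.get(group.trim().toLowerCase(Locale.ROOT));
            if (role != null) {
                roles.add(role);
            }
        }
        return roles;
    }

    /** Request wrapper answering isUserInRole() from the mapped roles. */
    static class RoleRequest extends HttpServletRequestWrapper {
        private final Set<String> roles;

        RoleRequest(HttpServletRequest request, Set<String> roles) {
            super(request);
            this.roles = roles;
        }

        @Override
        public boolean isUserInRole(String role) {
            return roles.contains(role) || super.isUserInRole(role);
        }
    }
}
```

The filter is registered in web.xml with the two init-params; only the role names on the right-hand side of the mapping need to be declared as security-role entries. Because the groups travel in a plain header, the AJP connector should be the only way into the container (HTTP connector removed or bound to localhost, the AJP port firewalled to the IIS host, and the connector's `requiredSecret` set so only the redirector can open a connection).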



Re: Tomcat connector for IIS, are user groups passed along?

Posted by Marcel Stör <ma...@frightanic.com>.
On 12.10.2011 22:47, André Warnier wrote:
> Marcel Stör wrote:
>> Scenario: use Integrated Windows Security (Kerberos/NTLM) for the site
>> in IIS that delegates to Tomcat.
>>
>> Question: would the ISAPI connector be able to pass the Active
>> Directory groups (i.e. user's membership info) along to Tomcat in the
>> request?
>
> I am not the ultimate expert on this, but awaiting the ultimate expert's
> confirmation, I would say :

How would I be able to identify the mysterious "ultimate expert" should 
he appear here ;-)

> - it does not do it right now
> - it would probably require serious coding changes to do it (notably
> because in the AJP protocol, there is no attribute or packet type
> foreseen to pass such information per se)
> - and there are some conceptual issues linked to this, essentially
> because the very notion of AD/NTLM "user groups" is something valid only
> in an MS-centric context (and Tomcat has to work in other contexts).
>
> (*)
>
>> Question 2: if yes, could I call request.isUserInRole(roleName) in the
>> Tomcat app?
> If you mean to say that you would use the name of an NTLM group as
> "roleName" above,
> that's a different matter, and also with some conceptual difficulties.
> The notions of "roles" in Tomcat, and the notion of "user groups" are
> somewhat different.
>
> This being said, there is one (commercial but affordable) product which
> allows you to do something of the kind. Have a look at Jespa
> (www.ioplex.com). Download the product (free), and read the User's Guide
> that comes with it, particularly what it has to say about user groups
> and roles.
> This product works purely at the Tomcat level, as an authenticating
> servlet filter.
> So it does not use the authentication already made by IIS, it does it
> all at the Tomcat level. This may or may not suit your needs, but if
> your ultimate purpose is to have a Windows Domain kind of authentication
> and SSO, and allow/deny access to applications based on user Domain
> group membership, then it can do that.
>
> For another option, in Tomcat 7.x there is also a new SPNEGO
> authentication mechanism available, described here :
> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SPNEGO_Valve
> I really do not know much about it, as I use the Jespa mentioned above.
> Maybe someone else can opine if this Valve provides access to the user's
> NTLM groups ?
>
>
> (*) Also, but probably a very long shot : some recent discussion on this
> list, prompted by someone having difficulties with large headers being
> passed to Tomcat via AJP, seemed to indicate that the NTLM Authorization
> headers which are sent by the (authenticated) browser to Tomcat (via
> IIS), include the user's group membership in some form. This is probably
> encrypted, but it may be possible to decrypt this at the Tomcat level.

Ah good, this subject popped up in a different context just a few days 
ago (Windows sys admin having problems with users who are in hundreds of AD 
groups).
Do you happen to have a pointer to that discussion?

Cheers,
Marcel

-- 
Marcel Stör, http://www.frightanic.com
Couchsurfing: http://www.couchsurfing.com/people/marcelstoer
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org



Re: Tomcat connector for IIS, are user groups passed along?

Posted by André Warnier <aw...@ice-sa.com>.
Marcel Stör wrote:
> Scenario: use Integrated Windows Security (Kerberos/NTLM) for the site 
> in IIS that delegates to Tomcat.
> 
> Question: would the ISAPI connector be able to pass the Active Directory 
> groups (i.e. user's membership info) along to Tomcat in the request?

I am not the ultimate expert on this, but awaiting the ultimate expert's confirmation, I 
would say :
- it does not do it right now
- it would probably require serious coding changes to do it (notably because in the AJP 
protocol, there is no attribute or packet type foreseen to pass such information per se)
- and there are some conceptual issues linked to this, essentially because the very notion 
  of AD/NTLM "user groups" is something valid only in an MS-centric context (and Tomcat 
has to work in other contexts).

(*)

> Question 2: if yes, could I call request.isUserInRole(roleName) in the 
> Tomcat app?
If you mean to say that you would use the name of an NTLM group as "roleName" above,
that's a different matter, and also with some conceptual difficulties.  The notions of 
"roles" in Tomcat, and the notion of "user groups" are somewhat different.

This being said, there is one (commercial but affordable) product which allows you to do 
something of the kind.  Have a look at Jespa (www.ioplex.com).  Download the product 
(free), and read the User's Guide that comes with it, particularly what it has to say 
about user groups and roles.
This product works purely at the Tomcat level, as an authenticating servlet filter.
So it does not use the authentication already made by IIS, it does it all at the Tomcat 
level.  This may or may not suit your needs, but if your ultimate purpose is to have a 
Windows Domain kind of authentication and SSO, and allow/deny access to applications based 
on user Domain group membership, then it can do that.

For another option, in Tomcat 7.x there is also a new SPNEGO authentication mechanism 
available, described here : 
http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SPNEGO_Valve
I really do not know much about it, as I use the Jespa mentioned above.
Maybe someone else can opine if this Valve provides access to the user's NTLM groups ?


(*) Also, but probably a very long shot : some recent discussion on this list, prompted by 
someone having difficulties with large headers being passed to Tomcat via AJP, seemed to 
indicate that the NTLM Authorization headers which are sent by the (authenticated) browser 
to Tomcat (via IIS), include the user's group membership in some form.  This is probably 
encrypted, but it may be possible to decrypt this at the Tomcat level.
