Posted to users@tomcat.apache.org by Robert Biernat <Ro...@oopl.com.au> on 2003/05/12 10:26:46 UTC

IIS Integrated Windows Authentication and Jk2 - securing servlets

Hi,

Currently I have a webapp deployed to tomcat and have successfully configured
the jk2 isapi redirector along with iis. What I wish to do now is be able to
use role based security to limit the servlets different people can invoke.
I'm using IIS and integrated windows authentication. I want only members of
a certain NT domain group to be able to access certain servlets. I have done
this in the past when using tomcat's built in http connector and the JNDI
realm, along with specifying the security constraints in my applications
web.xml, however I'm not sure what I need to set up when using IIS and the
JK2 redirector as things are a little different with this configuration.

Looking at the native iis redirector code and the log I can see that the
redirector gets the roles or groups for the authenticated user. I would
expect these are passed along to tomcat. Is there a way to verify they're
being passed across to the tomcat instance?

Is it then a case of just adding security constraints to my web.xml?

Currently in my jk2.properties I have the following line:

request.tomcatAuthentication=false

This is needed because in my webapp I log each user using the
getRemoteUser() method.

Thanks

Rob