Configuring Tomcat to authenticate using Windows Active Directory

Question

What is the best way to configure Tomcat 5.5 or later to authenticate users from Windows Active Directory?

Answer 1

from www.jspwiki.org

See : ActiveDirectoryIntegration

Try this in the server.xml with your ldap-settings :

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"

           connectionURL="ldap://youradsserver:389"
           alternateURL="ldap://youradsserver:389"         
           userRoleName="member"
           userBase="cn=Users,dc=yourdomain"
           userPattern="cn={0},cn=Users,dc=yourdomain"
           roleBase="cn=Users,dc=yourdomain"
           roleName="cn"
           roleSearch="(member={0})"
           roleSubtree="false"
           userSubtree="true" 
   />

and define the role in the tomcat-users.xml and the web.xml of your application

edit webapp_root/WEB_INF/Web.xml file as follows:

<security-constraint>
   <display-name>your web app display name</display-name>
   <web-resource-collection>
     <web-resource-name>Protected Area</web-resource-name>
     <url-pattern>*.jsp</url-pattern>
     <url-pattern>*.html</url-pattern>
     <url-pattern>*.xml</url-pattern>
   </web-resource-collection>
   <auth-constraint>
     <role-name>yourrolname(ADS Group)</role-name>
   </auth-constraint>
 </security-constraint>
 <login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
     <form-login-page>/login.jsp</form-login-page>
     <form-error-page>/error.jsp</form-error-page>
   </form-login-config>
 </login-config>
 <security-role>
   <description>your role description</description>
   <role-name>yourrolename(i.e ADS group)</role-name>
 </security-role>

Answer 2

The LDAP based authentication works without any additional steps on any operating system.

http://spnego.sf.net can be used for silent authentication of users logged into the Windows Domain. This needs an domain account that is registered in the domain to be authoritative for the provided service. It works on both Windows and Linux.

Answer 3

Blauhr's answer is good, but the CN of a user in AD is based on their "Display Name", not their saMAccountName (which user's are used to logging in with). Based on his solution, it looks like someone would have to log in with their Display Name, based on the userPattern.

I've personally used the following:

      <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
        connectionURL="ldap://DOMAIN_CONTROLLER:389"
        connectionName="USERID@DOMAIN.com"
        connectionPassword="USER_PASSWORD"
        referrals="follow"
        userBase="OU=USER_GROUP,DC=DOMAIN,DC=com"
        userSearch="(sAMAccountName={0})"
        userSubtree="true"
        roleBase="OU=GROUPS_GROUP,DC=DOMAIN,DC=com"
        roleName="name"
        roleSubtree="true"
        roleSearch="(member={0})"
  />

Everything else would pretty much work the same.

Answer 4

"Welcome to the SPNEGO SourceForge project Integrated Windows Authentication in Java

The intent of this project is to provide an alternative library (.jar file) that application servers (like Tomcat) can use as the means for authenticating clients (like web browsers).

If your organization is running Active Directory (AD) and all of your web applications go through Microsoft's Internet Information Services (IIS), and IIS has Integrated Windows Authentication enabled, and everyone in your organization is using Internet Explorer (IE), then this project may not be of any interest to you."