What is the best way to configure Tomcat 5.5 or later to authenticate users from Windows Active Directory?
4 Answers
From www.jspwiki.org, see: ActiveDirectoryIntegration
Try this in the server.xml with your ldap-settings :
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://youradsserver:389"
alternateURL="ldap://youradsserver:389"
userRoleName="member"
userBase="cn=Users,dc=yourdomain"
userPattern="cn={0},cn=Users,dc=yourdomain"
roleBase="cn=Users,dc=yourdomain"
roleName="cn"
roleSearch="(member={0})"
roleSubtree="false"
userSubtree="true"/>
And define the role in the tomcat-users.xml and the web.xml of your application. Edit the webapp_root/WEB-INF/web.xml file as follows:
<security-constraint>
<display-name>your web app display name</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<url-pattern>*.html</url-pattern>
<url-pattern>*.xml</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>yourrolename (ADS group)</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>your role description</description>
<role-name>yourrolename (i.e. ADS group)</role-name>
</security-role>
- New Link to www.jspwiki.org (Thanks Antonio) – Blauohr Oct 08 '10 at 08:23
- Since there is no connection username or password specified in the context.xml, this only seems to work if anonymous lookups are allowed to get the list of roles. – Jesse Barnum Sep 30 '14 at 02:05
- The link has changed again. I can't be 100% sure, because I didn't see the originally linked page, but it may now be [somewhere on here](https://jspwiki-wiki.apache.org/Wiki.jsp?page=Wiki.Admin.Security). – David Moye Dec 12 '14 at 20:09
- Is there any documentation on the individual XML tags here? I want to trigger the auth via browser, not via login form. – Tomáš Zato Mar 19 '19 at 13:02
Blauohr's answer is good, but the CN of a user in AD is based on their "Display Name", not their sAMAccountName (which users are used to logging in with). Based on his solution, it looks like someone would have to log in with their Display Name, based on the userPattern.
I've personally used the following:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://DOMAIN_CONTROLLER:389"
connectionName="USERID@DOMAIN.com"
connectionPassword="USER_PASSWORD"
referrals="follow"
userBase="OU=USER_GROUP,DC=DOMAIN,DC=com"
userSearch="(sAMAccountName={0})"
userSubtree="true"
roleBase="OU=GROUPS_GROUP,DC=DOMAIN,DC=com"
roleName="name"
roleSubtree="true"
roleSearch="(member={0})"/>
Everything else would pretty much work the same.
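The two answers above configure the same realm in two different ways: the first binds the user directly with a DN built from userPattern (no service account needed), while the second first searches for the user by sAMAccountName with userSearch and then looks up group membership with roleSearch, which is why it needs connectionName/connectionPassword, as Jesse Barnum's comment points out. The following added example (not Tomcat's code, and not posted by either answerer) models that second flow in Python against a small constructed in-memory directory so it runs offline; the realm attribute values are taken from the second answer, and the sample users, groups and passwords are invented. It also shows the one detail the realm attributes hide: the value substituted for {0} must be escaped per RFC 4515 so it is matched literally inside the filter.

```python
"""Model of the two-step lookup a Tomcat JNDIRealm performs against AD:
userSearch to find the user's DN, a bind with the user's password, then
roleSearch to collect group names.  Added example for this thread; it uses
a constructed in-memory directory instead of a live LDAP server."""

import hmac
import re

# Constructed sample directory (not real AD data).
DIRECTORY = {
    "CN=Alice Example,OU=USER_GROUP,DC=DOMAIN,DC=com": {
        "sAMAccountName": "aexample",
        "userPassword": "correct horse",  # stands in for the LDAP bind check
    },
    "CN=Bob Example,OU=USER_GROUP,DC=DOMAIN,DC=com": {
        "sAMAccountName": "bexample",
        "userPassword": "hunter2",
    },
    "CN=Tomcat Admins,OU=GROUPS_GROUP,DC=DOMAIN,DC=com": {
        "name": "Tomcat Admins",
        "member": ["CN=Alice Example,OU=USER_GROUP,DC=DOMAIN,DC=com"],
    },
    "CN=Staff,OU=GROUPS_GROUP,DC=DOMAIN,DC=com": {
        "name": "Staff",
        "member": ["CN=Alice Example,OU=USER_GROUP,DC=DOMAIN,DC=com",
                   "CN=Bob Example,OU=USER_GROUP,DC=DOMAIN,DC=com"],
    },
}

# Realm attributes as given in the second answer.
USER_BASE = "OU=USER_GROUP,DC=DOMAIN,DC=com"
USER_SEARCH = "(sAMAccountName={0})"
ROLE_BASE = "OU=GROUPS_GROUP,DC=DOMAIN,DC=com"
ROLE_SEARCH = "(member={0})"
ROLE_NAME = "name"


def escape_filter_value(value):
    """RFC 4515 escaping: backslash, '*', '(', ')' and NUL become \\XX so the
    substituted value is compared literally rather than read as filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(base, filt):
    """Evaluate one equality filter '(attr=value)' with subtree scope under
    `base`.  An unescaped '*' in the value is a wildcard, as in real LDAP."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if m is None:
        raise ValueError("unsupported filter: %r" % filt)
    attr, raw = m.group(1), m.group(2)
    pattern = re.compile(".*".join(re.escape(_unescape(p)) for p in raw.split("*")),
                         re.IGNORECASE)
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith("," + base.lower()):
            continue
        values = attrs.get(attr, [])
        values = values if isinstance(values, list) else [values]
        if any(pattern.fullmatch(v) for v in values):
            hits.append(dn)
    return hits


def authenticate(username, password):
    """Return {'dn': ..., 'roles': [...]} on success, None on failure."""
    user_filter = USER_SEARCH.replace("{0}", escape_filter_value(username))
    dns = search(USER_BASE, user_filter)
    if len(dns) != 1:  # unknown user, or an ambiguous match: reject
        return None
    dn = dns[0]
    stored = DIRECTORY[dn].get("userPassword", "")
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    # Group lookup keys on the user's DN, exactly as roleSearch="(member={0})" does.
    role_filter = ROLE_SEARCH.replace("{0}", escape_filter_value(dn))
    roles = sorted(DIRECTORY[g][ROLE_NAME] for g in search(ROLE_BASE, role_filter))
    return {"dn": dn, "roles": roles}


if __name__ == "__main__":
    print(authenticate("aexample", "correct horse"))
```

The roles returned by authenticate() are what web.xml's <auth-constraint> role-name is compared against, which is why the second answer sets roleName="name" (the group's display name) rather than "cn". Note that with roleSubtree="true" the group lookup walks the whole roleBase subtree; with a large directory, narrowing roleBase to the OU that actually holds application groups keeps that search cheap.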
The LDAP-based authentication works without any additional steps on any operating system.
http://spnego.sf.net can be used for silent authentication of users logged into the Windows domain. This needs a domain account that is registered in the domain to be authoritative for the provided service. It works on both Windows and Linux.
"Welcome to the SPNEGO SourceForge project Integrated Windows Authentication in Java
The intent of this project is to provide an alternative library (.jar file) that application servers (like Tomcat) can use as the means for authenticating clients (like web browsers).
If your organization is running Active Directory (AD) and all of your web applications go through Microsoft's Internet Information Services (IIS), and IIS has Integrated Windows Authentication enabled, and everyone in your organization is using Internet Explorer (IE), then this project may not be of any interest to you."