mystyleit

Tomcat Authentication to Active Directory

Love IIS and its easy Authentication Model (Anonymous, Basic, Integrated)? Me too! The following post will, to the best of my ability, explain how to make Tomcat to Basic and Integrated Authentication to Active Directory (AD). It actually isn't to bad but the information is all over the place.

In order to be successful at this you will need to have a good working knowledge of Tomcat. If you don't I suggest reading this:
http://mystyleit.com/blogs/mystyleit/archive/2008/12/05/adventures-with-tomcat-5-5.aspx

Tomcat LDAP Authentication to AD (aka Basic)

If you have read the official Tomcat documentation, hopefully you know that we need to create a JNDI Realm. In this example we are going to create a Global Realm, the means it is going in the Service area of the server.xml.

Here is the link to the official documentation:
http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JNDIRealm

If you have read the documentation you will see that JNDI Realms support to modes, Bind mode and Comparison mode. Based on everything I have read, Bind mode does NOT work with AD. Only Comparison mode modes does.

Creating the authentication is a two step process. The steps are:

1. We must create a global JDNI Realm
2. Create a security constraint in the web.xml (equivalent checking off the Basic Authentication check box in IIS)

So lets have a look at a Comparison mode JNDI Realm. This would go in the server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm" <!-- The LDAP Address of your DC --> connectionURL="ldap://dc1.domain.local:389" <!-- Account information to access the Directory --> connectionName="tomcat@DOMAIN" connectionPassword="AReallyLongPassword" <!-- Where should Tomcat look for users --> userBase="OU=users,OU=mydomain,DC=DOMAIN,DC=local" userSearch="(sAMAccountName={0})" userSubtree="true" userRoleName="memberOf" <!-- Where should tomcat look for groups --> roleBase="OU=groups,OU=mydomain,DC=DOMAIN,DC=local" roleSubtree="true" roleName="cn" roleSearch="(member={0})" <!-- Debug Level --> debug="99" />

So lets have a look security constraint. This goes in your applications web.xml:

<security-constraint> <web-resource-collection> <web-resource-name>Entire Application</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <!-- The name of the AD security groups users must be a member of to login --> <auth-constraint> <role-name>Tomcat Users</role-name> </auth-constraint> </security-constraint> <!-- Basic Authentication using a JNDIRealm --> <login-config> <auth-method>BASIC</auth-method> <realm-name>JNDIRealm</realm-name> </login-config>

Below is a link to a great MSDN web cast about setting up the same thing:
http://blogs.msdn.com/alextch/archive/2007/06/25/configuring-tomcat-to-authenticate-against-active-directory.aspx

Tomcat NTLM Authentication to AD (aka Integrated)

Next up is setting up Tomcat to use NTLM authentication (aka Integrated). This one is more complicated.

NTLM

NTLM is complicated stuff. In short there are two versions of NTLM, NTLMv1 and NTLMv2. NTLMv2 is the good stuff. NTLMv1 is the bad stuff. If you would like to know more I recommend reading the following:
http://en.wikipedia.org/wiki/NTLM
http://technet.microsoft.com/en-us/magazine/2006.08.securitywatch.aspx

JCIFS

JCIFS is a open source client library that can do all sorts of things, including to NTLM Authentication for a web app. See the following:
http://jcifs.samba.org/
http://jcifs.samba.org/src/docs/ntlmhttpauth.html

Deploying JCIFS

There are many deployment scenarios for JCIFS. The deployment I'm covering getting JCIFS to Authenticate against a Network Share. In this approach you create a secure network share, only the users who have access to the network share can access the web site.

The installation has several steps:

1. Create a secured share and secure using NTFS permissions
2. Download the jcifs.jar and copy to the lib folder of your web app
3. Create the JCIFS filter in you web app's web.xml file

This guide is not going to cover how to create a network share. So look elsewhere.

Let's have a look at the JCIFS filter we need to create in the web.xml:

<filter> <filter-name>NtlmHttpFilter</filter-name> <filter-class>jcifs.http.NtlmHttpFilter</filter-class> <init-param> <param-name>jcifs.http.domainController</param-name> <param-value>192.168.0.30</param-value> </init-param> <init-param> <param-name>jcifs.smb.client.domain</param-name> <param-value>CITY</param-value> </init-param> <!-- permissions on \\192.168.0.30\JcifsAcl share gate web access --> <init-param> <param-name>jcifs.smb.client.logonShare</param-name> <param-value>JcifsAcl$</param-value> </init-param> </filter> <!-- NTLM Authentication using NtlmHttpFilter --> <filter-mapping> <filter-name>NtlmHttpFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>

For more information see:
http://jcifs.samba.org/src/docs/ntlmhttpauth.html#install

The above configuration works on my Server 2008 native domain with no change to the Domain Security policy.

Conclusion

When I went to set all this up myself the first time I had a really hard time finding examples of configurations. Hopefully these examples are helpful to you.