I'll move it to the dev list, since it doesn't really belong on the users' one.

The reason why you don't have it in Tomcat yet is because it's not easy.

To do Negotiate (NTLM / Kerberos) you need to basically call one Windows API 
(AcceptSecurityContext). All other methods don't really work. Then you need to 
call another hundred APIs to extract the user information (such as group 
membership) from the logged on user security token. I wrote a long post with 
all the details here: http://code.dblock.org/ShowPost.aspx?id=91 
(AcceptSecurityContext) and http://code.dblock.org/ShowPost.aspx?id=89 
(GetTokenInformation).

People usually don't get it right since you have to really understand what the 
hell those tokens and structures are, how to create and dispose of them. You 
can look at JNA source code in com.sun.jna.platform.win32, it's hundreds of 
lines of code and represents a few months of on-and-off work.

You can make it just a few JARs if you take JNA 3.2.5+. Without it you're 
doomed to writing A LOT of code in JNI (if it's even possible). Waffle is a rather 
thin layer on top of that, so you could take it as is or rewrite it without 
needing all those generic interfaces if you like. The authenticator is trivial 
except for some tricks to make NTLM POST work per protocol (it sends 
Authorization with every request and an empty body first - I wasted two days of 
my life on this).

Feel free to ask for help, I know this stuff inside-out since my MSFT days ;)

cheers
dB.

dB. @ dblock.org 
Moscow|Geneva|Seattle|New York
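The exchange described above (one SSPI call per leg, the browser sending Authorization on every request, and the NTLM POST trick of an empty body first), as an added example that is not part of the original post and not Waffle's code. It is a Python model of the server side of the handshake with constructed messages: parse_authorization and classify_token pull the token out of the header and tell raw NTLMSSP Type 1/2/3 apart from an SPNEGO wrapper, NegotiateConnection keeps the per-connection state the real authenticator must keep across the 401 round trip, and simulate_ntlm_post drives the three requests a browser makes for one POST. The function stand_in_accept_security_context is the assumption to note: it only parses DOMAIN\user out of the Type 3 and verifies nothing, which is exactly why production code has to hand the token to AcceptSecurityContext instead. The message layouts follow MS-NLMP; the dummy LM/NT responses, the domain and user names, and the 88-byte Type 3 header (Version and MIC included) are constructed for the example.

```python
import base64
import os
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_NEGOTIATE, NTLM_CHALLENGE, NTLM_AUTHENTICATE = 1, 2, 3
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")  # OID 1.3.6.1.5.5.2, DER encoded
FLAGS = 0x00000201  # NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM

def parse_authorization(value):
    """Raw token from 'Negotiate <b64>' (or the older 'NTLM <b64>' scheme), else None."""
    if not value:
        return None
    scheme, _, data = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not data:
        return None
    try:
        return base64.b64decode(data, validate=True)
    except ValueError:
        return None

def classify_token(token):
    """Raw NTLMSSP message (Type 1/2/3) or SPNEGO wrapper (Kerberos or NTLM inside)."""
    if token.startswith(NTLMSSP_SIGNATURE) and len(token) >= 12:
        kind = struct.unpack_from("<I", token, 8)[0]
        return {1: "ntlm-negotiate", 2: "ntlm-challenge", 3: "ntlm-authenticate"}.get(kind, "ntlm-unknown")
    if token[:1] == b"\x60" and SPNEGO_OID_DER in token[:16]:
        return "spnego"
    return "unknown"

def _field(offset, data):  # MS-NLMP Len/MaxLen/BufferOffset triple pointing into the payload
    return struct.pack("<HHI", len(data), len(data), offset)

def build_ntlm_challenge(server_challenge):
    """Minimal CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2) with empty TargetName and TargetInfo."""
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLM_CHALLENGE) + _field(48, b"")
            + struct.pack("<I", FLAGS) + server_challenge + bytes(8) + _field(48, b""))

def build_ntlm_authenticate(domain, user, workstation):
    """Client-side AUTHENTICATE_MESSAGE (MS-NLMP 2.2.1.3); LM/NT responses are dummy zeros."""
    payload, fields = b"", []  # 88 = fixed header including Version and MIC (constructed)
    for item in (bytes(24), bytes(24), domain.encode("utf-16-le"),
                 user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""):
        fields.append(_field(88 + len(payload), item))
        payload += item
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLM_AUTHENTICATE) + b"".join(fields)
            + struct.pack("<I", FLAGS) + bytes(8) + bytes(16) + payload)

def stand_in_accept_security_context(token):
    """Lift DOMAIN\\user out of a Type 3. Parsing only (assumed stand-in): the real call
    verifies the NtChallengeResponse against the server challenge (locally or at a DC);
    a name read from an unverified Type 3 is attacker-chosen, not an identity."""
    if classify_token(token) != "ntlm-authenticate" or len(token) < 64:
        return None
    def read(pos):
        length, _, offset = struct.unpack_from("<HHI", token, pos)
        return token[offset:offset + length].decode("utf-16-le")
    domain, user = read(28), read(36)
    return f"{domain}\\{user}" if user else None

class NegotiateConnection:
    """Per-TCP-connection state: NTLM authenticates the connection, so the context
    created on the Type 1 must still exist when the Type 3 arrives on it."""
    def __init__(self):
        self.server_challenge = self.user = None

    def handle(self, method, headers, body):
        """Return (status, response headers, what to do with the request body)."""
        restart = (401, {"WWW-Authenticate": "Negotiate"}, "discard")
        token = parse_authorization(headers.get("Authorization"))
        if token is None:
            return restart
        kind = classify_token(token)
        if kind == "ntlm-negotiate":
            # Leg 1. On POST the browser sends this with Content-Length: 0 and the real
            # body only with the Type 3; a body that does arrive is drained, never used.
            self.user, self.server_challenge = None, os.urandom(8)
            b64 = base64.b64encode(build_ntlm_challenge(self.server_challenge)).decode()
            return 401, {"WWW-Authenticate": "Negotiate " + b64, "Connection": "keep-alive"}, "discard"
        if kind == "ntlm-authenticate":
            if self.server_challenge is None:  # Type 3 with no outstanding Type 2
                return restart
            self.user, self.server_challenge = stand_in_accept_security_context(token), None
            return (200, {}, "process") if self.user else restart
        return 501 if kind == "spnego" else 400, {}, "discard"  # Kerberos leg not modelled

def simulate_ntlm_post(domain="CORP", user="alice"):
    """Drive the three requests a browser makes for one NTLM-protected POST."""
    conn, trail, form = NegotiateConnection(), [], b"field=value"
    def send(auth, body):
        headers = {"Content-Length": str(len(body))}
        if auth:
            headers["Authorization"] = auth
        status, resp, action = conn.handle("POST", headers, body)
        trail.append((status, action))
        return resp.get("WWW-Authenticate", "")
    send(None, form)  # anonymous POST: 401 Negotiate, body dropped
    type1 = NTLMSSP_SIGNATURE + struct.pack("<II", NTLM_NEGOTIATE, FLAGS) + bytes(16)
    www = send("Negotiate " + base64.b64encode(type1).decode(), b"")  # Type 1 with empty body
    assert classify_token(parse_authorization(www)) == "ntlm-challenge"
    type3 = build_ntlm_authenticate(domain, user, "WS01")
    send("Negotiate " + base64.b64encode(type3).decode(), form)  # Type 3 with the real body
    return trail, conn.user
```

Running simulate_ntlm_post() yields the trail [(401, "discard"), (401, "discard"), (200, "process")]: the form body is only processed on the third request, after the Type 3. Two things carry over to a real authenticator: the SSPI context handle (here server_challenge) has to live on the connection, not the request, and the two 401 responses must be sent with Connection: keep-alive and without waiting on a body, otherwise the client's Type 3 never reaches the same context.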



-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Thursday, May 20, 2010 10:33 AM
To: Tomcat Users List
Subject: Re: Tomcat NTLM authentication

On 20/05/2010 15:11, dB. wrote:
> You have my explicit +1 to take this code and use/include it in Tomcat.

Cheers. Looking at this is on my todo list. There is also another
enhancement in BZ that covers SPNEGO. I'm not sure either solution is
exactly what I am looking for since my (maybe impossible) ideal is to do
this with not much more than a couple of Java classes. I'll see how
feasible that is when I get around to looking at this. I suspect I'll
end up borrowing heavily from both proposals.

If it does end up that the only solution is one that requires a handful
of extra JARs then it will probably become a Tomcat module.

Thanks again,

Mark

> 
> dB. @ dblock.org 
> Moscow|Geneva|Seattle|New York
> 
> 
> 
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org] 
> Sent: Thursday, May 20, 2010 9:29 AM
> To: Tomcat Users List
> Subject: Re: Tomcat NTLM authentication
> 
> On 20/05/2010 13:48, dB. wrote:
>> Eclipse Public License
>> http://waffle.codeplex.com/license
>>
>> I am happy to attach another license to this if there're any real issues 
>> with it.
> 
> There are. Sort of. The ASF can't include source code that is EPL
> licensed in Apache products.
> 
> However, the bugzilla issue:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49318
> 
> when read with the terms of creating a bugzilla account:
> https://issues.apache.org/bugzilla/createaccount.cgi
> 
> and section 5 of the Apache License:
> http://www.apache.org/licenses/LICENSE-2.0.html
> 
> is legally sufficient for us to include this code in Tomcat.
> 
> Despite that, we (the ASF) would rather an explicit "Yes we're fine with
> you doing that" rather than relying on the legalese since we don't want
> to do something you don't like, even if legally we could.
> 
> If you are happy for this to be included then a "+1" here is all that is
> required.
> 
> Mark
> 
> 
>>
>> dB. @ dblock.org 
>> Moscow|Geneva|Seattle|New York
>>
>>
>>
>> -----Original Message-----
>> From: Jason Pyeron [mailto:jpye...@pdinc.us] 
>> Sent: Thursday, May 20, 2010 8:50 AM
>> To: 'Tomcat Users List'
>> Subject: RE: Tomcat NTLM authentication
>>
>>> -----Original Message-----
>>> From: dB. 
>>> Sent: Thursday, May 20, 2010 8:42
>>> Subject: Tomcat NTLM authentication
>>>
>>> Forgive me for shameless advertising. This should be useful 
>>> to lots of people.
>>>
>>> We've published a free Tomcat 6 Negotiate authenticator based 
>>
>> Apache License?
>>
>>
>>> on JNA that supports the Negotiate protocol, including 
>>> Kerberos and the much requested NTLM. This is equivalent to 
>>> checking the Integrated Authentication box in IIS, enabling 
>>> single sign-on for windows servers that are both joined or 
>>> not to an Active Directory domain. The authenticator is part 
>>> of project Waffle.
>>>
>>> Tutorial: http://code.dblock.org/ShowPost.aspx?id=103
>>> Download Waffle: http://waffle.codeplex.com/
>>>
>>> Hope this helps, your feedback is much appreciated,
>>>
>>> -dB.
>>> dB. @ dblock.org<http://www.dblock.org/>
>>> Moscow|Geneva|Seattle|New York
>>>
>>>
>>>
>>
>> --
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>> -                                                               -
>> - Jason Pyeron                      PD Inc. http://www.pdinc.us -
>> - Principal Consultant              10 West 24th Street #100    -
>> - +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
>> -                                                               -
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>> This message is copyright PD Inc, subject to license 20080407P00.
>>
>>  
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
> 
> 
> 
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
