Question

In our intranet, all users log in to Windows from an Active Directory domain. I must develop a solution for authenticating users against Active Directory, that runs in Tomcat and works for both Servlet and Axis2.

I'm already able to verify authentication manually, using basic JavaSE. I also created a test Servlet that receives login and password from POST and it authenticated too, so if I use HTTPS at least I could use this ugly solution.

I think HTTP Authentication is the best approach, because it's HTTP standard and works for both Servlet and Axis2 and browser and any kind of SOAP client.

For browser, the desired behavior is that the browser will open a login modal window, the user will type login and password, I retrieve them from within the Servlet and verify against AD. For Axis2, the client handles its way to set the HTTP header, and I retrieve it from within the class that Axis2 uses to create the WebService (how to do that I have no idea and haven't searched yet...) and do the same verification.

The problem is that I'm facing a lot of possibilities and can't make any of them work. Most tutorials use conf/tomcat-users.xml and never give me the password. Others use NTLM or Kerberos; I've already tried to use spnego for Servlet and it didn't work at all, and it's not available for Axis2. I'd rather use a native solution that doesn't require third party libs.

Any suggestion of where I can start?


Solution

It appears that you do NOT require single sign-on for users. In that case, you do NOT need NTLM or Kerberos. All you need is server-side authentication with Active Directory.

Fortunately, AD exposes itself as LDAP, with a few quirks. Please view this answer: Configuring Tomcat to authenticate using Windows Active Directory

If you configure the realm and the container (Tomcat) authentication against AD properly, you should not need to retrieve the headers or write any code to do the authentication - the container (Tomcat) will do it for you.

Edited:

Web XML sample:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Wildcard means whole app</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
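
The realm side that the web.xml above relies on, as an added example that is not part of the original answer: a JNDIRealm (placed in conf/server.xml or the application's META-INF/context.xml) that makes Tomcat bind to Active Directory as the user who typed the BASIC credentials, so the password is checked by AD and never handled by application code. The domain example.corp, the host dc1, the bind account svc-tomcat, the OU paths and the AD group named "user" (which must exist for the role-name "user" in web.xml to match) are assumptions.

```xml
<!-- Added example, not the original answer's configuration.
     Tomcat 7+ JNDIRealm against Active Directory, wrapped in a LockOutRealm
     so repeated BASIC failures lock the name out instead of feeding a
     password-guessing loop. All names below are placeholders. -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         <!-- ldaps:// so BASIC credentials are not re-sent to AD in clear -->
         connectionURL="ldaps://dc1.example.corp:636"
         <!-- AD refuses anonymous searches, so a low-privilege read-only
              account is needed to look up the user's DN before the bind.
              Keep this file readable only by the Tomcat service account. -->
         connectionName="CN=svc-tomcat,OU=Service Accounts,DC=example,DC=corp"
         connectionPassword="CHANGE_ME"
         <!-- AD quirk: subtree searches return referrals; without this the
              search fails with a PartialResultException -->
         referrals="follow"
         userBase="OU=Users,DC=example,DC=corp"
         userSubtree="true"
         <!-- {0} is the name typed in the browser's login dialog; no
              userPassword attribute is set, so JNDIRealm verifies the
              password by binding to AD as the found DN -->
         userSearch="(sAMAccountName={0})"
         <!-- roles taken from the user's memberOf attribute ... -->
         userRoleName="memberOf"
         <!-- ... and additionally by searching groups whose member holds
              the user's DN ({0}); the group CN becomes the role name that
              web.xml's role-name "user" is matched against -->
         roleBase="OU=Groups,DC=example,DC=corp"
         roleSubtree="true"
         roleName="cn"
         roleSearch="(member={0})"/>
</Realm>
```

With this in place the Servlet and the Axis2 service both see the authenticated name through request.getRemoteUser() and the group through request.isUserInRole("user"), and a SOAP client only has to send the standard Authorization header.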

OTHER TIPS

The only reasonable approach in an Active Directory environment is Kerberos only. The best approach to users IS Kerberos. If you are on Tomcat 7 you have built-in support. Java 6 has everything on board to make it work. This is what I have been doing for years.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow