Choosing and Using Authenticators
Choose an authenticator which will determine a user's identity. Usually, the SpnegoAuthenticator or SSLAuthenticator will do, but during local development you will find the CurrentWindowsIdentityAuthenticator very handy.
SPNEGO Authenticator
The SpnegoAuthenticator challenges the client to perform SPNEGO authentication. In turn, the server accepts a GSS context by validating the authentication token presented by the client and responds with the proper token for the client.
Attention: Though SPNEGO is intended to negotiate a mechanism, OpenJDK currently supports Kerberos 5 only; NTLM is not supported in addition, due to its proprietary nature. In any case, NTLM has finally been deprecated by Microsoft.
Open or create your app's context.xml and add:

<Context>
  […]
  <!-- Add this -->
  <Valve className="net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator"
         loginEntryName="a-login-entry" />
  […]
</Context>
Provide the login entry name from your login.conf configured for the machine or service account capable of accepting GSS contexts with SPNEGO/Kerberos.
You have successfully configured the SpnegoAuthenticator in your webapp. It is now ready to use.
SSL Authenticator
The SSLAuthenticator is bundled with Tomcat and extracts user certificates from the TLS context.
Open or create your app's context.xml and add:

<Context>
  […]
  <!-- Add this -->
  <Valve className="org.apache.catalina.authenticator.SSLAuthenticator" />
  […]
</Context>
It is expected that you follow the Tomcat documentation to properly configure your Connector for certificate-based authentication.
You have successfully configured the SSLAuthenticator in your webapp. It is now ready to use.
Using an Authenticator During Development
After examining the authenticators above, you will probably ask yourself: How do I use that on my local development machine? CurrentWindowsIdentityAuthenticator to the rescue. It automatically obtains the GSS credential of the currently logged-in domain user and logs you in to the application without any interaction. This is very handy when you are running your Tomcat instance inside an IDE.
Open or create your app's context.xml and add:

<Context>
  […]
  <!-- Add this -->
  <Valve className="net.sf.michaelo.tomcat.authenticator.CurrentWindowsIdentityAuthenticator"
         loginEntryName="a-login-entry" />
  […]
</Context>
Provide the login entry name from your login.conf configured for your user account capable of initiating GSS contexts with SPNEGO/Kerberos.
Warning: Do not use this in production. It has been created for the ease of development and testing purposes only.
Now you have successfully configured the CurrentWindowsIdentityAuthenticator in your webapp. It is now ready to use.
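Both the SpnegoAuthenticator and the CurrentWindowsIdentityAuthenticator refer to a login entry in login.conf, but the page does not show what those entries look like. The following login.conf is an added example, not part of the project's documentation: it contains one entry for the acceptor role (service account, referenced by the SpnegoAuthenticator valve) and one for the initiator role (your own account, referenced by the CurrentWindowsIdentityAuthenticator valve). The entry names, the keytab path, the service principal and the realm are placeholders, and the set of Krb5LoginModule options shown is the standard one for these two roles, not something this page prescribes.

```conf
// Added example login.conf; entry names, path, principal and realm are placeholders.

// Referenced via loginEntryName on the SpnegoAuthenticator valve.
// Role: ACCEPTOR. The service account must be able to decrypt the
// Kerberos service tickets that browsers present, so its long-term key
// is loaded from a keytab and kept in the Subject (storeKey=true).
tomcat-spnego-acceptor {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/etc/tomcat/http-service.keytab"          // placeholder path
        principal="HTTP/www.example.com@EXAMPLE.COM"     // placeholder SPN
        storeKey=true       // keep the key: required to accept GSS contexts
        doNotPrompt=true    // never fall back to an interactive password prompt
        isInitiator=false;  // acceptor only: no TGT is requested at startup
};

// Referenced via loginEntryName on the CurrentWindowsIdentityAuthenticator valve.
// Role: INITIATOR. Reuses the TGT of the currently logged-in user instead of
// asking for a password, which is what makes the automatic login possible.
dev-current-user-initiator {
    com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true  // read the logged-in user's existing ticket cache
        doNotPrompt=true;    // fail instead of prompting if no TGT is available
};
```

Point the SpnegoAuthenticator valve at tomcat-spnego-acceptor and the CurrentWindowsIdentityAuthenticator valve at dev-current-user-initiator (or whatever names you choose); the keytab must be readable only by the account running Tomcat, since it holds the service's long-term key.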
Next Step
After you have properly configured an authenticator, go on to the realm.