Choosing and Using Authenticators

Choose an authenticator that will determine the user's identity. Usually the SpnegoAuthenticator or the SSLAuthenticator will do, but during local development you will find the CurrentWindowsIdentityAuthenticator very handy.

SPNEGO Authenticator

The SpnegoAuthenticator challenges the client to perform SPNEGO authentication. In turn, the server accepts a GSS context by validating the authentication token sent by the client and responds with the proper token of its own.

Attention
Though SPNEGO is intended to negotiate a mechanism, OpenJDK currently supports Kerberos 5 only and not NTLM in addition, due to the latter's proprietary nature. In any case, NTLM has finally been deprecated by Microsoft.

Open or create your app's context.xml and add:

<Context>
[…]
  <!-- Add this -->
  <Valve className="net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator"
    loginEntryName="a-login-entry" />
[…]
</Context>

Set loginEntryName to the name of the entry in your login.conf that is configured for the machine or service account capable of accepting GSS contexts with SPNEGO/Kerberos.
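An example of what such a login.conf entry looks like on the acceptor side, added here as illustration and not taken from the project's own documentation. The entry name a-login-entry matches the Valve configuration above; the principal, realm and keytab path are placeholders to replace with the SPN registered for your host:

```conf
// Added example login.conf entry (not the project's own): a JAAS entry that
// lets Tomcat accept SPNEGO/Kerberos contexts using the service account's keytab.
a-login-entry {
    com.sun.security.auth.module.Krb5LoginModule required
        // Placeholder SPN and realm: use the HTTP/ SPN registered for your host
        principal="HTTP/tomcat.example.com@EXAMPLE.COM"
        // Read the long-term key from a keytab instead of prompting for a password
        useKeyTab=true
        // Placeholder path; the keytab holds the service's secret key
        keyTab="/etc/tomcat/conf/tomcat.keytab"
        // Keep the key in the Subject so GSS-API can accept incoming contexts
        storeKey=true
        // Acceptor only: the service never initiates a context of its own
        isInitiator=false
        doNotPrompt=true;
};
```

Point the JVM at the file with -Djava.security.auth.login.config=/path/to/login.conf (a standard JAAS system property). Because the keytab contains the service's long-term key, it should be readable only by the account Tomcat runs under; anyone who can read it can impersonate the service to every client.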

You have successfully configured the SpnegoAuthenticator in your webapp. It is now ready to use.

SSL Authenticator

The SSLAuthenticator is bundled with Tomcat and extracts user certificates from the TLS context.

Open or create your app's context.xml and add:

<Context>
[…]
  <!-- Add this -->
  <Valve className="org.apache.catalina.authenticator.SSLAuthenticator" />
[…]
</Context>

It is expected that you follow the Tomcat documentation to configure your Connector for certificate-based authentication; without a Connector that requests a client certificate, the SSLAuthenticator has nothing to extract.
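One way the Connector can be configured so that the SSLAuthenticator actually receives a client certificate, as an added example for Tomcat 8.5 or later using the SSLHostConfig syntax; it is not part of the original page, and the port, file names and passwords are placeholders:

```xml
<!-- Added example (not from the original page): a TLS connector for Tomcat 8.5+
     that requires a client certificate issued by a CA present in the truststore. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
  <!-- certificateVerification="required" makes the TLS layer reject a handshake
       without a client certificate. With "optional", a connection without one
       reaches the webapp and the SSLAuthenticator has to reject it instead. -->
  <SSLHostConfig certificateVerification="required"
                 certificateVerificationDepth="2"
                 truststoreFile="conf/client-ca-truststore.p12"
                 truststorePassword="CHANGEME-placeholder"
                 protocols="TLSv1.2+TLSv1.3">
    <!-- The server's own certificate and private key; placeholder keystore path -->
    <Certificate certificateKeystoreFile="conf/server-keystore.p12"
                 certificateKeystorePassword="CHANGEME-placeholder"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

Keep the truststore limited to the CA(s) that actually issue your client certificates: every CA in it is trusted to vouch for a user identity, and a broad truststore turns any certificate from a public CA into a valid login. Relative paths are resolved against $CATALINA_BASE.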

You have successfully configured the SSLAuthenticator in your webapp. It is now ready to use.

Using an Authenticator During Development

After examining the authenticators above you probably ask yourself: how do I use that on my local development machine? The CurrentWindowsIdentityAuthenticator comes to the rescue. It automatically obtains the GSS credential of the currently logged-in domain user and logs you in to the application without any challenge. This is very handy when you run your Tomcat instance inside an IDE.

Open or create your app's context.xml and add:

<Context>
[…]
  <!-- Add this -->
  <Valve className="net.sf.michaelo.tomcat.authenticator.CurrentWindowsIdentityAuthenticator"
    loginEntryName="a-login-entry" />
[…]
</Context>

Set loginEntryName to the name of the entry in your login.conf that is configured for your user account capable of initiating GSS contexts with SPNEGO/Kerberos.
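An example of the initiator-side entry for this authenticator, again added here as illustration rather than taken from the project's documentation. It reuses the ticket your OS session already holds instead of a keytab or password; the entry name a-login-entry matches the Valve above, so pick a different name if the same login.conf also serves a SpnegoAuthenticator:

```conf
// Added example login.conf entry (not the project's own), for development only:
// a JAAS entry that lets CurrentWindowsIdentityAuthenticator initiate a GSS
// context with the logged-in user's existing Kerberos ticket.
a-login-entry {
    com.sun.security.auth.module.Krb5LoginModule required
        // Reuse the TGT the OS already holds (on Windows, the LSA ticket cache)
        useTicketCache=true
        // Never prompt for a password; fail instead if no ticket is available
        doNotPrompt=true
        // Initiator only: the developer's account starts the context
        isInitiator=true;
};
```

As with the acceptor entry, the JVM must be started with -Djava.security.auth.login.config pointing at this file. Since the entry deliberately authenticates whoever is logged in to the machine, it has the same production caveat as the authenticator itself.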

Warning
Do not use this in production. This has been created for the ease of development and testing purposes only.

Now you have successfully configured the CurrentWindowsIdentityAuthenticator in your webapp. It is now ready to use.

Next Step

After you have properly configured an authenticator, go on to the realm.