Apache Tomcat 7 now gives you the option to use built in support for Windows Authentication. Previously, enabling Tomcat with Windows Authentication required adding extra libraries, such as WAFFLE, to broker communication between Tomcat and the Windows Authentication protocol. Now, new in Tomcat 7, this integration is straight-forward.
In a post this week discussing the new Windows Authentication, Apache Tomcat Release Manager, Mark Thomas describes how it works by saying:
Once windows native authentication is enabled, when a user logs onto the domain and connects to the Tomcat Server, rather than Tomcat prompting the user for a username and password, Tomcat will send a particular header to the browser. The browser recognizes this and knows that it wants it to try Windows Authentication. Since the user is already logged onto the domain, the browser can get the information from the domain. The browser constructs a response and sends it back to the Tomcat server. The server then authenticates it. Assuming response is authenticated, the user is granted access to whatever role they are assigned within the application. For users on non-Windows platforms and/or users who are not logged on to a Windows domain, the browser will prompt the user to provide their user name and password.
Originally provided to the Apache Tomcat project as a patch from a user, the Tomcat committers have split things up to better align with how Tomcat performs authentication and authorization. In Tomcat, the user credentials are obtained via an Authenticator and this is separate from how the user is authenticated and authorized. There are four types of authenticators in Tomcat: BASIC; DIGEST; FORM; and CLIENT-CERT. Windows Authentication adds a fifth: SPNEGO. After the user credentials have been obtained, Tomcat then relies on the Realms to authenticate those credentials and find the group information which dictates what parts of the applications the user is validated to use.
While the new functionality has undergone significant enough testing and documentation that the Apache Software Foundation, known for their high standards, has released the functionality as supported, Thomas also states that it is very important to follow the specific set of steps given to enable the Windows Authentication in the official Apache Tomcat documentation. The functionality works in its straight-forward, as-documented state, however it has not been fully battle tested as to how far you can bend the rules and deviate from the current configuration guidelines. He reminds the community though:
If you do try out this capability and have additional insight to contribute to the documentation, bugs to report etc, then please email the Tomcat developer list or better still, open a Bugzilla issue. If you have a question about how to use this new feature then you can use the "Ask the Experts" link above or e-mail the Tomcat users list.
For the full post, including information on configuration and support please see Thomas’ original article: Windows Authentication with Apache Tomcat