Hello all,

We have a Java application running on a Unix box and we want to authenticate intranet users with IE browsers on their Windows desktops.

Basically when they get to our application, we want to know their Windows username and do our custom authentication against our application user database.

I searched around and a lot of them are solutions running Tomcat on a Windows box (such as WAFFLE). Any pointers as to how to achieve this on a Unix box are greatly appreciated.

A: 

If you want single sign-on I can recommend Jespa, otherwise you just need to set up Active Directory authentication. All depends whether you want to present a password box or not.

Jon Freedman
A: 

I don't know if it's applicable in your situation, but there has been a bunch written about using AD as a Kerberos server, using the negotiate protocol on the clients, and either integrating Tomcat with Kerberos or using something like SPNEGO. I keep threatening our Windows and security teams that I'm going to set up such a network, just so I can show how PAINFUL their solutions are in contrast... but I've got to get through the 50+ other things I NEED to get done first, of course. ;)

mezmo
A: 

Jespa sounds like an awesome catch-up to IIS' ability to perform authentication with NTLM (one of the two authentication protocols supported in Windows' SPNEGO implementation). Jespa doesn't seem to support Kerberos authentication at the moment, so if you're for some reason oriented to that authentication protocol, you should investigate GSSAPI includes in Java, and don't forget to register an SPN or two for your Java app server.

Pursuing the SPNEGO/Kerberos path seems to have many proponents and lots of possibly useful documentation, but there's a whole bunch of questions of how many layers are between IE and your Java app. That will help determine the most efficient or least redundant set of add-ons you need to make this work:

And for good measure, here's a couple more resources to fill in more background:

Hope this helps.

ParanoidMike
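
Added example, not part of any answer above and not code from Jespa, WAFFLE or any other project mentioned: when the SPNEGO/Kerberos route is set up on a Unix app server, a quick check is which kind of token IE actually puts in the `Authorization: Negotiate` header, since the answers note that NTLM and Kerberos are both possible. The class and method names are hypothetical and the sample tokens are constructed; the check only inspects the outer framing and authenticates nothing, so the token must still be validated through GSSAPI or an NTLM library.

```java
import java.util.Base64;

// Hypothetical helper: reports which mechanism framing a Negotiate token uses.
public class NegotiateTokenClassifier {
    enum Kind { NONE, NTLM, SPNEGO, KERBEROS, UNKNOWN }

    // Raw NTLM messages begin with the ASCII signature "NTLMSSP" plus a NUL byte.
    private static final byte[] NTLMSSP = {'N','T','L','M','S','S','P',0};
    // DER-encoded OIDs: SPNEGO 1.3.6.1.5.5.2 and Kerberos V5 1.2.840.113554.1.2.2
    private static final byte[] OID_SPNEGO = {0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02};
    private static final byte[] OID_KRB5 =
        {0x06,0x09,0x2a,(byte)0x86,0x48,(byte)0x86,(byte)0xf7,0x12,0x01,0x02,0x02};

    static Kind classify(String header) {
        if (header == null || !header.regionMatches(true, 0, "Negotiate ", 0, 10)) return Kind.NONE;
        byte[] t;
        try {
            t = Base64.getDecoder().decode(header.substring(10).trim());
        } catch (IllegalArgumentException e) {
            return Kind.UNKNOWN; // not valid base64
        }
        if (startsWith(t, 0, NTLMSSP)) return Kind.NTLM;
        // GSS-API initial tokens start with tag 0x60, a DER length, then the mechanism OID.
        if (t.length < 2 || (t[0] & 0xff) != 0x60) return Kind.UNKNOWN;
        int lenByte = t[1] & 0xff;
        int off = 2 + ((lenByte & 0x80) != 0 ? (lenByte & 0x7f) : 0); // skip long-form length bytes
        // Outer framing only: a SPNEGO token can still carry NTLM as its inner mechanism.
        if (startsWith(t, off, OID_SPNEGO)) return Kind.SPNEGO;
        if (startsWith(t, off, OID_KRB5)) return Kind.KERBEROS;
        return Kind.UNKNOWN;
    }

    private static boolean startsWith(byte[] data, int off, byte[] prefix) {
        if (data.length - off < prefix.length) return false;
        for (int i = 0; i < prefix.length; i++) if (data[off + i] != prefix[i]) return false;
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample tokens (leading bytes only, not real captures).
        byte[] ntlm = {'N','T','L','M','S','S','P',0,1,0,0,0};
        byte[] spnego = {0x60,0x0a,0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,(byte)0xa0,0x00};
        Base64.Encoder enc = Base64.getEncoder();
        System.out.println(classify("Negotiate " + enc.encodeToString(ntlm)));
        System.out.println(classify("Negotiate " + enc.encodeToString(spnego)));
        System.out.println(classify("Basic dXNlcjpwdw=="));
    }
}
```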