• 绍兴印染布质量比对成果发布 部分指标国际领先 2019-07-11
  • 陕西守艺人丨一场大火后,她带领600羌州绣娘从头开始 2019-07-11
  • 今日武汉中考考生可看考点考场 进行英语听力试听 2019-07-08
  • 中方坚决捍卫国家利益和人民利益 2019-07-08
  • "创造101"杨超越引争议 表演业余人气高别光怨选手 2019-07-07
  • 风水神话的回帖除了对我的攻击以外吗,别的还有什么吗? 2019-06-21
  • 通过学历教育、职业培训、在线学习等渠道 新区居民将享天津职教资源 2019-06-17
  • 千名新疆学子的梦想在鄱湖之滨启航 2019-06-13
  • 晋冀鲁豫人民日报印刷厂的组建与迁徙 2019-06-01
  • 高清图集:习近平在山东考察 2019-05-28
  • 让海淀城市“名片”更闪亮 2019-05-28
  • 轻生活,做不一样的自己 2019-05-27
  • 【理上网来·辉煌十九大】德国北威州经济部长:十九大报告表明中国有能力为世界做出更多贡献 2019-05-27
  • 端午出行怕拥堵 别慌,这里有一份出行指南 2019-05-24
  • 空军飞行学员展开高强度实战打靶 消耗千余枚弹药 2019-05-24
  • 
      The Apache Tomcat Servlet/JSP Container

    qq游戏有没十三水:Apache Tomcat 7

    Version 7.0.68, Feb 8 2016
    Apache Logo

    qq游戏里有十三水这个游戏吗 www.tdgb.net Links

    User Guide

    Reference

    Apache Tomcat Development

    Windows Authentication How-To

    Table of Contents
    Overview

    Integrated Windows authentication is most frequently used within intranet environments since it requires that the server performing the authentication and the user being authenticated are part of the same domain. For the user to be authenticated automatically, the client machine used by the user must also be part of the domain.

    There are several options for implementing integrated Windows authentication with Apache Tomcat. They are:

    • Built-in Tomcat support.
    • Use a third party library such as Waffle.
    • Use a reverse proxy that supports Windows authentication to perform the authentication step such as IIS or httpd.
    The configuration of each of these options is discussed in the following sections.

    Built-in Tomcat support

    Kerberos (the basis for integrated Windows authentication) requires careful configuration. If the steps in this guide are followed exactly, then a working configuration will result. It is important that the steps below are followed exactly. There is very little scope for flexibility in the configuration. From the testing to date it is known that:

    • The host name used to access the Tomcat server must match the host name in the SPN exactly else authentication will fail. A checksum error may be reported in the debug logs in this case.
    • The client must be of the view that the server is part of the local trusted intranet.
    • The SPN must be HTTP/<hostname> and it must be exactly the same in all the places it is used.
    • The port number must not be included in the SPN.
    • No more than one SPN may be mapped to a domain user.
    • Tomcat must run as the domain account with which the SPN has been associated or as domain admin. It is NOT recommended to run Tomcat under a domain admin user.
    • The domain name (DEV.LOCAL) is not case sensitive when used in the ktpass command, nor when used in jaas.conf
    • The domain must be specified when using the ktpass command

    There are four components to the configuration of the built-in Tomcat support for Windows authentication. The domain controller, the server hosting Tomcat, the web application wishing to use Windows authentication and the client machine. The following sections describe the configuration required for each component.

    The names of the three machines used in the configuration examples below are win-dc01.dev.local (the domain controller), win-tc01.dev.local (the Tomcat instance) and win-pc01.dev.local (client). All are members of the DEV.LOCAL domain.

    Note: In order to use the passwords in the steps below, the domain password policy had to be relaxed. This is not recommended for production environments.

    Domain Controller

    These steps assume that the server has already been configured to act as a domain controller. Configuration of a Windows server as a domain controller is outside the scope of this how-to. The steps to configure the domain controller to enable Tomcat to support Windows authentication are as follows:

    • Create a domain user that will be mapped to the service name used by the Tomcat server. In this how-to, this user is called tc01 and has a password of tc01pass.
    • Map the service principal name (SPN) to the user account. SPNs take the form <service class>/<host>:<port>/<service name>. The SPN used in this how-to is HTTP/win-tc01.dev.local. To map the user to the SPN, run the following:
      setspn -A HTTP/win-tc01.dev.local tc01
    • Generate the keytab file that the Tomcat server will use to authenticate itself to the domain controller. This file contains the Tomcat private key for the service provider account and should be protected accordingly. To generate the file, run the following command (all on a single line):
      ktpass /out c:\tomcat.keytab /mapuser [email protected]
                /princ HTTP/[email protected]
                /pass tc01pass /kvno 0
    • Create a domain user to be used on the client. In this how-to the domain user is test with a password of testpass.

    The above steps have been tested on a domain controller running Windows Server 2008 R2 64-bit Standard using the Windows Server 2003 functional level for both the forest and the domain.

    Tomcat instance (Windows server)

    These steps assume that Tomcat and a Java 6 JDK/JRE have already been installed and configured and that Tomcat is running as the [email protected] user. The steps to configure the Tomcat instance for Windows authentication are as follows:

    • Copy the tomcat.keytab file created on the domain controller to $CATALINA_BASE/conf/tomcat.keytab.
    • Create the kerberos configuration file $CATALINA_BASE/conf/krb5.ini. The file used in this how-to contained:
      [libdefaults]
      default_realm = DEV.LOCAL
      default_keytab_name = FILE:c:\apache-tomcat-7.0.x\conf\tomcat.keytab
      default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
      default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
      forwardable=true
      
      [realms]
      DEV.LOCAL = {
              kdc = win-dc01.dev.local:88
      }
      
      [domain_realm]
      dev.local= DEV.LOCAL
      .dev.local= DEV.LOCAL
      The location of this file can be changed by setting the java.security.krb5.conf system property.
    • Create the JAAS login configuration file $CATALINA_BASE/conf/jaas.conf. The file used in this how-to contained:
      com.sun.security.jgss.krb5.initiate {
          com.sun.security.auth.module.Krb5LoginModule required
          doNotPrompt=true
          principal="HTTP/[email protected]"
          useKeyTab=true
          keyTab="c:/apache-tomcat-7.0.x/conf/tomcat.keytab"
          storeKey=true;
      };
      
      com.sun.security.jgss.krb5.accept {
          com.sun.security.auth.module.Krb5LoginModule required
          doNotPrompt=true
          principal="HTTP/[email protected]"
          useKeyTab=true
          keyTab="c:/apache-tomcat-7.0.x/conf/tomcat.keytab"
          storeKey=true;
      };
      The location of this file can be changed by setting the java.security.auth.login.config system property. The LoginModule used is a JVM specific one so ensure that the LoginModule specified matches the JVM being used. The name of the login configuration must match the value used by the authentication valve.

    The SPNEGO authenticator will work with any Realm but if used with the JNDI Realm, by default the JNDI Realm will use the user's delegated credentials to connect to the Active Directory.

    The above steps have been tested on a Tomcat server running Windows Server 2008 R2 64-bit Standard with an Oracle 1.6.0_24 64-bit JDK.

    Tomcat instance (Linux server)

    This was tested with:

    • Java 1.7.0, update 45, 64-bit
    • Ubuntu Server 12.04.3 LTS 64-bit
    • Tomcat 8.0.x (r1546570)

    It should work with any Tomcat 7 release from 7.0.12 onwards although it is recommended that the latest stable release is used.

    The configuration is the same as for Windows but with the following changes:

    • The Linux server does not have to be part of the Windows domain.
    • The path to the keytab file in krb5.ini and jass.conf should be updated to reflect the path to the keytab file on the Linux server using Linux style file paths (e.g. /usr/local/tomcat/...).
    Web application

    The web application needs to be configured to the use Tomcat specific authentication method of SPNEGO (rather than BASIC etc.) in web.xml. As with the other authenticators, behaviour can be customised by explicitly configuring the authentication valve and setting attributes on the Valve.

    Client

    The client must be configured to use Kerberos authentication. For Internet Explorer this means making sure that the Tomcat instance is in the "Local intranet" security domain and that it is configured (Tools > Internet Options > Advanced) with integrated Windows authentication enabled. Note that this will not work if you use the same machine for the client and the Tomcat instance as Internet Explorer will use the unsupported NTLM protocol.

    References

    Correctly configuring Kerberos authentication can be tricky. The following references may prove helpful. Advice is also always available from the Tomcat users mailing list.

    1. IIS and Kerberos
    2. SPNEGO project at SourceForge
    3. Oracle JGSS tutorial
    4. Geronimo configuration for Windows authentication
    5. Encryption Selection in Kerberos Exchanges
    6. Supported Kerberos Cipher Suites
    Third party libraries
    Waffle

    Full details of this solution can be found through the Waffle web site. The key features are:

    • Drop-in solution
    • Simple configuration (no JAAS or Kerberos keytab configuration required)
    • Uses a native library
    Spring Security - Kerberos Extension

    Full details of this solution can be found through the Kerberos extension web site. The key features are:

    • Extension to Spring Security
    • Requires a Kerberos keytab file to be generated
    • Pure Java solution
    SPNEGO project at SourceForge

    Full details of this solution can be found through the project site. The key features are:

    • Uses Kerberos
    • Pure Java solution
    Jespa

    Full details of this solution can be found through the project web siteThe key features are:

    • Pure Java solution
    • Advanced Active Directory integration
    Reverse proxies
    Microsoft IIS

    There are three steps to configuring IIS to provide Windows authentication. They are:

    1. Configure IIS as a reverse proxy for Tomcat (see the IIS Web Server How-To).
    2. Configure IIS to use Windows authentication
    3. Configure Tomcat to use the authentication user information from IIS by setting the tomcatAuthentication attribute on the AJP connector to false. Alternatively, set the tomcatAuthorization attribute to true to allow IIS to authenticate, while Tomcat performs the authorization.
    Apache httpd

    Apache httpd does not support Windows authentication out of the box but there are a number of third-party modules that can be used. These include:

    1. mod_auth_sspi for use on Windows platforms.
    2. mod_auth_ntlm_winbind for non-Windows platforms. Known to work with httpd 2.0.x on 32-bit platforms. Some users have reported stability issues with both httpd 2.2.x builds and 64-bit Linux builds.

    There are three steps to configuring httpd to provide Windows authentication. They are:

    1. Configure httpd as a reverse proxy for Tomcat (see the Apache httpd Web Server How-To).
    2. Configure httpd to use Windows authentication
    3. Configure Tomcat to use the authentication user information from httpd by setting the tomcatAuthentication attribute on the AJP connector to false.
    Comments

    Notice: This comments section collects your suggestions on improving documentation for Apache Tomcat.

    If you have trouble and need help, read Find Help page and ask your question on the tomcat-users qq游戏里有十三水这个游戏吗. Do not ask such questions here. This is not a Q&A section.

    The Apache Comments System is explained here. Comments may be removed by our moderators if they are either implemented or considered invalid/off-topic.


    Copyright © 1999-2016, Apache Software Foundation
  • 绍兴印染布质量比对成果发布 部分指标国际领先 2019-07-11
  • 陕西守艺人丨一场大火后,她带领600羌州绣娘从头开始 2019-07-11
  • 今日武汉中考考生可看考点考场 进行英语听力试听 2019-07-08
  • 中方坚决捍卫国家利益和人民利益 2019-07-08
  • "创造101"杨超越引争议 表演业余人气高别光怨选手 2019-07-07
  • 风水神话的回帖除了对我的攻击以外吗,别的还有什么吗? 2019-06-21
  • 通过学历教育、职业培训、在线学习等渠道 新区居民将享天津职教资源 2019-06-17
  • 千名新疆学子的梦想在鄱湖之滨启航 2019-06-13
  • 晋冀鲁豫人民日报印刷厂的组建与迁徙 2019-06-01
  • 高清图集:习近平在山东考察 2019-05-28
  • 让海淀城市“名片”更闪亮 2019-05-28
  • 轻生活,做不一样的自己 2019-05-27
  • 【理上网来·辉煌十九大】德国北威州经济部长:十九大报告表明中国有能力为世界做出更多贡献 2019-05-27
  • 端午出行怕拥堵 别慌,这里有一份出行指南 2019-05-24
  • 空军飞行学员展开高强度实战打靶 消耗千余枚弹药 2019-05-24
  • 3d定制女仆2 山西快乐十分开奖前三 六合彩二肖中特 福利彩票18选7开奖结果 怎么透视刮刮乐图层 广西快3一共多少期 快乐10分任3 新疆时时彩五星通选咋样是中奖 本彩新疆11选5 乐玩五分彩 中国足彩网甘肃快3 如何下载新浪彩票网 七星彩趣味看图测彩 双色球杀号爱彩网 西甲足球新闻