Choosing and Using Authenticators

Choose an authenticator which will determine a user's identity. Usually, the SpnegoAuthenticator will do, but during local development you will find the CurrentWindowsIdentityAuthenticator very handy.

The SPNEGO Authenticator

The SpnegoAuthenticator challenges the client to perform SPNEGO authentication. In turn the server accepts a GSS context by validating an authentication token and responds with a proper token to the client.

Attention
Though SPNEGO is intended to negotiate a mechanism, the Oracle JVM currently supports only Kerberos 5 and not NTLM, due to NTLM's proprietary nature. In any case, Microsoft 1) discourages relying on NTLM.

Open or create your app's context.xml and add:

<Context>
[…]
  <!-- Add this -->
  <Valve className="net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator"
    loginEntryName="a-login-entry" />
[…]
</Context>

Provide the login entry name from your login.conf configured for the machine account capable of accepting GSS contexts with SPNEGO/Kerberos.

You have successfully configured the SpnegoAuthenticator in your webapp. It is now ready to use.

Using an Authenticator During Development

After examining the authenticator above, you will probably ask yourself: how do I use that on my local development machine? CurrentWindowsIdentityAuthenticator to the rescue. It automatically obtains the GSS credential of the currently logged-in domain user and logs you in to the application. This is very handy when you are running your Tomcat instance inside Eclipse.

Open or create your app's context.xml and add:

<Context>
[…]
  <!-- Add this -->
  <Valve className="net.sf.michaelo.tomcat.authenticator.CurrentWindowsIdentityAuthenticator"
    loginEntryName="a-login-entry" />
[…]
</Context>

Provide the login entry name from your login.conf configured for your user account capable of initiating GSS contexts with SPNEGO/Kerberos.

Warning
Do not use this in production. This has been created for the ease of development and testing purposes only.

Now you have successfully configured the CurrentWindowsIdentityAuthenticator in your webapp. It is now ready to use.
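The two kinds of login entry referred to above, as an added example that is not taken from the project's own documentation. It assumes the JDK's Krb5LoginModule; the entry name a-dev-login-entry, the keytab path, the principal and the realm are constructed placeholders, and each entry name must match the loginEntryName of the valve that uses it.

```conf
// Constructed JAAS login.conf example. Principal, realm and keytab path
// are placeholders and must be replaced with your own values.

// Entry for SpnegoAuthenticator: the machine account accepts GSS contexts.
a-login-entry {
  com.sun.security.auth.module.Krb5LoginModule required
    // Take the long-term key from a keytab, never from a prompt.
    useKeyTab=true
    keyTab="/path/to/placeholder.keytab"
    principal="PLACEHOLDER$@EXAMPLE.COM"
    // Keep the key in the Subject so incoming tokens can be validated.
    storeKey=true
    // Accept-only: no TGT is requested at login. Leave this out if the
    // same entry must also initiate contexts elsewhere.
    isInitiator=false
    doNotPrompt=true;
};

// Entry for CurrentWindowsIdentityAuthenticator (development only): the
// logged-in user initiates GSS contexts from the existing ticket cache.
a-dev-login-entry {
  com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    renewTGT=true
    doNotPrompt=true;
};
```

The keytab holds the account's long-term key, so restrict read access to the account that runs Tomcat. The development entry needs no keytab because it reuses the ticket of the interactive session.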

The Next Step

After you have properly configured an authenticator, go on to the realm.