升级Tomcat版本 apache-tomcat-7.0.77
diff --git a/tomcat-uidm/webapps/docs/windows-auth-howto.html b/tomcat-uidm/webapps/docs/windows-auth-howto.html
new file mode 100644
index 0000000..ce082da
--- /dev/null
+++ b/tomcat-uidm/webapps/docs/windows-auth-howto.html
@@ -0,0 +1,398 @@
+<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tomcat 7 (7.0.77) - Windows Authentication How-To</title><style type="text/css" media="print">
+ .noPrint {display: none;}
+ td#mainBody {width: 100%;}
+</style><style type="text/css">
+code {background-color:rgb(224,255,255);padding:0 0.1em;}
+code.attributeName, code.propertyName {background-color:transparent;}
+
+
+table {
+ border-collapse: collapse;
+ text-align: left;
+}
+table *:not(table) {
+ /* Prevent border-collapsing for table child elements like <div> */
+ border-collapse: separate;
+}
+
+th {
+ text-align: left;
+}
+
+
+div.codeBox pre code, code.attributeName, code.propertyName, code.noHighlight, .noHighlight code {
+ background-color: transparent;
+}
+div.codeBox {
+ overflow: auto;
+ margin: 1em 0;
+}
+div.codeBox pre {
+ margin: 0;
+ padding: 4px;
+ border: 1px solid #999;
+ border-radius: 5px;
+ background-color: #eff8ff;
+ display: table; /* To prevent <pre>s from taking the complete available width. */
+ /*
+ When it is officially supported, use the following CSS instead of display: table
+ to prevent big <pre>s from exceeding the browser window:
+ max-width: available;
+ width: min-content;
+ */
+}
+
+div.codeBox pre.wrap {
+ white-space: pre-wrap;
+}
+
+
+table.defaultTable tr, table.detail-table tr {
+ border: 1px solid #CCC;
+}
+
+table.defaultTable tr:nth-child(even), table.detail-table tr:nth-child(even) {
+ background-color: #FAFBFF;
+}
+
+table.defaultTable tr:nth-child(odd), table.detail-table tr:nth-child(odd) {
+ background-color: #EEEFFF;
+}
+
+table.defaultTable th, table.detail-table th {
+ background-color: #88b;
+ color: #fff;
+}
+
+table.defaultTable th, table.defaultTable td, table.detail-table th, table.detail-table td {
+ padding: 5px 8px;
+}
+
+
+p.notice {
+ border: 1px solid rgb(255, 0, 0);
+ background-color: rgb(238, 238, 238);
+ color: rgb(0, 51, 102);
+ padding: 0.5em;
+ margin: 1em 2em 1em 1em;
+}
+</style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img src="./images/tomcat.gif" align="right" alt="
+ The Apache Tomcat Servlet/JSP Container
+ " border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font face="arial,helvetica,sanserif">Version 7.0.77, Mar 28 2017</font></td><td><!--APACHE LOGO--><a href="http://www.apache.org/"><img src="./images/asf-logo.svg" align="right" alt="Apache Logo" border="0" style="width: 266px;height: 83px;"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap class="noPrint"><p><strong>Links</strong></p><ul><li><a href="index.html">Docs Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a href="#comments_section">User Comments</a></li></ul><p><strong>User Guide</strong></p><ul><li><a href="introduction.html">1) Introduction</a></li><li><a href="setup.html">2) Setup</a></li><li><a href="appdev/index.html">3) First webapp</a></li><li><a href="deployer-howto.html">4) Deployer</a></li><li><a href="manager-howto.html">5) Manager</a></li><li><a href="realm-howto.html">6) Realms and AAA</a></li><li><a href="security-manager-howto.html">7) Security Manager</a></li><li><a href="jndi-resources-howto.html">8) JNDI Resources</a></li><li><a href="jndi-datasource-examples-howto.html">9) JDBC DataSources</a></li><li><a href="class-loader-howto.html">10) Classloading</a></li><li><a href="jasper-howto.html">11) JSPs</a></li><li><a href="ssl-howto.html">12) SSL/TLS</a></li><li><a href="ssi-howto.html">13) SSI</a></li><li><a href="cgi-howto.html">14) CGI</a></li><li><a href="proxy-howto.html">15) Proxy Support</a></li><li><a href="mbeans-descriptors-howto.html">16) MBeans Descriptors</a></li><li><a href="default-servlet.html">17) Default Servlet</a></li><li><a href="cluster-howto.html">18) Clustering</a></li><li><a href="balancer-howto.html">19) Load Balancer</a></li><li><a href="connectors.html">20) Connectors</a></li><li><a href="monitoring.html">21) Monitoring and Management</a></li><li><a href="logging.html">22) Logging</a></li><li><a href="apr.html">23) APR/Native</a></li><li><a href="virtual-hosting-howto.html">24) Virtual Hosting</a></li><li><a href="aio.html">25) Advanced IO</a></li><li><a href="extras.html">26) Additional Components</a></li><li><a href="maven-jars.html">27) Mavenized</a></li><li><a href="security-howto.html">28) Security Considerations</a></li><li><a href="windows-service-howto.html">29) Windows Service</a></li><li><a href="windows-auth-howto.html">30) Windows Authentication</a></li><li><a href="jdbc-pool.html">31) Tomcat's JDBC Pool</a></li><li><a href="web-socket-howto.html">32) WebSocket</a></li></ul><p><strong>Reference</strong></p><ul><li><a href="RELEASE-NOTES.txt">Release Notes</a></li><li><a href="config/index.html">Configuration</a></li><li><a href="api/index.html">Tomcat Javadocs</a></li><li><a href="servletapi/index.html">Servlet Javadocs</a></li><li><a href="jspapi/index.html">JSP 2.2 Javadocs</a></li><li><a href="elapi/index.html">EL 2.2 Javadocs</a></li><li><a href="websocketapi/index.html">WebSocket 1.1 Javadocs</a></li><li><a href="http://tomcat.apache.org/connectors-doc/">JK 1.2 Documentation</a></li></ul><p><strong>Apache Tomcat Development</strong></p><ul><li><a href="building.html">Building</a></li><li><a href="changelog.html">Changelog</a></li><li><a href="http://wiki.apache.org/tomcat/TomcatVersions">Status</a></li><li><a href="developers.html">Developers</a></li><li><a href="architecture/index.html">Architecture</a></li><li><a href="funcspecs/index.html">Functional Specs.</a></li><li><a href="tribes/introduction.html">Tribes</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left" id="mainBody"><h1>Windows Authentication How-To</h1><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Table of Contents"><!--()--></a><a name="Table_of_Contents"><strong>Table of Contents</strong></a></font></td></tr><tr><td><blockquote>
+<ul><li><a href="#Overview">Overview</a></li><li><a href="#Built-in_Tomcat_support">Built-in Tomcat support</a><ol><li><a href="#Domain_Controller">Domain Controller</a></li><li><a href="#Tomcat_instance_(Windows_server)">Tomcat instance (Windows server)</a></li><li><a href="#Tomcat_instance_(Linux_server)">Tomcat instance (Linux server)</a></li><li><a href="#Web_application">Web application</a></li><li><a href="#Client">Client</a></li><li><a href="#References">References</a></li></ol></li><li><a href="#Third_party_libraries">Third party libraries</a><ol><li><a href="#Waffle">Waffle</a></li><li><a href="#Spring_Security_-_Kerberos_Extension">Spring Security - Kerberos Extension</a></li><li><a href="#SPNEGO_project_at_SourceForge">SPNEGO project at SourceForge</a></li><li><a href="#Jespa">Jespa</a></li></ol></li><li><a href="#Reverse_proxies">Reverse proxies</a><ol><li><a href="#Microsoft_IIS">Microsoft IIS</a></li><li><a href="#Apache_httpd">Apache httpd</a></li></ol></li></ul>
+</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Overview"><strong>Overview</strong></a></font></td></tr><tr><td><blockquote>
+<p>Integrated Windows authentication is most frequently used within intranet
+environments since it requires that the server performing the authentication and
+the user being authenticated are part of the same domain. For the user to be
+authenticated automatically, the client machine used by the user must also be
+part of the domain.</p>
+<p>There are several options for implementing integrated Windows authentication
+with Apache Tomcat. They are:
+<ul>
+<li>Built-in Tomcat support.</li>
+<li>Use a third party library such as Waffle.</li>
+<li>Use a reverse proxy that supports Windows authentication to perform the
+authentication step such as IIS or httpd.</li>
+</ul>
+The configuration of each of these options is discussed in the following
+sections.</p>
+</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Built-in Tomcat support"><!--()--></a><a name="Built-in_Tomcat_support"><strong>Built-in Tomcat support</strong></a></font></td></tr><tr><td><blockquote>
+<p>Kerberos (the basis for integrated Windows authentication) requires careful
+configuration. If the steps in this guide are followed exactly, then a working
+configuration will result. It is important that the steps below are followed
+exactly. There is very little scope for flexibility in the configuration. From
+the testing to date it is known that:</p>
+<ul>
+<li>The host name used to access the Tomcat server must match the host name in
+the SPN exactly else authentication will fail. A checksum error may be reported
+in the debug logs in this case.</li>
+<li>The client must be of the view that the server is part of the local trusted
+intranet.</li>
+<li>The SPN must be HTTP/<hostname> and it must be exactly the same in all
+the places it is used.</li>
+<li>The port number must not be included in the SPN.</li>
+<li>No more than one SPN may be mapped to a domain user.</li>
+<li>Tomcat must run as the domain account with which the SPN has been associated
+or as domain admin. It is <strong>NOT</strong> recommended to run Tomcat under a
+domain admin user.</li>
+<li>The domain name (<code>DEV.LOCAL</code>) is not case sensitive when used in
+the ktpass command, nor when used in jaas.conf</li>
+<li>The domain must be specified when using the ktpass command</li>
+</ul>
+<p>There are four components to the configuration of the built-in Tomcat
+support for Windows authentication. The domain controller, the server hosting
+Tomcat, the web application wishing to use Windows authentication and the client
+machine. The following sections describe the configuration required for each
+component.</p>
+<p>The names of the three machines used in the configuration examples below are
+win-dc01.dev.local (the domain controller), win-tc01.dev.local (the Tomcat
+instance) and win-pc01.dev.local (client). All are members of the DEV.LOCAL
+domain.</p>
+<p>Note: In order to use the passwords in the steps below, the domain password
+policy had to be relaxed. This is not recommended for production environments.
+</p>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Domain Controller"><!--()--></a><a name="Domain_Controller"><strong>Domain Controller</strong></a></font></td></tr><tr><td><blockquote>
+ <p>These steps assume that the server has already been configured to act as a
+ domain controller. Configuration of a Windows server as a domain controller is
+ outside the scope of this how-to. The steps to configure the domain controller
+ to enable Tomcat to support Windows authentication are as follows:
+ </p>
+ <ul>
+ <li>Create a domain user that will be mapped to the service name used by the
+ Tomcat server. In this how-to, this user is called <code>tc01</code> and has a
+ password of <code>tc01pass</code>.</li>
+ <li>Map the service principal name (SPN) to the user account. SPNs take the
+ form <code>
+ <service class>/<host>:<port>/<service name></code>.
+ The SPN used in this how-to is <code>HTTP/win-tc01.dev.local</code>. To
+ map the user to the SPN, run the following:
+ <div class="codeBox"><pre><code>setspn -A HTTP/win-tc01.dev.local tc01</code></pre></div>
+ </li>
+ <li>Generate the keytab file that the Tomcat server will use to authenticate
+ itself to the domain controller. This file contains the Tomcat private key for
+ the service provider account and should be protected accordingly. To generate
+ the file, run the following command (all on a single line):
+ <div class="codeBox"><pre><code>ktpass /out c:\tomcat.keytab /mapuser tc01@DEV.LOCAL
+ /princ HTTP/win-tc01.dev.local@DEV.LOCAL
+ /pass tc01pass /kvno 0</code></pre></div></li>
+ <li>Create a domain user to be used on the client. In this how-to the domain
+ user is <code>test</code> with a password of <code>testpass</code>.</li>
+ </ul>
+ <p>The above steps have been tested on a domain controller running Windows
+ Server 2008 R2 64-bit Standard using the Windows Server 2003 functional level
+ for both the forest and the domain.
+ </p>
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Tomcat instance (Windows server)"><!--()--></a><a name="Tomcat_instance_(Windows_server)"><strong>Tomcat instance (Windows server)</strong></a></font></td></tr><tr><td><blockquote>
+ <p>These steps assume that Tomcat and a Java 6 JDK/JRE have already been
+ installed and configured and that Tomcat is running as the tc01@DEV.LOCAL
+ user. The steps to configure the Tomcat instance for Windows authentication
+ are as follows:
+ </p>
+ <ul>
+ <li>Copy the <code>tomcat.keytab</code> file created on the domain controller
+ to <code>$CATALINA_BASE/conf/tomcat.keytab</code>.</li>
+ <li>Create the kerberos configuration file
+ <code>$CATALINA_BASE/conf/krb5.ini</code>. The file used in this how-to
+ contained:<div class="codeBox"><pre><code>[libdefaults]
+default_realm = DEV.LOCAL
+default_keytab_name = FILE:c:\apache-tomcat-7.0.x\conf\tomcat.keytab
+default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
+default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
+forwardable=true
+
+[realms]
+DEV.LOCAL = {
+ kdc = win-dc01.dev.local:88
+}
+
+[domain_realm]
+dev.local= DEV.LOCAL
+.dev.local= DEV.LOCAL</code></pre></div>
+ The location of this file can be changed by setting the
+ <code>java.security.krb5.conf</code> system property.</li>
+ <li>Create the JAAS login configuration file
+ <code>$CATALINA_BASE/conf/jaas.conf</code>. The file used in this how-to
+ contained:<div class="codeBox"><pre><code>com.sun.security.jgss.krb5.initiate {
+ com.sun.security.auth.module.Krb5LoginModule required
+ doNotPrompt=true
+ principal="HTTP/win-tc01.dev.local@DEV.LOCAL"
+ useKeyTab=true
+ keyTab="c:/apache-tomcat-7.0.x/conf/tomcat.keytab"
+ storeKey=true;
+};
+
+com.sun.security.jgss.krb5.accept {
+ com.sun.security.auth.module.Krb5LoginModule required
+ doNotPrompt=true
+ principal="HTTP/win-tc01.dev.local@DEV.LOCAL"
+ useKeyTab=true
+ keyTab="c:/apache-tomcat-7.0.x/conf/tomcat.keytab"
+ storeKey=true;
+};</code></pre></div>
+ The location of this file can be changed by setting the
+ <code>java.security.auth.login.config</code> system property. The LoginModule
+ used is a JVM specific one so ensure that the LoginModule specified matches
+ the JVM being used. The name of the login configuration must match the
+ value used by the <a href="config/valve.html#SPNEGO_Valve">authentication
+ valve</a>.</li>
+ </ul>
+ <p>The SPNEGO authenticator will work with any <a href="config/realm.html">
+ Realm</a> but if used with the JNDI Realm, by default the JNDI Realm will use
+ the user's delegated credentials to connect to the Active Directory.
+ </p>
+ <p>The above steps have been tested on a Tomcat server running Windows Server
+ 2008 R2 64-bit Standard with an Oracle 1.6.0_24 64-bit JDK.</p>
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Tomcat instance (Linux server)"><!--()--></a><a name="Tomcat_instance_(Linux_server)"><strong>Tomcat instance (Linux server)</strong></a></font></td></tr><tr><td><blockquote>
+ <p>This was tested with:</p>
+ <ul>
+ <li>Java 1.7.0, update 45, 64-bit</li>
+ <li>Ubuntu Server 12.04.3 LTS 64-bit</li>
+ <li>Tomcat 8.0.x (r1546570)</li>
+ </ul>
+ <p>It should work with any Tomcat 7 release from 7.0.12 onwards although it is
+ recommended that the latest stable release is used.</p>
+ <p>The configuration is the same as for Windows but with the following
+ changes:</p>
+ <ul>
+ <li>The Linux server does not have to be part of the Windows domain.</li>
+ <li>The path to the keytab file in krb5.ini and jass.conf should be updated
+ to reflect the path to the keytab file on the Linux server using Linux
+ style file paths (e.g. /usr/local/tomcat/...).</li>
+ </ul>
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Web application"><!--()--></a><a name="Web_application"><strong>Web application</strong></a></font></td></tr><tr><td><blockquote>
+ <p>The web application needs to be configured to the use Tomcat specific
+ authentication method of <code>SPNEGO</code> (rather than BASIC etc.) in
+ web.xml. As with the other authenticators, behaviour can be customised by
+ explicitly configuring the <a href="config/valve.html#SPNEGO_Valve">
+ authentication valve</a> and setting attributes on the Valve.</p>
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Client"><strong>Client</strong></a></font></td></tr><tr><td><blockquote>
+ <p>The client must be configured to use Kerberos authentication. For Internet
+ Explorer this means making sure that the Tomcat instance is in the "Local
+ intranet" security domain and that it is configured (Tools > Internet
+ Options > Advanced) with integrated Windows authentication enabled. Note that
+ this <strong>will not</strong> work if you use the same machine for the client
+ and the Tomcat instance as Internet Explorer will use the unsupported NTLM
+ protocol.</p>
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="References"><strong>References</strong></a></font></td></tr><tr><td><blockquote>
+ <p>Correctly configuring Kerberos authentication can be tricky. The following
+ references may prove helpful. Advice is also always available from the
+ <a href="http://tomcat.apache.org/lists.html#tomcat-users">Tomcat users
+ mailing list</a>.</p>
+ <ol>
+ <li><a href="http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx">
+ IIS and Kerberos</a></li>
+ <li><a href="http://spnego.sourceforge.net/index.html">
+ SPNEGO project at SourceForge</a></li>
+ <li><a href="http://docs.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/index.html">
+ Oracle JGSS tutorial</a></li>
+ <li><a href="https://cwiki.apache.org/confluence/display/GMOxDOC21/Using+SPNEGO+in+Geronimo#UsingSPNEGOinGeronimo-SettinguptheDomainControllerMachine">
+ Geronimo configuration for Windows authentication</a></li>
+ <li><a href="http://blogs.msdn.com/b/openspecification/archive/2010/11/17/encryption-type-selection-in-kerberos-exchanges.aspx">
+ Encryption Selection in Kerberos Exchanges</a></li>
+ <li><a href="http://support.microsoft.com/kb/977321">Supported Kerberos Cipher
+ Suites</a></li>
+ </ol>
+ </blockquote></td></tr></table>
+
+</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Third party libraries"><!--()--></a><a name="Third_party_libraries"><strong>Third party libraries</strong></a></font></td></tr><tr><td><blockquote>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Waffle"><strong>Waffle</strong></a></font></td></tr><tr><td><blockquote>
+ <p>Full details of this solution can be found through the
+ <a href="http://waffle.codeplex.com/" rel="nofollow">Waffle web site</a>. The
+ key features are:</p>
+ <ul>
+ <li>Drop-in solution</li>
+ <li>Simple configuration (no JAAS or Kerberos keytab configuration required)
+ </li>
+ <li>Uses a native library</li>
+ </ul>
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Spring Security - Kerberos Extension"><!--()--></a><a name="Spring_Security_-_Kerberos_Extension"><strong>Spring Security - Kerberos Extension</strong></a></font></td></tr><tr><td><blockquote>
+ <p>Full details of this solution can be found through the
+ <a href="http://static.springsource.org/spring-security/site/extensions/krb/index.html" rel="nofollow"> Kerberos extension web site</a>. The key features are:</p>
+ <ul>
+ <li>Extension to Spring Security</li>
+ <li>Requires a Kerberos keytab file to be generated</li>
+ <li>Pure Java solution</li>
+ </ul>
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="SPNEGO project at SourceForge"><!--()--></a><a name="SPNEGO_project_at_SourceForge"><strong>SPNEGO project at SourceForge</strong></a></font></td></tr><tr><td><blockquote>
+ <p>Full details of this solution can be found through the
+ <a href="http://spnego.sourceforge.net/index.html/" rel="nofollow">project
+ site</a>. The key features are:</p>
+ <ul>
+ <li>Uses Kerberos</li>
+ <li>Pure Java solution</li>
+ </ul>
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Jespa"><strong>Jespa</strong></a></font></td></tr><tr><td><blockquote>
+ <p>Full details of this solution can be found through the
+ <a href="http://www.ioplex.com/" rel="nofollow">project web site</a>The key
+ features are:</p>
+ <ul>
+ <li>Pure Java solution</li>
+ <li>Advanced Active Directory integration</li>
+ </ul>
+ </blockquote></td></tr></table>
+</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Reverse proxies"><!--()--></a><a name="Reverse_proxies"><strong>Reverse proxies</strong></a></font></td></tr><tr><td><blockquote>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Microsoft IIS"><!--()--></a><a name="Microsoft_IIS"><strong>Microsoft IIS</strong></a></font></td></tr><tr><td><blockquote>
+ <p>There are three steps to configuring IIS to provide Windows authentication.
+ They are:</p>
+ <ol>
+ <li>Configure IIS as a reverse proxy for Tomcat (see the
+ <a href="http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html">
+ IIS Web Server How-To)</a>.</li>
+ <li>Configure IIS to use Windows authentication</li>
+ <li>Configure Tomcat to use the authentication user information from IIS by
+ setting the tomcatAuthentication attribute on the <a href="config/ajp.html">
+ AJP connector</a> to <code>false</code>. Alternatively, set the
+ tomcatAuthorization attribute to <code>true</code> to allow IIS to
+ authenticate, while Tomcat performs the authorization.</li>
+ </ol>
+ </blockquote></td></tr></table>
+
+ <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Apache httpd"><!--()--></a><a name="Apache_httpd"><strong>Apache httpd</strong></a></font></td></tr><tr><td><blockquote>
+ <p>Apache httpd does not support Windows authentication out of the box but
+ there are a number of third-party modules that can be used. These include:</p>
+ <ol>
+ <li><a href="http://sourceforge.net/projects/mod-auth-sspi/" rel="nofollow">mod_auth_sspi</a> for use on Windows platforms.</li>
+ <li><a href="http://adldap.sourceforge.net/wiki/doku.php?id=mod_auth_ntlm_winbind" rel="nofollow">mod_auth_ntlm_winbind</a> for non-Windows platforms. Known to
+ work with httpd 2.0.x on 32-bit platforms. Some users have reported stability
+ issues with both httpd 2.2.x builds and 64-bit Linux builds.</li>
+ </ol>
+ <p>There are three steps to configuring httpd to provide Windows
+ authentication. They are:</p>
+ <ol>
+ <li>Configure httpd as a reverse proxy for Tomcat (see the
+ <a href="http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html">
+ Apache httpd Web Server How-To)</a>.</li>
+ <li>Configure httpd to use Windows authentication</li>
+ <li>Configure Tomcat to use the authentication user information from httpd by
+ setting the tomcatAuthentication attribute on the <a href="config/ajp.html">
+ AJP connector</a> to <code>false</code>.</li>
+ </ol>
+ </blockquote></td></tr></table>
+
+</blockquote></td></tr></table></td></tr><tr class="noPrint"><td width="20%" valign="top" nowrap class="noPrint"></td><td width="80%" valign="top" align="left"><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="comments_section" id="comments_section"><strong>Comments</strong></a></font></td></tr><tr><td><blockquote><p class="notice"><strong>Notice: </strong>This comments section collects your suggestions
+ on improving documentation for Apache Tomcat.<br><br>
+ If you have trouble and need help, read
+ <a href="http://tomcat.apache.org/findhelp.html">Find Help</a> page
+ and ask your question on the tomcat-users
+ <a href="http://tomcat.apache.org/lists.html">mailing list</a>.
+ Do not ask such questions here. This is not a Q&A section.<br><br>
+ The Apache Comments System is explained <a href="./comments.html">here</a>.
+ Comments may be removed by our moderators if they are either
+ implemented or considered invalid/off-topic.</p><script type="text/javascript"><!--//--><![CDATA[//><!--
+ var comments_shortname = 'tomcat';
+ var comments_identifier = 'http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html';
+ (function(w, d) {
+ if (w.location.hostname.toLowerCase() == "tomcat.apache.org") {
+ d.write('<div id="comments_thread"><\/div>');
+ var s = d.createElement('script');
+ s.type = 'text/javascript';
+ s.async = true;
+ s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
+ (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
+ }
+ else {
+ d.write('<div id="comments_thread"><strong>Comments are disabled for this page at the moment.<\/strong><\/div>');
+ }
+ })(window, document);
+ //--><!]]></script></blockquote></td></tr></table></td></tr><!--FOOTER SEPARATOR--><tr><td colspan="2"><hr noshade size="1"></td></tr><!--PAGE FOOTER--><tr><td colspan="2"><div align="center"><font color="#525D76" size="-1"><em>
+ Copyright © 1999-2017, Apache Software Foundation
+ </em></font></div></td></tr></table></body></html>
\ No newline at end of file