Roles of Tomcat, groups of Windows

Coordinator
Jan 21, 2010 at 5:43 PM
Edited Jan 25, 2010 at 8:41 PM

How do you define the Tomcat roles with the Windows groups?

To define roles for your Tomcat application in the file web.xml, you map the roles onto Windows groups. You can use local groups of your authentication server, that is, the server where the users are authenticated (the server where Tomcat is running if you use the dll, or the server where Negoserver is running if you use tcp). You can use all the global and universal groups defined in your Active Directory forest. You can also use the domain local groups defined in the domain that holds the account of your authentication server.

Why global and local groups?

Take a set of resources on a server. For each authorization, you define a partition of that set: resources A and B are in the same subset of the partition if and only if anyone who has this authorization on A also has it on B. You define roles and grant the authorizations via these subsets of resources.
Roles are associated with accounts. To do that, you define global groups in each domain, and accounts are put into these groups when they are created.
To define the authorizations on the resources, you use the abstract subsets defined above. In practice you cannot define the subsets directly, so you use a local group to associate a subset of resources with an authorization: you grant that authorization on each resource of the subset to the local group.
To grant the authorization on a subset of resources to a role, you put the global groups associated with the roles into the local groups.

Why use this procedure?
1) When you modify the roles of a user, you only have to change the membership of the global groups. You do not have to modify the permissions on the resources.
2) If a new role is added, you do not have to modify the authorizations on the resources. You only have to add a new global group and put it into the local groups.
3) If an account is deleted, it is automatically removed from all the global groups. The administrators have nothing to do. So, do not put Active Directory accounts in a domain local group or in a local group of a server.

This procedure, often called AGDLP (Account, Global group, Domain Local group, Permission), is used to define rights on files. See http://en.wikipedia.org/wiki/AGDLP
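As an added example (not part of the original post or the project), here is a small model of the AGDLP nesting described above, so that the three points can be checked: permissions are granted to local groups only, roles are global groups nested into them, and accounts sit only in global groups. All group, account and resource names are constructed for illustration.

```python
from typing import Dict, Set

# Accounts -> global groups (the roles). Constructed sample data.
global_groups: Dict[str, Set[str]] = {
    "CORP\\G-Accounting": {"alice", "bob"},
    "EU\\G-Accounting": {"carol"},        # same role, second domain of the forest
    "CORP\\G-Auditors": {"dave"},
}

# Local (domain local or server local) groups -> nested global groups.
# Each local group stands for one subset of resources plus one authorization.
local_groups: Dict[str, Set[str]] = {
    "SRV\\L-Ledger-Read": {"CORP\\G-Accounting", "EU\\G-Accounting", "CORP\\G-Auditors"},
    "SRV\\L-Ledger-Write": {"CORP\\G-Accounting", "EU\\G-Accounting"},
}

# Resources -> {permission: local groups granted it}. Permissions go to
# local groups only, never directly to accounts or global groups.
resource_acl: Dict[str, Dict[str, Set[str]]] = {
    "/ledger/2010": {"read": {"SRV\\L-Ledger-Read"}, "write": {"SRV\\L-Ledger-Write"}},
    "/ledger/2009": {"read": {"SRV\\L-Ledger-Read"}},  # archived: nobody may write
}

def roles_of(account: str) -> Set[str]:
    """Global groups (roles) the account belongs to."""
    return {g for g, members in global_groups.items() if account in members}

def has_permission(account: str, resource: str, permission: str) -> bool:
    """A -> G -> DL -> P: resolve the nesting rather than consulting the account directly."""
    granted_to = resource_acl.get(resource, {}).get(permission, set())
    return any(roles_of(account) & local_groups.get(lg, set()) for lg in granted_to)

def delete_account(account: str) -> None:
    """Point 3: deleting an account removes it from every global group;
    local groups and resource ACLs are untouched."""
    for members in global_groups.values():
        members.discard(account)

def add_role(global_group: str, accounts: Set[str], join: Set[str]) -> None:
    """Point 2: a new role is a new global group nested into the right local
    groups; no ACL on any resource changes."""
    global_groups[global_group] = set(accounts)
    for lg in join:
        local_groups[lg].add(global_group)
```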

What is the best procedure to define the Tomcat roles?

If you have only one domain in your forest, you can use the global groups directly (they are the roles too). If you have many domains in your forest, use the global groups to define the roles of the users and put the global groups of your different domains into domain local groups (the Tomcat roles). If you are allowed to create these groups, create local groups on the authentication server.

To define the roles in the file web.xml of your Tomcat application, see the files configure.txt. You find them in trunk***.zip