Roles definition, not in ActiveDirectory

Jun 24, 2010 at 7:27 AM


The roles we can use seem to be defined in ActiveDirectory/Windows. The problem is that we do not necessarily have administration rights on ActiveDirectory.

So my question is, can we define the roles in a local file on the tomcat server and then associate the different users with each group, and leave the authentication to ActiveDirectory?

I imagine something like the tomcat-users file without the passwords in it. This way, I can create as many groups as I need without any impact on ActiveDirectory.


Thanks for any answer.


Jun 24, 2010 at 7:31 PM


There are two solutions:

1) You can use the local groups of the Windows server. If tomcat is running on unix, define the groups on the server where Negoserver is running. Although you are not an administrator of the server, you can create local groups on this server.


a) With JNA, you comment out the line <Realm className="fr.doume.v3.realm.WindowsRealm" />, or with TCP <Realm className="fr.doume.v2.realm.WindowsRealm" />

b) uncomment <Parameter name="nogroupsinad" value="" override="false" />

c) add the groups in tomcat-users.xml and for each user add a line <user username="YourUser" password="YourUser" roles="users,role1,role2" />. You give the name of the user as the password and you remove the prefix before the char '\'. For instance, if your user is TEST\TheNameOfTheUser, the value of username is "TheNameOfTheUser".

d) Verify in server.xml that the line <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> is not in a comment
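Steps a) to d) put together as one set of configuration fragments. This is an added example, not part of the original answer or of the realm project: the realm class names, the nogroupsinad parameter and the user TEST\TheNameOfTheUser come from the post above; the file locations (server.xml, the web application's context.xml, tomcat-users.xml), the role names role1/role2 and the second user AnotherUser are assumptions.

```xml
<!-- conf/server.xml (assumed location): the Windows realm from step a) is
     commented out; the UserDatabaseRealm from step d) must stay active so
     that roles are read from tomcat-users.xml. The JNA (v3) variant is
     shown; with TCP the class is fr.doume.v2.realm.WindowsRealm. -->
<!-- <Realm className="fr.doume.v3.realm.WindowsRealm" /> -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"/>

<!-- Web application context.xml (assumed location), step b):
     authentication stays in Active Directory, group lookup in AD is off. -->
<Parameter name="nogroupsinad" value="" override="false" />

<!-- conf/tomcat-users.xml, step c): roles are defined locally.
     The password attribute is only a placeholder; the post says to repeat
     the user name. The domain prefix "TEST\" is dropped from the login.
     role1/role2 and the user AnotherUser are assumed names. -->
<tomcat-users>
  <role rolename="users"/>
  <role rolename="role1"/>
  <role rolename="role2"/>
  <user username="TheNameOfTheUser" password="TheNameOfTheUser"
        roles="users,role1,role2"/>
  <user username="AnotherUser" password="AnotherUser"
        roles="users,role1"/>
</tomcat-users>
```

The UserDatabaseRealm resolves resourceName="UserDatabase" through the UserDatabase resource that a stock server.xml declares under GlobalNamingResources, pointing at conf/tomcat-users.xml, so that default entry needs to be present as well. Because every entry's password is just the login name, this tomcat-users.xml must never be the realm behind a BASIC or FORM login on the same server: anyone who knows a user name could then authenticate with it. Keep the file readable only by the account that runs Tomcat.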