I'm trying to use the Java EWS API from Microsoft: http://archive.msdn.microsoft.com/ewsjavaapi
My scenario: I have a web app running, using Apache Tomcat as the web container. I'm using a single sign-on component to authenticate users for my web app. Now my application wants to consume the Microsoft Exchange Web Services (EWS) from Java, impersonating the logged-in user. The calls to Exchange Web Services should be made with the Windows user credentials of the logged-in user, so e.g. if the web app creates an appointment, it will be in the mailbox of the logged-in user. Calling EWS with the service account of Apache Tomcat works (with user/password), but now I want to impersonate the logged-in user.
As far as I understand the protocols, I'm facing a "double hop" problem (or "two hop") and have to use Kerberos, and the web server has to be trusted for delegation. NTLM is not possible, because it can't delegate the credentials by design (client -> web server / web server -> EWS).
Let's assume that I have the Kerberos token of the logged-in user. Is there a possibility to give it to EWS? In the examples, a username and password are always needed ("WebCredentials"). There is a class "TokenCredentials". Should I use this class?
BTW: I can't use Exchange Impersonation, because sadly some IT departments don't like Exchange Impersonation, since it involves giving the Apache Tomcat service account Exchange Impersonation rights to the users' mailboxes, and they fear a security problem with this. They would be fine if the EWS call is initiated with the Windows token of the logged-in SSO user, so I'm searching for a way to achieve this and I'm wondering if I can do this with the EWS Java API.