tomcat-users mailing list archives

From Bryan Field-Elliot <bryan_li...@netmeme.org>
Subject Re: JAASRealm/LoginManager questions
Date Mon, 10 Feb 2003 00:26:10 GMT
Thanks for all your comments Craig,

I did a little more thinking since my original post.

First, to clarify - you mentioned that in this scenario, there really
isn't a local realm at all, since there is no local user database.
Actually there is: in the SAML model, there's a remote user database and
a local one, which are synchronized (out of band). That's simplifying,
but basically, SAML tells me which of my local user IDs the current user
is, without me actually having to ask the user. By all means, there
really is a local realm/local user database.

Now, with "form-based" authentication, the developer has total control
over the page (e.g. JSP page) displayed. My toolkit could provide a
sample (which SHOULDN'T be altered in any major way), which saves state
information, etc., and redirects to the remote server for
authentication.

When the remote server returns, it can post back to the local server (to
a local JSP page or Servlet), the SAML credentials. True, they will NOT
be in the "j_username" and "j_password" format (instead they'll be in
SAML format). However, a Filter (Servlet 2.3) could parse this SAML
response, and re-package the request parameters as a j_username and a
j_password (even though, really, the j_username isn't a true username,
YET).

THEN, (still with me?), a JAASRealm could forward this j_username and
j_password to my LoginManager, for final SAML processing and log the
bloke on.

It seems a little convoluted, but what it buys me is that any Servlet
container which supports form-based authentication, and which supports
JAAS for realms (or equivalent), can harness this toolkit. I assume (but
have not verified) that this buys me into the major J2EE containers --
Weblogic, SunONE, Websphere, etc., in addition to my favorite (Tomcat).

Does this sound like it would work?

Thanks,
Bryan
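
One way to build the Filter step described above (the SAML post-back re-packaged as j_username/j_password ahead of the container's form login), as an added Java example that is not part of this thread or Bryan's toolkit. It assumes a post parameter named SAMLResponse, a hypothetical class name, and that the container runs this filter before its form authenticator, which is not guaranteed (in Tomcat the authenticator is a valve that runs before any filter), so that ordering has to be checked per container.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
/** Re-packages a SAML post-back as a j_username/j_password form login (assumed design). */
public class SamlToFormLoginFilter implements Filter {
    private static final String SAML_PARAM = "SAMLResponse"; // assumed parameter name
    public void init(FilterConfig cfg) throws ServletException { }
    public void destroy() { }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String saml = req.getParameter(SAML_PARAM);
        if (saml == null) {                // not a SAML post-back: pass through untouched
            chain.doFilter(req, res);
            return;
        }
        // j_username is only a marker; the opaque SAML response travels in j_password
        // so the JAAS LoginModule can do the real processing. That module must verify
        // the assertion (signature, audience, validity window) before mapping the
        // subject to a local user id; nothing in this filter checks it.
        Map extra = new HashMap();
        extra.put("j_username", new String[] { "saml-subject" });
        extra.put("j_password", new String[] { saml });
        chain.doFilter(new ParamOverrideRequest((HttpServletRequest) req, extra), res);
    }
    /** Request wrapper that overrides parameters without touching the request body. */
    static class ParamOverrideRequest extends HttpServletRequestWrapper {
        private final Map extra;
        ParamOverrideRequest(HttpServletRequest req, Map extra) { super(req); this.extra = extra; }
        public String getParameter(String name) {
            String[] v = getParameterValues(name);
            return v == null ? null : v[0];
        }
        public String[] getParameterValues(String name) {
            return extra.containsKey(name) ? (String[]) extra.get(name) : super.getParameterValues(name);
        }
        public Map getParameterMap() {
            Map all = new HashMap(super.getParameterMap());
            all.putAll(extra);
            return Collections.unmodifiableMap(all);
        }
        public Enumeration getParameterNames() { return Collections.enumeration(getParameterMap().keySet()); }
    }
}
```

The filter has to be mapped to the URL the remote server posts back to, and that URL has to be the one the container treats as its form-login action for the wrapped parameters to reach the JAASRealm.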

