tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Using two authentication methods for one application
Date Wed, 01 Jun 2011 14:41:40 GMT

Hauke,

On 6/1/2011 5:48 AM, Hauke Mehrtens wrote:
> I created my own authentication method beside BASIC, DIGEST, FORM, and
> CLIENT-CERT to allow the user to authenticate against our own SAML IdP
> and enter the user credentials on a page provided by the IdP. The
> authentication method of the IdP uses a Java applet to access a smart
> card and get the user credentials, so the web browser has to be
> redirected to some different page to login.
> 
> To add our own authentication method we extended
> org.apache.catalina.authenticator.AuthenticatorBase and added it to
> the list of supported methods in the tomcat configuration. This is
> working as expected.

Cool!

> Now it should be possible to also log into the application with a
> form-based authentication in addition to the IdP login, the normal FORM
> method would be nice. The user should select at some entry page what
> method he wants to use and then the correct authentication method should
> be used. I tried to modify the web.xml of my web application to add both
> methods, but it did not work.
>
> Adding two <login-config> or two <auth-method> is not allowed.

Right: you'll either have to step outside the servlet spec on this one
(i.e. implement everything as a Filter or something like that) or try to
integrate the two authentication methods into a single authenticator
that can handle both situations (which might not be possible).

> Now my
> plan is to implement some additional authentication method which
> supports both or a method which will forward the request to some other
> method (my own or FORM) depending on some attribute in the HTTP
> request, but this does not look clean to me. Is there a clean way to do
> this?

I think whatever you do, it's going to be kind of ugly. I have never
used it, but you might want to look at using your own JSSE provider or
something like that. I know it supports a lot of complexity, but your
problem might come down to gathering the credentials in the first place,
not necessarily performing the authentication.

I'm totally ignorant of SAML IdP... how does one communicate
credentials? If you could shoehorn the credentials into
username/password fields (even if one of them is blank), you might be
able to use a unified authenticator.

Since you are using an applet, you can communicate any way you choose
with Tomcat, that is, using any URL with any parameters, etc.

If you are using Tomcat 7, you can use the newly-available
HttpServletRequest.login(String username, String password) method to
access your special, dual-use authenticator from a special URL.

> I am working on the Tomcat included in the JBoss 5.1 (I think it is
> 6.0), but it should also work on other versions (>= 6.0) so that we are
> able to secure any web application running on some tomcat.

Hmm. Does JBoss have a version running Tomcat 7? Or, is it possible to
safely upgrade Tomcat inside of JBoss?

> Please add me to the CC as I am not subscribed to the list.

You must be subscribed to the list to post to it. This is the last time
I will CC you on a message posted to the list, mostly because I'm lazy.

-chris

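The "special URL" approach mentioned in the message above, sketched as an added example that is not part of the original post or of Tomcat itself. It assumes Servlet 3.0 (Tomcat 7 or later); the `/dual-login` path, the `method` parameter, the form field names and the convention of passing the IdP response in the password slot with a blank username are all hypothetical, and the Realm behind `login()` (not shown) must itself verify whatever credential it receives.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical entry point: both login pages POST here.
@WebServlet("/dual-login")
public class DualLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String home = req.getContextPath() + "/";
        if (req.getUserPrincipal() != null) {   // login() throws if already authenticated
            resp.sendRedirect(home);
            return;
        }
        String user;
        String secret;
        if ("idp".equals(req.getParameter("method"))) {
            // Assumption: blank username, IdP response carried in the password slot.
            user = "";
            secret = req.getParameter("SAMLResponse");
        } else {
            user = req.getParameter("username");
            secret = req.getParameter("password");
        }
        if (user == null || secret == null || secret.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Drop any pre-login session so its ID cannot be reused after login.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        req.getSession(true);
        try {
            req.login(user, secret);            // container checks its configured Realm
            resp.sendRedirect(home);            // fixed target, never a request parameter
        } catch (ServletException e) {
            // Same response for every failure: do not reveal which method or field failed.
            req.getSession().invalidate();
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }
}
```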

