tomcat-users mailing list archives

From Brooke Hedrick <>
Subject Re: Grabbing the user's info
Date Sun, 20 Nov 2011 14:59:26 GMT
I use OpenAM.  It is free and the source is free.  A Tomcat server does all of
the authentication and authorization.  But what is nice is that there is an
Apache module so you can do all of the enforcement at your web server.
Then all other Tomcat servers being proxied by that same web server can be
sent custom headers for things like user name, user id, groups, etc.

On Nov 16, 2011 1:09 PM, "chris derham" <> wrote:

> >
> > But for _transparent_ authentication IIS is required as Christopher
> > mentioned.
> >
> That is not true. You can use SPNEGO to set up transparent authentication
> directly to Tomcat. You do not need IIS. This means that a browser accesses
> a protected URL on the server, and the server and browser "discuss" who the
> user is, and then the application is presented with that information. This
> discussion is transparent and involves no user interaction. This can be
> done by default in IE and I believe Chrome, but Firefox is more secure so
> needs to explicitly have this authentication security enabled - by
> default it is turned off to stop hackers falsely requesting the details
> from a malicious server.
> Chris
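
The header hand-off described in the message above is only as trustworthy as the rule that each proxied Tomcat accepts those headers from the enforcing web server and from nowhere else. The following is an added example of that check in plain Java, not code from the post or from OpenAM; the header names `X-Auth-User` and `X-Auth-Groups` and the proxy address are assumptions.

```java
import java.util.*;

// Added example: header names and proxy address are assumptions,
// not values taken from OpenAM or from the original message.
public class ProxyIdentity {
    // Address of the web server running the enforcement module (assumed).
    static final Set<String> TRUSTED_PROXIES = Set.of("127.0.0.1");
    static final String USER_HEADER = "X-Auth-User";     // hypothetical name
    static final String GROUPS_HEADER = "X-Auth-Groups"; // hypothetical name

    /** Returns the asserted user, or empty when the headers must not be trusted.
     *  The map is assumed to be keyed by the exact header names above. */
    static Optional<String> resolveUser(String remoteAddr, Map<String, List<String>> headers) {
        // Identity headers carry meaning only when the enforcing proxy sent them.
        if (!TRUSTED_PROXIES.contains(remoteAddr)) return Optional.empty();
        List<String> users = headers.getOrDefault(USER_HEADER, List.of());
        // More than one value means a client-supplied copy was not stripped upstream.
        if (users.size() != 1 || users.get(0).isBlank()) return Optional.empty();
        return Optional.of(users.get(0).trim());
    }

    /** Returns the asserted groups, or an empty set when no user could be resolved. */
    static Set<String> resolveGroups(String remoteAddr, Map<String, List<String>> headers) {
        if (resolveUser(remoteAddr, headers).isEmpty()) return Set.of();
        Set<String> groups = new TreeSet<>();
        for (String value : headers.getOrDefault(GROUPS_HEADER, List.of()))
            for (String g : value.split(","))
                if (!g.isBlank()) groups.add(g.trim());
        return groups;
    }

    public static void main(String[] args) {
        // Constructed sample requests.
        Map<String, List<String>> viaProxy = Map.of(
            USER_HEADER, List.of("alice"), GROUPS_HEADER, List.of("staff, admins"));
        Map<String, List<String>> duplicated = Map.of(
            USER_HEADER, List.of("admin", "alice"));
        System.out.println(resolveUser("127.0.0.1", viaProxy));    // from the proxy
        System.out.println(resolveGroups("127.0.0.1", viaProxy));
        System.out.println(resolveUser("203.0.113.9", viaProxy));  // not from the proxy
        System.out.println(resolveUser("127.0.0.1", duplicated));  // duplicated header
    }
}
```

In a servlet filter the two inputs would come from `request.getRemoteAddr()` and `request.getHeaders(name)`; the web server in front should also remove any copy of these headers that arrives from the client before the module sets its own.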
