tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Custom realm.authenticate() that would work with any realm - possible?
Date Fri, 09 Dec 2011 11:34:00 GMT
Hi Jim.

As I recall, your original issue was that there is no "OAM plugin" for Tomcat, and 
therefore, you are doing the OAM authentication within the front-end Apache, and then 
passing the user-id to Tomcat.
And then, you find yourself in Tomcat with a user-id, but without any "roles" 
corresponding to this user-id.
And in order to get such roles, you are now facing a rather complex programming issue at 
the Tomcat level.

I wrote this before, but let me repeat it : are you not doing a lot of work un-necessarily

there, and should you not look at this another way ?

As far as I understand these Tomcat-level matters, a "role" in Tomcat is used to control 
access to resources.
And you seem to use Tomcat's "declarative" type of acess-control, which means that you 
allow access or not to a given webapp, in function of whether the user-id (which is passed

to Tomcat by the front-end) has or not a particular "role".

And, in the OAM system globally, the fact that a user has or not access to a particular 
resource, is already managed at the OAM level; but to which OAM level, unfortunately right

now, you do not have access from Tomcat.

But in this case, all your accesses to Tomcat webapps *always* happen through the 
front-end, because it is this front-end which obtains the user-id (from OAM) and later 
passes it to Tomcat.  And this front-end thus *has* access to the OAM data.

So what is stopping you from :
- not using any authentication/access-control at the Tomcat level
- but checking all this at the Apache httpd front-end level

Example : suppose you have 3 webapps app1, app2, app3.
You could have at the front-end level these sections :
<Location /app1>
   SetHandler jakarta-servlet   (same as "JkMount /app1")
   AuthType Oblix
   require valid-user
   require .. (whatever)
<Location /app2>
   SetHandler jakarta-servlet   (same as "JkMount /app2")
   AuthType Oblix
   require valid-user
   require .. (whatever)
<Location /app3>
   SetHandler jakarta-servlet   (same as "JkMount /app3")
   AuthType Oblix
   require valid-user
   require .. (whatever)

If the user "does not pass muster" for /app1 according to OAM, then the call will never 
even make it Tomcat.
If the user passes muster, then you can let them access Tomcat's /app1 application, as 
they have been checked for it.

Or am I missing something ?

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message