tomcat-users mailing list archives

From "Aggarwal, Ajay" <Ajay.Aggar...@stratus.com>
Subject mixing authentication schemes
Date Thu, 21 Jun 2012 19:26:59 GMT

CURRENT ENVIRONMENT

Our device is managed via a Tomcat 6 based web server that runs on the
device. We have a proprietary XML/JSON API that the web-based UI client uses
to talk to the web server. We are NOT using container-managed security.
Instead our application has implemented its own authentication.
Essentially the client uses a proprietary login request and after a
successful authentication, the server marks the HTTP session as
authenticated.

NEW SITUATION

Now we are looking to build a new multi-device management application,
which would have its own UI and server. As the name implies, this
application is for managing multiple devices.

How should this multi-device service authenticate itself with the
individual devices? We do not want the user to enter credentials for each
device every time this service wants to talk to a managed device. We
also do not want to store each managed device's credentials with the
multi-device service.

One of the possibilities is to use SSL certificate based authentication.
So the multi-device application can authenticate itself with individual
devices using an SSL certificate. We only need to import the multi-device
application's certificate into each managed device's trust-store once.

QUESTIONS

A few questions for those of you who have dealt with this type of 3-tier
application:

Q1. How to get the above scheme working in Tomcat, such that the existing
device-specific UI clients can continue to authenticate using the
proprietary login request, whereas the multi-device application uses SSL
certificate based authentication?

Q2. What are some of the other suggestions and/or best practices that
you would recommend to solve this problem?

Thanks.

-Ajay
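
An added example, not part of the original message: one way the scheme described above could be wired up on a device, as a servlet filter that marks the session authenticated when the TLS handshake delivered the management application's certificate and otherwise leaves the proprietary login path alone. It assumes the HTTPS connector in server.xml uses clientAuth="want"; the session attribute name and the pinnedCertSha256 init-param are hypothetical.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

// Added example (not the poster's code). Assumes the HTTPS <Connector> in server.xml
// has clientAuth="want", so a certificate is requested but not required, and that
// truststoreFile holds the management application's certificate.
public class ClientCertAuthFilter implements Filter {
    // Hypothetical session attribute that the existing proprietary login also sets.
    static final String AUTH_ATTR = "app.authenticated";
    private byte[] pinnedSha256; // SHA-256 of the management application's certificate (DER)

    public void init(FilterConfig cfg) throws ServletException {
        // Hypothetical init-param: hex SHA-256 fingerprint of the one accepted certificate.
        String hex = cfg.getInitParameter("pinnedCertSha256");
        if (hex == null || hex.length() != 64) throw new ServletException("pinnedCertSha256 missing");
        pinnedSha256 = new byte[32];
        for (int i = 0; i < 32; i++)
            pinnedSha256[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Set by the container only when the TLS handshake validated a client certificate.
        X509Certificate[] certs =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs != null && certs.length > 0 && matchesPin(certs[0])) {
            http.getSession(true).setAttribute(AUTH_ATTR, Boolean.TRUE);
        }
        // No certificate, or a non-matching one: leave the session untouched so the
        // proprietary login request remains the only other way to authenticate.
        chain.doFilter(req, res);
    }

    private boolean matchesPin(X509Certificate leaf) throws ServletException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
            return MessageDigest.isEqual(digest, pinnedSha256);
        } catch (java.security.GeneralSecurityException e) {
            throw new ServletException(e);
        }
    }

    public void destroy() { }
}
```

Pinning the fingerprint in the filter means acceptance does not rest only on what the connector's trust store happens to contain. The filter has to be mapped ahead of whatever code checks the session's authenticated flag.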

