tomcat-users mailing list archives

From "Aggarwal, Ajay" <>
Subject RE: mixing authentication schemes
Date Thu, 21 Jun 2012 19:34:56 GMT
Sorry about the poor formatting of my message.

-----Original Message-----
From: Aggarwal, Ajay [] 
Sent: Thursday, June 21, 2012 3:27 PM
Subject: mixing authentication schemes



Our device is managed via a Tomcat 6 based web server that runs on the
device. We have a proprietary XML/JSON API that the web-based UI client uses
to talk to the web server. We are NOT using container-managed security.
Instead our application has implemented its own authentication.
Essentially the client uses a proprietary login request and after a
successful authentication, the server marks the HTTP session as




Now we are looking to build a new multi-device management application,
which would have its own UI and server. As the name implies this
application is for managing multiple devices. 


How should this multi-device service authenticate itself with the
individual devices? We do not want the user to enter credentials for each
device every time this service wants to talk to a managed device. We
also do not want to store each managed device's credentials with the
multi-device service.


One possibility is to use SSL certificate based authentication.
So the multi-device application can authenticate itself with individual
devices using an SSL certificate. We only need to import the multi-device
application's certificate into each managed device's trust-store once.




A few questions for those of you who have dealt with this type of 3-tier


Q1. How to get the above scheme working in Tomcat, such that the existing
device-specific UI clients can continue to authenticate using the
proprietary login request, whereas the multi-device application uses SSL
certificate based authentication?


Q2. What are some of the other suggestions and/or best practices that
you would recommend to solve this problem?





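One way the two schemes in the message above could coexist in a single application, given as an added example that is not part of the original post or of any reply: a servlet filter that accepts either the session marked by the proprietary login or a client certificate presented during the TLS handshake. It assumes the HTTPS JSSE `<Connector>` is configured with `clientAuth="want"` and a dedicated `truststoreFile` holding the multi-device application's certificate; the session attribute name, login path and `managerCertSha256` init-param are hypothetical.

```java
import java.io.IOException;
import java.security.*;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.*;

// Added illustration (Servlet 2.5 API, as shipped with Tomcat 6).
public class MixedAuthFilter implements Filter {
    // Hypothetical names: the post does not say how the session is marked or where login lives.
    static final String SESSION_FLAG = "authenticated";
    static final String LOGIN_PATH = "/api/login";
    private byte[] pinnedSha256; // SHA-256 of the manager certificate (DER encoding)

    public void init(FilterConfig cfg) throws ServletException {
        String hex = cfg.getInitParameter("managerCertSha256"); // hypothetical init-param
        if (hex == null || hex.length() != 64) throw new ServletException("managerCertSha256 not set");
        pinnedSha256 = new byte[32];
        for (int i = 0; i < 32; i++)
            pinnedSha256[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String path = req.getRequestURI().substring(req.getContextPath().length());
        if (isManager(req) || hasLoginSession(req) || LOGIN_PATH.equals(path)) {
            chain.doFilter(req, res);
        } else {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED); // neither scheme succeeded
        }
    }
    // Path 1: existing UI clients, session marked by the proprietary login request.
    private boolean hasLoginSession(HttpServletRequest req) {
        HttpSession s = req.getSession(false); // never create a session just to check
        return s != null && Boolean.TRUE.equals(s.getAttribute(SESSION_FLAG));
    }
    // Path 2: multi-device service; the connector has already validated the chain.
    private boolean isManager(HttpServletRequest req) {
        X509Certificate[] certs =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0) return false; // no certificate presented
        try {
            byte[] got = MessageDigest.getInstance("SHA-256").digest(certs[0].getEncoded());
            return MessageDigest.isEqual(got, pinnedSha256); // pin the leaf, not "any trusted cert"
        } catch (GeneralSecurityException e) { return false; } // fail closed
    }
    public void destroy() { }
}
```

With `clientAuth="want"` the handshake still succeeds for browsers that present no certificate, so the existing UI keeps working; the fingerprint pin keeps the certificate path closed to other certificates if the trust store ever gains additional entries.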