tomcat-users mailing list archives

From "Aggarwal, Ajay" <Ajay.Aggar...@stratus.com>
Subject RE: mixing authentication schemes
Date Fri, 22 Jun 2012 18:51:14 GMT
Thanks for pointing to OAuth. Any suggestions for an open source OAuth Java
library, both for the provider-side implementation and the client side? And
can an OAuth provider issue non-expiring tokens? That's kind of our
requirement. After asking the user once for credentials, we do not want to
bother the user again.


-----Original Message-----
From: Pid [mailto:pid@pidster.com] 
Sent: Thursday, June 21, 2012 7:01 PM
To: Tomcat Users List
Subject: Re: mixing authentication schemes

On 21/06/2012 20:34, Aggarwal, Ajay wrote:
> Sorry about the poor formatting of my message.

Research OAuth.


p

> -----Original Message-----
> From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com]
> Sent: Thursday, June 21, 2012 3:27 PM
> To: users@tomcat.apache.org
> Subject: mixing authentication schemes
> 
> CURRENT ENVIRONMENT
> 
>  
> 
> Our device is managed via a Tomcat 6 based web server that runs on the
> device. We have a proprietary XML/JSON API that the web-based UI client
> uses to talk to the web server. We are NOT using container-managed
> security. Instead, our application has implemented its own authentication.
> Essentially, the client uses a proprietary login request and, after a
> successful authentication, the server marks the HTTP session as
> authenticated.
> 
>  
> 
> NEW SITUATION
> 
>  
> 
> Now we are looking to build a new multi-device management application,
> which would have its own UI and server. As the name implies this
> application is for managing multiple devices.
> 
>  
> 
> How should this multi-device service authenticate itself with the
> individual devices? We do not want the user to enter credentials for each
> device every time this service wants to talk to a managed device. We
> also do not want to store each managed device's credentials with the
> multi-device service.
> 
>  
> 
> One possibility is to use SSL certificate based authentication.
> So the multi-device application can authenticate itself with individual
> devices using an SSL certificate. We only need to import the multi-device
> application's certificate into each managed device's trust-store once.
> 
>  
> 
> QUESTIONS
> 
>  
> 
> A few questions for those of you who have dealt with this type of 3-tier
> application
> 
>  
> 
> Q1. How to get the above scheme working in Tomcat, such that the existing
> device-specific UI clients can continue to authenticate using the
> proprietary login request, whereas the multi-device application uses SSL
> certificate based authentication?
> 
>  
> 
> Q2. What are some of the other suggestions and/or best practices that 
> you would recommend to solve this problem?
> 
>  
> 
> Thanks.
> 
>  
> 
> -Ajay
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 


-- 

[key:62590808]




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
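
As an added example (not code from this thread or from Tomcat): one way to get the arrangement asked about in Q1 is a servlet filter that admits a request if it carries either a client certificate already verified by the TLS connector or the existing authenticated session. It assumes the HTTPS connector is configured with clientAuth="want", so a certificate is requested but not required; the class name, session attribute, login path and certificate DN are hypothetical.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical names throughout); targets the Servlet 2.5 API of Tomcat 6.
public class MixedAuthFilter implements Filter {
    // Assumption: attribute the existing proprietary login sets on success.
    static final String SESSION_FLAG = "authenticated";
    // Assumption: path of the proprietary login request, which must stay reachable.
    static final String LOGIN_PATH = "/login";
    // Placeholder subject DN of the multi-device application's certificate.
    static final X500Principal MANAGER =
            new X500Principal("CN=multi-device-manager,O=Example");

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (LOGIN_PATH.equals(http.getServletPath())
                || isManagerCert(http) || hasLoginSession(http)) {
            chain.doFilter(req, res);
            return;
        }
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    // The connector has already validated the chain against the trust store during
    // the handshake; here we only pin which trusted subject may skip the login.
    static boolean isManagerCert(HttpServletRequest http) {
        Object attr = http.getAttribute("javax.servlet.request.X509Certificate");
        if (!(attr instanceof X509Certificate[])) return false;
        X509Certificate[] certs = (X509Certificate[]) attr;
        return certs.length > 0 && MANAGER.equals(certs[0].getSubjectX500Principal());
    }

    // Existing UI clients: never create a session just to test for one.
    static boolean hasLoginSession(HttpServletRequest http) {
        HttpSession s = http.getSession(false);
        return s != null && Boolean.TRUE.equals(s.getAttribute(SESSION_FLAG));
    }
}
```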

