tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert J. Carr" <>
Subject Is it possible to externally authenticate using OAuth?
Date Fri, 08 Dec 2017 07:08:21 GMT
[tomcat 8, java 8, ubuntu xenial]

I have setup security constraints that allow certain resources to only be
accessed by authorized users. The users are authenticated using either
BASIC or FORM, where a username and password is provided, and this works

However, I'd also like to allow users to authenticate externally using an
oauth provider. Is this possible?  Note that I can already acquire the
access tokens for the user, and from there I can get the username and other
profile metadata as necessary.

But how do I then log the user into tomcat? The only way I can think to
make this work is to take this username and create a tomcat account, maybe
setting the access token as the password if it matters. Then I could do a
programmatic tomcat login on behalf of the user, so she is locally
authenticated and a session is created. On subsequent logins I'd just
update the password to the new access token.

But this seems like a hack, and when it comes to users and security I'd
prefer to avoid hacks.

It looks like JASPIC might offer a solution for this? Unfortunately, it
looks like it became available starting at 8.5 but I'm stuck using 8.

Are there any other options?



  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message