Re: decouple authentication and authorization of TOMCAT

2009-09-17 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 John, On 9/16/2009 5:33 PM, John Chen wrote: I think we will add the roles to AD and use AD to do the authorization as well. Because of the naming convention applied in the agency, we need to map the role defined in AD to the security-role

Re: decouple authentication and authorization of TOMCAT

2009-09-16 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 André, On 9/14/2009 3:33 PM, André Warnier wrote: John Chen wrote: Apache front-end will do the authentication, does tomcat still use tomcat-users.xml for the authorization part? I am not quite sure. I'm not sure which is the important part of

RE: decouple authentication and authorization of TOMCAT

2009-09-16 Thread John Chen
security-role-ref, but I have to go to each web.xml and add the information over there. Thanks John -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, September 16, 2009 5:24 PM To: Tomcat Users List Subject: Re: decouple authentication

Re: decouple authentication and authorization of TOMCAT

2009-09-14 Thread André Warnier
John Chen wrote: ... I am also thinking using Apache Web Server to do the authentication and use tomcat for authorization, do you think it would work? With the Apache/mod_jk/Tomcat combination it can, certainly. There exists (I believe in the Connector element of Tomcat), an attribute

Re: decouple authentication and authorization of TOMCAT

2009-09-14 Thread André Warnier
John Chen wrote: Hi, We have installed a third-party software running on tomcat. Is there anyway to decouple tomcat authentication and authorization? We have to use AD for authentication and we are not encouraged to add groups to AD just for the new software. Any help would be

RE: decouple authentication and authorization of TOMCAT

2009-09-14 Thread John Chen
: Re: decouple authentication and authorization of TOMCAT 2009/9/14 John Chen jzc...@bstonetech.com I am also thinking using Apache Web Server to do the authentication and use tomcat for authorization, do you think it would work? Most things can be made to work - with sufficient thrust, pigs fly

RE: decouple authentication and authorization of TOMCAT

2009-09-14 Thread John Chen
: decouple authentication and authorization of TOMCAT John Chen wrote: Hi, We have installed a third-party software running on tomcat. Is there anyway to decouple tomcat authentication and authorization? We have to use AD for authentication and we are not encouraged to add groups to AD just

Re: decouple authentication and authorization of TOMCAT

2009-09-14 Thread Peter Crowther
2009/9/14 John Chen jzc...@bstonetech.com I am also thinking using Apache Web Server to do the authentication and use tomcat for authorization, do you think it would work? Most things can be made to work - with sufficient thrust, pigs fly just fine. This approach was used for early

Re: decouple authentication and authorization of TOMCAT

2009-09-14 Thread Pid
On 14/09/2009 17:40, André Warnier wrote: John Chen wrote: ... I am also thinking using Apache Web Server to do the authentication and use tomcat for authorization, do you think it would work? With the Apache/mod_jk/Tomcat combination it can, certainly. There exists (I believe in the

RE: decouple authentication and authorization of TOMCAT

2009-09-14 Thread John Chen
authentication and authorization of TOMCAT John Chen wrote: ... I am also thinking using Apache Web Server to do the authentication and use tomcat for authorization, do you think it would work? With the Apache/mod_jk/Tomcat combination it can, certainly. There exists (I believe in the Connector element

Re: decouple authentication and authorization of TOMCAT

2009-09-14 Thread André Warnier
John Chen wrote: Apache front-end will do the authentication, does tomcat still use tomcat-users.xml for the authorization part? I am not quite sure. I believe Tomcat's integrated AAA is pretty much an all-or-nothing proposition. But maybe, if the request is authenticated by Apache