AW: OpenId with apache and tomcat
Hi Stephane, > -Ursprüngliche Nachricht- > Von: Stephane Passignat > Gesendet: 13 March 2020 17:53 > An: Tomcat Users List > Actually I have Apache2 operating as proxy and authenticate layer (HTTP > Form and HTTP Basic), in front of several Tomcat instances and webapps. > Apache pushes the userId to tomcat through AJP. > On tomcat side, the webapp has a Basic login-module in web.xml. > > I'm quite satisfied of the result, authentication and authorization are > out of the application scope. The deployment and maintenance of > application is super easy. The sensitive maintenance of authentication > is made by a dedicated team... > > I wish to improve that adding OpenId Authentication, keeping apache as > authentication layer with an openid connector, but the one I saw > doesn't seems to be used a lot and is not available as precompiled for > my os... > I'm looking also at moving authentication at tomcat level with an > openid Realm. It's not ideal because of the large number of > applications are servers do impact and network configuration to change, > ... > > > > Does someone have experience in this architecture ? Do you have some > recommendation for Apache Module or Tomcat Realm to use ? We implement a server extension (with help of nimbusd-library on top of jaspic), that works on tomcat9 (and all other java-ee application server). See here ==> https://connect2id.com/products/nimbus-oauth-openid-connect-sdk Unfortunately it is not open source, yet. -- Mit freundlichen Grüßen / Kind Regards/ नमस्ते(Namaste) Bernd Schatz ITT/FT - Java Free and Open Source Software (JFoSS) HPC Z252 Gebäude VDZ Ost 1.OG Plieninger Str. 150 70567 Stuttgart Bernd Schatz Büro: +49 711 17 41463 Mobile: +49 151 5862 6591 FAX: +49 711 17 7904 1252 mailto:bernd.sch...@daimler.com https://git.daimler.com/jfoss https://matter.i.daimler.com https://matter.i.daimler.com/daimler-ag/channels/jfoss If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.
Re: OpenId with apache and tomcat
Ok thanks André and Luis for your helps and feedbacks. Message initial De: André Warnier (tomcat/perl) Répondre à: Tomcat Users List À: users@tomcat.apache.org Objet: Re: OpenId with apache and tomcat Date: Fri, 13 Mar 2020 23:47:08 +0100 On 13.03.2020 17:53, Stephane Passignat wrote: Hi, Actually I have Apache2 operating as proxy and authenticate layer (HTTPForm and HTTP Basic), in front of several Tomcat instances and webapps.Apache pushes the userId to tomcat through AJP.On tomcat side, the webapp has a Basic login-module in web.xml. I'm quite satisfied of the result, authentication and authorization areout of the application scope. The deployment and maintenance ofapplication is super easy. The sensitive maintenance of authenticationis made by a dedicated team... I wish to improve that adding OpenId Authentication, keeping apache asauthentication layer with an openid connector, but the one I sawdoesn't seems to be used a lot and is not available as precompiled formy os... Actually, mod_auth_openidc (which I have not used myself), available from(https://github.com/zmartzone/mod_auth_openidc)at least on the face of it, seems to be fairly complete, well-documented (with examples), supported, and regularly worked on. Considering your current architecture, and considering that OpenID itself (like anything to do with OAuth) is quite a nightmare in terms of readable and understandable-by-common-mortals documentation, I would think that you might save yourself a lot of time by trying it out.It seems to have its own help forums too, which may help in terms of obtaining or creating the appropriate binaries. I'm looking also at moving authentication at tomcat level with anopenid Realm. It's not ideal because of the large number ofapplications are servers do impact and network configuration to change, Exactly, see above.I think that mod_auth_openidc would fit right in (and along) with your existing form and Basic authentication in Apache httpd. And you would not have to change anything at the Tomcat or applications level. Just make sure to properly secure your AJP connections.(see quite a few discussions on that topic in the last month, in the archives of this list) ... Does someone have experience in this architecture ? Do you have somerecommendation for Apache Module or Tomcat Realm to use ? Make sure that you know exactly what *version* of OpenID you need.As far as I know, the current version is "OpenID Connect", and anything else is obsolete and even worse in terms of documentation. ThanksStephane -To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.orgFor additional commands, e-mail: users-h...@tomcat.apache.org
Re: OpenId with apache and tomcat
On 13.03.2020 17:53, Stephane Passignat wrote: Hi, Actually I have Apache2 operating as proxy and authenticate layer (HTTP Form and HTTP Basic), in front of several Tomcat instances and webapps. Apache pushes the userId to tomcat through AJP. On tomcat side, the webapp has a Basic login-module in web.xml. I'm quite satisfied of the result, authentication and authorization are out of the application scope. The deployment and maintenance of application is super easy. The sensitive maintenance of authentication is made by a dedicated team... I wish to improve that adding OpenId Authentication, keeping apache as authentication layer with an openid connector, but the one I saw doesn't seems to be used a lot and is not available as precompiled for my os... Actually, mod_auth_openidc (which I have not used myself), available from (https://github.com/zmartzone/mod_auth_openidc) at least on the face of it, seems to be fairly complete, well-documented (with examples), supported, and regularly worked on. Considering your current architecture, and considering that OpenID itself (like anything to do with OAuth) is quite a nightmare in terms of readable and understandable-by-common-mortals documentation, I would think that you might save yourself a lot of time by trying it out. It seems to have its own help forums too, which may help in terms of obtaining or creating the appropriate binaries. I'm looking also at moving authentication at tomcat level with an openid Realm. It's not ideal because of the large number of applications are servers do impact and network configuration to change, Exactly, see above. I think that mod_auth_openidc would fit right in (and along) with your existing form and Basic authentication in Apache httpd. And you would not have to change anything at the Tomcat or applications level. Just make sure to properly secure your AJP connections. (see quite a few discussions on that topic in the last month, in the archives of this list) ... Does someone have experience in this architecture ? Do you have some recommendation for Apache Module or Tomcat Realm to use ? Make sure that you know exactly what *version* of OpenID you need. As far as I know, the current version is "OpenID Connect", and anything else is obsolete and even worse in terms of documentation. Thanks Stephane - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: OpenId with apache and tomcat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Luis, On 3/13/20 14:28, Luis Rodríguez Fernández wrote: > Hello Stephane, > >> moving authentication at tomcat level with an openid Realm > > If I understand you correctly you want to make the authentication > process in tomcat instead of delegating in your apache proxy, don't > you ? I would have a look then at the tomcat keycloak adapter [1]. > Me I am using the SAML one in tomcat 8.5 & 9 and it works like a > charm! Unfortunately for the OP, your answer isn't helpful because OpenID doesn't use SAML. Single-legged SAML is indeed very simple but you can't achieve OpenID with it. - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl5r3B8ACgkQHPApP6U8 pFjREhAApEquPGQXiP662k7AFgVDuHKjgb4OWW/BHHh78jr3+TwnkgkJYuoJPXNH SQmYHfpUyVXSGxMflxYnUk03u2oOY+TPZfpOzZHf8CV4zSwExCsuk9oq/ZGv32yX GFtNIh/A7T5Bcn+NYrHs9y2Nxf4q0xZcS22R70ok1LxAC8wp6uwTGSDLnzAc+Y3z PDewwQnOWh7jQnhQDZTJWhNhLQx8w0lK0cNkWtr/QoUQcxJEo7E9PFyEXsFZ9v9o o2yTv1BclqDSP+SZyCkdbECWcPR1MLtKqaeTiJRZo5qQsMXeElR6xWcq+CbYZR1w mSKqRCDrttB6hO8u66gVdTpei1a1KWO4Q7aVNp+KulwITk3hOcmGuEzf1d29e1z5 aEDRhqJ+BDTblQnUpGpRXfsuj9DzCkIS6tD5fiqfFJgcpuxz7+O55FrRt8qZ7Hip fTD1Kifmx/H8lzHEeT9nIVv+ljYMuluwueVMRj1QORCuvzj65wZxjV2ZJYN/r+nm m0xi5M/MIl328/bc9aBsoFnAARpRvFkyTjx5M+n4mbdKr2/pXQGCYiOpOuUxgq8O 43w16fef18fLptMQ0QxCxkBySU/1qV8Yc7ZgXGs280JEa8EeLg+74V1CW4wgoUVS AhApnTPEwtUy2+hDBeIpETdIwlmUUF/3rQrVDUnEhxNapLvoWEc= =YRnI -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: OpenId with apache and tomcat
Hello Stephane, > moving authentication at tomcat level with an openid Realm If I understand you correctly you want to make the authentication process in tomcat instead of delegating in your apache proxy, don't you ? I would have a look then at the tomcat keycloak adapter [1]. Me I am using the SAML one in tomcat 8.5 & 9 and it works like a charm! Hope it helps, Luis [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_tomcat_adapter El vie., 13 mar. 2020 a las 17:53, Stephane Passignat (< passig...@hotmail.com>) escribió: > Hi, > > Actually I have Apache2 operating as proxy and authenticate layer (HTTP > Form and HTTP Basic), in front of several Tomcat instances and webapps. > Apache pushes the userId to tomcat through AJP. > On tomcat side, the webapp has a Basic login-module in web.xml. > > I'm quite satisfied of the result, authentication and authorization are > out of the application scope. The deployment and maintenance of > application is super easy. The sensitive maintenance of authentication > is made by a dedicated team... > > I wish to improve that adding OpenId Authentication, keeping apache as > authentication layer with an openid connector, but the one I saw > doesn't seems to be used a lot and is not available as precompiled for > my os... > I'm looking also at moving authentication at tomcat level with an > openid Realm. It's not ideal because of the large number of > applications are servers do impact and network configuration to change, > ... > > > > Does someone have experience in this architecture ? Do you have some > recommendation for Apache Module or Tomcat Realm to use ? > > > Thanks > Stephane > -- "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett
OpenId with apache and tomcat
Hi, Actually I have Apache2 operating as proxy and authenticate layer (HTTP Form and HTTP Basic), in front of several Tomcat instances and webapps. Apache pushes the userId to tomcat through AJP. On tomcat side, the webapp has a Basic login-module in web.xml. I'm quite satisfied of the result, authentication and authorization are out of the application scope. The deployment and maintenance of application is super easy. The sensitive maintenance of authentication is made by a dedicated team... I wish to improve that adding OpenId Authentication, keeping apache as authentication layer with an openid connector, but the one I saw doesn't seems to be used a lot and is not available as precompiled for my os... I'm looking also at moving authentication at tomcat level with an openid Realm. It's not ideal because of the large number of applications are servers do impact and network configuration to change, ... Does someone have experience in this architecture ? Do you have some recommendation for Apache Module or Tomcat Realm to use ? Thanks Stephane
