Hi Chris,

This is an OpenID Connect implementation for tomcat 8: 
https://github.com/boylesoftware/tomcat8-oidcauth

And as far as I know (I'm very new to this, so please correct me if I'm wrong), 
the Valve redirects the user to the OIDC provider before he reaches Tomcat's 
login form. The Valve also sends a redirect_uri to the OIDC provider, which it 
then uses to redirect the user back to Tomcat's j_security_check after a 
successful authentication. This redirect contains a token and a token id, which 
contains information about the user in JSON format. If something went wrong 
with the authentication on the OIDC provider's side, the user will be 
redirected to the form, I think. 

If I only used a Realm, I couldn't redirect the user before he reaches the 
login form. I think. 

Regards
Sebastian


-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Wednesday, 30 March 2016 17:03
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: AW: OpenID Connect with Tomcat 8

Sebastian,

On 3/30/16 4:42 AM, Sebastian Trost wrote:
> Well, it seems that I will have to use a Valve + Realm combination.
> Thanks!

What does the Valve add?

-chris

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, 29 March 2016 19:57
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: OpenID Connect with Tomcat 8
> 
> Sebastian,
> 
> On 3/29/16 12:57 PM, Sebastian Trost wrote:
>> Hi,
> 
>> I am looking for a way to use OpenID Connect (authentication AND 
>> authorization) with Tomcat 8. I found two ways to get 
>> authentication working, but not authorization. Here's what I
>> tested so far:
> 
>> Tomcat 8 + https://github.com/boylesoftware/tomcat8-oidcauth
>> This extension works very well for authentication. It isn't
>> possible to authorize users, though. You can configure a realm
>> which authorizes the user against LDAP or a database.
> 
>> Apache HTTPD + https://github.com/pingidentity/mod_auth_openidc
>> + Tomcat 8 This mod works pretty well, too. But the AJP
>> Connector doesn't seem to receive the roles from the web server
>> and also relies on the realm to fetch the roles for each user.
> 
>> With both methods I failed to read the roles OpenID Connect 
>> supplies with the id token.
> 
>> I experimented a bit with botching around in tomcat8-oidcauth. I 
>> removed the authenticate()-call and instead built the 
>> GenericPrincipal object with hard-coded roles on my own. That
>> seems to work. But is this safe? Can I just read the token id and
>> assume that it is correct and set the roles in the
>> GenericPrincipal? Are there any other methods to use both
>> authentication AND authorization with tomcat 8?
> 
> I haven't looked at any of the above projects but if you want to 
> authenticate and authorize against a different type of backing 
> database, then you need to create your own Realm. RealmBase
> provides some nice utilities, but you aren't required to actually
> extend it.
> 
> The Realm has complete control over how the Principal objects are 
> created, so if you have a way to identify the user and their
> roles, then you can simply create a GenericPrincipal and return
> that on login, and its roles will be used for authentication
> later.
> 
> Hope that helps, -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org