On 08/12/17 07:08, Robert J. Carr wrote: > [tomcat 8, java 8, ubuntu xenial] > > I have setup security constraints that allow certain resources to only be > accessed by authorized users. The users are authenticated using either > BASIC or FORM, where a username and password is provided, and this works > great. > > However, I'd also like to allow users to authenticate externally using an > oauth provider. Is this possible? Note that I can already acquire the > access tokens for the user, and from there I can get the username and other > profile metadata as necessary. > > But how do I then log the user into tomcat? The only way I can think to > make this work is to take this username and create a tomcat account, maybe > setting the access token as the password if it matters. Then I could do a > programmatic tomcat login on behalf of the user, so she is locally > authenticated and a session is created. On subsequent logins I'd just > update the password to the new access token. > > But this seems like a hack, and when it comes to users and security I'd > prefer to avoid hacks. > > It looks like JASPIC might offer a solution for this? Unfortunately, it > looks like it became available starting at 8.5 but I'm stuck using 8. > > Are there any other options?
A custom Authenticator (that extends AuthenticatorBase) would be the standard way of handling this. Given 8.0.x is approaching end of life (2018-06-30), it might be less effort to look at switching to 8.5.x. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
