On 08/12/17 07:08, Robert J. Carr wrote:
> [tomcat 8, java 8, ubuntu xenial]
> 
> I have set up security constraints that allow certain resources to only be
> accessed by authorized users. The users are authenticated using either
> BASIC or FORM, where a username and password is provided, and this works
> great.
> 
> However, I'd also like to allow users to authenticate externally using an
> OAuth provider. Is this possible? Note that I can already acquire the
> access tokens for the user, and from there I can get the username and other
> profile metadata as necessary.
> 
> But how do I then log the user into tomcat? The only way I can think to
> make this work is to take this username and create a tomcat account, maybe
> setting the access token as the password if it matters. Then I could do a
> programmatic tomcat login on behalf of the user, so she is locally
> authenticated and a session is created. On subsequent logins I'd just
> update the password to the new access token.
> 
> But this seems like a hack, and when it comes to users and security I'd
> prefer to avoid hacks.
> 
> It looks like JASPIC might offer a solution for this? Unfortunately, it
> looks like it became available starting at 8.5 but I'm stuck using 8.
> 
> Are there any other options?

A custom Authenticator (that extends AuthenticatorBase) would be the
standard way of handling this.

Given 8.0.x is approaching end of life (2018-06-30), it might be less
effort to look at switching to 8.5.x.

Mark
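
An added sketch of the custom Authenticator approach suggested above (not code from this thread or from the Tomcat project), written against the Tomcat 8.0.x `AuthenticatorBase`, where `authenticate(Request, HttpServletResponse)` is the method to implement; in 8.5.x the equivalent is `doAuthenticate`. Assumptions: the package and class names, the `role` attribute, the `"OAUTH"` label, the token arriving in an `Authorization: Bearer` header, and the `verifyAccessToken` hook, which a concrete subclass must implement by checking the token with the OAuth provider.

```java
package example.auth; // hypothetical package name

import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;
import org.apache.catalina.realm.GenericPrincipal;

public abstract class TokenAuthenticator extends AuthenticatorBase {

    // Assumed role name granted to externally authenticated users;
    // settable as an attribute on the Valve element.
    private String role = "user";

    public void setRole(String role) { this.role = role; }

    /** Hypothetical hook: validate the token with the OAuth provider and
     *  return the username it belongs to, or null if it is not valid. */
    protected abstract String verifyAccessToken(String token) throws IOException;

    @Override
    public boolean authenticate(Request request, HttpServletResponse response)
            throws IOException {
        // With caching enabled, AuthenticatorBase has already restored a
        // principal stored in the session before this method is called.
        if (request.getUserPrincipal() != null) {
            return true;
        }
        String header = request.getHeader("Authorization");
        String username = null;
        if (header != null && header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            // The username comes from the provider's answer, never from the client.
            username = verifyAccessToken(header.substring(7).trim());
        }
        if (username == null || username.isEmpty()) {
            response.setHeader("WWW-Authenticate", "Bearer");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        // No local account and no password: the token is not kept as a credential.
        Principal principal =
                new GenericPrincipal(username, null, Collections.singletonList(role));
        register(request, response, principal, getAuthMethod(), username, null);
        return true;
    }

    @Override
    protected String getAuthMethod() {
        return "OAUTH"; // constructed label, reported by getAuthType()
    }
}
```

A concrete subclass is registered as a `<Valve>` inside the web application's `<Context>` element, so that Tomcat uses it instead of the authenticator it would pick from `login-config`.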
