On 08/12/17 08:32, Robert J. Carr wrote:
> Hi Mark-
>
> Thanks for the quick reply and I'll look into Authenticators.
>
> Since you suggest 8.5.x, does that mean I was on the right track with
> JASPIC?

Yes, you can do this with JASPIC and a third-party JASPIC module:

http://tomcat.apache.org/tomcat-9.0-doc/config/jaspic.html#Philip_Green_II's_module_for_Google_OAuth_2

That one is Google specific but you should be able to use it as a basis
for any provider.

Mark

>
> Thanks again!
>
> Robert
>
>
> On Fri, Dec 8, 2017 at 12:26 AM, Mark Thomas <ma...@apache.org> wrote:
>
>> On 08/12/17 07:08, Robert J. Carr wrote:
>>> [tomcat 8, java 8, ubuntu xenial]
>>>
>>> I have set up security constraints that allow certain resources to only be
>>> accessed by authorized users. The users are authenticated using either
>>> BASIC or FORM, where a username and password is provided, and this works
>>> great.
>>>
>>> However, I'd also like to allow users to authenticate externally using an
>>> oauth provider. Is this possible? Note that I can already acquire the
>>> access tokens for the user, and from there I can get the username and other
>>> profile metadata as necessary.
>>>
>>> But how do I then log the user into tomcat? The only way I can think to
>>> make this work is to take this username and create a tomcat account, maybe
>>> setting the access token as the password if it matters. Then I could do a
>>> programmatic tomcat login on behalf of the user, so she is locally
>>> authenticated and a session is created. On subsequent logins I'd just
>>> update the password to the new access token.
>>>
>>> But this seems like a hack, and when it comes to users and security I'd
>>> prefer to avoid hacks.
>>>
>>> It looks like JASPIC might offer a solution for this? Unfortunately, it
>>> looks like it became available starting at 8.5 but I'm stuck using 8.
>>>
>>> Are there any other options?
>>
>> A custom Authenticator (that extends AuthenticatorBase) would be the
>> standard way of handling this.
>>
>> Given 8.0.x is approaching end of life (2018-06-30), it might be less
>> effort to look at switching to 8.5.x.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
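
An added illustration of the JASPIC route discussed in this thread; it is not part of the original messages and is not Tomcat's or the linked module's code. It covers the case where the application has already validated the OAuth identity and only needs the container to treat the user as logged in, instead of creating a local account with the access token as password. The session attribute name, login path and role name are hypothetical, and registering the module with Tomcat is not shown.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

@SuppressWarnings("rawtypes")
public class OAuthSessionAuthModule implements ServerAuthModule {
    // Assumptions (hypothetical names): the application's own OAuth callback servlet
    // validates the provider response, calls request.changeSessionId(), and only then
    // stores the username under VERIFIED_USER. LOGIN_PATH must not be a protected URL.
    static final String VERIFIED_USER = "oauth.verifiedUser";
    static final String LOGIN_PATH = "/oauth/start";
    static final String[] ROLES = { "user" };
    static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;
    @Override
    public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler h, Map opts) {
        this.handler = h;
    }
    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    @Override
    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service)
            throws AuthException {
        HttpServletRequest request = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) info.getResponseMessage();
        HttpSession session = request.getSession(false); // never create a session here
        Object user = (session == null) ? null : session.getAttribute(VERIFIED_USER);
        boolean mandatory = "true".equalsIgnoreCase(String.valueOf(info.getMap().get(IS_MANDATORY)));
        try {
            if (user instanceof String) {
                // Hand the verified identity and its roles to the container.
                handler.handle(new Callback[] {
                    new CallerPrincipalCallback(client, (String) user),
                    new GroupPrincipalCallback(client, ROLES) });
                return AuthStatus.SUCCESS;
            }
            if (!mandatory) return AuthStatus.SUCCESS; // no auth constraint: stay anonymous
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return AuthStatus.SEND_CONTINUE;
        } catch (IOException | UnsupportedCallbackException e) {
            throw new AuthException(e.getMessage());
        }
    }
    @Override
    public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }
    @Override
    public void cleanSubject(MessageInfo info, Subject subject) { if (subject != null) subject.getPrincipals().clear(); }
}
```

The module never sees the access token; it relies entirely on the session attribute, so the code that sets that attribute is the trust boundary and must write it only after the provider response has been verified.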