I'm looking to use some kind of combined realm where I can authenticate
(and authorize) users both using the built-in login-config and externally
using oauth.  Ideally, in both cases, I'd be able to have access to roles,
but this isn't a necessity.

You see this sort of thing a lot now, where you have the option to "login
with google" or "login with facebook" or even login using the site's own
credentials.

There seems to be very little information about this out there, though, for
use in tomcat or java ee.  All queries about oauth and tomcat lead to
JASPIC.  I found this question, which is nearly my exact situation, and the
accepted solution there was indeed JASPIC:

https://stackoverflow.com/questions/39058200/tomcat-realm-for-oauth2

But I can find almost no examples of how JASPIC works or what it offers
(beyond the tomcat docs), but only that it is supported in tomcat starting
with 8.5.  I can use tomcat 8.5, so that isn't a problem, but the only
example provider seems to be the one for google, and it isn't super clear
how it all works.

So I'm just looking for any guidance on what road to start down, given my
requirements.  It seems I could write my own realm, but then I'm not sure
how I'd fit in the oauth token flow.  I could use jaspic, but then I'm not
sure if I'd be able to use the regular security-constraints.  Or I could
manage all of the auth myself with various filters and sessions, but that
seems silly given the java ee machinery that's already available.

Any suggestions?

Thanks!
Robert
