On 02/01/18 00:51, Robert J. Carr wrote:
> I'm looking to use some kind of combined realm where I can authenticate
> (and authorize) users both using the built-in login-config and externally
> using oauth.  Ideally, in both cases, I'd be able to have access to roles,
> but this isn't a necessity.
> 
> You see this sort of thing a lot now, where you have the option to "login
> with google" or "login with facebook" or even login using the site's own
> credentials.
> 
> There seems to be very little information about this out there, though, for
> use in tomcat or java ee.  All queries about oauth and tomcat lead to
> JASPIC.  I found this question, which is nearly my exact situation, and the
> accepted solution there was indeed JASPIC:
> 
> https://stackoverflow.com/questions/39058200/tomcat-realm-for-oauth2
> 
> But I can find almost no examples of how JASPIC works or what it offers
> (beyond the tomcat docs), but only that it is supported in tomcat starting
> with 8.5.  I can use tomcat 8.5, so that isn't a problem, but the only
> example provider seems to be the one for google, and it isn't super clear
> how it all works.

I put that together. It was only ever the bare minimum you needed to do
to integrate with Google OAuth. If you have specific questions this is
the place to ask. If the answers are helpful any suggestions to improve
the docs would be appreciated. Suggestions in the form of patches to the
docs even more so.

The JASPIC spec might be worth a read although it is fairly hard going
in places.

> So I'm just looking for any guidance on what road to start down, given my
> requirements.  It seems I could write my own realm, but then I'm not sure
> how I'd fit in the oauth token flow.  I could use jaspic, but then I'm not
> sure if I'd be able to use the regular security-constraints.  Or I could
> manage all of the auth myself with various filters and sessions, but that
> seems silly given the java ee machinery that's already available.
> 
> Any suggestions?

I'd suggest the JASPIC Realm. You might need to write a custom provider
(or whatever the terminology is) for your local auth. If it is a common
one it could potentially be added to the Tomcat code base.

Feel free to ask questions here as you go.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
