Hello Stephane,

> moving authentication at tomcat level with an openid Realm

If I understand you correctly you want to make the authentication process
in tomcat instead of delegating in your apache proxy, don't you ? I would
have a look then at the tomcat keycloak adapter [1]. Me I am using the SAML
one in tomcat 8.5 & 9 and it works like a charm!

Hope it helps,



El vie., 13 mar. 2020 a las 17:53, Stephane Passignat (<
passig...@hotmail.com>) escribió:

> Hi,
> Actually I have Apache2 operating as proxy and authenticate layer (HTTP
> Form and HTTP Basic), in front of several Tomcat instances and webapps.
> Apache pushes the userId to tomcat through AJP.
> On tomcat side, the webapp has a Basic login-module in web.xml.
> I'm quite satisfied of the result, authentication and authorization are
> out of the application scope. The deployment and maintenance of
> application is super easy. The sensitive maintenance of authentication
> is made by a dedicated team...
> I wish to improve that adding OpenId Authentication, keeping apache as
> authentication layer with an openid connector, but the one I saw
> doesn't seems to be used a lot and is not available as precompiled for
> my os...
> I'm looking also at moving authentication at tomcat level with an
> openid Realm. It's not ideal because of the large number of
> applications are servers do impact and network configuration to change,
> ...
> Does someone have experience in this architecture ? Do you have some
> recommendation for Apache Module or Tomcat Realm to use ?
> Thanks
> Stephane


"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

Reply via email to