On 13.03.2020 17:53, Stephane Passignat wrote:

Actually I have Apache2 operating as a proxy and authentication layer (HTTP
Form and HTTP Basic) in front of several Tomcat instances and webapps.
Apache pushes the userId to Tomcat through AJP.
On the Tomcat side, the webapp has a Basic login-module in web.xml.

I'm quite satisfied with the result; authentication and authorization are
out of the application scope. The deployment and maintenance of
applications is super easy. The sensitive maintenance of authentication
is done by a dedicated team...

I wish to improve that by adding OpenID authentication, keeping Apache as the
authentication layer with an OpenID connector, but the one I saw
doesn't seem to be used a lot and is not available precompiled for
my OS...

Actually, mod_auth_openidc (which I have not used myself), available from
at least on the face of it, seems to be fairly complete, well-documented (with examples), supported, and regularly worked on.

Considering your current architecture, and considering that OpenID itself (like anything to do with OAuth) is quite a nightmare in terms of readable and understandable-by-common-mortals documentation, I would think that you might save yourself a lot of time by trying it out. It seems to have its own help forums too, which may help in terms of obtaining or creating the appropriate binaries.

I'm also looking at moving authentication to the Tomcat level with an
OpenID Realm. It's not ideal because of the large number of
applications and servers it does impact and the network configuration to change,

Exactly, see above.
I think that mod_auth_openidc would fit right in (and along) with your existing form and Basic authentication in Apache httpd. And you would not have to change anything at the Tomcat or applications level.

Just make sure to properly secure your AJP connections.
(see quite a few discussions on that topic in the last month, in the archives 
of this list)


Does someone have experience in this architecture ? Do you have some
recommendation for Apache Module or Tomcat Realm to use ?

Make sure that you know exactly what *version* of OpenID you need.
As far as I know, the current version is "OpenID Connect", and anything else is obsolete and even worse in terms of documentation.
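Added example (not from either poster): an httpd 2.4.42+ virtual host fragment showing the layout discussed above, one app moved to OpenID Connect via mod_auth_openidc while another stays on HTTP Basic, both proxied to Tomcat over AJP with the connector secret. Hostnames, paths, client credentials, the module path and the AJP secret are placeholders.

```apache
# Added example, not the thread's own configuration.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

# OpenID Connect client settings: issuer discovery, credentials, and the
# passphrase protecting the state/session cookies (all placeholder values)
OIDCProviderMetadataURL https://idp.example.org/.well-known/openid-configuration
OIDCClientID            CHANGEME-client-id
OIDCClientSecret        CHANGEME-client-secret
OIDCRedirectURI         https://www.example.org/app1/redirect_uri
OIDCCryptoPassphrase    CHANGEME-long-random-passphrase
# Which ID token claim becomes REMOTE_USER; this is the userId AJP forwards
OIDCRemoteUserClaim     preferred_username

# App 1: authenticated by OpenID Connect in httpd
<Location /app1>
    AuthType  openid-connect
    Require   valid-user
</Location>

# App 2: still on HTTP Basic, unchanged from the existing setup
<Location /app2>
    AuthType          Basic
    AuthName          "Intranet"
    AuthBasicProvider file
    AuthUserFile      /etc/httpd/conf/htpasswd
    Require           valid-user
</Location>

# Both apps proxied over AJP to a loopback-bound Tomcat connector; the shared
# secret ensures only this httpd can hand Tomcat a REMOTE_USER over AJP
ProxyPass /app1 ajp://127.0.0.1:8009/app1 secret=CHANGEME-ajp-secret
ProxyPass /app2 ajp://127.0.0.1:8009/app2 secret=CHANGEME-ajp-secret
```

On the Tomcat side (not shown) the AJP connector needs address="127.0.0.1", the same secret, and tomcatAuthentication="false" so it trusts the forwarded REMOTE_USER instead of re-authenticating.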

