Ok thanks André and Luis for your helps and feedbacks. 
-------- Message initial --------
De: André Warnier (tomcat/perl) <a...@ice-sa.com>
Répondre à: Tomcat Users List <users@tomcat.apache.org>
À: users@tomcat.apache.org
Objet: Re: OpenId with apache and tomcat
Date: Fri, 13 Mar 2020 23:47:08 +0100

On 13.03.2020 17:53, Stephane Passignat wrote:
Actually I have Apache2 operating as proxy and authenticate layer
(HTTPForm and HTTP Basic), in front of several Tomcat instances and
webapps.Apache pushes the userId to tomcat through AJP.On tomcat side,
the webapp has a Basic login-module in web.xml.
I'm quite satisfied of the result, authentication and authorization
areout of the application scope. The deployment and maintenance
ofapplication is super easy. The sensitive maintenance of
authenticationis made by a dedicated team...
I wish to improve that adding OpenId Authentication, keeping apache
asauthentication layer with an openid connector, but the one I
sawdoesn't seems to be used a lot and is not available as precompiled
formy os...
Actually, mod_auth_openidc (which I have not used myself), available
from(https://github.com/zmartzone/mod_auth_openidc)at least on the face
of it, seems to be fairly complete, well-documented (with examples),
supported, and regularly worked on.
Considering your current architecture, and considering that OpenID
itself (like anything to do with OAuth) is quite a nightmare in terms
of readable and understandable-by-common-mortals documentation, I would
think that you might save yourself a lot of time by trying it out.It
seems to have its own help forums too, which may help in terms of
obtaining or creating the appropriate binaries.

I'm looking also at moving authentication at tomcat level with anopenid
Realm. It's not ideal because of the large number ofapplications are
servers do impact and network configuration to change,
Exactly, see above.I think that mod_auth_openidc would fit right in
(and along) with your existing form and Basic authentication in Apache
httpd. And you would not have to change anything at the Tomcat or
applications level.
Just make sure to properly secure your AJP connections.(see quite a few
discussions on that topic in the last month, in the archives of this

Does someone have experience in this architecture ? Do you have
somerecommendation for Apache Module or Tomcat Realm to use ?

Make sure that you know exactly what *version* of OpenID you need.As
far as I know, the current version is "OpenID Connect", and anything
else is obsolete and even worse in terms of documentation.


unsubscribe, e-mail: users-unsubscribe@tomcat.apache.orgFor additional
commands, e-mail: users-h...@tomcat.apache.org

Reply via email to