Sebastian,

On 3/30/16 4:42 AM, Sebastian Trost wrote:
> Well, it seems that I will have to use a Valve + Realm combination.
> Thanks!

What does the Valve add?

-chris

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, 29 March 2016 19:57
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: OpenID Connect with Tomcat 8
>
> Sebastian,
>
> On 3/29/16 12:57 PM, Sebastian Trost wrote:
>> Hi,
>>
>> I am looking for a way to use OpenID Connect (authentication AND
>> authorization) with Tomcat 8. I found two ways to get
>> authentication working, but not authorization. Here's what I
>> tested so far:
>>
>> Tomcat 8 + https://github.com/boylesoftware/tomcat8-oidcauth
>> This extension works very well for authentication. It isn't
>> possible to authorize users, though. You can configure a realm
>> which authorizes the user against LDAP or a database.
>>
>> Apache HTTPD + https://github.com/pingidentity/mod_auth_openidc
>> + Tomcat 8
>> This mod works pretty well, too. But the AJP Connector doesn't
>> seem to receive the roles from the web server and also relies on
>> the realm to fetch the roles for each user.
>>
>> With both methods I failed to read the roles OpenID Connect
>> supplies with the ID token.
>>
>> I experimented a bit with botching around in tomcat8-oidcauth. I
>> removed the authenticate() call and instead built the
>> GenericPrincipal object with hard-coded roles on my own. That
>> seems to work. But is this safe? Can I just read the ID token and
>> assume that it is correct and set the roles in the
>> GenericPrincipal? Are there any other methods to use both
>> authentication AND authorization with Tomcat 8?
>
> I haven't looked at any of the above projects, but if you want to
> authenticate and authorize against a different type of backing
> database, then you need to create your own Realm. RealmBase
> provides some nice utilities, but you aren't required to actually
> extend it.
>
> The Realm has complete control over how the Principal objects are
> created, so if you have a way to identify the user and their
> roles, then you can simply create a GenericPrincipal and return
> that on login, and its roles will be used for authentication
> later.
>
> Hope that helps,
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
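The Realm Chris describes, written out as an added example that is not code from this thread, from tomcat8-oidcauth, or from Tomcat itself. It answers the "can I just read the ID token and assume it is correct" question the way a reviewer would: the roles in the token are only as trustworthy as the checks done before reading them, so the Realm pins the signature algorithm, verifies the signature with the provider's key, checks issuer, audience and expiry (the mandatory ID Token Validation steps in OpenID Connect Core, section 3.1.3.7), and only then builds the GenericPrincipal. Assumptions: Tomcat 8 on the classpath, the Nimbus JOSE+JWT library for JWS parsing and verification (any JOSE library would do), a hypothetical package and class name, a hypothetical constructor that receives the provider's RSA public key, issuer and client_id, and a `roles` claim name, which OIDC Core does not standardise and which differs per provider.

```java
// Added example, not from the thread, tomcat8-oidcauth or Tomcat.
// Assumes Tomcat 8 (catalina.jar) and Nimbus JOSE+JWT on the classpath.
package example.oidc;  // hypothetical package

import java.security.Principal;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Collections;
import java.util.Date;
import java.util.List;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

/**
 * Realm that turns the roles carried in an OpenID Connect ID token into a
 * GenericPrincipal, but only after the token has been verified.
 * The "roles" claim name is an assumption: OIDC Core defines no such claim.
 */
public class OidcIdTokenRealm extends RealmBase {

    private final RSAPublicKey providerKey;  // provider signing key, e.g. loaded from its JWKS endpoint
    private final String expectedIssuer;     // "iss" value from the provider's discovery document
    private final String clientId;           // our client_id; must be contained in "aud"

    public OidcIdTokenRealm(RSAPublicKey providerKey, String expectedIssuer, String clientId) {
        this.providerKey = providerKey;
        this.expectedIssuer = expectedIssuer;
        this.clientId = clientId;
    }

    /**
     * Called by the authenticator Valve with the raw id_token from the token
     * endpoint. Returns null (not authenticated) unless every check passes.
     * The nonce check that binds the token to the session which started the
     * flow stays in the Valve, because only the Valve knows the nonce.
     */
    public Principal authenticateIdToken(String rawIdToken) {
        try {
            SignedJWT jwt = SignedJWT.parse(rawIdToken);

            // 1. Pin the algorithm. Honouring the token's own "alg" header lets
            //    an attacker choose "none" or an HMAC keyed with the public key.
            if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) {
                return null;
            }
            // 2. Verify the signature with the provider's key, never with key
            //    material the token itself supplies.
            if (!jwt.verify(new RSASSAVerifier(providerKey))) {
                return null;
            }

            JWTClaimsSet claims = jwt.getJWTClaimsSet();

            // 3. Issuer, audience and expiry (OIDC Core 3.1.3.7).
            if (!expectedIssuer.equals(claims.getIssuer())) {
                return null;
            }
            List<String> audience = claims.getAudience();
            if (audience == null || !audience.contains(clientId)) {
                return null;
            }
            Date expiry = claims.getExpirationTime();
            if (expiry == null || !expiry.after(new Date())) {
                return null;
            }
            String subject = claims.getSubject();
            if (subject == null || subject.isEmpty()) {
                return null;
            }

            // 4. Only now read the roles. The token is the credential, so no
            //    password is stored on the principal.
            List<String> roles = claims.getStringListClaim("roles");
            if (roles == null) {
                roles = Collections.emptyList();
            }
            return new GenericPrincipal(subject, null, roles);
        } catch (ParseException | JOSEException e) {
            // Malformed token or a failure inside the crypto library: not authenticated.
            return null;
        }
    }

    // RealmBase requires these. There is no username/password store behind
    // this Realm, so password-based lookups always fail.
    @Override
    protected String getName() {
        return "OidcIdTokenRealm";
    }

    @Override
    protected String getPassword(String username) {
        return null;
    }

    @Override
    protected Principal getPrincipal(String username) {
        return null;
    }
}
```

Once the Valve has stored the returned Principal on the request and session, authorization needs nothing further: RealmBase.hasRole() asks GenericPrincipal.hasRole() for the role list built here, so the security-constraint role names in web.xml are matched against the token's roles. The order of the checks is the point of the example: an implementation that reads the roles claim before the signature and issuer checks is authorizing whoever minted the token, not the provider.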