Hello Stephane,

> moving authentication at tomcat level with an openid Realm

If I understand you correctly, you want to do the authentication process in tomcat instead of delegating to your apache proxy, don't you?

I would have a look then at the tomcat keycloak adapter [1]. I am using the SAML one in tomcat 8.5 & 9 and it works like a charm!

Hope it helps,

Luis

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_tomcat_adapter

On Fri, 13 Mar 2020 at 17:53, Stephane Passignat (<passig...@hotmail.com>) wrote:

> Hi,
>
> Actually I have Apache2 operating as proxy and authenticate layer (HTTP
> Form and HTTP Basic), in front of several Tomcat instances and webapps.
> Apache pushes the userId to tomcat through AJP.
> On tomcat side, the webapp has a Basic login-module in web.xml.
>
> I'm quite satisfied with the result, authentication and authorization are
> out of the application scope. The deployment and maintenance of
> application is super easy. The sensitive maintenance of authentication
> is made by a dedicated team...
>
> I wish to improve that adding OpenId Authentication, keeping apache as
> authentication layer with an openid connector, but the one I saw
> doesn't seem to be used a lot and is not available as precompiled for
> my os...
> I'm looking also at moving authentication at tomcat level with an
> openid Realm. It's not ideal because of the large number of
> applications and servers to impact and network configuration to change,
> ...
>
>
>
> Does someone have experience in this architecture? Do you have some
> recommendation for Apache Module or Tomcat Realm to use?
>
>
> Thanks
> Stephane
>

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett