OK, come context first: What I'm trying to do is integrate a Commercial Off The Shelf (COTS) application that relies on container security into a Web Access Manager (WAM). In a typical WAM deployment there are AAA is broken up into multiple layers:
Web Server - Authentication (via the WAM) and course grained Authorization (can the user access this app?) Application - Fine grained Authorization aka Entitlements (can the user perform task x?) Since the authentication is done at the web server but the entitlements are done by the application the web server needs to tell the application server who the user is and the application server then needs to fulfill the J2EE contract by providing information about the user to the application. In commercial application servers (Weblogic, WebSphere, JBoss) this is done with an agent of some kind that satisfies the application server's security requirements (usually by phoning home to the WAM to validate the request). However commercial WAM products (SiteMinder, OAM, etc) don't provide an "agent" for Tomcat. Given that what I'm working on is a POC I'm not overly concerned with security as in production this app will likely run on weblogic but for my purposes Tomcat is a better pick for now. That being said, the sequence of events should be: 1. Web server authenticates the user (works) 2. Pass the context to Tomcat (works) 3. Tomcat calls the realm to retrieve the user information and set the context (doesn't presently occur) #3 appears to be the issue. Authenticaiton and Authorization should be separate steps entirely in order to satisfy the J2EE contract in an enterprise environment (which often involves WAMs). So it doesn't sound like there is a configuration way to handle this. I think I'll try hacking around to see if I can solve this with some kind of custom Realm. >> >> As for the versions, thanks for the reminder: >> Tomcat 6.0.26 >> Apache 2.2.15 >> mod_jk 1.2 <== you are missing a number here, and for some things it >> really matters >> CentOS 5.5 >> > mod_jk 1.2.30 > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
