----- Original Message -----
> From: sodastream <programvaruverks...@yahoo.se>
> To: users@tomcat.apache.org
> Cc:
> Sent: Tuesday, August 9, 2011 12:52 PM
> Subject: Adding two-factor authentication to a Tomcat app??
>
>
> Given: Commercial application running as a servlet on Tomcat. Tomcat
> configuration (server.xml, web.xml) is open and may be modified. The app
> handles its own authentication via a conventional username/password form on
> a login page. I wanted to add a second factor to the authentication without
> modifying the app (except for its Tomcat/servlet conf).
>
> My idea was to tack on a custom Realm to Tomcat. It would be independent
> from the application except I had to add a security constraint to its
> web.xml. The Realm would authenticate the user using a password provided to
> the user over a separate channel (SMS). After authentication the Realm would
> be transparent and let the user interact with the application as usual --
> all according to my theory.
>
> After some hacking my custom Realm was in place. Following the logic in a
> debugger I could see it worked as expected and reported successful
> authentication back to the Tomcat machinery. To my disappointment my browser
> still showed 403 Forbidden.
>
> At this point I was stumped and realized I don't know enough about Tomcat.
> Is my theory viable or flawed? Overlooked something? What's some better way
> to add a second factor to authentication of an opaque application running on
> Tomcat?
>
> All kinds of ideas and pointers are appreciated, thanks a lot.
A quick search turns up the following:

http://directory.apache.org/triplesec/index.html
https://cwiki.apache.org/DIRxTRIPLESEC/simple-demo-servlet-application.html

I've not explored it any further, so I cannot answer questions. Take a look and see if that doesn't meet your needs.

. . . . just my two cents.

/mde/
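An added illustration, not part of this thread: in Tomcat a 403 after the Realm has accepted the credentials means the authenticated Principal does not hold a role listed in the constraint's <auth-constraint>, which is the first thing to check in the situation described above. The Realm below is hypothetical (written against the Tomcat 7 RealmBase API current in 2011; the class name, the in-memory code store, the register() helper and the second-factor-ok role are all assumptions) and returns a GenericPrincipal carrying that role, so the constraint is satisfied and the request goes on to the application's own login form.

```java
package example.mfa;
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
/*
 * Hypothetical one-time-code Realm against the Tomcat 7 RealmBase API.
 * Assumed wiring, in META-INF/context.xml:
 *   <Realm className="example.mfa.OneTimeCodeRealm"/>
 * and in web.xml (the role name must equal ROLE below):
 *   <security-constraint>
 *     <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
 *     <auth-constraint><role-name>second-factor-ok</role-name></auth-constraint>
 *   </security-constraint>
 *   <login-config><auth-method>FORM</auth-method>...</login-config>
 * A Principal without that role is authenticated but still gets 403.
 */
public class OneTimeCodeRealm extends RealmBase {
    public static final String ROLE = "second-factor-ok";
    /* username -> code sent out of band; constructed in-memory store. */
    private static final Map<String, String> pending =
            new ConcurrentHashMap<String, String>();

    /* The (out-of-scope) SMS sender calls this after delivering a code. */
    public static void register(String username, String code) {
        pending.put(username, code);
    }

    @Override
    protected String getName() { return "OneTimeCodeRealm"; }

    /* RealmBase.authenticate(username, credentials) compares this value
       with what Tomcat's own login form posted as j_password. */
    @Override
    protected String getPassword(String username) {
        return pending.get(username);
    }

    /* Reached only after that comparison succeeded: consume the code
       (single use) and attach the role the <auth-constraint> names. */
    @Override
    protected Principal getPrincipal(String username) {
        String code = pending.remove(username);
        if (code == null) return null;
        return new GenericPrincipal(username, code, Collections.singletonList(ROLE));
    }
}
```

Because the constraint is enforced by Tomcat before the request reaches the servlet, the user sees Tomcat's login page (the one named in login-config) first and the application's own username/password form afterwards; the application itself is untouched.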