Hi Jim.
As I recall, your original issue was that there is no "OAM plugin" for Tomcat, and
therefore, you are doing the OAM authentication within the front-end Apache, and then
passing the user-id to Tomcat.
And then, you find yourself in Tomcat with a user-id, but without any "roles"
corresponding to this user-id.
And in order to get such roles, you are now facing a rather complex programming issue at
the Tomcat level.
I wrote this before, but let me repeat it: are you not doing a lot of work unnecessarily
there, and should you not look at this another way?
As far as I understand these Tomcat-level matters, a "role" in Tomcat is used to control
access to resources.
And you seem to use Tomcat's "declarative" type of access-control, which means that you
allow access or not to a given webapp depending on whether the user-id (which is passed
to Tomcat by the front-end) has or not a particular "role".
And, in the OAM system globally, the fact that a user has or not access to a particular
resource is already managed at the OAM level; but unfortunately, right now, you do not
have access to that OAM level from Tomcat.
But in this case, all your accesses to Tomcat webapps *always* happen through the
front-end, because it is this front-end which obtains the user-id (from OAM) and later
passes it to Tomcat. And this front-end thus *has* access to the OAM data.
So what is stopping you from:
- not using any authentication/access-control at the Tomcat level
- but checking all this at the Apache httpd front-end level?
Example: suppose you have 3 webapps app1, app2, app3.
You could have at the front-end level these sections :
<Location /app1>
    # SetHandler jakarta-servlet is the same as "JkMount /app1"
    SetHandler jakarta-servlet
    AuthType Oblix
    require valid-user
    # require .. (whatever)
</Location>
<Location /app2>
    # SetHandler jakarta-servlet is the same as "JkMount /app2"
    SetHandler jakarta-servlet
    AuthType Oblix
    require valid-user
    # require .. (whatever)
</Location>
<Location /app3>
    # SetHandler jakarta-servlet is the same as "JkMount /app3"
    SetHandler jakarta-servlet
    AuthType Oblix
    require valid-user
    # require .. (whatever)
</Location>
If the user "does not pass muster" for /app1 according to OAM, then the call will never
even make it to Tomcat.
If the user passes muster, then you can let them access Tomcat's /app1 application, as
they have been checked for it.
Or am I missing something?
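An added check for the approach described above (example code written for this page, not part of the original post or of any Apache/Tomcat project): the claim that a rejected user "never even makes it to Tomcat" only holds if every path mounted towards Tomcat is covered by an OAM-protected Location, so this small script parses a constructed httpd fragment and reports JkMount paths that are not. The sample configuration and the worker name "ajp13" are constructed for the illustration.

```python
import re

# Constructed httpd.conf fragment in the shape the post describes (sample data,
# not a real deployment). /app3 is mounted towards Tomcat but has no
# OAM-protected <Location>, which is the gap the check should flag.
SAMPLE_CONF = """
JkMount /app1 ajp13
JkMount /app2 ajp13
JkMount /app3 ajp13

<Location /app1>
    AuthType Oblix
    Require valid-user
</Location>

<Location /app2>
    AuthType Oblix
    Require valid-user
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)
JKMOUNT_RE = re.compile(r"^\s*JkMount\s+(\S+)\s+\S+", re.M | re.I)


def protected_locations(conf):
    """Map each <Location> path to True if it carries both an OAM AuthType and a Require."""
    result = {}
    for path, body in LOCATION_RE.findall(conf):
        has_authtype = re.search(r"^\s*AuthType\s+Oblix\b", body, re.M | re.I) is not None
        has_require = re.search(r"^\s*Require\s+\S+", body, re.M | re.I) is not None
        result[path.rstrip("/") or "/"] = has_authtype and has_require
    return result


def unprotected_mounts(conf):
    """Return JkMount paths that would reach Tomcat without passing an OAM-protected Location.

    Like Apache's own <Location> matching, a Location covers a mount when the paths are
    equal or the Location is a parent directory of the mount (a prefix ending at a slash).
    """
    locs = protected_locations(conf)
    gaps = []
    for mount in JKMOUNT_RE.findall(conf):
        base = mount.split("*", 1)[0].rstrip("/") or "/"   # "/app1/*" -> "/app1"
        covered = any(ok and (loc == "/" or base == loc or base.startswith(loc + "/"))
                      for loc, ok in locs.items())
        if not covered:
            gaps.append(mount)
    return gaps


if __name__ == "__main__":
    print("mounts reaching Tomcat without an OAM check:", unprotected_mounts(SAMPLE_CONF))
```

The same reasoning applies in the other direction: once Tomcat does no checking of its own, its AJP connector must be reachable only from this front-end, otherwise the user-id it receives has not been checked by anyone.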