---- "André Warnier" <a...@ice-sa.com> wrote:
> Hi Jim.
>
> As I recall, your original issue was that there is no "OAM plugin" for Tomcat, and
> therefore, you are doing the OAM authentication within the front-end Apache, and then
> passing the user-id to Tomcat.
> And then, you find yourself in Tomcat with a user-id, but without any "roles"
> corresponding to this user-id.
> And in order to get such roles, you are now facing a rather complex programming issue at
> the Tomcat level.
>
> I wrote this before, but let me repeat it: are you not doing a lot of work unnecessarily
> there, and should you not look at this another way?
>
> As far as I understand these Tomcat-level matters, a "role" in Tomcat is used to control
> access to resources.
> And you seem to use Tomcat's "declarative" type of access-control, which means that you
> allow access or not to a given webapp, in function of whether the user-id (which is passed
> to Tomcat by the front-end) has or not a particular "role".
>
> And, in the OAM system globally, the fact that a user has or not access to a particular
> resource, is already managed at the OAM level; but to which OAM level, unfortunately right
> now, you do not have access from Tomcat.
>
> But in this case, all your accesses to Tomcat webapps *always* happen through the
> front-end, because it is this front-end which obtains the user-id (from OAM) and later
> passes it to Tomcat. And this front-end thus *has* access to the OAM data.
>
> So what is stopping you from:
> - not using any authentication/access-control at the Tomcat level
> - but checking all this at the Apache httpd front-end level
> ?
>
> Example: suppose you have 3 webapps app1, app2, app3.
> You could have at the front-end level these sections:
>
> <Location /app1>
>   SetHandler jakarta-servlet   (same as "JkMount /app1")
>   AuthType Oblix
>   require valid-user
>   require .. (whatever)
> </Location>
>
> <Location /app2>
>   SetHandler jakarta-servlet   (same as "JkMount /app2")
>   AuthType Oblix
>   require valid-user
>   require .. (whatever)
> </Location>
>
> <Location /app3>
>   SetHandler jakarta-servlet   (same as "JkMount /app3")
>   AuthType Oblix
>   require valid-user
>   require .. (whatever)
> </Location>
>
> If the user "does not pass muster" for /app1 according to OAM, then the call will never
> even make it to Tomcat.
> If the user passes muster, then you can let them access Tomcat's /app1 application, as
> they have been checked for it.
>
> Or am I missing something?
Hi,

Yes, you are missing something, something akin to the "last mile".

Following your example of /app1, suppose that is a webapp that requires a known user (principal). The "security" JSP example in Tomcat is an example of this. You can use something like OAM to protect (permit or deny) access, but once you get to /app1, you wouldn't be "logged into" the app itself, not only for declarative type constraints, but also, for example, if the app does things like give you access to only specified resources (e.g., database tables, etc.) based on "who you are".

So, for example with the "security" example, with just OAM, and without anything else, you end up on the form login page, instead of it saying "Hi, xxxxx".

Just some examples there...

Jim

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
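One way to close the "last mile" Jim describes, as an added example that is not code from the thread or from Tomcat itself: a servlet filter that takes the user name httpd already established and the user's OAM groups, and makes them visible to the webapp through getUserPrincipal()/getRemoteUser()/isUserInRole(). It assumes the httpd front-end (mod_jk or mod_proxy_ajp) has authenticated the user with OAM, that the AJP <Connector> in server.xml carries tomcatAuthentication="false" so Tomcat adopts httpd's REMOTE_USER as the request principal, and that httpd forwards the group list in a header named X-OAM-Groups (a hypothetical name, set with something like "RequestHeader set X-OAM-Groups ..."; the filter class and header name are assumptions, not anything OAM or Tomcat ships).

```java
// Added example, not code from the thread. Assumptions: httpd has done the OAM
// authentication; the AJP connector has tomcatAuthentication="false" so
// getRemoteUser() is populated from httpd's REMOTE_USER; httpd sets the
// hypothetical X-OAM-Groups header to a comma-separated list of the user's groups.
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class FrontEndRolesFilter implements Filter {

    static final String GROUPS_HEADER = "X-OAM-Groups"; // assumed header name

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Non-null only when the request arrived over AJP with tomcatAuthentication="false"
        // and httpd had set REMOTE_USER. A request that reached Tomcat some other way
        // carries no user and is left anonymous; nothing from the client is trusted.
        String user = http.getRemoteUser();
        if (user == null) {
            chain.doFilter(req, res);
            return;
        }
        Set<String> roles = parseGroups(http.getHeader(GROUPS_HEADER));
        chain.doFilter(new RoleAwareRequest(http, user, roles), res);
    }

    /** "grp1, grp2 ,grp3" -> {grp1, grp2, grp3}; null or blank -> empty set. */
    static Set<String> parseGroups(String header) {
        Set<String> roles = new LinkedHashSet<>();
        if (header == null) {
            return roles;
        }
        for (String g : header.split(",")) {
            String trimmed = g.trim();
            if (!trimmed.isEmpty()) {
                roles.add(trimmed);
            }
        }
        return roles;
    }

    /** Makes the principal and role checks reflect what the front-end established. */
    static final class RoleAwareRequest extends HttpServletRequestWrapper {
        private final Principal principal;
        private final Set<String> roles;

        RoleAwareRequest(HttpServletRequest wrapped, final String user, Set<String> roles) {
            super(wrapped);
            this.principal = new Principal() {
                @Override public String getName() { return user; }
                @Override public String toString() { return user; }
            };
            this.roles = Collections.unmodifiableSet(roles);
        }

        @Override public String getRemoteUser() { return principal.getName(); }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
    }
}
```

Register it in web.xml with a <filter> and a <filter-mapping> on the paths that need it. Two caveats matter in practice. First, a filter runs after Tomcat's own authenticator, so this satisfies the application's programmatic checks (the "Hi, xxxxx" case, and code that picks database tables by who the caller is) but not the <security-constraint> entries in web.xml; for declarative constraints the roles still have to come from a Realm or a Valve (more recent Tomcat versions also offer tomcatAuthorization="true" on the AJP connector, which passes the httpd-supplied name through the configured Realm to pick up roles). Second, with tomcatAuthentication="false" whoever can open an AJP connection can assert any user name, so the AJP port must be reachable only from the front-end (bind it with address="127.0.0.1" or firewall it, and use the connector secret that mod_jk's worker "secret" matches; current Tomcat versions require one by default), and httpd must use "RequestHeader set" rather than append/merge for the group header so that a client cannot smuggle in extra groups.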