CURRENT ENVIRONMENT

Our device is managed via a Tomcat 6 based web server that runs on the device. We have a proprietary XML/JSON API that the web-based UI client uses to talk to the web server. We are NOT using container-managed security. Instead, our application has implemented its own authentication. Essentially, the client uses a proprietary login request and, after a successful authentication, the server marks the HTTP session as authenticated.

NEW SITUATION

Now we are looking to build a new multi-device management application, which would have its own UI and server. As the name implies, this application is for managing multiple devices. How should this multi-device service authenticate itself with the individual devices? We do not want the user to enter credentials for each device every time this service wants to talk to a managed device. We also do not want to store each managed device's credentials with the multi-device service.

One of the possibilities is to use SSL certificate based authentication. So the multi-device application can authenticate itself with individual devices using an SSL certificate. We only need to import the multi-device application's certificate into each managed device's trust-store once.

QUESTIONS

A few questions for those of you who have dealt with this type of 3-tier application:

Q1. How to get the above scheme working in Tomcat, such that the existing device-specific UI clients can continue to authenticate using the proprietary login request, whereas the multi-device application uses SSL certificate based authentication?

Q2. What are some of the other suggestions and/or best practices that you would recommend to solve this problem?

Thanks.
-Ajay
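One way the two authentication paths described in the question can coexist in a Tomcat web application, as an added example that is not part of the original post: a servlet filter that accepts either the session flag set by the proprietary login or a TLS client certificate that Tomcat has already validated against the device's trust-store (connector configured with clientAuth="want"). The session attribute name, the /api/login path and the expected certificate subject are assumptions for illustration.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class DualAuthFilter implements Filter {
    // Servlet-spec request attribute under which the container exposes the
    // client certificate chain it validated during the TLS handshake.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Session attribute the existing proprietary login sets (assumed name).
    private static final String AUTH_FLAG = "authenticated";
    // Subject the multi-device application's certificate is expected to carry (assumed value).
    private static final String ALLOWED_SUBJECT = "CN=multi-device-manager,O=Example";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        // Path 1: the proprietary login request itself must stay reachable (assumed path).
        if (http.getRequestURI().endsWith("/api/login")) { chain.doFilter(req, res); return; }

        // Path 2: an HTTP session already marked authenticated by the proprietary login.
        HttpSession session = http.getSession(false);
        if (session != null && Boolean.TRUE.equals(session.getAttribute(AUTH_FLAG))) {
            chain.doFilter(req, res); return;
        }

        // Path 3: a client certificate Tomcat accepted against the trust-store.
        // With clientAuth="want" the attribute is null when no certificate was presented;
        // a certificate that does not chain to the trust-store never gets this far.
        if (presentsAllowedCertificate(http)) { chain.doFilter(req, res); return; }

        out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    static boolean presentsAllowedCertificate(HttpServletRequest http) {
        X509Certificate[] chain = (X509Certificate[]) http.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) return false;
        // chain[0] is the end-entity certificate. Pin the expected subject so that any
        // other certificate the trust-store happens to accept does not also gain API access.
        return ALLOWED_SUBJECT.equals(chain[0].getSubjectX500Principal().getName());
    }
}
```

The certificate path only works on the HTTPS connector; requests arriving over plain HTTP carry no certificate attribute and fall through to the session check.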