On 21/06/2012 20:34, Aggarwal, Ajay wrote:
> Sorry about the poor formatting of my message.

Research OAuth.


p

> -----Original Message-----
> From: Aggarwal, Ajay [mailto:ajay.aggar...@stratus.com] 
> Sent: Thursday, June 21, 2012 3:27 PM
> To: users@tomcat.apache.org
> Subject: mixing authentication schemes
> 
> CURRENT ENVIRONMENT
> 
> Our device is managed via a Tomcat 6 based web server that runs on the
> device. We have a proprietary XML/JSON API that the web-based UI client uses
> to talk to the web server. We are NOT using container-managed security.
> Instead, our application has implemented its own authentication.
> Essentially, the client uses a proprietary login request and, after a
> successful authentication, the server marks the HTTP session as
> authenticated.
> 
> NEW SITUATION
> 
> Now we are looking to build a new multi-device management application,
> which would have its own UI and server. As the name implies this
> application is for managing multiple devices. 
> 
> How should this multi-device service authenticate itself with the
> individual devices? We do not want the user to enter credentials for each
> device every time this service wants to talk to a managed device. We
> also do not want to store each managed device's credentials with the
> multi-device service.
> 
> One possibility is to use SSL certificate based authentication,
> so the multi-device application can authenticate itself with individual
> devices using an SSL certificate. We only need to import the multi-device
> application's certificate into each managed device's trust-store once.
> 
> QUESTIONS
> 
> A few questions for those of you who have dealt with this type of 3-tier
> application:
> 
> Q1. How can we get the above scheme working in Tomcat, such that the existing
> device-specific UI clients can continue to authenticate using the
> proprietary login request, whereas the multi-device application uses SSL
> certificate based authentication?
> 
> Q2. What are some of the other suggestions and/or best practices that
> you would recommend to solve this problem?
> 
> Thanks.
> 
> -Ajay


-- 

[key:62590808]



Attachment: signature.asc
Description: OpenPGP digital signature
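
One way the two schemes in Q1 can coexist on a device, as an added example that is not part of the original thread: the HTTPS connector requests a client certificate without requiring one (`clientAuth="want"`), and a servlet filter accepts either the existing authenticated session or the multi-device application's certificate. The class name, the `/api/login` path, the `authenticated` session attribute and the subject DN are assumptions made for illustration.

```java
// Added example, not code from the thread. Assumes the HTTPS <Connector> in
// server.xml sets clientAuth="want" and a truststore that contains only the
// multi-device application's certificate (or its issuing CA).
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.*;

public class MixedAuthFilter implements Filter {
    // Hypothetical values: adjust to the real login path, session flag and DN.
    private static final String LOGIN_PATH = "/api/login";
    private static final String SESSION_FLAG = "authenticated";
    private static final String MANAGER_DN = "CN=multi-device-manager,O=Example";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        if (hasTrustedClientCert(req) || hasAuthenticatedSession(req)
                || isLoginRequest(req)) {
            chain.doFilter(req, res);
        } else {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    // Tomcat has already validated the chain against the connector truststore;
    // the DN check pins which trusted certificate may act as the manager.
    private boolean hasTrustedClientCert(HttpServletRequest req) {
        X509Certificate[] chain = (X509Certificate[])
                req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) return false;
        String dn = chain[0].getSubjectX500Principal().getName(); // RFC 2253 form
        return MANAGER_DN.equals(dn);
    }

    private boolean hasAuthenticatedSession(HttpServletRequest req) {
        HttpSession s = req.getSession(false); // never create a session here
        return s != null && Boolean.TRUE.equals(s.getAttribute(SESSION_FLAG));
    }

    private boolean isLoginRequest(HttpServletRequest req) {
        String path = req.getRequestURI().substring(req.getContextPath().length());
        return LOGIN_PATH.equals(path);
    }
}
```

Requests admitted by certificate carry no user session, so any per-user authorization in the application has to treat the multi-device application as its own principal.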
