Posted to users@tomcat.apache.org by Doug Gschwind <do...@gmail.com> on 2016/08/26 05:54:54 UTC

Custom Authentication in Tomcat 8.5.4 using JDK 1.8.0_92?

Hello,

I am attempting to migrate our web app from Resin 3.1 to Tomcat 8.5.4.
Ultimately, the intent is to be able to run our web app within Tomcat 8.5
on Mac OS X (in dev mode) or on a CentOS 7 box for production. With Resin
3.1, you can use a subclass of the Resin AbstractAuthenticator class to do
custom authentication. The AbstractAuthenticator instance is presented with
the login credentials of the end user attempting to log in, as well as the
HttpServletRequest instance itself so that any and all HTTP request state
such as parameters can also be interrogated if necessary. This is the case
for our application; we need to be able to interrogate those additional
HTTP request parameters in some cases. So, I am trying to implement this
same behavior in Tomcat 8.5.4.

In my research today on the topic, this appears to be much more difficult
than I would expect in Tomcat 8.5, so I can only conclude I am missing
something. Here are the two potential solutions I have found:

1) Provide our own implementation of the org.apache.catalina.Realm
interface. While this would seem like "this must be the right approach" at
first, I don't see where the Realm implementor has access to the
HttpServletRequest instance when an inbound authentication attempt is
occurring. True, there are overloaded authenticate() operations that must
be implemented, but I don't see where any of them can obtain a reference to
the inbound HttpServletRequest instance. I thought maybe the Container
instance available to the Realm might contain it, but it looks to contain
information that doesn't vary per HTTP request.
2) Introduce a ServletFilter, and of course this should work since the
ServletFilter has full access to the inbound HttpServletRequest. However,
this doesn't seem as appropriate, as that Servlet filter then needs to do
other things (e.g. create a Subject and bind it to the Session, decide what to do
with the Principal instance, etc.) beyond just the raw authentication step, and I
don't find supporting information on how that should be implemented.

I am hoping someone on the list has faced this problem in a recent version of
Tomcat and can point me in the right direction.

Thank you,

Doug

Re: Custom Authentication in Tomcat 8.5.4 using JDK 1.8.0_92?

Posted by Doug Gschwind <do...@gmail.com>.
Hi Mark,

Very good, thank you for that direction. Both approaches you suggest seem
appropriate, but I was unable to find any guide that describes how to
provide/implement a JASPIC module, let alone that within Tomcat. I am
hoping a custom Authenticator via extending AuthenticatorBase
(FormAuthenticator in particular) will do the trick, but I don't know just
yet.

Thank you for the help.

Doug

On Fri, Aug 26, 2016 at 5:07 AM, Mark Thomas <ma...@apache.org> wrote:

> On 26/08/2016 06:54, Doug Gschwind wrote:
> > Hello,
>
> <snip/>
>
> > In my research today on the topic, this appears to be much more difficult
> > than I would expect in Tomcat 8.5, so I can only conclude I am missing
> > something. Here are the two potential solutions I have found:
> >
> > 1) Provide our own implementation of the org.apache.catalina.Realm
>
> The split isn't completely clean, but generally Realms provide
> authorization, not authentication.
>
> Very roughly, Authenticators obtain the user name, password, etc., and
> Realms validate them against a credential store.
>
> You probably want to implement a custom Authenticator (extending
> AuthenticatorBase).
>
> Depending on what you are trying to do, you might need a custom
> Authenticator and a custom Realm.
>
> A more portable solution would be to implement a JASPIC module.
>
> HTH,
>
> Mark
>
>

Re: Custom Authentication in Tomcat 8.5.4 using JDK 1.8.0_92?

Posted by Mark Thomas <ma...@apache.org>.
On 26/08/2016 06:54, Doug Gschwind wrote:
> Hello,

<snip/>

> In my research today on the topic, this appears to be much more difficult
> than I would expect in Tomcat 8.5, so I can only conclude I am missing
> something. Here are the two potential solutions I have found:
> 
> 1) Provide our own implementation of the org.apache.catalina.Realm

The split isn't completely clean, but generally Realms provide
authorization, not authentication.

Very roughly, Authenticators obtain the user name, password, etc., and
Realms validate them against a credential store.

You probably want to implement a custom Authenticator (extending
AuthenticatorBase).

Depending on what you are trying to do, you might need a custom
Authenticator and a custom Realm.

A more portable solution would be to implement a JASPIC module.

HTH,

Mark

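As an added illustration of the Authenticator/Realm split described above and of the request-parameter access asked about in the original question (example code, not from this thread and not part of Tomcat itself): a custom Tomcat 8.5 Authenticator valve that extends AuthenticatorBase, pulls the user name, password and one extra application-specific parameter off the inbound request, enforces its request-level check, and then delegates credential validation to whatever Realm the Context is configured with. The package name, the parameter names (`j_username`, `j_password`, `tenant`), the `PARAMETER` auth-method label and the tenant format rule are all assumptions for the example.

```java
// Added example, not Tomcat's own code: a custom Authenticator valve for
// Tomcat 8.5 that has full access to the request before delegating to the Realm.
package com.example.auth;  // hypothetical package

import java.io.IOException;
import java.security.Principal;

import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Realm;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;

public class ParameterAwareAuthenticator extends AuthenticatorBase {

    // Assumed parameter names; the real application decides what it needs.
    private static final String USER_PARAM = "j_username";
    private static final String PASS_PARAM = "j_password";
    private static final String TENANT_PARAM = "tenant";

    @Override
    protected String getAuthMethod() {
        // Assumed label; it is what HttpServletRequest#getAuthType() will report.
        return "PARAMETER";
    }

    @Override
    protected boolean doAuthenticate(Request request, HttpServletResponse response)
            throws IOException {

        // Reuse a Principal already cached on the session (or via SSO) so the
        // credential store is not consulted on every request.
        if (checkForCachedAuthentication(request, response, true)) {
            return true;
        }

        String username = request.getParameter(USER_PARAM);
        String password = request.getParameter(PASS_PARAM);
        String tenant = request.getParameter(TENANT_PARAM);

        // The Authenticator is the component with the HttpServletRequest in hand,
        // so request-level policy (here: the extra parameter must be present and
        // well-formed) is enforced here, before any credentials are checked.
        if (username == null || password == null || !isValidTenant(tenant)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        // Realm.authenticate(String, String) validates the pair against the
        // configured credential store; null means the credentials were rejected.
        Realm realm = context.getRealm();
        Principal principal = realm.authenticate(username, password);
        if (principal == null) {
            // Same generic response for an unknown user and a wrong password.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        // Registering stores the Principal on the request and session, so later
        // requests take the cached-authentication path above.
        register(request, response, principal, getAuthMethod(), username, password);
        return true;
    }

    // Assumed policy for the example: a tenant id is a short lowercase token.
    private static boolean isValidTenant(String tenant) {
        return tenant != null && tenant.matches("[a-z0-9]{1,32}");
    }
}
```

The valve is wired in by adding `<Valve className="com.example.auth.ParameterAwareAuthenticator"/>` to the web application's `META-INF/context.xml`; because an Authenticator is then already present in the Context pipeline, Tomcat does not add its default one for the `<login-config>` auth-method. The Realm stays responsible for the credential store and the roles it returns, which is the division Mark describes. Credentials should arrive in a POST body rather than the query string so they do not end up in access logs, and the two `SC_UNAUTHORIZED` paths deliberately return the same status so a caller cannot tell a bad user name from a bad password.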

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org