Posted to users@tomcat.apache.org by David kerber <dc...@verizon.net> on 2015/02/20 17:35:51 UTC

Multi-instance authentication

I have several instances of TC 7.x on windows, running the same in-house 
developed application for different outside customers.  Those instances 
are each tied to a specific database, and cannot talk to any other dbs.

My in-house users occasionally need to log into the application instance 
for a specific customer to do administrative tasks for them, and the 
authentication is tied to the specific instance they are working with 
(the database for that instance).  I am trying to work out a way of 
letting them log into any instance with a single "master" login, which 
would require all of the instances to authenticate against the same 
server/source/whatever you call it.

I can only come up with two options:  LDAP authentication against my 
Windows domain controller, or a separate database that any of the 
instances can connect to.  I know either of these would require 
additional code work, which isn't a problem, and I have a good feel for 
what's involved in db authentication.

But I don't have a good feel for LDAP auth.  How difficult is that to 
get working in TC 7.x?

I am also open to other suggestions that I might be missing.

Thanks for any help!
Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Multi-instance authentication

Posted by Christopher Schultz <ch...@christopherschultz.net>.

David,

On 2/20/15 11:35 AM, David kerber wrote:
> I have several instances of TC 7.x on windows, running the same
> in-house developed application for different outside customers.
> Those instances are each tied to a specific database, and cannot
> talk to any other dbs.
> 
> My in-house users occasionally need to log into the application
> instance for a specific customer to do administrative tasks for
> them, and the authentication is tied to the specific instance they
> are working with (the database for that instance).  I am trying to
> work out a way of letting them log into any instance with a single
> "master" login, which would require all of the instances to
> authenticate against the same server/source/whatever you call it.
> 
> I can only come up with two options:  LDAP authentication against
> my Windows domain controller, or a separate database that any of
> the instances can connect to.  I know either of these would
> require additional code work, which isn't a problem, and I have a
> good feel for what's involved in db authentication.
> 
> But I don't have a good feel for LDAP auth.  How difficult is that
> to get working in TC 7.x?

It shouldn't be too hard.

You can probably do this all with configuration of existing
components: you can use the CombinedRealm to first try your local data
source, and then try an LDAP data source for authentication (or the
other way around, whichever you prefer).

-chris
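A server.xml Realm fragment showing the CombinedRealm arrangement Chris describes, as an added example and not configuration from the original thread or from Tomcat's own documentation. The JNDI DataSource name, the table and column names, the directory layout (DC=example,DC=internal), the domain controller hostname and the service account are all assumed placeholders.

```xml
<!-- Added example: Tomcat 7 CombinedRealm that tries the instance's own
     database first and then the Windows domain controller over LDAP.
     Nested Realms are tried in document order; the first one that
     authenticates the user wins. All names below are placeholders. -->
<Realm className="org.apache.catalina.realm.CombinedRealm">

  <!-- 1. The customer's own application users, read from the per-instance
          database. 'jdbc/customerDB' is assumed to be the JNDI DataSource
          this instance already uses. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/customerDB"
         localDataSource="true"
         userTable="app_users"
         userNameCol="login"
         userCredCol="password_hash"
         userRoleTable="app_roles"
         roleNameCol="role_name"
         digest="SHA-256" />

  <!-- 2. In-house staff, authenticated against Active Directory with
          JNDIRealm. Active Directory usually needs a search rather than a
          fixed userPattern, so the realm binds with a read-only service
          account, locates the user by sAMAccountName, then binds again as
          that user to verify the password. Tomcat never stores the
          user's AD password. -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://dc01.example.internal:636"
         connectionName="CN=svc-tomcat-ldap,OU=Service Accounts,DC=example,DC=internal"
         connectionPassword="REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
         userBase="OU=Staff,DC=example,DC=internal"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         roleBase="OU=Groups,DC=example,DC=internal"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true" />

</Realm>
```

Because roles for the "master" login come from the AD groups matched by roleSearch, the group's cn has to equal a role name the application already expects (or the application has to map it). Using ldaps keeps both the service-account bind and the user's password off the wire in clear text, which means the domain controller's certificate chain must be trusted by the JVM's truststore on every instance; the service account itself needs read access only. Unlike a front-end proxy that forwards an already-authenticated user, this arrangement still has each Tomcat verify the password itself, so a compromised front end cannot hand an instance a forged identity.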



Re: Multi-instance authentication

Posted by André Warnier <aw...@ice-sa.com>.
David kerber wrote:
> I have several instances of TC 7.x on windows, running the same in-house 
> developed application for different outside customers.  Those instances 
> are each tied to a specific database, and cannot talk to any other dbs.
> 
> My in-house users occasionally need to log into the application instance 
> for a specific customer to do administrative tasks for them, and the 
> authentication is tied to the specific instance they are working with 
> (the database for that instance).  I am trying to work out a way of 
> letting them log into any instance with a single "master" login, which 
> would require all of the instances to authenticate against the same 
> server/source/whatever you call it.
> 
> I can only come up with two options:  LDAP authentication against my 
> Windows domain controller, or a separate database that any of the 
> instances can connect to.  I know either of these would require 
> additional code work, which isn't a problem, and I have a good feel for 
> what's involved in db authentication.
> 
> But I don't have a good feel for LDAP auth.  How difficult is that to 
> get working in TC 7.x?
> 
> I am also open to other suggestions that I might be missing.
> 

An out-of-the-tomcat-box suggestion:

Install one front-end Apache httpd which does the authentication, then forwards to any of 
the back-end tomcats in function of the URL, via mod_jk.(*)
Configure the AJP Connector at the Tomcat side to say: tomcatAuthentication=false.
mod_jk forwards to Tomcat (as part of the AJP protocol) the authenticated Apache user-id.
The above attribute in the Connector causes Tomcat to just accept this id as the user's 
already-authenticated id (which means that Tomcat won't double-check with whatever 
authentication backup it has already and uses normally).

LDAP authentication is quite standard in httpd, but if you have a limited number of 
user-ids who need to do that, you might even set this up with Basic Auth and a file 
back-end at the httpd level (**).  As long as your Tomcats accept AJP connections only 
from the internal httpd front-end, and the users doing that are only internal users, this 
would not impact security.


(*) you can use mod_rewrite or even SetEnvIf at the httpd level, to trigger the proxying 
to the appropriate Tomcat, in function of the original requested hostname e.g.
(**) with this scheme, it does not really matter *how* Apache does the authentication, as 
long as it results in a user-id that is valid for the back-end Tomcat.
It does not even have to use the same password e.g.
The httpd password does not get forwarded to Tomcat, just the user-id.

It would even allow you to login to the Tomcats using real user-ids of the customer users, 
which may matter if different users have different roles or permissions.

Caveat and hand-washing: I have never tried this. It just popped up when I read your post 
and I imagined with terror having to modify some standard Tomcat component, or implement 
something which would leave holes in the customer Tomcat's security.
But I am doing some things already in that area, which might be considered of a similar 
enough nature, and they work.
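The httpd front-end André sketches, written out as an added example that is not from the original post and not tested by its author: one httpd virtual host does Basic authentication (against the Windows DC over LDAP, or against a small password file) and forwards by hostname through mod_jk, and each back-end Tomcat 7 trusts the forwarded user-id. Hostnames, addresses, the AD layout, the worker names and the shared secret are assumed placeholders; mod_jk, mod_ssl, mod_authnz_ldap and mod_ldap are assumed to be loaded.

```apache
# ---- httpd front-end (added example; every name here is a placeholder) ----

# One mod_jk worker per back-end Tomcat, defined in conf/workers.properties:
#   worker.list=customerA,customerB
#   worker.customerA.type=ajp13
#   worker.customerA.host=10.0.1.11
#   worker.customerA.port=8009
#   worker.customerA.secret=CHANGE-ME-SHARED-SECRET   # must equal requiredSecret below
#   (customerB likewise, with its own host and its own secret)
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
JkLogLevel    info

<VirtualHost *:443>
    ServerName customer-a.example.internal
    SSLEngine on
    SSLCertificateFile    conf/ssl/customer-a.crt
    SSLCertificateKeyFile conf/ssl/customer-a.key

    # The requested hostname selects the back-end Tomcat (André's "(*)" note):
    # everything on this vhost goes to the customerA worker.
    JkMount /* customerA

    # Option 1: authenticate in-house staff against the Windows DC over LDAPS.
    <Location />
        AuthType Basic
        AuthName "Customer A administration"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://dc01.example.internal:636/OU=Staff,DC=example,DC=internal?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN       "CN=svc-httpd-ldap,OU=Service Accounts,DC=example,DC=internal"
        AuthLDAPBindPassword "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
        # Only members of one AD group may reach the instance at all.
        Require ldap-group CN=tomcat-admins,OU=Groups,DC=example,DC=internal
    </Location>

    # Option 2 (André's "(**)" note): a small htpasswd file instead of LDAP.
    # Replace the three provider lines above with:
    #   AuthBasicProvider file
    #   AuthUserFile conf/tomcat-admins.htpasswd
    #   Require valid-user
</VirtualHost>

# ---- Tomcat 7 server.xml on each back-end (same secret as its worker) ----
#
#   <Connector protocol="AJP/1.3" port="8009"
#              address="10.0.1.11"
#              tomcatAuthentication="false"
#              requiredSecret="CHANGE-ME-SHARED-SECRET" />
#
# tomcatAuthentication="false" makes Tomcat accept the REMOTE_USER that mod_jk
# forwards in the AJP request, with no password check of its own. That is only
# safe while the AJP port is reachable solely from the httpd front-end: bind
# it to the internal address, firewall 8009 from everything else, and set
# requiredSecret so that a stray client on the internal network cannot open an
# AJP connection and present itself as an already-authenticated administrator.
```

Two things to verify before relying on this. First, the security of the whole scheme rests on the AJP port being unreachable except from the front end, since any client that can speak AJP to port 8009 can name an arbitrary user; the address binding, the firewall rule and the shared secret are three independent controls for that one risk. Second, the connector trusts only the user name: how that name is turned into roles for the application's security constraints depends on the Tomcat version, so check the AJP connector documentation for the release you run before assuming the Realm's role lookup still applies.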


