Posted to users@tomcat.apache.org by Sebastian Trost <se...@dms-ag.ch> on 2016/03/29 18:57:57 UTC

OpenID Connect with Tomcat 8

Hi,

I am looking for a way to use OpenID Connect (authentication AND authorization) with Tomcat 8. I found two ways to get authentication working, but not authorization. Here's what I tested so far:

Tomcat 8 + https://github.com/boylesoftware/tomcat8-oidcauth
This extension works very well for authentication. It isn't possible to authorize users, though. You can configure a realm which authorizes the user against LDAP or a database.

Apache HTTPD + https://github.com/pingidentity/mod_auth_openidc + Tomcat 8 
This mod works pretty well, too. But the AJP Connector doesn't seem to receive the roles from the web server and also relies on the realm to fetch the roles for each user.

With both methods I failed to read the roles OpenID Connect supplies with the id token. 

I experimented a bit with botching around in tomcat8-oidcauth. I removed the authenticate()-call and instead built the GenericPrincipal object with hard-coded roles on my own. That seems to work. But is this safe? Can I just read the token id and assume that it is correct and set the roles in the GenericPrincipal?
Are there any other methods to use both authentication AND authorization with tomcat 8?

Thanks and kind regards
Sebastian


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: AW: AW: OpenID Connect with Tomcat 8

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sebastian,

On 3/30/16 12:06 PM, Sebastian Trost wrote:
> This is an OpenID Connect implementation for tomcat 8: 
> https://github.com/boylesoftware/tomcat8-oidcauth
> 
> And as far as I know (I'm very new to this, so please correct me
> if I'm wrong) the Valve redirects the user to the OIDC provider
> before he reaches the login form of the tomcat. The Valve also
> sends a redirect_uri to the OIDC provider which he then uses to
> redirect the user back to the tomcat's j_security_check after a
> successful authentication. This redirect contains a token and a
> token id which contains information about the user in JSON format. If
> something went wrong with the authentication on the OIDC provider's
> side, the user will be redirected to the form - I think.
> 
> If I only used a realm, I couldn't redirect the user before he 
> reaches the login form. I think.

Yep, anything that interacts with the request/response needs to be in
Valve format. You probably need to implement the Authenticator
interface, otherwise Tomcat will add an authenticator for you into
your valve chain unless you specify "NONE" as your application's
auth-method.

- -chris

> -----Original Message----- From: Christopher Schultz 
> [mailto:chris@christopherschultz.net] Sent: Wednesday, 30 March 
> 2016 17:03 To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: AW: OpenID Connect with Tomcat 8
> 
> Sebastian,
> 
> On 3/30/16 4:42 AM, Sebastian Trost wrote:
>> Well, it seems that I will have to use a Valve + Realm 
>> combination. Thanks!
> 
> What does the Valve add?
> 
> -chris
> 
>> -----Original Message----- From: Christopher Schultz 
>> [mailto:chris@christopherschultz.net] Sent: Tuesday, 29
>> March 2016 19:57 To: Tomcat Users List <us...@tomcat.apache.org> 
>> Subject: Re: OpenID Connect with Tomcat 8
> 
>> Sebastian,
> 
>> On 3/29/16 12:57 PM, Sebastian Trost wrote:
>>> Hi,
> 
>>> I am looking for a way to use OpenID Connect (authentication
>>> AND authorization) with Tomcat 8. I found two ways to get 
>>> authentication working, but not authorization. Here's what I 
>>> tested so far:
> 
>>> Tomcat 8 + https://github.com/boylesoftware/tomcat8-oidcauth
>>> This extension works very well for authentication. It isn't
>>> possible to authorize users, though. You can configure a realm
>>> which authorizes the user against LDAP or a database.
> 
>>> Apache HTTPD + https://github.com/pingidentity/mod_auth_openidc
>>> + Tomcat 8 This mod works pretty well, too. But the AJP
>>> Connector doesn't seem to receive the roles from the web server
>>> and also relies on the realm to fetch the roles for each user.
> 
>>> With both methods I failed to read the roles OpenID Connect 
>>> supplies with the id token.
> 
>>> I experimented a bit with botching around in tomcat8-oidcauth.
>>> I removed the authenticate()-call and instead built the 
>>> GenericPrincipal object with hard-coded roles on my own. That 
>>> seems to work. But is this safe? Can I just read the token id 
>>> and assume that it is correct and set the roles in the 
>>> GenericPrincipal? Are there any other methods to use both 
>>> authentication AND authorization with tomcat 8?
> 
>> I haven't looked at any of the above projects but if you want to
>>  authenticate and authorize against a different type of backing 
>> database, then you need to create your own Realm. RealmBase 
>> provides some nice utilities, but you aren't required to actually
>>  extend it.
> 
>> The Realm has complete control over how the Principal objects are
>>  created, so if you have a way to identify the user and their
>> roles, then you can simply create a GenericPrincipal and return
>> that on login, and its roles will be used for authentication
>> later.
> 
>> Hope that helps, -chris
> 
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlb8BH8ACgkQ9CaO5/Lv0PA/wwCdHiaFYSiRNzm/27N3y9Wl1gPB
SBIAoKWypSpPnR36o3Sq3Sv0hoXlCS08
=Gkmy
-----END PGP SIGNATURE-----



AW: AW: OpenID Connect with Tomcat 8

Posted by Sebastian Trost <se...@dms-ag.ch>.
Hi Chris,

This is an OpenID Connect implementation for tomcat 8: https://github.com/boylesoftware/tomcat8-oidcauth

And as far as I know (I'm very new to this, so please correct me if I'm wrong) the Valve redirects the user to the OIDC provider before he reaches the login form of the tomcat. The Valve also sends a redirect_uri to the OIDC provider which he then uses to redirect the user back to the tomcat's j_security_check after a successful authentication. This redirect contains a token and a token id which contains information about the user in JSON format. If something went wrong with the authentication on the OIDC provider's side, the user will be redirected to the form - I think. 

If I only used a realm, I couldn't redirect the user before he reaches the login form. I think. 

Regards
Sebastian


-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Wednesday, 30 March 2016 17:03
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: AW: OpenID Connect with Tomcat 8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sebastian,

On 3/30/16 4:42 AM, Sebastian Trost wrote:
> Well, it seems that I will have to use a Valve + Realm combination.
> Thanks!

What does the Valve add?

- -chris

> -----Original Message----- From: Christopher Schultz
> [mailto:chris@christopherschultz.net] Sent: Tuesday, 29 March
> 2016 19:57 To: Tomcat Users List <us...@tomcat.apache.org> Subject:
> Re: OpenID Connect with Tomcat 8
> 
> Sebastian,
> 
> On 3/29/16 12:57 PM, Sebastian Trost wrote:
>> Hi,
> 
>> I am looking for a way to use OpenID Connect (authentication AND 
>> authorization) with Tomcat 8. I found two ways to get 
>> authentication working, but not authorization. Here's what I
>> tested so far:
> 
>> Tomcat 8 + https://github.com/boylesoftware/tomcat8-oidcauth
>> This extension works very well for authentication. It isn't
>> possible to authorize users, though. You can configure a realm
>> which authorizes the user against LDAP or a database.
> 
>> Apache HTTPD + https://github.com/pingidentity/mod_auth_openidc
>> + Tomcat 8 This mod works pretty well, too. But the AJP
>> Connector doesn't seem to receive the roles from the web server
>> and also relies on the realm to fetch the roles for each user.
> 
>> With both methods I failed to read the roles OpenID Connect 
>> supplies with the id token.
> 
>> I experimented a bit with botching around in tomcat8-oidcauth. I 
>> removed the authenticate()-call and instead built the 
>> GenericPrincipal object with hard-coded roles on my own. That
>> seems to work. But is this safe? Can I just read the token id and
>> assume that it is correct and set the roles in the
>> GenericPrincipal? Are there any other methods to use both
>> authentication AND authorization with tomcat 8?
> 
> I haven't looked at any of the above projects but if you want to 
> authenticate and authorize against a different type of backing 
> database, then you need to create your own Realm. RealmBase
> provides some nice utilities, but you aren't required to actually
> extend it.
> 
> The Realm has complete control over how the Principal objects are 
> created, so if you have a way to identify the user and their
> roles, then you can simply create a GenericPrincipal and return
> that on login, and its roles will be used for authentication
> later.
> 
> Hope that helps, -chris
> 
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlb76p8ACgkQ9CaO5/Lv0PABXwCgvEX9iIRA9n9IOdqpOtEgYQ4y
358An08Itleb8FBUrjkpQdenC6HYBP7R
=E8GZ
-----END PGP SIGNATURE-----



Re: AW: OpenID Connect with Tomcat 8

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sebastian,

On 3/30/16 4:42 AM, Sebastian Trost wrote:
> Well, it seems that I will have to use a Valve + Realm combination.
> Thanks!

What does the Valve add?

- -chris

> -----Original Message----- From: Christopher Schultz
> [mailto:chris@christopherschultz.net] Sent: Tuesday, 29 March
> 2016 19:57 To: Tomcat Users List <us...@tomcat.apache.org> Subject:
> Re: OpenID Connect with Tomcat 8
> 
> Sebastian,
> 
> On 3/29/16 12:57 PM, Sebastian Trost wrote:
>> Hi,
> 
>> I am looking for a way to use OpenID Connect (authentication AND 
>> authorization) with Tomcat 8. I found two ways to get 
>> authentication working, but not authorization. Here's what I
>> tested so far:
> 
>> Tomcat 8 + https://github.com/boylesoftware/tomcat8-oidcauth
>> This extension works very well for authentication. It isn't
>> possible to authorize users, though. You can configure a realm
>> which authorizes the user against LDAP or a database.
> 
>> Apache HTTPD + https://github.com/pingidentity/mod_auth_openidc
>> + Tomcat 8 This mod works pretty well, too. But the AJP
>> Connector doesn't seem to receive the roles from the web server
>> and also relies on the realm to fetch the roles for each user.
> 
>> With both methods I failed to read the roles OpenID Connect 
>> supplies with the id token.
> 
>> I experimented a bit with botching around in tomcat8-oidcauth. I 
>> removed the authenticate()-call and instead built the 
>> GenericPrincipal object with hard-coded roles on my own. That
>> seems to work. But is this safe? Can I just read the token id and
>> assume that it is correct and set the roles in the
>> GenericPrincipal? Are there any other methods to use both
>> authentication AND authorization with tomcat 8?
> 
> I haven't looked at any of the above projects but if you want to 
> authenticate and authorize against a different type of backing 
> database, then you need to create your own Realm. RealmBase
> provides some nice utilities, but you aren't required to actually
> extend it.
> 
> The Realm has complete control over how the Principal objects are 
> created, so if you have a way to identify the user and their
> roles, then you can simply create a GenericPrincipal and return
> that on login, and its roles will be used for authentication
> later.
> 
> Hope that helps, -chris
> 
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlb76p8ACgkQ9CaO5/Lv0PABXwCgvEX9iIRA9n9IOdqpOtEgYQ4y
358An08Itleb8FBUrjkpQdenC6HYBP7R
=E8GZ
-----END PGP SIGNATURE-----



AW: OpenID Connect with Tomcat 8

Posted by Sebastian Trost <se...@dms-ag.ch>.
Hi Chris,

Well, it seems that I will have to use a Valve + Realm combination. Thanks!

Regards
Sebastian

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Tuesday, 29 March 2016 19:57
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: OpenID Connect with Tomcat 8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sebastian,

On 3/29/16 12:57 PM, Sebastian Trost wrote:
> Hi,
> 
> I am looking for a way to use OpenID Connect (authentication AND
> authorization) with Tomcat 8. I found two ways to get
> authentication working, but not authorization. Here's what I tested
> so far:
> 
> Tomcat 8 + https://github.com/boylesoftware/tomcat8-oidcauth This
> extension works very well for authentication. It isn't possible to
> authorize users, though. You can configure a realm which authorizes
> the user against LDAP or a database.
> 
> Apache HTTPD + https://github.com/pingidentity/mod_auth_openidc +
> Tomcat 8 This mod works pretty well, too. But the AJP Connector
> doesn't seem to receive the roles from the web server and also
> relies on the realm to fetch the roles for each user.
> 
> With both methods I failed to read the roles OpenID Connect
> supplies with the id token.
> 
> I experimented a bit with botching around in tomcat8-oidcauth. I
> removed the authenticate()-call and instead built the
> GenericPrincipal object with hard-coded roles on my own. That seems
> to work. But is this safe? Can I just read the token id and assume
> that it is correct and set the roles in the GenericPrincipal? Are
> there any other methods to use both authentication AND
> authorization with tomcat 8?

I haven't looked at any of the above projects but if you want to
authenticate and authorize against a different type of backing
database, then you need to create your own Realm. RealmBase provides
some nice utilities, but you aren't required to actually extend it.

The Realm has complete control over how the Principal objects are
created, so if you have a way to identify the user and their roles,
then you can simply create a GenericPrincipal and return that on
login, and its roles will be used for authentication later.

Hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlb6wd4ACgkQ9CaO5/Lv0PDbYwCaAwKxMmUKPQWU9Vz/86xio4T2
/FwAn3kmrN6wJY1Fik4/Vcp6K62AF/tt
=30NH
-----END PGP SIGNATURE-----



Re: OpenID Connect with Tomcat 8

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sebastian,

On 3/29/16 12:57 PM, Sebastian Trost wrote:
> Hi,
> 
> I am looking for a way to use OpenID Connect (authentication AND
> authorization) with Tomcat 8. I found two ways to get
> authentication working, but not authorization. Here's what I tested
> so far:
> 
> Tomcat 8 + https://github.com/boylesoftware/tomcat8-oidcauth This
> extension works very well for authentication. It isn't possible to
> authorize users, though. You can configure a realm which authorizes
> the user against LDAP or a database.
> 
> Apache HTTPD + https://github.com/pingidentity/mod_auth_openidc +
> Tomcat 8 This mod works pretty well, too. But the AJP Connector
> doesn't seem to receive the roles from the web server and also
> relies on the realm to fetch the roles for each user.
> 
> With both methods I failed to read the roles OpenID Connect
> supplies with the id token.
> 
> I experimented a bit with botching around in tomcat8-oidcauth. I
> removed the authenticate()-call and instead built the
> GenericPrincipal object with hard-coded roles on my own. That seems
> to work. But is this safe? Can I just read the token id and assume
> that it is correct and set the roles in the GenericPrincipal? Are
> there any other methods to use both authentication AND
> authorization with tomcat 8?

I haven't looked at any of the above projects but if you want to
authenticate and authorize against a different type of backing
database, then you need to create your own Realm. RealmBase provides
some nice utilities, but you aren't required to actually extend it.

The Realm has complete control over how the Principal objects are
created, so if you have a way to identify the user and their roles,
then you can simply create a GenericPrincipal and return that on
login, and its roles will be used for authentication later.

Hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlb6wd4ACgkQ9CaO5/Lv0PDbYwCaAwKxMmUKPQWU9Vz/86xio4T2
/FwAn3kmrN6wJY1Fik4/Vcp6K62AF/tt
=30NH
-----END PGP SIGNATURE-----

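Editor's note, not part of the thread: the two questions above (Sebastian's "can I just read the id token and assume that it is correct and set the roles in the GenericPrincipal?" and Chris's suggestion that a Realm builds the GenericPrincipal while an Authenticator valve handles the redirects) come together in one place: the Realm must *validate* the ID token (signature against the provider's keys, iss, aud, exp/iat and the nonce the valve stored in the session) before it copies any claim into a principal. An ID token that is only parsed, not verified, is attacker-controlled input: the roles in it are whatever the party that reached the callback URL put there. The example below is written for this page and is not code from the thread or from tomcat8-oidcauth. It assumes Tomcat 8 (catalina.jar) plus the Nimbus OAuth 2.0 / OpenID Connect SDK (oauth2-oidc-sdk) on the realm's classpath; the package, class and attribute names (OidcRealm, issuer, clientId, jwksUri, rolesClaim), the name of the role claim and the existence of an OIDC Authenticator valve that stores the nonce in the session and later calls authenticateIdToken() are all assumptions.

```java
// Added example for this page; not code from the thread or from tomcat8-oidcauth.
// Assumes Tomcat 8 and oauth2-oidc-sdk (Nimbus) on the classpath. Names are hypothetical.
package com.example.oidc;

import java.net.MalformedURLException;
import java.net.URL;
import java.security.Principal;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.List;

import org.apache.catalina.LifecycleException;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;

/**
 * Realm that turns a validated OpenID Connect ID token into a Tomcat principal
 * whose roles come from a claim in that token. Configured in context.xml as, e.g.
 *   <Realm className="com.example.oidc.OidcRealm"
 *          issuer="https://op.example.com" clientId="my-client"
 *          jwksUri="https://op.example.com/.well-known/jwks.json"
 *          rolesClaim="roles"/>
 */
public class OidcRealm extends RealmBase {

    private String issuer;
    private String clientId;
    private String jwksUri;
    private String rolesClaim = "roles";   // claim name is provider-specific (assumed)
    private IDTokenValidator validator;

    // Bean setters: Tomcat's digester maps the XML attributes onto these.
    public void setIssuer(String issuer) { this.issuer = issuer; }
    public void setClientId(String clientId) { this.clientId = clientId; }
    public void setJwksUri(String jwksUri) { this.jwksUri = jwksUri; }
    public void setRolesClaim(String rolesClaim) { this.rolesClaim = rolesClaim; }

    @Override
    protected void startInternal() throws LifecycleException {
        try {
            // Expect RS256 and fetch (and cache) the provider's signing keys from its JWKS URI.
            validator = new IDTokenValidator(new Issuer(issuer), new ClientID(clientId),
                    JWSAlgorithm.RS256, new URL(jwksUri));
        } catch (MalformedURLException e) {
            throw new LifecycleException("Bad jwksUri: " + jwksUri, e);
        }
        super.startInternal();
    }

    /**
     * Called by the OIDC Authenticator valve after the provider redirects back.
     * expectedNonce is the value the valve stored in the session when it built the
     * authorization request; it binds this token to this login attempt.
     * Returns null (= authentication failed) on any validation problem.
     */
    public Principal authenticateIdToken(String rawIdToken, String expectedNonce) {
        try {
            JWT idToken = JWTParser.parse(rawIdToken);
            // Verifies the signature against the JWKS and checks iss, aud, exp, iat and
            // nonce. An unsigned ("alg":"none") token is rejected here as well.
            IDTokenClaimsSet claims = validator.validate(idToken, new Nonce(expectedNonce));
            List<String> roles = claims.getStringListClaim(rolesClaim);
            // Only now is the claim trustworthy enough to become a Tomcat role.
            return new GenericPrincipal(claims.getSubject().getValue(), null,
                    roles == null ? new ArrayList<String>() : roles);
        } catch (ParseException | BadJOSEException | JOSEException e) {
            containerLog.warn("ID token rejected: " + e.getMessage());
            return null;
        }
    }

    // This realm has no password store: username/password logins always fail.
    @Override
    public Principal authenticate(String username, String credentials) { return null; }

    @Override
    protected String getPassword(String username) { return null; }

    @Override
    protected Principal getPrincipal(String username) { return null; }

    // Abstract on Tomcat 8.0, so it must exist; removed in 8.5, where it is simply unused.
    protected String getName() { return "OidcRealm"; }
}
```

The valve side is the part Chris describes: an Authenticator (not a plain Valve, or Tomcat adds its own authenticator in front of it) generates state and nonce, stores them in the session, redirects to the provider, and on the callback obtains the ID token and calls `authenticateIdToken(token, nonceFromSession)`; a non-null result is then passed to `register(request, response, principal, ...)` so that the container treats the request as authenticated. Because the principal is a `GenericPrincipal`, `RealmBase.hasRole()` consults its role list, so the role names in the token must match the `<security-role>` names in web.xml (or be mapped to them in the realm before the principal is built).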