Posted to users@tomcat.apache.org by be...@thomsonreuters.com on 2011/01/26 19:10:10 UTC

Tomcat Form Authentication that requires no password for third party SSO

Hello:
I am trying to integrate my application with an SSO partner application.

After successfully logging into the partner app, I will be redirected
and only provided a username to log into my tomcat Form Authentication
app. I am using a DataSourceRealm to check for both Users and User
Roles.

Are there any suggestions as to how I can still authenticate() through
the tomcat container without providing a password?

Thanks for your attention,

Beau

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat Form Authentication that requires no password for third party SSO

Posted by André Warnier <aw...@ice-sa.com>.
Hi.
I think that you should be a bit more specific about the exact scheme below.
Can you describe exactly, step by step, what happens just before and "After successfully 
logging into the partner app, I will be redirected
and only provided a username to log into my tomcat Form Authentication
" ?

I am asking because I just dealt with an SSO system which works as follows :
- the user sends a request for a protected URL
- the server sends back a login form
- the SSO system somehow "recognises" this login form, "fills it in" with the user's 
domain user-id, and submits the login form to the server
- the server performs the authentication "as if" it was the user himself who submitted the 
login form

It's pretty neat in fact, but a bit mysterious as to how it works. But it works.

No password is submitted, but cannot a password be blank ?



beau.hutcheson@thomsonreuters.com wrote:
> Hello:
> I am trying to integrate my application with an SSO partner application.
> 
> After successfully logging into the partner app, I will be redirected
> and only provided a username to log into my tomcat Form Authentication
> app. I am using a DataSourceRealm to check for both Users and User
> Roles.
> 
> Are there any suggestions as to how I can still authenticate() through
> the tomcat container without providing a password?
> 
> Thanks for your attention,
> 
> Beau


Re: Tomcat Form Authentication that requires no password for third party SSO

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
There is a file called Authenticators.properties, in there it maps what 
you specify in web.xml, to a specific authenticator.
So you write your own authenticator, you add an entry into this file, 
change web.xml with your new auth-method

tc server does not come with something like this
best
Filip

On 01/27/2011 10:56 AM, beau.hutcheson@thomsonreuters.com wrote:
> Filip:
> Thanks, I'll get going on my own authenticator right quick.
> Does tcserver come with something like this out of the box?
>
> Beau
>
> -----Original Message-----
> From: Filip Hanik - Dev Lists [mailto:devlists@hanik.com]
> Sent: Thursday, January 27, 2011 12:41 PM
> To: Tomcat Users List
> Subject: Re: Tomcat Form Authentication that requires no password for
> third party SSO
>
> You could implement your own authenticator,
> extending the class org.apache.catalina.authenticator.AuthenticatorBase
>
> https://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?view=markup
> protected abstract boolean authenticate(Request request, Response
> response, LoginConfig config) throws IOException;
>
> This would require a bit customization of Tomcat, but I would implement
> my own class, and my own authentication scheme
>
> Filip
>
>
> On 01/26/2011 11:10 AM, beau.hutcheson@thomsonreuters.com wrote:
>> Hello:
>> I am trying to integrate my application with an SSO partner application.
>>
>> After successfully logging into the partner app, I will be redirected
>> and only provided a username to log into my tomcat Form Authentication
>> app. I am using a DataSourceRealm to check for both Users and User
>> Roles.
>>
>> Are there any suggestions as to how I can still authenticate() through
>> the tomcat container without providing a password?
>>
>> Thanks for your attention,
>>
>> Beau


RE: Tomcat Form Authentication that requires no password for third party SSO

Posted by be...@thomsonreuters.com.
Filip:
Thanks, I'll get going on my own authenticator right quick.
Does tcserver come with something like this out of the box?

Beau

-----Original Message-----
From: Filip Hanik - Dev Lists [mailto:devlists@hanik.com] 
Sent: Thursday, January 27, 2011 12:41 PM
To: Tomcat Users List
Subject: Re: Tomcat Form Authentication that requires no password for
third party SSO

You could implement your own authenticator,
extending the class org.apache.catalina.authenticator.AuthenticatorBase

https://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?view=markup
protected abstract boolean authenticate(Request request, Response 
response, LoginConfig config) throws IOException;

This would require a bit customization of Tomcat, but I would implement 
my own class, and my own authentication scheme

Filip


On 01/26/2011 11:10 AM, beau.hutcheson@thomsonreuters.com wrote:
> Hello:
> I am trying to integrate my application with an SSO partner application.
>
> After successfully logging into the partner app, I will be redirected
> and only provided a username to log into my tomcat Form Authentication
> app. I am using a DataSourceRealm to check for both Users and User
> Roles.
>
> Are there any suggestions as to how I can still authenticate() through
> the tomcat container without providing a password?
>
> Thanks for your attention,
>
> Beau

Re: Tomcat Form Authentication that requires no password for third party SSO

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
You could implement your own authenticator,
extending the class org.apache.catalina.authenticator.AuthenticatorBase

https://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?view=markup
protected abstract boolean authenticate(Request request, Response 
response, LoginConfig config) throws IOException;

This would require a bit customization of Tomcat, but I would implement 
my own class, and my own authentication scheme

Filip


On 01/26/2011 11:10 AM, beau.hutcheson@thomsonreuters.com wrote:
> Hello:
> I am trying to integrate my application with an SSO partner application.
>
> After successfully logging into the partner app, I will be redirected
> and only provided a username to log into my tomcat Form Authentication
> app. I am using a DataSourceRealm to check for both Users and User
> Roles.
>
> Are there any suggestions as to how I can still authenticate() through
> the tomcat container without providing a password?
>
> Thanks for your attention,
>
> Beau


Re: Pid OpenSSO request for Tomcat Form Authentication that requires no password for third party SSO

Posted by André Warnier <aw...@ice-sa.com>.
It is more curiosity now on my part, but I have a couple of questions :

Where does this SSO third-party app actually "live" ?  Is it on another webserver which 
acts as a proxy to your Tomcat ? Or inside of Tomcat itself ?

And you mention that you are supplied a token; how ?  Is it in the form of a HTTP header 
added to the request ? or does the third-party app actually fill-in the login form ?
Or does it add a query-string parameter with this token ?






Pid * wrote:
> On 28 Jan 2011, at 18:53, "beau.hutcheson@thomsonreuters.com"
> <be...@thomsonreuters.com> wrote:
> 
>> @Pid: The SSO third party app knows the SSO entry point into my Tomcat app. I am supplied an encrypted token which contains the username and my tomcat app has the libraries to unencrypt that token and unveil the username
> 
> If you're using Tomcat 6 the only safe* way to do this is to implement JAAS.
> 
> It's a bit of a hassle but the result will be worth it.
> 
> 
> p
> 
> *IMHO
> 
>> @Andre: Ideally it would seem most convenient to access j_security_check with a valid j_username and a j_password with a blank value, so then the tomcat container would generate the proper principal and roles information.
>> I want to be able to use request.getRemoteUser() and request.isUserInRole(String role).
>>
>> It would seem that I can extend AuthenticatorBase and mimic everything that FormAuthenticator does except for the password query part.
>>
>> Or I can use a hack for the DataSourceRealm and use my "UserName" column for both the userCredCol and userNameCol values. Therefore no password to check for.
>>
>> Beau
>>
>> -----Original Message-----
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Sent: Friday, January 28, 2011 6:36 AM
>> To: Tomcat Users List
>> Subject: Re: Pid OpenSSO request for Tomcat Form Authentication that requires no password for third party SSO
>>
>> Pid wrote:
>>> On 1/27/11 3:57 PM, beau.hutcheson@thomsonreuters.com wrote:
>>>> Chris:
>>>> Thanks for your reply.
>>>> Currently I am using Tomcat 6.0.29
>>>>
>>>> @Pid: Would you have any ideas on how to set something up like this?
>>> What details are you providing to Tomcat?
>>>
>>> If I read the thread correctly you've got a single parameter - how are
>>> you validating that to stop say, me, guessing at logins?
>>>
>> That's easy, as long as Tomcat accepts only connections from a source known to go through
>> the aforementioned SSO.
>>
>> I have a similar setup at one of my customers.  This is only an example :
>> All users use a session on a specific Windows Terminal Server. In that session, they open
>> a browser, which allows them to connect to Tomcat (*).
>> Tomcat accepts only connections from the IP's of the Terminal Server.
>> On the Terminal Server runs that nifty SSO mechanism which I mentioned in another message
>> here.  Somehow, that SSO "detects" the login page which the Tomcat authentication is
>> sending back to the browser, fills-in the userid (**), and re-posts the login form to the
>> server.
>> The user is now logged-in and gets the application page.
>> The user does not see anything.
>>
>> I know that it sounds a bit strange when one explains it like that, but it works.
>>
>> (**) the user-id being sent is the user's Windows Domain user-id, which has already been
>> authenticated/verified, so it can be "trusted".  There is thus no need to verify it again
>> in Tomcat.
>>
>> (*) Ok, I'm cheating : in my case, it is not Tomcat directly, but it is an Apache httpd
>> front-ending for Tomcat, and connecting to it via mod_jk.  mod_jk will pass on the
>> httpd-level user-id, and Tomcat (with the 'tomcatAuthentication="false"' attribute on the
>> AJP Connector), will accept that user-id as its own.
>> At the Tomcat level, you would still have to do the "isUserInRole" part though.
>>
>> Now the question is : assuming that there is no httpd front-end and no mod_jk, can a
>> similar mechanism work with Tomcat directly ?
>> In other words, can the standard Tomcat form-based authentication work, if the login form
>> is sent back with a non-blank userid, but with a blank password ?
>> And could this authentication code be easily "tweaked" to bypass any verification of the
>> received user-id ?
>>
>> And, to the original poster : apologies for somewhat hijacking your thread, but I am just
>> trying to help finding the best method for you.
>>
>> I have a feeling that for this case, having to create a brand-new Authenticator is a bit
>> heavy as a solution.  It seems that it should be possible to at least create some "null
>> Realm" which always accepts any user-id and always returns OK.
>> Or use whatever mechanism mod_jk is using to the same basic effect.


Re: Pid OpenSSO request for Tomcat Form Authentication that requires no password for third party SSO

Posted by Pid * <pi...@pidster.com>.
On 28 Jan 2011, at 18:53, "beau.hutcheson@thomsonreuters.com"
<be...@thomsonreuters.com> wrote:

> @Pid: The SSO third party app knows the SSO entry point into my Tomcat app. I am supplied an encrypted token which contains the username and my tomcat app has the libraries to unencrypt that token and unveil the username

If you're using Tomcat 6 the only safe* way to do this is to implement JAAS.

It's a bit of a hassle but the result will be worth it.


p

*IMHO

> @Andre: Ideally it would seem most convenient to access j_security_check with a valid j_username and a j_password with a blank value, so then the tomcat container would generate the proper principal and roles information.
> I want to be able to use request.getRemoteUser() and request.isUserInRole(String role).
>
> It would seem that I can extend AuthenticatorBase and mimic everything that FormAuthenticator does except for the password query part.
>
> Or I can use a hack for the DataSourceRealm and use my "UserName" column for both the userCredCol and userNameCol values. Therefore no password to check for.
>
> Beau
>
> -----Original Message-----
> From: André Warnier [mailto:aw@ice-sa.com]
> Sent: Friday, January 28, 2011 6:36 AM
> To: Tomcat Users List
> Subject: Re: Pid OpenSSO request for Tomcat Form Authentication that requires no password for third party SSO
>
> Pid wrote:
>> On 1/27/11 3:57 PM, beau.hutcheson@thomsonreuters.com wrote:
>>> Chris:
>>> Thanks for your reply.
>>> Currently I am using Tomcat 6.0.29
>>>
>>> @Pid: Would you have any ideas on how to set something up like this?
>>
>> What details are you providing to Tomcat?
>>
>> If I read the thread correctly you've got a single parameter - how are
>> you validating that to stop say, me, guessing at logins?
>>
>
> That's easy, as long as Tomcat accepts only connections from a source known to go through
> the aforementioned SSO.
>
> I have a similar setup at one of my customers.  This is only an example :
> All users use a session on a specific Windows Terminal Server. In that session, they open
> a browser, which allows them to connect to Tomcat (*).
> Tomcat accepts only connections from the IP's of the Terminal Server.
> On the Terminal Server runs that nifty SSO mechanism which I mentioned in another message
> here.  Somehow, that SSO "detects" the login page which the Tomcat authentication is
> sending back to the browser, fills-in the userid (**), and re-posts the login form to the
> server.
> The user is now logged-in and gets the application page.
> The user does not see anything.
>
> I know that it sounds a bit strange when one explains it like that, but it works.
>
> (**) the user-id being sent is the user's Windows Domain user-id, which has already been
> authenticated/verified, so it can be "trusted".  There is thus no need to verify it again
> in Tomcat.
>
> (*) Ok, I'm cheating : in my case, it is not Tomcat directly, but it is an Apache httpd
> front-ending for Tomcat, and connecting to it via mod_jk.  mod_jk will pass on the
> httpd-level user-id, and Tomcat (with the 'tomcatAuthentication="false"' attribute on the
> AJP Connector), will accept that user-id as its own.
> At the Tomcat level, you would still have to do the "isUserInRole" part though.
>
> Now the question is : assuming that there is no httpd front-end and no mod_jk, can a
> similar mechanism work with Tomcat directly ?
> In other words, can the standard Tomcat form-based authentication work, if the login form
> is sent back with a non-blank userid, but with a blank password ?
> And could this authentication code be easily "tweaked" to bypass any verification of the
> received user-id ?
>
> And, to the original poster : apologies for somewhat hijacking your thread, but I am just
> trying to help finding the best method for you.
>
> I have a feeling that for this case, having to create a brand-new Authenticator is a bit
> heavy as a solution.  It seems that it should be possible to at least create some "null
> Realm" which always accepts any user-id and always returns OK.
> Or use whatever mechanism mod_jk is using to the same basic effect.


RE: Pid OpenSSO request for Tomcat Form Authentication that requires no password for third party SSO

Posted by be...@thomsonreuters.com.
@Pid: The SSO third party app knows the SSO entry point into my Tomcat app. I am supplied an encrypted token which contains the username and my tomcat app has the libraries to unencrypt that token and unveil the username

@Andre: Ideally it would seem most convenient to access j_security_check with a valid j_username and a j_password with a blank value, so then the tomcat container would generate the proper principal and roles information.
I want to be able to use request.getRemoteUser() and request.isUserInRole(String role).

It would seem that I can extend AuthenticatorBase and mimic everything that FormAuthenticator does except for the password query part.

Or I can use a hack for the DataSourceRealm and use my "UserName" column for both the userCredCol and userNameCol values. Therefore no password to check for.

Beau

-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com] 
Sent: Friday, January 28, 2011 6:36 AM
To: Tomcat Users List
Subject: Re: Pid OpenSSO request for Tomcat Form Authentication that requires no password for third party SSO

Pid wrote:
> On 1/27/11 3:57 PM, beau.hutcheson@thomsonreuters.com wrote:
>> Chris:
>> Thanks for your reply. 
>> Currently I am using Tomcat 6.0.29
>>
>> @Pid: Would you have any ideas on how to set something up like this?
> 
> What details are you providing to Tomcat?
> 
> If I read the thread correctly you've got a single parameter - how are
> you validating that to stop say, me, guessing at logins?
> 

That's easy, as long as Tomcat accepts only connections from a source known to go through 
the aforementioned SSO.

I have a similar setup at one of my customers.  This is only an example :
All users use a session on a specific Windows Terminal Server. In that session, they open 
a browser, which allows them to connect to Tomcat (*).
Tomcat accepts only connections from the IP's of the Terminal Server.
On the Terminal Server runs that nifty SSO mechanism which I mentioned in another message 
here.  Somehow, that SSO "detects" the login page which the Tomcat authentication is 
sending back to the browser, fills-in the userid (**), and re-posts the login form to the 
server.
The user is now logged-in and gets the application page.
The user does not see anything.

I know that it sounds a bit strange when one explains it like that, but it works.

(**) the user-id being sent is the user's Windows Domain user-id, which has already been 
authenticated/verified, so it can be "trusted".  There is thus no need to verify it again 
in Tomcat.

(*) Ok, I'm cheating : in my case, it is not Tomcat directly, but it is an Apache httpd 
front-ending for Tomcat, and connecting to it via mod_jk.  mod_jk will pass on the 
httpd-level user-id, and Tomcat (with the 'tomcatAuthentication="false"' attribute on the
AJP Connector), will accept that user-id as its own.
At the Tomcat level, you would still have to do the "isUserInRole" part though.

Now the question is : assuming that there is no httpd front-end and no mod_jk, can a 
similar mechanism work with Tomcat directly ?
In other words, can the standard Tomcat form-based authentication work, if the login form 
is sent back with a non-blank userid, but with a blank password ?
And could this authentication code be easily "tweaked" to bypass any verification of the 
received user-id ?

And, to the original poster : apologies for somewhat hijacking your thread, but I am just 
trying to help finding the best method for you.

I have a feeling that for this case, having to create a brand-new Authenticator is a bit 
heavy as a solution.  It seems that it should be possible to at least create some "null
Realm" which always accepts any user-id and always returns OK.
Or use whatever mechanism mod_jk is using to the same basic effect.






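
The validation Pid asks about ("how are you validating that to stop say, me, guessing at logins?"), applied to the encrypted token described in the message above, as an added example that is not code from any poster, from the SSO partner or from Tomcat. The token layout (base64url of a 12-byte nonce followed by AES-GCM ciphertext of an 8-byte expiry and the UTF-8 username), the shared key, and the class and method names are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Hypothetical token layout (an assumption, not the partner's real format):
 *   base64url( nonce[12] || AES-GCM( expiryEpochSeconds[8] || username UTF-8 ) )
 * AES-GCM is authenticated encryption, so a token that was guessed or altered
 * fails the tag check instead of decrypting to some other username.
 */
public class SsoTokenCheck {
    private static final int NONCE_LEN = 12;
    private static final int TAG_BITS = 128;

    /** Partner side, included only so the example runs end to end. */
    static String issue(byte[] key, String username, long expiresAt) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce);
        byte[] name = username.getBytes(StandardCharsets.UTF_8);
        byte[] plain = ByteBuffer.allocate(8 + name.length).putLong(expiresAt).put(name).array();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, nonce));
        byte[] sealed = c.doFinal(plain);
        byte[] out = ByteBuffer.allocate(NONCE_LEN + sealed.length).put(nonce).put(sealed).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Tomcat side: the username if the token is authentic and unexpired, otherwise null. */
    static String verify(byte[] key, String token, long now) {
        if (token == null) return null;
        try {
            byte[] raw = Base64.getUrlDecoder().decode(token);
            // nonce + expiry + at least one username byte + GCM tag
            if (raw.length < NONCE_LEN + 8 + 1 + TAG_BITS / 8) return null;
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                    new GCMParameterSpec(TAG_BITS, raw, 0, NONCE_LEN));
            // doFinal throws AEADBadTagException if any bit of the token was changed
            ByteBuffer plain = ByteBuffer.wrap(c.doFinal(raw, NONCE_LEN, raw.length - NONCE_LEN));
            long expiresAt = plain.getLong();
            if (now >= expiresAt) return null;   // token is past its expiry
            byte[] name = new byte[plain.remaining()];
            plain.get(name);
            return new String(name, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return null;   // malformed base64, wrong key, or failed tag check
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; a real key is provisioned out of band, not kept in source.
        byte[] key = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
        long now = 1296241980L;
        String good = issue(key, "beau", now + 60);

        // Flip one bit of the sealed token to simulate tampering.
        byte[] flipped = Base64.getUrlDecoder().decode(good);
        flipped[flipped.length - 1] ^= 0x01;
        String tampered = Base64.getUrlEncoder().withoutPadding().encodeToString(flipped);

        System.out.println("valid token    -> " + verify(key, good, now));
        System.out.println("tampered token -> " + verify(key, tampered, now));
        System.out.println("expired token  -> " + verify(key, good, now + 61));
        System.out.println("bare username  -> " + verify(key, "admin", now));
        // Only a non-null result should reach the custom authenticate(Request, Response,
        // LoginConfig) path that creates the principal; roles are still looked up separately.
    }
}
```

The expiry check narrows the window in which a captured token can be reused but does not make tokens single-use; that would need a server-side record of nonces already seen.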


Re: Pid OpenSSO request for Tomcat Form Authentication that requires no password for third party SSO

Posted by André Warnier <aw...@ice-sa.com>.
Pid wrote:
> On 1/27/11 3:57 PM, beau.hutcheson@thomsonreuters.com wrote:
>> Chris:
>> Thanks for your reply. 
>> Currently I am using Tomcat 6.0.29
>>
>> @Pid: Would you have any ideas on how to set something up like this?
> 
> What details are you providing to Tomcat?
> 
> If I read the thread correctly you've got a single parameter - how are
> you validating that to stop say, me, guessing at logins?
> 

That's easy, as long as Tomcat accepts only connections from a source known to go through 
the aforementioned SSO.

I have a similar setup at one of my customers.  This is only an example :
All users use a session on a specific Windows Terminal Server. In that session, they open 
a browser, which allows them to connect to Tomcat (*).
Tomcat accepts only connections from the IP's of the Terminal Server.
On the Terminal Server runs that nifty SSO mechanism which I mentioned in another message 
here.  Somehow, that SSO "detects" the login page which the Tomcat authentication is 
sending back to the browser, fills-in the userid (**), and re-posts the login form to the 
server.
The user is now logged-in and gets the application page.
The user does not see anything.

I know that it sounds a bit strange when one explains it like that, but it works.

(**) the user-id being sent is the user's Windows Domain user-id, which has already been 
authenticated/verified, so it can be "trusted".  There is thus no need to verify it again 
in Tomcat.

(*) Ok, I'm cheating : in my case, it is not Tomcat directly, but it is an Apache httpd 
front-ending for Tomcat, and connecting to it via mod_jk.  mod_jk will pass on the 
httpd-level user-id, and Tomcat (with the 'tomcatAuthentication="false"' attribute on the
AJP Connector), will accept that user-id as its own.
At the Tomcat level, you would still have to do the "isUserInRole" part though.

Now the question is : assuming that there is no httpd front-end and no mod_jk, can a 
similar mechanism work with Tomcat directly ?
In other words, can the standard Tomcat form-based authentication work, if the login form 
is sent back with a non-blank userid, but with a blank password ?
And could this authentication code be easily "tweaked" to bypass any verification of the 
received user-id ?

And, to the original poster : apologies for somewhat hijacking your thread, but I am just 
trying to help finding the best method for you.

I have a feeling that for this case, having to create a brand-new Authenticator is a bit 
heavy as a solution.  It seems that it should be possible to at least create some "null
Realm" which always accepts any user-id and always returns OK.
Or use whatever mechanism mod_jk is using to the same basic effect.








Re: Pid OpenSSO request for Tomcat Form Authentication that requires no password for third party SSO

Posted by Pid <pi...@pidster.com>.
On 1/27/11 3:57 PM, beau.hutcheson@thomsonreuters.com wrote:
> Chris:
> Thanks for your reply. 
> Currently I am using Tomcat 6.0.29
> 
> @Pid: Would you have any ideas on how to set something up like this?

What details are you providing to Tomcat?

If I read the thread correctly you've got a single parameter - how are
you validating that to stop say, me, guessing at logins?


p


> Beau
> 
> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net] 
> Sent: Wednesday, January 26, 2011 6:30 PM
> To: Tomcat Users List
> Subject: Re: Tomcat Form Authentication that requires no password for
> third party SSO
> 
> Beau,
> 
> On 1/26/2011 1:10 PM, beau.hutcheson@thomsonreuters.com wrote:
>> I am trying to integrate my application with an SSO partner application.
> 
> What Tomcat version? I ask because Tomcat 7 includes the Servlet 3.0
> programmatic login API.
> 
>> After successfully logging into the partner app, I will be redirected
>> and only provided a username to log into my tomcat Form Authentication
>> app. I am using a DataSourceRealm to check for both Users and User
>> Roles.
> 
> DataSourceRealm requires both username and password. I think JAASRealm
> might be able to help you. Also, one of the list contributors (Pid) is
> working on a realm to help with OpenSSO or something like that: he may
> have some ideas about how to set things up.
> 
>> Are there any suggestions as to how I can still authenticate() through
>> the tomcat container without providing a password?
> 
> Out of the box, I don't believe Tomcat can do this.
> 
> -chris




RE: Pid OpenSSO request for Tomcat Form Authentication that requires no password for third party SSO

Posted by be...@thomsonreuters.com.
Chris:
Thanks for your reply. 
Currently I am using Tomcat 6.0.29

@Pid: Would you have any ideas on how to set something up like this?

Beau

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Wednesday, January 26, 2011 6:30 PM
To: Tomcat Users List
Subject: Re: Tomcat Form Authentication that requires no password for
third party SSO


Beau,

On 1/26/2011 1:10 PM, beau.hutcheson@thomsonreuters.com wrote:
> I am trying to integrate my application with an SSO partner application.

What Tomcat version? I ask because Tomcat 7 includes the Servlet 3.0
programmatic login API.

> After successfully logging into the partner app, I will be redirected
> and only provided a username to log into my tomcat Form Authentication
> app. I am using a DataSourceRealm to check for both Users and User
> Roles.

DataSourceRealm requires both username and password. I think JAASRealm
might be able to help you. Also, one of the list contributors (Pid) is
working on a realm to help with OpenSSO or something like that: he may
have some ideas about how to set things up.

> Are there any suggestions as to how I can still authenticate() through
> the tomcat container without providing a password?

Out of the box, I don't believe Tomcat can do this.

-chris


Re: Tomcat Form Authentication that requires no password for third party SSO

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Beau,

On 1/26/2011 1:10 PM, beau.hutcheson@thomsonreuters.com wrote:
> I am trying to integrate my application with an SSO partner application.

What Tomcat version? I ask because Tomcat 7 includes the Servlet 3.0
programmatic login API.

> After successfully logging into the partner app, I will be redirected
> and only provided a username to log into my tomcat Form Authentication
> app. I am using a DataSourceRealm to check for both Users and User
> Roles.

DataSourceRealm requires both username and password. I think JAASRealm
might be able to help you. Also, one of the list contributors (Pid) is
working on a realm to help with OpenSSO or something like that: he may
have some ideas about how to set things up.

> Are there any suggestions as to how I can still authenticate() through
> the tomcat container without providing a password?

Out of the box, I don't believe Tomcat can do this.

-chris