Posted to users@tomcat.apache.org by Nacho Ganguli <so...@softopt-engr.com> on 2019/05/17 17:11:56 UTC

Tomcat Authentication + Spring Security J2EEPreAuthentication

HELP, I NEED SOMEBODY, NOT JUST ANYBODY!  HELP....

(It all started weeks ago when I tried unsuccessfully to use Tomcat's SSO
Valve and decided to try pre-authentication...)

We are developing a subscription-based "portal" webapp that we use to
authenticate users and perform authentication flows such as expired
passwords, expired subscriptions, forgot password, etc.  Then, based on
authorization role annotations, users are able to launch specific webapps
via an API that uses a redirect.  To do this, my "portal" webapp uses Spring
Security configured to perform these authentication flows.

MY PROBLEM: How do I configure Tomcat's container-based authentication to
recognize authentication performed by Spring Security?

Any suggestions or alternative solutions would be greatly appreciated.

Thank you,
Nacho Ganguli


Current Configuration:
Tomcat 7.0.70, JDK 1.7, Spring Frameworks 4.x, Spring Security 4.x

server.xml has been configured with a global naming resource and JDBCRealm
for authentication.  Each webapp's context.xml has been configured to
reference the shared authentication database as a ResourceLink. Spring
Security has been configured to use the JDBCRealm as a JNDI datasource.





--
Sent from: http://tomcat.10.x6.nabble.com/Tomcat-User-f1968778.html

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat Authentication + Spring Security J2EEPreAuthentication

Posted by Michael Osipov <mi...@apache.org>.
On 2019-05-20 at 21:35, Nacho Ganguli wrote:
> My last attempt used Spring Security JEE pre-authentication filters. This
> works as I would like "provided" that I only use basic auth and Tomcat's
> default realm (tomcat-users.xml).
> 
> As soon as I introduce form-based auth, it does not work and I am prompted
> to authenticate a second time.  The log files show "RunAsManager did not
> change Authentication object".
> 
> If anyone has some suggestions or can recommend an alternate approach, it
> would really help me.

Does form-based auth work w/o Spring Security properly? If yes, there 
must be a bug in security:jee, you should debug that. I had to debug 
this many many times due to a lot of issues with security:jee.
See [1] the attention admonition, you may suffer from one of those.

Michael

[1] http://tomcatspnegoad.sourceforge.net/spring-security.html



Re: Tomcat Authentication + Spring Security J2EEPreAuthentication

Posted by Nacho Ganguli <so...@softopt-engr.com>.
My last attempt used Spring Security JEE pre-authentication filters. This
works as I would like "provided" that I only use basic auth and Tomcat's
default realm (tomcat-users.xml).

As soon as I introduce form-based auth, it does not work and I am prompted
to authenticate a second time.  The log files show "RunAsManager did not
change Authentication object".

If anyone has some suggestions or can recommend an alternate approach, it
would really help me.






Re: Tomcat Authentication + Spring Security J2EEPreAuthentication

Posted by Michael Osipov <mi...@apache.org>.
On 2019-05-17 at 19:11, Nacho Ganguli wrote:
> HELP, I NEED SOMEBODY, NOT JUST ANYBODY!  HELP....
> 
> (It all started weeks ago when I tried unsuccessfully to use Tomcat's SSO
> Valve and decided to try pre-authentication...)
> 
> We are developing a subscription-based "portal" webapp that we use to
> authenticate users and perform authentication flows such as expired
> passwords, expired subscriptions, forgot password, etc.  Then, based on
> authorization role annotations, users are able to launch specific webapps
> via an API that uses a redirect.  To do this, my "portal" webapp uses Spring
> Security configured to perform these authentication flows.
> 
> MY PROBLEM: How do I configure Tomcat's container-based authentication to
> recognize authentication performed by Spring Security?

I am afraid that this is not possible. Spring Security uses a filter to 
decorate the request for #getRemoteUser() and #isUserInRole() while 
Tomcat CMS operates on internal classes. Different approaches. Tomcat 
source code has to be modified to understand Spring Security's classes.

I went away from Spring Security due to its complexity and to CAS only 
by passing with security:jee and using my custom Tomcat authentication 
implementation.

If someone knows better, I'd be glad to hear his/her approach.

Michael
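
The request-decoration pattern described in the reply above, as an added example that is not part of the original thread and is neither Spring Security's nor Tomcat's own code. The class name DecoratingAuthFilter and the session attributes APP_USER and APP_ROLES are hypothetical; it targets the javax.servlet API of Tomcat 7 and compiles on JDK 1.7.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter illustrating how a framework exposes identity by
// wrapping the request instead of registering it with the container.
public class DecoratingAuthFilter implements Filter {

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        // Assumed attribute names, set by the webapp's own login code.
        final String user = session == null ? null : (String) session.getAttribute("APP_USER");
        @SuppressWarnings("unchecked")
        final Set<String> roles = session == null || session.getAttribute("APP_ROLES") == null
                ? Collections.<String>emptySet()
                : (Set<String>) session.getAttribute("APP_ROLES");

        if (user == null) {          // no application-level login: nothing to decorate
            chain.doFilter(req, res);
            return;
        }
        // Only code further down this webapp's filter chain receives the wrapper.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public String getRemoteUser() { return user; }
            @Override public boolean isUserInRole(String role) { return roles.contains(role); }
            @Override public Principal getUserPrincipal() {
                return new Principal() {
                    @Override public String getName() { return user; }
                };
            }
        }, res);
        // Tomcat's authenticator valve evaluates <security-constraint> rules on
        // its internal request before any filter runs, so it never sees these
        // overrides; other webapps have their own sessions and filter chains
        // and do not see them either.
    }
}
```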
