Posted to users@tomcat.apache.org by ken edward <ke...@gmail.com> on 2017/08/23 14:51:12 UTC

Multiple authentication methods? Fallback from keycloak saml to basic/form auth?

Hello,

I have tomcat valve for authentication implemented and working
(keycloak saml tomcat adapter), but how can I implement a fallback to
form/basic authentication? Can I chain auth valves?

Ken

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Multiple authentication methods? Fallback from keycloak saml to basic/form auth?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Ken,

On 8/23/17 10:51 AM, ken edward wrote:
> I have tomcat valve for authentication implemented and working
> (keycloak saml tomcat adapter), but how can I implement a fallback
> to form/basic authentication? Can I chain auth valves?

You can write a Valve that chains two Valves together, and use that.

However, you may find that getting two separate authenticator valves
to work "with" one another, even if they both work very well separately.

If it were me, I'd always use a separate URL endpoint for SAML
authentications, with that endpoint doing its work without any
separate authentication, and calling
HttpServletRequest.login(user,password). Then use FORM login for
everyone else.

-chris


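A sketch of the separate-endpoint approach from the reply above, as an added example that is not code from the thread, Tomcat or Keycloak. `AssertionVerifier`, `BridgeTokens` and the `/saml/acs` mapping are hypothetical. Because `HttpServletRequest.login` passes the user name and password to the web application's configured Realm, the sketch assumes a Realm that accepts a one-time token issued by this endpoint as the password.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical: checks signature, issuer, audience and validity window of the
// SAML response; returns the subject name, or null if any check fails.
interface AssertionVerifier {
    String verifiedSubject(String base64SamlResponse);
}

// Hypothetical: issues a single-use, short-lived secret that the configured
// Realm (assumed to be custom) accepts as the password for that user.
interface BridgeTokens {
    String issueFor(String username);
}

// Assumed to be mapped outside every <security-constraint>, so the FORM
// authenticator used for everyone else does not intercept this endpoint.
@WebServlet("/saml/acs")
public class SamlLoginServlet extends HttpServlet {
    private AssertionVerifier verifier; // hypothetical; assigned in init()
    private BridgeTokens tokens;        // hypothetical; assigned in init()

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String subject = verifier.verifiedSubject(req.getParameter("SAMLResponse"));
        if (subject == null) {
            // Fail closed, without revealing which check rejected the response.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Create the session first so the container has one to associate
        // the authenticated principal with.
        req.getSession(true);
        try {
            // Delegates the credential check to the container's Realm.
            req.login(subject, tokens.issueFor(subject));
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Fixed application-relative target; a caller-supplied URL would
        // need an allow-list check before being used here.
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```
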

Re: Multiple authentication methods? Fallback from keycloak saml to basic/form auth?

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 23.08.2017 16:51, ken edward wrote:
> Hello,
>
> I have tomcat valve for authentication implemented and working
> (keycloak saml tomcat adapter), but how can I implement a fallback to
> form/basic authentication? Can I chain auth valves?
>

Not really my area, but since nobody else seems to respond, I'll tell you what I believe:

From the Valve documentation (at http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html) I see nothing that would indicate that Valves cannot be chained.
In fact, it is rather the opposite, implicitly: some of the listed Valves would not make sense if they did not allow another Valve to be inserted also (such as the AccessLog Valve).

But I also do not see any explicit mention of what happens when several Valves are defined in the same "configuration scope" (such as: in what order are they "executed", compared to the order in which they are listed in the configuration), which may be of importance to you. (Obviously, you'd want a Form/Basic auth to be invoked only if your other Valve fails first, and not before your own Valve).