Hi Chris,

Well, it seems that I will have to use a Valve + Realm combination. Thanks!

Regards
Sebastian

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, 29 March 2016 19:57
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: OpenID Connect with Tomcat 8

Sebastien,

On 3/29/16 12:57 PM, Sebastian Trost wrote:
> Hi,
> 
> I am looking for a way to use OpenID Connect (authentication AND
> authorization) with Tomcat 8. I found two ways to get
> authentication working, but not authorization. Here's what I tested
> so far:
> 
> Tomcat 8 + https://github.com/boylesoftware/tomcat8-oidcauth This
> extension works very well for authentication. It isn't possible to
> authorize users, though. You can configure a realm which authorizes
> the user against LDAP or a database.
> 
> Apache HTTPD + https://github.com/pingidentity/mod_auth_openidc +
> Tomcat 8 This mod works pretty well, too. But the AJP Connector
> doesn't seem to receive the roles from the web server and also
> relies on the realm to fetch the roles for each user.
> 
> With both methods I failed to read the roles OpenID Connect
> supplies with the id token.
> 
> I experimented a bit with botching around in tomcat8-oidcauth. I
> removed the authenticate()-call and instead built the
> GenericPrincipal object with hard-coded roles on my own. That seems
> to work. But is this safe? Can I just read the token id and assume
> that it is correct and set the roles in the GenericPrincipal? Are
> there any other methods to use both authentication AND
> authorization with tomcat 8?

I haven't looked at any of the above projects but if you want to
authenticate and authorize against a different type of backing
database, then you need to create your own Realm. RealmBase provides
some nice utilities, but you aren't required to actually extend it.

The Realm has complete control over how the Principal objects are
created, so if you have a way to identify the user and their roles,
then you can simply create a GenericPrincipal and return that on
login, and its roles will be used for authentication later.

Hope that helps,
-chris
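As an added example (not code from this thread, from tomcat8-oidcauth, or from Tomcat itself), here is one way to put Chris's advice into practice: a custom Realm that is handed the raw ID token as the "credentials" string by a companion Authenticator valve, verifies the token, and returns a GenericPrincipal whose roles are taken from a claim in the token. It assumes the Nimbus JOSE+JWT library for parsing and signature checking, an RSA-signed token with a `roles` claim, and the hypothetical class name, package and Realm attribute names shown; the issuer, client id and key values in the comment are placeholders.

```java
package example.oidc; // hypothetical package name

import java.security.KeyFactory;
import java.security.Principal;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Date;
import java.util.List;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

/**
 * Hypothetical Realm: the paired Authenticator valve passes the ID token as
 * the credentials string; the Realm verifies it and builds the Principal.
 *
 * Declared in context.xml (placeholder values):
 *   <Realm className="example.oidc.OidcClaimsRealm"
 *          issuer="https://issuer.example/" clientId="my-client-id"
 *          rolesClaim="roles" publicKeyBase64="MIIBIjAN..." />
 */
public class OidcClaimsRealm extends RealmBase {

    private static final Log log = LogFactory.getLog(OidcClaimsRealm.class);

    private String issuer;
    private String clientId;
    private String rolesClaim = "roles";
    private RSAPublicKey publicKey;

    // Bean setters: Tomcat's Digester maps <Realm ...> attributes onto these.
    public void setIssuer(String issuer) { this.issuer = issuer; }
    public void setClientId(String clientId) { this.clientId = clientId; }
    public void setRolesClaim(String rolesClaim) { this.rolesClaim = rolesClaim; }

    /** Base64 DER (SubjectPublicKeyInfo) of the provider's RSA signing key. */
    public void setPublicKeyBase64(String base64) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64);
        publicKey = (RSAPublicKey) KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(der));
    }

    /** Abstract in Tomcat 8.0, only deprecated in 8.5, hence no @Override. */
    protected String getName() { return "OidcClaimsRealm"; }

    @Override
    public Principal authenticate(String username, String idToken) {
        try {
            SignedJWT jwt = SignedJWT.parse(idToken);

            // 1. Signature: an unsigned or tampered token never yields a Principal.
            if (!jwt.verify(new RSASSAVerifier(publicKey))) {
                log.warn("ID token signature check failed");
                return null;
            }
            JWTClaimsSet claims = jwt.getJWTClaimsSet();

            // 2. Issuer and audience: a token from another provider, or one
            //    issued to another client, is not valid for this application.
            if (!issuer.equals(claims.getIssuer())
                    || claims.getAudience() == null
                    || !claims.getAudience().contains(clientId)) {
                log.warn("ID token issuer/audience mismatch");
                return null;
            }

            // 3. Expiry.
            Date exp = claims.getExpirationTime();
            if (exp == null || !exp.after(new Date())) {
                log.warn("ID token expired or has no exp claim");
                return null;
            }

            // The subject claim is authoritative; a caller-supplied name must match it.
            String subject = claims.getSubject();
            if (subject == null || (username != null && !username.equals(subject))) {
                return null;
            }

            // Roles come straight from the verified token; RealmBase.hasRole()
            // later answers isUserInRole()/security constraints from this list.
            List<String> roles = claims.getStringListClaim(rolesClaim);
            if (roles == null) roles = new ArrayList<>();
            return new GenericPrincipal(subject, null, roles);
        } catch (Exception e) {
            log.warn("ID token could not be parsed or verified", e);
            return null;
        }
    }

    // No stored password and no user directory: the token is the only source.
    @Override
    protected String getPassword(String username) { return null; }

    @Override
    protected Principal getPrincipal(String username) { return null; }
}
```

The companion valve still has to run the OpenID Connect flow, obtain the ID token, and call `context.getRealm().authenticate(null, idToken)`; only a non-null Principal should then be registered on the request. The point of doing the signature, issuer, audience and expiry checks inside the Realm is that the roles on the GenericPrincipal are never populated from a token that has not passed all four, which is what makes reading roles directly from the token safe.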

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org