[tomcat 8, java 8, ubuntu xenial]

I have set up security constraints that allow certain resources to only be
accessed by authorized users. The users are authenticated using either
BASIC or FORM, where a username and password are provided, and this works
great.

However, I'd also like to allow users to authenticate externally using an
OAuth provider. Is this possible? Note that I can already acquire the
access tokens for the user, and from there I can get the username and other
profile metadata as necessary.

But how do I then log the user into Tomcat? The only way I can think to
make this work is to take this username and create a Tomcat account, maybe
setting the access token as the password if it matters. Then I could do a
programmatic Tomcat login on behalf of the user, so she is locally
authenticated and a session is created. On subsequent logins I'd just
update the password to the new access token.

But this seems like a hack, and when it comes to users and security I'd
prefer to avoid hacks.

It looks like JASPIC might offer a solution for this? Unfortunately, it
looks like it became available starting at 8.5 but I'm stuck using 8.

Are there any other options?

Thanks!

Robert