Hi Mark-

Thanks for the quick reply and I'll look into Authenticators.
Since you suggest 8.5.x, does that mean I was on the right track with JASPIC?

Thanks again!
Robert

On Fri, Dec 8, 2017 at 12:26 AM, Mark Thomas <ma...@apache.org> wrote:

> On 08/12/17 07:08, Robert J. Carr wrote:
> > [tomcat 8, java 8, ubuntu xenial]
> >
> > I have set up security constraints that allow certain resources to only be
> > accessed by authorized users. The users are authenticated using either
> > BASIC or FORM, where a username and password is provided, and this works
> > great.
> >
> > However, I'd also like to allow users to authenticate externally using an
> > oauth provider. Is this possible? Note that I can already acquire the
> > access tokens for the user, and from there I can get the username and other
> > profile metadata as necessary.
> >
> > But how do I then log the user into tomcat? The only way I can think to
> > make this work is to take this username and create a tomcat account, maybe
> > setting the access token as the password if it matters. Then I could do a
> > programmatic tomcat login on behalf of the user, so she is locally
> > authenticated and a session is created. On subsequent logins I'd just
> > update the password to the new access token.
> >
> > But this seems like a hack, and when it comes to users and security I'd
> > prefer to avoid hacks.
> >
> > It looks like JASPIC might offer a solution for this? Unfortunately, it
> > looks like it became available starting at 8.5 but I'm stuck using 8.
> >
> > Are there any other options?
>
> A custom Authenticator (that extends AuthenticatorBase) would be the
> standard way of handling this.
>
> Given 8.0.x is approaching end of life (2018-06-30), it might be less
> effort to look at switching to 8.5.x.
>
> Mark
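The custom Authenticator suggested in the thread could take the following shape on Tomcat 8.0.x. This is an added example, not code from the thread or from Tomcat itself; the class name, the `user` role, the `OAUTH` auth-method string and the `verifyToken` hook are assumptions. It validates the access token server-side on each unauthenticated request and never stores the token as a Tomcat password.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;
import org.apache.catalina.realm.GenericPrincipal;

// Added example written against the Tomcat 8.0.x AuthenticatorBase API.
// Class name, role name, auth-method string and verifyToken() are hypothetical.
public abstract class OAuthBearerAuthenticator extends AuthenticatorBase {

    private static final String SCHEME = "Bearer ";

    // Hypothetical hook: check the token with the OAuth provider and return
    // the user name it belongs to, or null if it is invalid or expired.
    protected abstract String verifyToken(String accessToken) throws IOException;

    @Override
    public boolean authenticate(Request request, HttpServletResponse response)
            throws IOException {
        // Already authenticated, e.g. a principal cached in the session by register().
        if (request.getUserPrincipal() != null) {
            return true;
        }
        String header = request.getHeader("Authorization");
        if (header != null && header.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            String user = verifyToken(header.substring(SCHEME.length()).trim());
            if (user != null) {
                // The identity comes from the provider's answer, not from the client.
                // Password is null: the token is not kept as a credential.
                Principal principal = new GenericPrincipal(user, null,
                        Collections.singletonList("user"));
                register(request, response, principal, getAuthMethod(), user, null);
                return true;
            }
        }
        // No token, or the provider rejected it: fail closed.
        response.setHeader("WWW-Authenticate", "Bearer");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }

    @Override
    protected String getAuthMethod() {
        return "OAUTH";
    }
}
```

A concrete subclass that implements `verifyToken` is registered as a `<Valve>` in the web application's context configuration. On Tomcat 8.5.x the method to override is `doAuthenticate` rather than `authenticate`.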