-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hauke,
On 6/1/2011 5:48 AM, Hauke Mehrtens wrote: > I created my own authentication method beside BASIC, DIGEST, FORM, and > CLIENT-CERT to allow the user to authenticate against our own SAML IdP > and enter the user credentials on a page provided by the IdP. The > authentication method of the IdP uses a Java applet to access a smart > card and get the user credentials, so the web browser has to be > redirected to some different page to login. > > To add our own authentication method we extended > org.apache.catalina.authenticator.AuthenticatorBase and added the it to > the list of supported methods in the tomcat configuration. This is > working like expected. Cool! > Now it should be possible to also log into the application with a from > based authentication in addition to the IdP login, the normal FORM > method would be nice. The user should select at some entry page what > method he wants to use and then the correct authentication method should > be used. I tried to modify the web.xml of my web application to add both > methods, but it did not work. > > Adding two <login-config> or two <auth-method> is not allowed. Right: you'll either have to step outside the servlet spec on this one (i.e. implement everything as a Filter or something like that) or try to integrate the two authentication methods into a single authenticator that can handle both situations (which might not be possible). > Now my > plan is to implement some additional authentication method which > supports both or a method which will forward the request to some other > method ( my own or FORM) depending on some attribute in the http > request, but this does not look clean to me. Is there a clean way to do > this? I think whatever you do, it's going to be kind of ugly. I have never used it, but you might want to look at using your own JSSE provider or something like that. I know it supports a lot of complexity, but your problem might come down to gathering the credentials in the first place, not necessarily performing the authentication. I'm totally ignorant of SAMS IdP... how does one communicate credentials? If you could shoehorn the credentials into username/password fields (even if one of them is blank), you might be able to use a unified authenticator. Since you are using an applet, you can communicate any way you choose with Tomcat, that is, using any URL with any parameters, etc. If you are using Tomcat 7, you can use the newly-available HttpServletRequest.login(String username, String password) method to access your special, dual-use authenticator from a special URL. > I am working on the Tomcat included in the JBoss 5.1 (I think it is > 6.0), but it should also work on other versions (>= 6.0) so that we are > able to secure any web application running on some tomcat. Hmm. Does JBoss have a version running Tomcat 7? Or, is it possible to safely upgrade Tomcat inside of JBoss? > Please add me to the CC as I am not subscripted to the list. You must be subscribed to the list to post to it. This is the last time I will CC you on a message posted to the list, mostly because I'm lazy. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk3mT6QACgkQ9CaO5/Lv0PAxYACdGkhA0s4VsHXGnxGr1oz66PI6 mOMAoIAYahgTAsPKnKe+oi7cclQEuzge =a1Aw -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
