I use OpenAM. It is free and source is free. A tomcat server does all of the authentication and authorization. But what is nice is that there is an apache module so you can do all of the enforcement at your web server. Then all other tomcat servers being proxied by that same web server can be sent custom headers for things like user name, user id, groups, etc. On Nov 16, 2011 1:09 PM, "chris derham" <ch...@derham.me.uk> wrote:
> > > > But for _transparent_ authentication IIS is required as Christopher > > mentioned. > > > > That is not true. You can use SPNEGO to setup transparent authentication > directly to tomcat. You do not need IIS. This means that a browser accesses > a protected url on the server, and the server and browser "discuss" who the > user is, and then the application is presented with that information. This > discussion is transparent and involves no user interaction. This can be > done by default in IE and I believe chrome, but firefox is more secure so > needs to have explicitly have this authentication security enabled - by > default it is turned off to stop hackers falsely requesting the details > from a malicious server > > HTH > > Chris >
