Thanks for pointing to OAuth. Any suggestions for an open source OAuth Java
library, both for the provider-side implementation and the client side? And
can an OAuth provider issue non-expiring tokens? That's kind of our
requirement. After asking the user once for credentials, we do not want to
bother the user again.


-----Original Message-----
From: Pid [mailto:p...@pidster.com] 
Sent: Thursday, June 21, 2012 7:01 PM
To: Tomcat Users List
Subject: Re: mixing authentication schemes

On 21/06/2012 20:34, Aggarwal, Ajay wrote:
> Sorry about the poor formatting of my message.

Research OAuth.


p

> -----Original Message-----
> From: Aggarwal, Ajay [mailto:ajay.aggar...@stratus.com]
> Sent: Thursday, June 21, 2012 3:27 PM
> To: users@tomcat.apache.org
> Subject: mixing authentication schemes
> 
> CURRENT ENVIRONMENT
> 
>  
> 
> Our device is managed via a tomcat 6 based web-server that runs on the
> device. We have a proprietary XML/JSON API that web based UI client
> uses to talk to web-server. We are NOT using container managed
> security. Instead our application has implemented its own authentication.
> Essentially client uses a proprietary login request and after a 
> successful authentication, server marks the HTTP session as 
> authenticated.
> 
>  
> 
> NEW SITUATION
> 
>  
> 
> Now we are looking to build a new multi-device management application,
> which would have its own UI and server. As the name implies this
> application is for managing multiple devices.
> 
>  
> 
> How should this multi-device service authenticate itself with the 
> individual devices? We do not want user to enter credentials for each 
> device every time this service wants to talk to a managed device. We 
> also do not want to store each managed device's credentials with the 
> multi-device service.
> 
>  
> 
> One possibility is to use SSL certificate based authentication.
> So the multi-device application can authenticate itself with individual
> devices using an SSL certificate.  We only need to import the multi-device
> application's certificate into each managed device's trust-store once.
> 
>  
> 
> QUESTIONS
> 
>  
> 
> A few questions for those of you who have dealt with this type of 3-tier
> application:
> 
>  
> 
> Q1. How do we get the above scheme working in Tomcat, such that the
> existing device specific UI clients can continue to authenticate using
> the proprietary login request, whereas the multi-device application uses
> SSL certificate based authentication?
> 
>  
> 
> Q2. What are some of the other suggestions and/or best practices that 
> you would recommend to solve this problem?
> 
>  
> 
> Thanks.
> 
>  
> 
> -Ajay
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
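
One way to approach Q1 from the quoted message, as an added example that is not part of the original thread or of Tomcat itself: a servlet filter that accepts either the application's own session login or a TLS client certificate. It assumes the HTTPS connector is configured with `clientAuth="want"` and a truststore holding the multi-device application's certificate, and that the filter is mapped to the protected API URLs but not to the login request; the session attribute name and subject DN are hypothetical.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (Servlet 2.5 / Tomcat 6 style). Names below are hypothetical.
public class MixedAuthFilter implements Filter {
    // Hypothetical flag the application's own login handler sets on success.
    static final String SESSION_FLAG = "app.authenticated";
    // Hypothetical subject DN (RFC 2253 form) of the manager's client certificate.
    static final String MANAGER_DN = "CN=multi-device-manager,O=Example";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Path 1: device-specific UI clients. The proprietary login has
        // already marked the HTTP session as authenticated.
        HttpSession session = req.getSession(false);
        if (session != null
                && Boolean.TRUE.equals(session.getAttribute(SESSION_FLAG))) {
            chain.doFilter(rq, rs);
            return;
        }

        // Path 2: multi-device application. With clientAuth="want" the
        // container exposes the certificate chain it validated against the
        // truststore during the TLS handshake; absent means no cert was sent.
        X509Certificate[] chainCerts = (X509Certificate[])
                req.getAttribute("javax.servlet.request.X509Certificate");
        if (req.isSecure() && chainCerts != null && chainCerts.length > 0) {
            // Pin the expected identity as well, so that adding another CA
            // to the truststore later does not silently widen access.
            String dn = chainCerts[0].getSubjectX500Principal().getName();
            if (MANAGER_DN.equals(dn)) {
                chain.doFilter(rq, rs);
                return;
            }
        }

        // Neither scheme succeeded: fail closed.
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```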

