[Pki-devel] SPNEGO for Dogtag

Fraser Tweedale ftweedal at redhat.com
Thu Nov 12 11:26:19 UTC 2015


On Thu, Nov 12, 2015 at 11:20:10AM +0100, Jan Pazdziora wrote:
> On Thu, Nov 12, 2015 at 07:46:25PM +1000, Fraser Tweedale wrote:
> > On Thu, Nov 12, 2015 at 08:34:11AM +0100, Jan Pazdziora wrote:
> > > 
> > > I'm a bit confused. Do you try to do the authentication in tomcat
> > > or do you try to front-end tomcat with Apache? If you do it in tomcat
> > > itself (like the investigation seems to suggest), what is the role
> > > of mod_lookup_identity here?
> >
> > No Apache, no mod_lookup_identity.  But a Tomcat Realm
> > implementation that does a lookup of principal info via SSSD via
> > D-Bus, like what mod_lookup_identity does for Apache.
> 
> In general, that is what we tell people not to do.
> 
> The goal is to use external authentication and identity operations
> in the frontend server (Apache) and applications / frameworks consuming the
> results. The benefit of this approach is that you don't have to
> reimplement things when you, say, want to support an additional protocol
> -- hopefully, the platform will do it for you in the form of Apache
> modules. The mod_auth_openidc is a prime example -- ideally, any
> application that consumes results of external authentication (which
> was initially done for example to support Kerberos) gets OpenId Connect
> for free, just by reconfiguring the frontend Apache HTTP Server.
> 
In this case I would be implementing a Realm module for Tomcat as an
application server (Dogtag to consume the resulting information in
our case).  It does not always make sense to put Apache in front of
Tomcat, and we cannot assume such a setup.  The similar argument
exists for Nginx; for which a "lookup identity" module was also
implemented.

I was wondering if you (or others) were aware of any existing
implementation for Tomcat.

Cheers,
Fraser

> -- 
> Jan Pazdziora | adelton at #ipa*, #brno
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
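As an added illustration of the Realm-based approach Fraser describes (this is example code written for this archive page, not Dogtag code and not anything posted in the thread), the sketch below is a Tomcat Realm that does no password checking of its own: it relies on Tomcat's SPNEGO authenticator to establish the Kerberos identity, and then resolves that name to groups through SSSD's InfoPipe D-Bus service (bus name `org.freedesktop.sssd.infopipe`, object path `/org/freedesktop/sssd/infopipe`, method `GetUserGroups`), which is the same service mod_lookup_identity consults. It assumes Tomcat 9 (`RealmBase` with abstract `getPassword`/`getPrincipal`) and the dbus-java 3.x bindings; the package name and class name are hypothetical.

```java
package org.example.realm; // hypothetical package, not Dogtag's

import java.security.Principal;
import java.util.List;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import org.freedesktop.dbus.annotations.DBusInterfaceName;
import org.freedesktop.dbus.connections.impl.DBusConnection;
import org.freedesktop.dbus.exceptions.DBusException;
import org.freedesktop.dbus.interfaces.DBusInterface;

/**
 * Example Realm (assumed design, not Dogtag's code): identity is established
 * by the SPNEGO Authenticator in front of this Realm; the Realm only maps the
 * authenticated name to a Principal carrying SSSD group memberships as roles.
 */
public class SssdLookupRealm extends RealmBase {

    /** The one InfoPipe method this example needs; signature is s -> as. */
    @DBusInterfaceName("org.freedesktop.sssd.infopipe")
    public interface InfoPipe extends DBusInterface {
        List<String> GetUserGroups(String name);
    }

    private static final String BUS_NAME = "org.freedesktop.sssd.infopipe";
    private static final String OBJECT_PATH = "/org/freedesktop/sssd/infopipe";

    /** "alice@EXAMPLE.COM" -> "alice"; InfoPipe is keyed by the local user name. */
    static String stripRealm(String principalName) {
        int at = principalName.indexOf('@');
        return at < 0 ? principalName : principalName.substring(0, at);
    }

    @Override
    protected String getPassword(String username) {
        // No password store: returning null makes every password-based
        // authenticate() call fail, so only the GSS-API path can succeed.
        return null;
    }

    @Override
    protected Principal getPrincipal(String username) {
        String user = stripRealm(username);
        DBusConnection conn = null;
        try {
            // One connection per lookup keeps the example short; a real Realm
            // would hold a single connection open for its lifetime.
            conn = DBusConnection.getConnection(DBusConnection.DBusBusType.SYSTEM);
            InfoPipe ifp = conn.getRemoteObject(BUS_NAME, OBJECT_PATH, InfoPipe.class);
            List<String> groups = ifp.GetUserGroups(user);
            // Group names become Tomcat roles; no password is attached.
            return new GenericPrincipal(user, null, groups);
        } catch (DBusException e) {
            containerLog.warn("SSSD InfoPipe lookup failed for " + user, e);
            return null; // unknown or unreachable identity -> no Principal
        } finally {
            if (conn != null) {
                conn.disconnect();
            }
        }
    }
}
```

Wired into a `<Context>` as `<Realm className="org.example.realm.SssdLookupRealm"/>` together with `<Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"/>`, the authenticator verifies the Kerberos ticket and `RealmBase.authenticate(GSSContext, ...)` ends up in `getPrincipal(String)` above. The trade-off Jan raises still applies: adding another protocol (OpenID Connect, say) means another Authenticator/Realm pair in Tomcat, whereas the Apache-frontend design gets it by reconfiguring the proxy.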
