
Apache server session authentication using a web application


I am building a small Java (servlet) authentication web application that will be running on Tomcat. The application will authenticate a user and then redirect the user to another web application (on a different server). The problem is that after the user authenticates I need to somehow tell Apache that this session is authenticated and that Apache should redirect (using RewriteRules) the HTTP request to the target web application (and not the one for authentication).

According to my research I have 3 options:

  1. After authentication success I redirect to a URL that tells Apache that this session is authenticated (using RewriteRules). I can store this information in a cookie (issue: security) or Apache environment variables (issue: clearing inactive environment variables ...).
  2. Use an Apache module for storing sessions in a database. On auth success I update the database from the Java app, and Apache redirects all requests to the target URL (issue: DB access load (up to 500 active concurrent users)).
  3. HTTP tunneling. But this means that every request for the target application is going through my authentication application (issue: redundant, slow, ...).

Questions:

  1. Is there another way to do this?
  2. What would be the best way to do this?

Solution

  • A few ways of doing this:

    1. If you can afford an enterprise solution, go with Oracle Identity Management / Oracle Access Management. It will redirect to a login page; once login is successful and the right cookie has been added, all future requests will get a header injected on the internal side. Your internal app can key in on the header and confirm that the user has logged in. To do development, you can run the secure app without OIM/OAM by using the Firefox ModifyHeaders plugin.

    2. If you cannot afford an enterprise solution, go with OpenIAM, it does the same thing but at a small scale without reporting and high-availability features.

    3. There might be a third way of doing this, but I've never tried it: using Apache's authentication modules (or a combination of them), like http://authmemcookie.sourceforge.net/ or http://httpd.apache.org/docs/trunk/mod/mod_session.html

    Good luck!
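The header-injection pattern in option 1 above only holds if the internal app trusts that header exclusively on requests that came through the gateway. The servlet filter below is an added example (not code from the question, the answer, or any of the named products) of how the Tomcat side can enforce that: the header name `X-Authenticated-User`, the gateway address `10.0.0.5` and the Servlet 4.0+ API (which gives `Filter` default `init`/`destroy` methods) are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Accepts the identity header only on requests that arrived through the gateway
// that injects it; a client reaching Tomcat directly could otherwise forge it.
public class GatewayIdentityFilter implements Filter {
    // Assumed header name: whatever the gateway is configured to inject.
    static final String IDENTITY_HEADER = "X-Authenticated-User";
    // Assumed: address(es) of the reverse proxy / access gateway in front of Tomcat.
    static final Set<String> GATEWAY_ADDRESSES = Set.of("10.0.0.5");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String user = resolveUser(request.getRemoteAddr(), request.getHeader(IDENTITY_HEADER));
        if (user == null) {
            // Missing header, or the request bypassed the gateway: not authenticated.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Downstream servlets read the verified identity from this attribute.
        request.setAttribute("authenticatedUser", user);
        chain.doFilter(req, res);
    }

    // Returns the user name only if the header is present and the request came via the gateway.
    static String resolveUser(String remoteAddr, String headerValue) {
        if (!GATEWAY_ADDRESSES.contains(remoteAddr)) {
            return null;
        }
        if (headerValue == null || headerValue.isBlank()) {
            return null;
        }
        return headerValue.trim();
    }
}
```

The gateway itself must also overwrite (not merely add) the identity header on every proxied request, so that a copy supplied by the browser never reaches Tomcat; the remote-address check is the second line of defence in case Tomcat is reachable without going through the proxy.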