Protecting applications deployed in Tomcat webserver using Oracle Access Manager

Hi all,

This post covers some solution-proposal aspects of protecting applications deployed in a Tomcat webserver using Oracle Access Manager. The same approach can be applied to applications deployed in any webserver for which Oracle does not provide a Webgate out of the box.

The scenario: web applications are deployed in a Tomcat server, and you need to protect them with OAM.

There are two ways of doing it. The first solution is to put a reverse proxy server in front of Tomcat (say Apache or OHS) and define the resources to be protected in an OAM policy domain. The second solution is to implement a custom access gate for the Tomcat server. Here, you would need to write a JAAS authentication module and authorization module that internally call the Access Gate, which in turn calls the Access Server for authentication and authorization.

This post covers the first solution. Let's say the reverse proxy is an OHS web server.

You can follow the steps as shown below:

  • Add or modify the host identifier to include the OHS port.
  • Create a policy domain with resources and authorization rules. Specify the authentication scheme and add authorization rules as per your requirements.
  • Now, uncomment the proxy module configuration in the httpd.conf of the OHS webserver. If you can't find the proxy-related configuration in httpd.conf, search for mod_proxy and uncomment it if it is commented out.
  • Add ProxyPass and ProxyPassReverse lines for your application resources as shown below.

ProxyPass /sample/public.html  http://tomcat_host:port/sample/public.html
ProxyPassReverse /sample/public.html  http://tomcat_host:port/sample/public.html

  • Access your application using the OHS port; you will be prompted for authentication when you request a protected resource.
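
A check for the configuration these steps produce, added here as an example and not part of the original post: it parses an httpd.conf fragment and flags a commented-out mod_proxy, forward proxying left on, and ProxyPass lines whose ProxyPassReverse is missing or points at a different backend URL. The sample fragment, port 8080 and the helper name `audit_proxy_conf` are constructed for illustration.

```python
# Constructed httpd.conf fragment for illustration (host and port are placeholders).
SAMPLE_CONF = """\
#LoadModule proxy_module modules/mod_proxy.so
ProxyRequests On
ProxyPass /sample/public.html http://tomcat_host:8080/sample/public.html
ProxyPassReverse /sample/public.html http://tomcat_host:8080/sample/public/public.html
ProxyPass /sample/admin http://tomcat_host:8080/sample/admin
"""


def audit_proxy_conf(text):
    """Return findings for a reverse-proxy httpd.conf fragment (hypothetical helper)."""
    findings, passes, reverses = [], {}, {}
    module_loaded = False
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank lines and commented-out directives have no effect
        name, args = parts[0].lower(), parts[1:]
        if name == "loadmodule" and args[:1] == ["proxy_module"]:
            module_loaded = True
        elif name == "proxyrequests" and args[:1] and args[0].lower() == "on":
            findings.append("ProxyRequests On: forward proxying is enabled; "
                            "a reverse proxy should leave it Off")
        elif name == "proxypass" and len(args) >= 2 and args[1] != "!":
            passes[args[0]] = args[1]
        elif name == "proxypassreverse" and len(args) >= 2:
            reverses[args[0]] = args[1]
    # Heuristic: assumes mod_proxy is a shared module loaded from this same file.
    if passes and not module_loaded:
        findings.append("mod_proxy: LoadModule proxy_module is missing or commented out")
    for path, backend in sorted(passes.items()):
        if path not in reverses:
            findings.append(f"{path}: ProxyPass has no matching ProxyPassReverse")
        elif reverses[path] != backend:
            findings.append(f"{path}: ProxyPassReverse targets {reverses[path]}, "
                            f"but ProxyPass targets {backend}")
    return findings


if __name__ == "__main__":
    for finding in audit_proxy_conf(SAMPLE_CONF):
        print(finding)
```

The check covers only the OHS side. Tomcat's own port still has to be unreachable to clients, since a request sent to it directly never passes through OHS and is not checked by OAM.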

In later posts, I will cover implementing the second solution.

Please drop your comments in case of any issues.

About the Author Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc. I am also well versed in complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience with the products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc. Look @ my blog: http://talkidentity.blogspot.com


10 comments
dehinde says August 3, 2010

Hi Mahendra,

Any idea when you might have suggestions for the second solution? More important is a kind of step-by-step guide on how to
1.) write a custom Access Gate for app servers like Geronimo or Tomcat.
2.) How can any application (e.g. non-web) use the Oracle Access Manager for managing authentication.

Mahendra says August 3, 2010

Dehinde,

I am not finding time to implement the second approach. For the time being, I would suggest you proceed like this.

1. Create a custom resource type in OAM.
2. Create an Access Gate profile.
3. Install the Access SDK.
4. Configure the Access Gate.
5. In your non-web application, use the logic to read the userid and password submitted by the user either through form or basic over ldap. Write code to contact the access server for authentication and authorization decisions.

Hope this helps.

-Mahendra.

Marcel says September 3, 2012

Hello,

If I want to set a response from OAM, in order to send the userID to the application deployed on Tomcat, will it be possible?

Regards,
Marcel

    Atul Kumar says September 3, 2012

    @ Marcel,
    Yes, it is possible to set them via the authentication or authorization scheme.

neha8000 says May 28, 2013

If we are protecting multiple apps that are Tomcat and IIS based, can we still go with the first approach?

Mahendra says May 28, 2013

What is the first approach you are talking about?

neha8000 says September 9, 2013

By first approach I meant “Reverse Proxy server in front of Tomcat (say Apache or OHS etc.) and define the Resources to be protected in OAM”. Do you have more details on setting this up?

Sankar says October 25, 2013

Hi,

I have deployed a custom application in Tomcat and I need to protect it using OAM. I followed the first procedure, but when I access a page of that application it prompts with both the OAM login page and the application’s login page.
I want Tomcat authentication to happen directly so that it won’t throw the Tomcat login page again. The customer doesn’t want to change code in the custom application.

Can you please suggest how we can achieve this?

Thanks
sankar

    Muhammad says April 3, 2017

    @Sankar
    Hi Sankar,

    Are you able to integrate a Tomcat application with OAM using only single/OAM authentication? Would you be so kind as to share the main steps, please?

    Regards,
    Muhammad

Ravi says April 21, 2014

Hi Mahendra –

Were you able to post the steps for second solution?

Thanks,
Ravi
