Legacy application with JDBC and JNDI REALM authentication

Question

Hello All,

My application currently relies on JDBC realm authentication. Recent needs have forced us to think about having LDAP authentication as well. We are thinking about using Active Directory for both authentication as well as authorization (roles). As a standalone test, I was able to authenticate my application with AD. But here is the confusion I have going forward.

If the user chooses LDAP authentication when he logs in, I authenticate the user with AD, get the user's roles and do I replicate(create a new) windows user in my database?. I have to have the user in the database, because many parts of the application is designed to retrieve the user from database

If the users chooses local login, I still should have JDBCRealm somewhere that I should use to authenticate the user. Is it possible to have multiple realms in tomcat? (I sort of know it is possible, but havent seen much documentation around it)

Any thoughts, comments, suggestions would immensely help me

Thanks K

Answer 1

If you can run your app on Tomcat 6, there is a realm called CombinedRealm that will let you do what you are trying to do: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#CombinedRealm. It is possible to do what you want in older versions but it's a real pain. You basically will have to implement your own custom Realm. I've not yet used this new CombinedRealm, but if it works as advertised it will save you a lot of effort and pain. Trust me.