Hi,

Thanks for the great connector.

I had a couple of questions, as below:

1. Is there a way to specify the valve setting in the context at the per-web-app level? (Currently I am specifying the valve in the Tomcat-level context.xml file.)
2. What is the security implication of having the client secret in plain view inside the context.xml file on the server? Are there ways to hash/hide it further?
3. The final step in the authentication workflow is looking up the user id in the Tomcat Realm. What is the purpose of doing it? Can roles also be communicated by the IdP? Can we disable this lookup?

Thanks
Yes, you can totally define the valve in the webapp-level context.

The context.xml file is a server-side file; it is not exposed anywhere outside the server, so all the server security applies. You can't hash the client secret because you need the actual value. If you encrypt it, you still need a place to save the encryption key. However, none of that is necessary, since access to the Tomcat setup and its files is supposed to be restricted by other means.

Separation of authentication from the user database (the realm) is part of Tomcat's architecture. It's a very good and wise thing, actually. If you don't need the realm, you can easily implement a dummy realm that simply always returns the user being looked up. To get the roles from the IdP, you can either make a separate call to the IdP's API, if available, or have the roles included in the JWT returned by the IdP. The JWT is made available to the webapp by the authenticator in the HTTP session object.
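One way to build the "dummy realm that always returns the user being looked up" from the reply above, as an added example that is not code from the connector project or from either participant. It assumes the Tomcat 9 `RealmBase`/`GenericPrincipal` API (the `GenericPrincipal` constructor that still takes a password argument), a hypothetical class name `com.example.PassthroughRealm`, a hypothetical `defaultRoles` attribute, and that the authenticator valve finishes its flow by calling `Realm.authenticate(String username)` with the user id taken from the IdP response:

```java
// Added example, not the connector's own code. Pass-through Realm for Tomcat 9:
// the OIDC valve has already authenticated the user against the IdP, so this
// realm's only job is to turn the user id into a Principal. Assumed to be
// registered in the webapp's META-INF/context.xml as
//   <Realm className="com.example.PassthroughRealm" defaultRoles="user"/>
package com.example;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

public class PassthroughRealm extends RealmBase {

    // Roles granted to every authenticated user. Tomcat's digester sets this
    // from the defaultRoles="..." attribute (hypothetical attribute name).
    private List<String> defaultRoles = Collections.emptyList();

    public void setDefaultRoles(String csv) {
        List<String> roles = new ArrayList<>();
        for (String r : csv.split(",")) {
            String trimmed = r.trim();
            if (!trimmed.isEmpty()) {
                roles.add(trimmed);
            }
        }
        this.defaultRoles = Collections.unmodifiableList(roles);
    }

    public String getDefaultRoles() {
        return String.join(",", defaultRoles);
    }

    // RealmBase.authenticate(String username) delegates here. Any non-empty
    // user id becomes a Principal carrying the default roles; no database lookup.
    @Override
    protected Principal getPrincipal(String username) {
        if (username == null || username.trim().isEmpty()) {
            return null; // never mint a principal for an empty identity
        }
        return new GenericPrincipal(username, null, defaultRoles);
    }

    // There is no password store behind this realm.
    @Override
    protected String getPassword(String username) {
        return null;
    }

    // Refuse credential-based logins outright, so a BASIC or FORM authenticator
    // that is accidentally paired with this realm cannot authenticate anyone.
    @Override
    public Principal authenticate(String username, String credentials) {
        return null;
    }
}
```

Because every user id the valve hands over becomes a Principal, the realm adds no check of its own: whether a request is trusted now rests entirely on the valve's validation of the IdP response (signature, issuer, audience, expiry) and on which roles you grant. If the roles should come from the IdP rather than from a fixed list, the webapp can read them from the JWT the authenticator stores in the HTTP session, under whatever attribute name the connector documents; that name is not given in this thread, so it is not hard-coded here.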