Post-deployment configuration

Mar 30, 2011 at 4:41 PM

I've started using WAFFLE in my application so I can get the identity of a user of the system so I can know who is making changes to the system.  I'd like to now use it to restrict areas to different groups.  I believe WAFFLE makes this easy.  I'm giving my app to our Operations team as a WAR.  Most of the configuration in the examples is done via web.xml, which is contained in the WAR.  What's the best way to allow my Ops group to configure which groups can access which resources without requiring them to edit the contents of the WAR?



Mar 31, 2011 at 11:56 AM

Waffle only authenticates the user, it doesn't supply authorization. So this is really a Tomcat (or whatever webserver)-specific question. In the past we've paired Waffle with a database authorization provider that would look up the waffle-authenticated principal in the database. It would be nice if someone wrote an article/post about a real example of how that's done with some existing components.

Mar 31, 2011 at 2:46 PM

A fair point - thanks for the clarification, that helps a bunch.  I'm not looking for something so general - let me explain further.

A previous version of this app was deployed behind Apache in a reverse proxy configuration.  Apache used mod_auth_sspi for authentication (passing the authenticated username in the X-Remote-User header).  My Ops team would then use Allow and Deny directives to specify which authenticated users/groups had access to which URLs. It was a nice separation of responsibility - my app didn't own the Apache config and only had the requirement that the authenticated user was passed along with the request.

Can I easily replicate something like this with Tomcat/Waffle?  I want to deliver my application as a war file, so I don't want any authorization information to live inside (I'll be deploying to development and production areas which will have different authorization requirements).  I'm happy to have authorization changes be a configuration time event, requiring a restart of Tomcat if necessary, as these changes will be rare.

Thanks again!


Apr 11, 2011 at 3:18 AM

I think you can do the same if you use Waffle as a filter. It only does authentication by default; authorization is performed by the web server. So configure it to accept any authenticated user and write some code that puts the username into the X-Remote-User header to use your old system. The rest should remain unchanged.
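The "write some code that puts the username into the X-Remote-User header" step from the last reply, as an added example that is not from any poster in this thread and not part of the Waffle project. It assumes the Waffle servlet filter is mapped ahead of it in web.xml, so that `getUserPrincipal()` already returns the Windows-authenticated principal; the filter class name `RemoteUserHeaderFilter` and the wrapper class are hypothetical names chosen here. The wrapper never forwards an `X-Remote-User` value that arrived from the network; it always replaces it with the container-authenticated name, so downstream code that trusts the header (the contract the application previously had with Apache/mod_auth_sspi) cannot be fed a client-chosen identity.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Waffle): mapped after the Waffle
 * authentication filter, it presents the authenticated principal to the
 * rest of the application as the X-Remote-User header, the same contract the
 * application previously received from Apache/mod_auth_sspi.
 */
public class RemoteUserHeaderFilter implements Filter {

    static final String HEADER = "X-Remote-User";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Principal principal = http.getUserPrincipal();
        if (principal == null) {
            // Authentication did not happen upstream; never pass a
            // client-supplied X-Remote-User through as if it were trusted.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Waffle principals are typically of the form DOMAIN\user.
        chain.doFilter(new RemoteUserRequest(http, principal.getName()), res);
    }

    /** Request view in which X-Remote-User is always the authenticated name. */
    static final class RemoteUserRequest extends HttpServletRequestWrapper {
        private final String user;

        RemoteUserRequest(HttpServletRequest request, String user) {
            super(request);
            this.user = user;
        }

        @Override
        public String getHeader(String name) {
            // Overrides any value the client sent under the same name.
            return HEADER.equalsIgnoreCase(name) ? user : super.getHeader(name);
        }

        @Override
        public Enumeration<String> getHeaders(String name) {
            return HEADER.equalsIgnoreCase(name)
                    ? Collections.enumeration(Collections.singletonList(user))
                    : super.getHeaders(name);
        }

        @Override
        public Enumeration<String> getHeaderNames() {
            Set<String> names = new LinkedHashSet<>();
            Enumeration<String> original = super.getHeaderNames();
            while (original.hasMoreElements()) {
                names.add(original.nextElement());
            }
            names.add(HEADER); // present even if the client did not send it
            return Collections.enumeration(names);
        }
    }
}
```

Servlet filters run in the order of their `<filter-mapping>` elements in web.xml, so this one must be declared after the Waffle filter mapping for the same URL pattern. Group-based Allow/Deny decisions then belong to whatever consumes the header (or to the container's own role mapping), and that consumer should only ever see the header via this wrapper, never directly from the network.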