
AWS's Cognito service provides a login/signup GUI that allows users to sign up for a site (with various verifications: email, phone), log in, manage forgotten passwords, etc. When a user signs in, Cognito directs the user to a callback URL you provide. Attached to the callback URL is a JWT token (or code).

The Cognito part with User Pools works just as expected...

The web site is deployed to Tomcat. The built-in way Tomcat protects resources is with security constraints. For example, by adding the following to the web.xml file:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>User Stuff</web-resource-name>
        <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Authentication</realm-name>
    <form-login-config>
        <form-login-page>login.html</form-login-page>
        <form-error-page>error.html</form-error-page>
    </form-login-config>
</login-config>

Together with a configured Realm that serves as the username and password (or hash) store.

And the Tomcat part works as expected...

The problem is that my goal is to integrate the Tomcat security constraints with Cognito's external sign-up/sign-in GUI.

Do people do this? What, if any, glue exists to bridge the gap between Cognito External GUI and a Tomcat Realm?

Obvious problems...

  1. login-config doesn't allow URLs outside the current domain (i.e. https://... is rejected)

  2. Triggering Tomcat's authentication requires a form POST to j_security_check, which isn't directly compatible with Cognito's callback URL scheme.

Or is this going to take a whole OAuth/framework stack like Spring Security to make it work?
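One shape the glue can take, as an added example that is not part of the question or of any Tomcat/Cognito library: a servlet Filter that guards /protected/* with a session check in place of the FORM realm, plus a helper that verifies a Cognito ID token (signature against the pool's JWKS, iss, aud, exp, token_use) before a callback handler is allowed to mark the session as authenticated. It assumes Tomcat 9 (javax.servlet, Servlet 4.0 default methods), the nimbus-jose-jwt library on the classpath, and placeholder values for the region, user pool id and app client id.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.io.IOException;
import java.net.URL;
import java.util.*;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example, not code from the question. Guards /protected/* with a session
// check instead of Tomcat's FORM realm, and verifies a Cognito ID token before the
// session may be marked as authenticated. The pool values below are placeholders.
@WebFilter("/protected/*")
public class CognitoSessionFilter implements Filter {
    static final String ISSUER = "https://cognito-idp.REGION.amazonaws.com/POOL_ID"; // placeholder
    static final String CLIENT_ID = "APP_CLIENT_ID";                                  // placeholder
    static final String SESSION_KEY = "cognito.sub";

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession s = ((HttpServletRequest) req).getSession(false);
        if (s != null && s.getAttribute(SESSION_KEY) != null) {
            chain.doFilter(req, res);   // token was verified earlier in this session
            return;
        }
        // Not authenticated: send to the page that starts the Cognito hosted UI flow.
        ((HttpServletResponse) res).sendRedirect("/login.html");
    }

    /** Checks signature (pool JWKS), iss, aud, exp and token_use, then returns the
     *  subject. The callback handler calls this and sets SESSION_KEY only on success. */
    public static String verifyIdToken(String idToken) throws Exception {
        DefaultJWTProcessor<SecurityContext> p = new DefaultJWTProcessor<>();
        p.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256,
                new RemoteJWKSet<>(new URL(ISSUER + "/.well-known/jwks.json"))));
        p.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(CLIENT_ID,
                new JWTClaimsSet.Builder().issuer(ISSUER).build(),
                new HashSet<>(Arrays.asList("sub", "exp", "token_use"))));
        JWTClaimsSet claims = p.process(idToken, null);   // throws on any failure
        if (!"id".equals(claims.getStringClaim("token_use"))) {
            throw new Exception("expected an ID token, got " + claims.getStringClaim("token_use"));
        }
        return claims.getSubject();
    }
}
```

Note that with the hosted UI's implicit flow the tokens arrive in the URL fragment, which Tomcat never sees, so the server-side callback normally uses the authorization code flow and exchanges the code at the pool's token endpoint to obtain the ID token it then passes to verifyIdToken.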
