I am attempting to create a secure, and possibly metered, web-service in Java.
In my research I turned up a lot of information about OpenSSO and thought that it was my solution until I discovered that OpenAM had taken over the reins and that OpenSSO was no longer being developed!
I've got Tomcat7+OpenAM's latest version installed and have started to configure it.
My GOAL:
I would like to have a session/token-based authentication where users can request a token from the secure web-service endpoint (OpenAM seems to offer this), then include that token in subsequent HTTP requests to the web-service endpoints protected by OpenAM.
I see guides on how to create an 'agent-policy' for Apache... but so far not Tomcat? Maybe I'm just naive about how this stuff works - maybe I would use a Java EE Policy for Tomcat?
Finally, a nice-to-have: when the user hits a particular service, I am able to take their authenticated token, and use it to 'meter' the service in some meaningful way (record information about the requests) - is there an API hook in OpenAM or should I plan on implementing this internally to the web-service?
My question is: Are there any guides out there, or sample projects, that demonstrate this type of configuration? OpenAM's documentation is nice, but I guess I need a bit more hand-holding.