It shouldn't... if you apply the SSOValve at the host or engine levels,
then all web apps underneath will then be using the SSOValve via
inheritance.

Jeff

Vamsavardhana Reddy wrote:
> Seeing your reply, I have to add the following to my original comments.
> 
> I have tested SSO with two WebApps deployed as part of an EAR.  I do not
> know if enabling SSO for Web Apps deployed independently requires any
> changes in their deployment plans.
> 
> Thanks,
> Vamsi
> 
> On 8/7/06, *Paul McMahan* <[EMAIL PROTECTED]> wrote:
> 
>     I looked at using the Tomcat SSOValve for GERONIMO-973 and had a
>     similar experience -- i.e. it works fine but may not be appropriate in
>     many situations.  As I recall, what it basically does is store the
>     credentials in a cookie with higher level scope, making it visible to
>     all the applications in the server instead of just the one that was
>     originally authenticated.
> 
>     Since logging into the admin console should not grant access to other
>     applications deployed in the server I ended up using a different
>     approach for GERONIMO-973, which was to send all requests through a
>     single context that acted as a proxy for the other context(s).  This
>     works for SSO across multiple WARs in an EAR but may not work for SSO
>     across EARs.  See the comments in GERONIMO-973 for details.  Your
>     idea for defining multiple hosts might be a clever way to work around
>     that issue.
> 
>     As Jeff points out, it should not be necessary to rebuild the server
>     to use the SSOValve (unless something has changed recently). I just
>     enabled it in var/config/config.xml.
> 
>     Best wishes,
>     Paul
> 
>     On 8/7/06, Jeff Genender <[EMAIL PROTECTED]> wrote:
>     > Why does the server need to be built with the SSOValve?
>     >
>     > You should be able to connect the SSOValve to the TomcatEngine in the
>     > config.xml.
>     >
>     > Jeff
>     >
>     > Vamsavardhana Reddy wrote:
>     > > I could get SSO working on a server build with SSOValve GBean in
>     > > the tomcat plan.  In this case the application deployment plans
>     > > needed no change as mentioned in the post that Krish pointed to.
>     > >
>     > > Here are some of my observations.
>     > >
>     > > An SSOValve GBean created as part of the application needs to be
>     > > connected to TomcatEngine so that SSO works.  To do so, either the
>     > > FirstValve in TomcatEngine needs to be replaced with this SSOValve or a
>     > > "NextValve" attribute should be added to the FirstValve and it should be
>     > > made to point to the SSOValve.  I guess there is only one TomcatEngine
>     > > GBean in the server and I don't think it should be modified to suit the
>     > > needs of two or more applications that need SSO.
>     > >
>     > > Another way is to have multiple hosts defined in the tomcat plan and
>     > > one of them could have an SSOValve in the chain.  All apps that want SSO
>     > > can use that host.
>     > >
>     > > In either case, the server needs to be built with SSOValve GBean.
>     > >
>     > > With what G provides right now, there is no way that an SSOValve GBean is
>     > > created as part of an application and hooked to the TomcatEngine.
>     > >
>     > > Comments?
>     > >
>     > > Thanks,
>     > > Vamsi
>     > >
>     > > On 8/2/06, *Krishnakumar B* <[EMAIL PROTECTED]> wrote:
>     > >
>     > >     Hi Joe,
>     > >
>     > >     I have also tried this and was able to get it to work by doing a build
>     > >     with SSOValve GBean open.
>     > >
>     > >     Refer to earlier post:
>     > >     http://www.nabble.com/SSO-in-Tomcat-tf1478623.html#a4001647
>     > >
>     > >     I was not able to get it to work by deploying a new Valve along with 2
>     > >     web applications that need SSO.
>     > >
>     > >     Regards
>     > >     Krish.
>     > >
>     > >     On 8/1/06, Joe O'Pecko <[EMAIL PROTECTED]> wrote:
>     > >     > I know this has been discussed in the past, and I
>     > >     > apologize for the lengthy inquiry, however, I have
>     > >     > been trying unsuccessfully to get SSO working with
>     > >     > Tomcat on Geronimo v1.0 for some time. I am deploying
>     > >     > an application as an ear file with two war files
>     > >     > contained within. My geronimo-application.xml file
>     > >     > contains a definition for a JAAS Security Realm and
>     > >     > the two WAR file's geronimo-web.xml reference it via
>     > >     > security-realm-name elements. Once deployed each web
>     > >     > application challenges the user upon first access,
>     > >     > using the configured JAAS LoginModule. I'd like to
>     > >     > establish a SSO trust between the two web
>     > >     > applications, if possible, so that a user is only
>     > >     > challenged once for both web applications.
>     > >     >
>     > >     > I've seen a previous post on this site entitled Single
>     > >     > Sign On : Tomcat in Geronimo
>     > >     > (http://tinyurl.com/lkgjy) which seemed to provide
>     > >     > some information. Basically, it suggested the addition
>     > >     > of a SSOValve GBean to the geronimo-web.xml file. As
>     > >     > suggested, I've added the SSOValve to each
>     > >     > geronimo-web.xml and confirmed that I could see them
>     > >     > running in the deploy-tool web application. However,
>     > >     > each application has its own SSOValve GBean running
>     > >     > which leads me to believe that they do not share
>     > >     > anything between them.
>     > >     >
>     > >     > I've also seen Aaron Mulder's website which states
>     > >     > that Geronimo does not natively support web-based
>     > >     > single sign-on across web sites
>     > >     > (http://tinyurl.com/qa9bl).
>     > >     >
>     > >     > So is it possible to provide Single Sign On across
>     > >     > web applications? I've attached my config files below
>     > >     > if it helps.
>     > >     >
>     > >     > Thanks in advance for any help and information you can
>     > >     > provide.
>     > >     >
>     > >     > Joe
>     > >     >
>     > >     > ---begin geronimo-application.xml---
>     > >     > <?xml version="1.0" encoding="UTF-8"?>
>     > >     >
>     > >     > <application
>     > >     >     xmlns="http://geronimo.apache.org/xml/ns/j2ee/application"
>     > >     >     xmlns:sec="http://geronimo.apache.org/xml/ns/security-1.1"
>     > >     >     configId="com/foo/test"
>     > >     >     parentId="geronimo/j2ee-server/1.0/car">
>     > >     >
>     > >     >    <dependency>
>     > >     >        <groupId>log4j</groupId>
>     > >     >        <artifactId>log4j</artifactId>
>     > >     >        <version>1.2.8</version>
>     > >     >    </dependency>
>     > >     >
>     > >     >    <sec:security>
>     > >     >        <sec:default-principal realm-name="foo-realm">
>     > >     >            <sec:principal
>     > >     >                class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
>     > >     >                name="anonymous"/>
>     > >     >        </sec:default-principal>
>     > >     >        <sec:role-mappings>
>     > >     >            <!--
>     > >     >                this mapping maps all users in the
>     > >     > registeredUsers group to registered-users role
>     > >     >                defined in web.xml
>     > >     >            -->
>     > >     >            <sec:role role-name="FOO_ADMIN">
>     > >     >                <sec:realm realm-name="foo-realm">
>     > >     >                    <sec:principal
>     > >     >                        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>     > >     >                        name="foo_admin"/>
>     > >     >                </sec:realm>
>     > >     >            </sec:role>
>     > >     >            <sec:role role-name="FOO_USER">
>     > >     >                <sec:realm realm-name="foo-realm">
>     > >     >                    <sec:principal
>     > >     >                        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>     > >     >                        name="foo_user"/>
>     > >     >                </sec:realm>
>     > >     >            </sec:role>
>     > >     >
>     > >     >        </sec:role-mappings>
>     > >     >    </sec:security>
>     > >     >
>     > >     >    <gbean name="foo-realm"
>     > >     >           class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>     > >     >        <!--
>     > >     >            this is the name of the Security Realm as well as the name
>     > >     >            of the configuration entry used by the application
>     > >     >        -->
>     > >     >        <attribute name="realmName">foo-realm</attribute>
>     > >     >
>     > >     >        <!--
>     > >     >            reference to the head of the login module use list
>     > >     >        -->
>     > >     >        <reference name="LoginModuleConfiguration">
>     > >     >            <name>foo-login</name>
>     > >     >        </reference>
>     > >     >
>     > >     >        <reference name="ServerInfo">
>     > >     >            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
>     > >     >        </reference>
>     > >     >
>     > >     >        <reference name="LoginService">
>     > >     >            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
>     > >     >        </reference>
>     > >     >    </gbean>
>     > >     >
>     > >     >    <!--
>     > >     >        this is the head of the login module use list
>     > >     >    -->
>     > >     >    <gbean name="foo-login"
>     > >     >           class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
>     > >     >        <!-- login module must succeed -->
>     > >     >        <attribute name="controlFlag">REQUIRED</attribute>
>     > >     >
>     > >     >        <!-- reference to the login module -->
>     > >     >        <reference name="LoginModule">
>     > >     >            <name>foo-login</name>
>     > >     >        </reference>
>     > >     >    </gbean>
>     > >     >
>     > >     >    <!-- the login module GBean -->
>     > >     >    <gbean name="foo-login"
>     > >     >           class="org.apache.geronimo.security.jaas.LoginModuleGBean">
>     > >     >        <attribute name="loginModuleClass">
>     > >     >            com.foo.FooLoginModule
>     > >     >        </attribute>
>     > >     >        <attribute name="serverSide">true</attribute>
>     > >     >        <attribute name="loginDomainName">foo-realm</attribute>
>     > >     >    </gbean>
>     > >     >
>     > >     >    <gbean name="FooServer"
>     > >     >           class="com.foo.FooServerGBean"
>     > >     >           gbeanName="com.foo.fooserver:type=Server,name=GUIServer">
>     > >     >        <attribute name="baseDirectory" type="java.lang.String">
>     > >     >           /home/foo
>     > >     >        </attribute>
>     > >     >    </gbean>
>     > >     > </application>
>     > >     > ----end geronimo-application.xml----
>     > >     >
>     > >     >
>     > >     > ---begin first geronimo-web.xml---
>     > >     > <?xml version="1.0" encoding="UTF-8"?>
>     > >     > <web-app
>     > >     >     xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
>     > >     >     configId="com/foo/contextOne">
>     > >     >
>     > >     >    <context-root>/contextOne</context-root>
>     > >     >
>     > >     >    <context-priority-classloader>false</context-priority-classloader>
>     > >     >
>     > >     >
>     > >     >    <container-config>
>     > >     >        <!-- Tomcat-specific container declarations -->
>     > >     >        <tomcat xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
>     > >     >            <valve-chain>SSOValve</valve-chain>
>     > >     >        </tomcat>
>     > >     >    </container-config>
>     > >     >
>     > >     >
>     > >     > <security-realm-name>netcool-realm</security-realm-name>
>     > >     >
>     > >     >    <gbean name="SSOValve" class="org.apache.geronimo.tomcat.ValveGBean">
>     > >     >        <attribute name="className">
>     > >     >            org.apache.catalina.authenticator.SingleSignOn
>     > >     >        </attribute>
>     > >     >    </gbean>
>     > >     >
>     > >     > </web-app>
>     > >     > ----end first geronimo-web.xml----
>     > >     >
>     > >     >
>     > >     > ---begin second geronimo-web.xml---
>     > >     > <?xml version="1.0" encoding="UTF-8"?>
>     > >     > <web-app
>     > >     >     xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
>     > >     >     configId="com/foo/contextTwo">
>     > >     >
>     > >     >    <context-root>/contextTwo</context-root>
>     > >     >
>     > >     >    <context-priority-classloader>false</context-priority-classloader>
>     > >     >
>     > >     >
>     > >     >    <container-config>
>     > >     >        <!-- Tomcat-specific container declarations -->
>     > >     >        <tomcat xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
>     > >     >            <valve-chain>SSOValve</valve-chain>
>     > >     >        </tomcat>
>     > >     >    </container-config>
>     > >     >
>     > >     >
>     > >     > <security-realm-name>netcool-realm</security-realm-name>
>     > >     >
>     > >     >    <gbean name="SSOValve" class="org.apache.geronimo.tomcat.ValveGBean">
>     > >     >        <attribute name="className">
>     > >     >            org.apache.catalina.authenticator.SingleSignOn
>     > >     >        </attribute>
>     > >     >    </gbean>
>     > >     >
>     > >     > </web-app>
>     > >     > ----end second geronimo-web.xml----
>     > >     >
>     > >     >
>     > >     >
>     > >     >
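The server-level wiring that Jeff and Vamsi describe, written out as an added illustration; it is not taken from any message in this thread or from the Geronimo project's shipped plans. It moves the SSOValve out of the two geronimo-web.xml files and into the server's Tomcat plan, chained behind FirstValve with a NextValve reference so every host and context under TomcatEngine inherits it. The GBean class names come from the fragments above; FirstValve's className, the reference-element shape for NextValve, and the idea of a dedicated host for SSO apps are assumptions.

```xml
<!-- Illustrative fragment of the server's Tomcat plan (assumed layout, not Geronimo's shipped plan). -->

<!-- Existing head of the engine's valve chain. Its className is assumed; the only
     change is the NextValve reference, which chains the SSO valve after it. -->
<gbean name="FirstValve" class="org.apache.geronimo.tomcat.ValveGBean">
    <attribute name="className">org.apache.catalina.valves.AccessLogValve</attribute>
    <reference name="NextValve">
        <name>SSOValve</name>
    </reference>
</gbean>

<!-- The SSO valve as one server-level GBean instead of one per web app. Because it
     hangs off TomcatEngine, the SSO cookie it issues is honoured by every host and
     context on the engine, the admin console included. That is the scope Paul warns
     about: a login to any one application is a login to all of them. If only the two
     cooperating WARs should share a login, chain the valve on a separate host that
     only those apps use (Vamsi's multiple-hosts idea) rather than on FirstValve. -->
<gbean name="SSOValve" class="org.apache.geronimo.tomcat.ValveGBean">
    <attribute name="className">org.apache.catalina.authenticator.SingleSignOn</attribute>
</gbean>
```

With the valve attached here, each geronimo-web.xml drops its own SSOValve GBean and the `<valve-chain>SSOValve</valve-chain>` element; the apps keep only their `security-realm-name`.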