I have two applications each with their own context root and each has their own JAAS security domain. I have a set of users with the same logon credentials for both security domains but with differing roles for each domain.
I have enabled SSO by uncommenting the valve org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn in deploy/jbossweb-tomcat50.sar/server.xml. I have also disabled caching of security credentials by setting to zero the DefaultCacheTimeout and DefaultCacheResolution attributes of the JAAS security manager and realm mapping mbean in conf/jboss-service.xml I would expect the resultant behaviour to be that a user is asked to sign on once but roles would be determined for every access. However it appears that roles are determined at the point of sign on and not for every access. Am I missing something here? Dependant upon which resource the user attempts to access first their roles are set for the domain that the resource exists in. If they stay within that domain then everything is fine as they will only have access as their roles permit. If however they attempt to access a susequent domain where they have less roles then they can access resources that they shouldn't be able to. Is it possible (using declarative security) to have a user authenticate once across multiple applications (within a cluster) but to have authorization determined for every access? View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3862277#3862277 Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3862277 ------------------------------------------------------- The SF.Net email is sponsored by: Beat the post-holiday blues Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek. It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt _______________________________________________ JBoss-user mailing list JBoss-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jboss-user