BASIC authentication SSO with a separate IIS application
I've been told our working application must coexist with other applications using BASIC authentication, the same domain name and a shared authentication store to achieve single sign on (SSO). Our application has been working fine without IIS or Apache sitting in front of it. The application is almost entirely dynamic so I didn't feel a need before. Now that we've thrown the switch on our QA tier the SSO is not working. The other application seems to generate a key to store the authentication in the browser of "qa.ourserver.com", while our application generates a key of "qa.ourserver.com:80". The browser then treats these as separate domains. I do not see anywhere in the config files where this is set. Q1: Can I configure Tomcat to not include the ":80" at the end of the domain name? Q2: Should I configure Tomcat to run behind the same IIS the other application runs behind? I'm developing in Java and the other application is developed in C## and .net. Q3: If the BASIC authentication solution weren't already dictated, what would the preferred SSO solution be? Any additional insight is also appreciated. Thanks! -Steve-
RE: howto configure JAAS+SSO
Hi Wendy, Sure I can explain what happens but not why. When you call the LoginModule with an optional Subject and CallBack the code works fine for me, i.e. it calls the LoginModule and I do everything I need, placing the Principals into the Subject. However... and this is where I don't want to say anything sweeping in case I have just simply misunderstood the Subject that is authenticated via the LoginModule has no visibility to Tomcat. If I could find a way to replace the session Subject with the one passed back from the LoginModule.getSubject() I would be ok, but I couldn't, so I placed the authorised Subject in the session and overrode the request.isUserInRole() to authorise against the Subject I placed in the session. One of these days I might ask the Tomcat dev list what I was doing wrong but got comments from other developers saying they had the same problem [All the JAAS examples do it the way I have described in some shape or form] Its not that bid a deal, and if you just use the Request wrapper I have attached you know that in the future you can remove the filter if you go to WebSphere or something like that. -Original Message- From: Wendy Smoak [mailto:[EMAIL PROTECTED] Sent: 16 August 2005 17:44 To: Tomcat Users List Subject: Re: howto configure JAAS+SSO From: "Mark Benussi" <[EMAIL PROTECTED]> > However I can tell you about JAAS in Tomcat. In 5 certainly there are > issues. Essentially when you call the LoginModule to invoke your JAAS > config > it works but it does not authenticate the proper session Subject. Can you explain more about this? I just _finally_ got the jsp-examples webapp that ships with Tomcat changed over to Kerberos authentication. Am I about to run into problems? > What you end up doing (Or what I did) was place a request filter in the > app that > wraps the request with an overridden RequestWrapper and you write your own > inUserInRole against the Subject that the LoginModule returns (By placing > it > in the session) > > If you want some code, taken from Wendy Smoak ... .. who took it from one of Craig's tomcat-user posts. ;) http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatRequestWrapper -- Wendy Smoak - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: howto configure JAAS+SSO
From: "Mark Benussi" <[EMAIL PROTECTED]> However I can tell you about JAAS in Tomcat. In 5 certainly there are issues. Essentially when you call the LoginModule to invoke your JAAS config it works but it does not authenticate the proper session Subject. Can you explain more about this? I just _finally_ got the jsp-examples webapp that ships with Tomcat changed over to Kerberos authentication. Am I about to run into problems? What you end up doing (Or what I did) was place a request filter in the app that wraps the request with an overridden RequestWrapper and you write your own inUserInRole against the Subject that the LoginModule returns (By placing it in the session) If you want some code, taken from Wendy Smoak ... ... who took it from one of Craig's tomcat-user posts. ;) http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatRequestWrapper -- Wendy Smoak - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: howto configure JAAS+SSO [Apologies code attached]
Mark Benussi wrote: 1.Filter to go in web.xml /** * [EMAIL PROTECTED] javax.servlet.Filter Filter} to overide the HttpServletRequest and * overide isUserInRole() using the * [EMAIL PROTECTED] com.ibt.framework.security.tomcat.HttpServletRequestWrapper HttpServletRequestWrapper} * * @author Mark Benussi */ public class HttpServletRequestFilter implements Filter { /** * @see javax.servlet.Filter#destroy() */ public void destroy() { } /** * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, * javax.servlet.ServletResponse, javax.servlet.FilterChain) */ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest httpServletRequest = (HttpServletRequest) request; HttpServletRequestWrapper wrappedRequest = new HttpServletRequestWrapper( httpServletRequest); chain.doFilter(wrappedRequest, response); } /** * @see javax.servlet.Filter#init(javax.servlet.FilterConfig) */ public void init(FilterConfig config) throws ServletException { } } 2. Request wrapper /** * Wraps the [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest HttpServletRequest} * @author Mark Benussi */ public class HttpServletRequestWrapper extends javax.servlet.http.HttpServletRequestWrapper { /** * The original [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest HttpServletRequest} */ private HttpServletRequest request = null; /** * Helper to manage any common security methods */ private static SecurityHelper jaasHelper = null; /** * Default constructor * * @param request *The original [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest HttpServletRequest} */ public HttpServletRequestWrapper(HttpServletRequest request) { super(request); if (jaasHelper == null) { jaasHelper = new SecurityHelper(); } this.request = request; } /** * @see javax.servlet.http.HttpServletRequestWrapper#isUserInRole(java.lang.String) */ public boolean isUserInRole(String role) { Subject subject = jaasHelper.getSessionSubject(request, false); return jaasHelper.isSubjectInRole(subject, role); } } 3. When you call youre LoginModule get the Subject and place in the session and then write your own code to validate the Subject has the role required. 4. As for passing the session to your LoginModule, which I wouldn't do in a puristic way as the LoginModule should be able to be used by a wing app just as much as a web app. well. my login module would be for the very special purpose of making SSO of webapps possible, so i wouldn't have much of a problem with this. Contstruct a CallBackHandler with the username and password but also with the session or request. Then in your loginmodule you will have access to the request/session when you invoke handle callback wow. thanks a lot! the code looks much simpler than i would have expected. i think this will do nicely. :) Edmund - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: howto configure JAAS+SSO [Apologies code attached]
1.Filter to go in web.xml /** * [EMAIL PROTECTED] javax.servlet.Filter Filter} to overide the HttpServletRequest and * overide isUserInRole() using the * [EMAIL PROTECTED] com.ibt.framework.security.tomcat.HttpServletRequestWrapper HttpServletRequestWrapper} * * @author Mark Benussi */ public class HttpServletRequestFilter implements Filter { /** * @see javax.servlet.Filter#destroy() */ public void destroy() { } /** * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, * javax.servlet.ServletResponse, javax.servlet.FilterChain) */ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest httpServletRequest = (HttpServletRequest) request; HttpServletRequestWrapper wrappedRequest = new HttpServletRequestWrapper( httpServletRequest); chain.doFilter(wrappedRequest, response); } /** * @see javax.servlet.Filter#init(javax.servlet.FilterConfig) */ public void init(FilterConfig config) throws ServletException { } } 2. Request wrapper /** * Wraps the [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest HttpServletRequest} * @author Mark Benussi */ public class HttpServletRequestWrapper extends javax.servlet.http.HttpServletRequestWrapper { /** * The original [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest HttpServletRequest} */ private HttpServletRequest request = null; /** * Helper to manage any common security methods */ private static SecurityHelper jaasHelper = null; /** * Default constructor * * @param request *The original [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest HttpServletRequest} */ public HttpServletRequestWrapper(HttpServletRequest request) { super(request); if (jaasHelper == null) { jaasHelper = new SecurityHelper(); } this.request = request; } /** * @see javax.servlet.http.HttpServletRequestWrapper#isUserInRole(java.lang.String) */ public boolean isUserInRole(String role) { Subject subject = jaasHelper.getSessionSubject(request, false); return jaasHelper.isSubjectInRole(subject, role); } } 3. When you call youre LoginModule get the Subject and place in the session and then write your own code to validate the Subject has the role required. 4. As for passing the session to your LoginModule, which I wouldn't do in a puristic way as the LoginModule should be able to be used by a wing app just as much as a web app. Contstruct a CallBackHandler with the username and password but also with the session or request. Then in your loginmodule you will have access to the request/session when you invoke handle callback -Original Message- From: Edmund Urbani [mailto:[EMAIL PROTECTED] Sent: 16 August 2005 15:14 To: Tomcat Users List Subject: Re: howto configure JAAS+SSO Mark Benussi wrote: >Hi Edmund. > >I am sorry but I don't know much about SSO. > >However I can tell you about JAAS in Tomcat. In 5 certainly there are >issues. Essentially when you call the LoginModule to invoke your JAAS config >it works but it does not authenticate the proper session Subject. What you >end up doing (Or what I did) was place a request filter in the app that >wraps the request with an overridden RequestWrapper and you write your own >inUserInRole against the Subject that the LoginModule returns (By placing it >in the session) > >If you want some code, taken from Wendy Smoak and others I can provide. > > > thanks. I'm currently considering to write my own login module in order to share authentication data across login contexts. i would need to access session cookies from the module and i'm not sure how/if this can be done yet. i've never written a requestwrapper myself, so i can't really tell how hard/complicated that would be. i'd be glad, if you could provide me with some code to look at. that could certainly help me decide on how to go on about that SSO requirement. Edmund - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: howto configure JAAS+SSO
Mark Benussi wrote: Hi Edmund. I am sorry but I don't know much about SSO. However I can tell you about JAAS in Tomcat. In 5 certainly there are issues. Essentially when you call the LoginModule to invoke your JAAS config it works but it does not authenticate the proper session Subject. What you end up doing (Or what I did) was place a request filter in the app that wraps the request with an overridden RequestWrapper and you write your own inUserInRole against the Subject that the LoginModule returns (By placing it in the session) If you want some code, taken from Wendy Smoak and others I can provide. thanks. I'm currently considering to write my own login module in order to share authentication data across login contexts. i would need to access session cookies from the module and i'm not sure how/if this can be done yet. i've never written a requestwrapper myself, so i can't really tell how hard/complicated that would be. i'd be glad, if you could provide me with some code to look at. that could certainly help me decide on how to go on about that SSO requirement. Edmund - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: howto configure JAAS+SSO
Hi Edmund. I am sorry but I don't know much about SSO. However I can tell you about JAAS in Tomcat. In 5 certainly there are issues. Essentially when you call the LoginModule to invoke your JAAS config it works but it does not authenticate the proper session Subject. What you end up doing (Or what I did) was place a request filter in the app that wraps the request with an overridden RequestWrapper and you write your own inUserInRole against the Subject that the LoginModule returns (By placing it in the session) If you want some code, taken from Wendy Smoak and others I can provide. -Original Message- From: Edmund Urbani [mailto:[EMAIL PROTECTED] Sent: 16 August 2005 13:14 To: Tomcat Users List Subject: howto configure JAAS+SSO hello! I'm trying to configure two webapps (slide and jetspeed2) for single-sign-on in the same tomcat instance. Both apps use JAAS and come with their own JAAS login modules. Is it possible to configure these (any?) two apps to share login info with JAAS. I started reading the JAAS docs recently and I tried putting the two login modules into one JAAS login context, but that does not seem to work, because the login module classes won't instantiate properly due to dependencies to their respective webapps. Can SSO be achieved without having the apps share one login context? Will I have to write my own login module(s)? Should I use a (completely) different approach to get SSO? Thanks for any help/advice. Edmund - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
howto configure JAAS+SSO
hello! I'm trying to configure two webapps (slide and jetspeed2) for single-sign-on in the same tomcat instance. Both apps use JAAS and come with their own JAAS login modules. Is it possible to configure these (any?) two apps to share login info with JAAS. I started reading the JAAS docs recently and I tried putting the two login modules into one JAAS login context, but that does not seem to work, because the login module classes won't instantiate properly due to dependencies to their respective webapps. Can SSO be achieved without having the apps share one login context? Will I have to write my own login module(s)? Should I use a (completely) different approach to get SSO? Thanks for any help/advice. Edmund - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Tomcat SSO with other web servers
Hi All, What Single-Sign-On strategy do you guys use for Tomcat? I know the tomcat docs support SSO within webapps on the same in-process tomcat instance, but what SSO techniques are you guys using to authenticate with other webservers like WebSphere and IIS? Is there a SAML implementation used for Tomcat?? I'm fairly new to the SSO game so any suggestions, links, whitepapers, etc.. would be very helpful. Thanks, Patrick - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Single Sign On(SSO) problem
Thanks Guillaume Lederrey! I try it, and it works! Thanks! - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Single Sign On(SSO) problem
On Friday 11 March 2005 06.36, xue daoming wrote: > How to config Single Single Sign On(SSO) in Tomcat? I read Tomcat > document, but I can't find information about it. Is something I miss? > Anybody carried out that can help me? I just gt that one working yesterday ! All the apps that need to be accessed from SSO have to use the same Realm, not the same class but the same instance. So if you want all apps in a specific host to be accessed with SSO, then put your tag in the . Configure the security in every app in the usual web.xml. Add a valve to the same host like this one : More docs in http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/valve.html That works for me, I hope it helps you ! Guillaume -- Guillaume Lederrey Informaticien Développement Tecost - Technology Consulting Studies Fribourg (Switzerland) http://www.tecost.ch/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Single Sign On(SSO) problem
Hi, All How to config Single Single Sign On(SSO) in Tomcat? I read Tomcat document, but I can't find information about it. Is something I miss? Anybody carried out that can help me? Thanks! - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE : Tomcat 4.1 SSO pb -> forget !
Sorry, there was an error in my server.xml Arnaud - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Tomcat 4.1 SSO pb
Hello ! I've got some trouble with SSO : the SSO Valve is enabled, 2 Contexts are defined . I must login on each application at the first time before I can do a straightforward switch between both application. Any Idea ? Thanks, Arnaud - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Using Tomcat to implement a Weblogic like SSO authentication
Hi, I am trying to evaluate migrating our application from Weblogic to a Tomcat/JBoss environment. One of the main roadblocks at the moment is our reliance on the way SSO is done in weblogic. In weblogic, even within the same virtual host, you can specify different SSO domains by defining diferent names for the sessionID parameter. All webapps sharing the same sessionID name will share the same user authentication information. This is independent of whether the sessionID is passed as a coockie or as a parameter of the request. So given the following URLs: /app1/main.html;dom1Id=sdjhfaksjdhfa /app2/other.html;dom1Id=sdjhfaksjdhfa /app3/another.html;dom2Id=sdjhfaksjdhfa In this case going from /app1 to /app2 will not require authentication because the they use the same SSO information. But going to /app3 will cause a login since the domain is different. Moreover, this needs to work without cookies. We have to shitch-off the use of cookies due to problems in the session cookie handle by some Browsers. Is such a configuration possible in Tomcat? Or, if not, does the Tomcat API provide what is needed so one can EASILY build such an authentication module? Any additional suggestions? I have looked and looked around for answers on this regard but found nothing. Thanks in advance, Jose - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: SSO
rlipi wrote: Hi, I found that it is possible to set Single Sign On for all web aplications running in some "Host". I do that according to this topic: http://www.ingrid.org/jajakarta/tomcat/tomcat-4.0b5/src/catalina/docs/si nglesignon.html#Security. And it also works on Tomcat 5. I welcome this feature. Nevertheless, by this way, it authenticates user to the ALL web applications. But I have a few of them where I need special authentication (for example manager or admin web application). Is it possible to configure Tomcat server: 1) to use SSO authentication for nearly all web aplication 2) to use specific authentication (Realm) for a few particular web aplications? Not with the current version since we don't support the notion of group/realm. But a patch will be welcome. I don't have any free time right now, but that will be nice to implement such feature in Tomcat 5. -- Jeanfrancois Thank You, Radek. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
SSO
Hi, I found that it is possible to set Single Sign On for all web aplications running in some "Host". I do that according to this topic: http://www.ingrid.org/jajakarta/tomcat/tomcat-4.0b5/src/catalina/docs/si nglesignon.html#Security. And it also works on Tomcat 5. I welcome this feature. Nevertheless, by this way, it authenticates user to the ALL web applications. But I have a few of them where I need special authentication (for example manager or admin web application). Is it possible to configure Tomcat server: 1) to use SSO authentication for nearly all web aplication 2) to use specific authentication (Realm) for a few particular web aplications? Thank You, Radek. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session Timeouts and SSO
Thanks, Tim. I kind of remember reading that now. I need to look at my application more carefully, to determine what is timing out. G. Wade Tim Funk wrote: > > http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/host.html#Single%20Sign%20On > > "As soon as the user logs out of one web application (for example, by > invalidating or timing out the corresponding session if form based login is > used), the user's sessions in all web applications will be invalidated. Any > subsequent attempt to access a protected resource in any application will > require the user to authenticate himself or herself again." > > -Tim > > G. Wade Johnson wrote: > > > Thanks again for all of the responses so far on my Timeout issue. > > I still have a problem, but it is not what I thought it was. > > > > Apparently, there is a set to 30 minutes in the > > $CATALINA_HOME/conf/web.xml that I have. I don't recall changing this > > (but I won't rule out the possibility). I modified that, and found > > that I could get the session to expire at the time I specify. > > > > This time, I looked at the cookies that were sent back just before I > > get the login screen and found that Tomcat is sending a request to > > delete the JSESSIONIDSSO cookie used by the SingleSignon valve. > > Apparently, it is this valve and not Tomcat proper that is signing me > > out after the timeout period. > > > > Is this expected behavior? > > > > Is there any way for me to work around this behavior? > > > > Thanks again, > > G. Wade > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session Timeouts and SSO
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/host.html#Single%20Sign%20On "As soon as the user logs out of one web application (for example, by invalidating or timing out the corresponding session if form based login is used), the user's sessions in all web applications will be invalidated. Any subsequent attempt to access a protected resource in any application will require the user to authenticate himself or herself again." -Tim G. Wade Johnson wrote: Thanks again for all of the responses so far on my Timeout issue. I still have a problem, but it is not what I thought it was. Apparently, there is a set to 30 minutes in the $CATALINA_HOME/conf/web.xml that I have. I don't recall changing this (but I won't rule out the possibility). I modified that, and found that I could get the session to expire at the time I specify. This time, I looked at the cookies that were sent back just before I get the login screen and found that Tomcat is sending a request to delete the JSESSIONIDSSO cookie used by the SingleSignon valve. Apparently, it is this valve and not Tomcat proper that is signing me out after the timeout period. Is this expected behavior? Is there any way for me to work around this behavior? Thanks again, G. Wade - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Session Timeouts and SSO
Thanks again for all of the responses so far on my Timeout issue. I still have a problem, but it is not what I thought it was. Apparently, there is a set to 30 minutes in the $CATALINA_HOME/conf/web.xml that I have. I don't recall changing this (but I won't rule out the possibility). I modified that, and found that I could get the session to expire at the time I specify. This time, I looked at the cookies that were sent back just before I get the login screen and found that Tomcat is sending a request to delete the JSESSIONIDSSO cookie used by the SingleSignon valve. Apparently, it is this valve and not Tomcat proper that is signing me out after the timeout period. Is this expected behavior? Is there any way for me to work around this behavior? Thanks again, G. Wade - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Single-Sign-On (SSO) with Tomcats in 2 different servers
Tomcat 5 will in a very near future have a cluster module that ships with it as well. Filip -Original Message- From: Ben Ricker [mailto:[EMAIL PROTECTED]] Sent: Monday, February 03, 2003 12:07 PM To: Tomcat Users List Subject: Re: Single-Sign-On (SSO) with Tomcats in 2 different servers What you want it session replication. You can search the archives for answers. Also, go to: http://www.onjava.com/pub/a/onjava/2002/07/17/tomcluster.html?page=1 for a good overview. Ben Ricker On Mon, 2003-02-03 at 13:17, Víctor Ferrero del Valle wrote: > Hi, > > I have 2 servers, both with Tomcat. On each server is installed a > different web application. > Therefore, server A has a Tomcat with application A, and server B has > another Tomcat (but same version) with Application B. > The access to the applications is restricted, so the user must provide > his userId and password before accessing the applications. > Both applications authenticate against the same LDAP server. > > The issue is that Id like to use Single Sign On (SSO) to access both > applications, so that when a user accesses one application and > identifies himself, he doesnt need to identify again when he accesses > the other application. > I think that in order to accomplishing this, the two Tomcats should be > able to share > sessions. Is this possible? Is there any other solution? > > Thanks in advance. > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > -- Ben Ricker <[EMAIL PROTECTED]> Wellinx.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Single-Sign-On (SSO) with Tomcats in 2 different servers
What you want it session replication. You can search the archives for answers. Also, go to: http://www.onjava.com/pub/a/onjava/2002/07/17/tomcluster.html?page=1 for a good overview. Ben Ricker On Mon, 2003-02-03 at 13:17, Víctor Ferrero del Valle wrote: > Hi, > > I have 2 servers, both with Tomcat. On each server is installed a > different web application. > Therefore, server A has a Tomcat with application A, and server B has > another Tomcat (but same version) with Application B. > The access to the applications is restricted, so the user must provide > his userId and password before accessing the applications. > Both applications authenticate against the same LDAP server. > > The issue is that Id like to use Single Sign On (SSO) to access both > applications, so that when a user accesses one application and > identifies himself, he doesnt need to identify again when he accesses > the other application. > I think that in order to accomplishing this, the two Tomcats should be > able to share > sessions. Is this possible? Is there any other solution? > > Thanks in advance. > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > -- Ben Ricker <[EMAIL PROTECTED]> Wellinx.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Single-Sign-On (SSO) with Tomcats in 2 different servers
Hi, I have 2 servers, both with Tomcat. On each server is installed a different web application. Therefore, server A has a Tomcat with application A, and server B has another Tomcat (but same version) with Application B. The access to the applications is restricted, so the user must provide his userId and password before accessing the applications. Both applications authenticate against the same LDAP server. The issue is that Id like to use Single Sign On (SSO) to access both applications, so that when a user accesses one application and identifies himself, he doesnt need to identify again when he accesses the other application. I think that in order to accomplishing this, the two Tomcats should be able to share sessions. Is this possible? Is there any other solution? Thanks in advance. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
SSO cookie is not present
Downloaded T4-b5 and tried configuring SSO (SingleSignOn) with FORM authentication. When the first webapp gets executed, the SSO cookie is not set (in browser). Here are my properties: server.xml: .. Made a duplicate webapp called test2 from example. Tried the example jsp/security/protected. Both webapps contains the same web.xml: Example Security Constraint Protected Area /jsp/security/protected/* DELETE GET POST PUT tomcat role1 FORM Example Form-Based Authentication Area /jsp/security/login/login.jsp /jsp/security/login/error.jsp This is what the log shows: 2001-06-14 02:53:52 SingleSignOn[localhost]: Process request for '/test2/jsp/security/protected/index.jsp' 2001-06-14 02:53:52 SingleSignOn[localhost]: Checking for SSO cookie 2001-06-14 02:53:52 SingleSignOn[localhost]: SSO cookie is not present 2001-06-14 02:53:52 StandardHost[localhost]: Mapping request URI '/test2/jsp/security/protected/index.jsp' 2001-06-14 02:53:52 StandardHost[localhost]: Mapped to context '/test2' 2001-06-14 02:54:01 SingleSignOn[localhost]: Process request for '/test2/jsp/security/protected/index.jsp' 2001-06-14 02:54:01 SingleSignOn[localhost]: Checking for SSO cookie 2001-06-14 02:54:01 SingleSignOn[localhost]: SSO cookie is not present 2001-06-14 02:54:01 StandardHost[localhost]: Mapping request URI '/test2/jsp/security/protected/index.jsp' 2001-06-14 02:54:01 StandardHost[localhost]: Mapped to context '/test2' 2001-06-14 02:54:01 jsp: init 2001-06-14 02:54:01 SessionListener: sessionCreated('50E620234093A0539630028227494569') 2001-06-14 02:54:18 SingleSignOn[localhost]: Process request for '/test2/jsp/security/protected/index.jsp' 2001-06-14 02:54:18 SingleSignOn[localhost]: Checking for SSO cookie 2001-06-14 02:54:18 SingleSignOn[localhost]: SSO cookie is not present 2001-06-14 02:54:18 StandardHost[localhost]: Mapping request URI '/test2/jsp/security/protected/index.jsp' 2001-06-14 02:54:18 StandardHost[localhost]: Mapped to context '/test2' Thanks. -- keng wong