BASIC authentication SSO with a separate IIS application

2005-09-28 Thread Anderson, Stephen
I've been told our working application must coexist with other
applications using BASIC authentication, the same domain name and a
shared authentication store to achieve single sign on (SSO).

 

Our application has been working fine without IIS or Apache sitting in
front of it.  The application is almost entirely dynamic so I didn't
feel a need before.

 

Now that we've thrown the switch on our QA tier the SSO is not working.
The other application seems to generate a key to store the
authentication in the browser of "qa.ourserver.com", while our
application generates a key of "qa.ourserver.com:80".  The browser then
treats these as separate domains.  I do not see anywhere in the config
files where this is set.

 

Q1: Can I configure Tomcat to not include the ":80" at the end of the
domain name?

Q2: Should I configure Tomcat to run behind the same IIS the other
application runs behind?

 

I'm developing in Java and the other application is developed in C## and
.net.

 

Q3: If the BASIC authentication solution weren't already dictated, what
would the preferred SSO solution be?

 

Any additional insight is also appreciated.

 

Thanks!

-Steve-

 



RE: howto configure JAAS+SSO

2005-08-16 Thread Mark Benussi
Hi Wendy,

Sure I can explain what happens but not why.

When you call the LoginModule with an optional Subject and CallBack the code
works fine for me, i.e. it calls the LoginModule and I do everything I need,
placing the Principals into the Subject.

However... and this is where I don't want to say anything sweeping in case I
have just simply misunderstood the Subject that is authenticated via the
LoginModule has no visibility to Tomcat. If I could find a way to replace
the session Subject with the one passed back from the
LoginModule.getSubject() I would be ok, but I couldn't, so I placed the
authorised Subject in the session and overrode the request.isUserInRole() to
authorise against the Subject I placed in the session.

One of these days I might ask the Tomcat dev list what I was doing wrong but
got comments from other developers saying they had the same problem [All the
JAAS examples do it the way I have described in some shape or form]

Its not that bid a deal, and if you just use the Request wrapper I have
attached you know that in the future you can remove the filter if you go to
WebSphere or something like that.

-Original Message-
From: Wendy Smoak [mailto:[EMAIL PROTECTED] 
Sent: 16 August 2005 17:44
To: Tomcat Users List
Subject: Re: howto configure JAAS+SSO

From: "Mark Benussi" <[EMAIL PROTECTED]>

> However I can tell you about JAAS in Tomcat. In 5 certainly there are
> issues. Essentially when you call the LoginModule to invoke your JAAS 
> config
> it works but it does not authenticate the proper session Subject.

Can you explain more about this?  I just _finally_ got the jsp-examples 
webapp that ships with Tomcat changed over to Kerberos authentication. Am I 
about to run into problems?

> What you end up doing (Or what I did) was place a request filter in the 
> app that
> wraps the request with an overridden RequestWrapper and you write your own
> inUserInRole against the Subject that the LoginModule returns (By placing 
> it
> in the session)
>
> If you want some code, taken from Wendy Smoak ...

.. who took it from one of Craig's tomcat-user posts. ;)
http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatRequestWrapper

-- 
Wendy Smoak 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: howto configure JAAS+SSO

2005-08-16 Thread Wendy Smoak

From: "Mark Benussi" <[EMAIL PROTECTED]>


However I can tell you about JAAS in Tomcat. In 5 certainly there are
issues. Essentially when you call the LoginModule to invoke your JAAS 
config

it works but it does not authenticate the proper session Subject.


Can you explain more about this?  I just _finally_ got the jsp-examples 
webapp that ships with Tomcat changed over to Kerberos authentication. Am I 
about to run into problems?


What you end up doing (Or what I did) was place a request filter in the 
app that

wraps the request with an overridden RequestWrapper and you write your own
inUserInRole against the Subject that the LoginModule returns (By placing 
it

in the session)

If you want some code, taken from Wendy Smoak ...


... who took it from one of Craig's tomcat-user posts. ;)
http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatRequestWrapper

--
Wendy Smoak 



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: howto configure JAAS+SSO [Apologies code attached]

2005-08-16 Thread Edmund Urbani

Mark Benussi wrote:


1.Filter to go in web.xml

/**
* [EMAIL PROTECTED] javax.servlet.Filter Filter} to overide the 
HttpServletRequest and
* overide isUserInRole() using the
* [EMAIL PROTECTED] com.ibt.framework.security.tomcat.HttpServletRequestWrapper
HttpServletRequestWrapper}
* 
* @author Mark Benussi

*/
public class HttpServletRequestFilter implements Filter {

/**
 * @see javax.servlet.Filter#destroy()
 */
public void destroy() {
}

/**
 * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
 *  javax.servlet.ServletResponse, javax.servlet.FilterChain)
 */
public void doFilter(ServletRequest request, ServletResponse
response,
FilterChain chain) throws IOException,
ServletException {

HttpServletRequest httpServletRequest = (HttpServletRequest)
request;
HttpServletRequestWrapper wrappedRequest = new
HttpServletRequestWrapper(
httpServletRequest);
chain.doFilter(wrappedRequest, response);
}

/**
 * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
 */
public void init(FilterConfig config) throws ServletException {
}
}

2. Request wrapper

/**
* Wraps the [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest
HttpServletRequest} 
* @author Mark Benussi

*/
public class HttpServletRequestWrapper extends
javax.servlet.http.HttpServletRequestWrapper {

/**
 * The original [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest
HttpServletRequest}
 */
private HttpServletRequest request = null;

/**
 * Helper to manage any common security methods
 */
private static SecurityHelper jaasHelper = null;

/**
 * Default constructor
	 * 
	 * @param request

 *The original [EMAIL PROTECTED]
javax.servlet.http.HttpServletRequest HttpServletRequest}
 */
public HttpServletRequestWrapper(HttpServletRequest request) {

super(request);
if (jaasHelper == null) {
jaasHelper = new SecurityHelper();
}
this.request = request;
}

/**
 * @see
javax.servlet.http.HttpServletRequestWrapper#isUserInRole(java.lang.String)
 */
public boolean isUserInRole(String role) {

Subject subject = jaasHelper.getSessionSubject(request,
false);
return jaasHelper.isSubjectInRole(subject, role);
}
}

3. When you call youre LoginModule get the Subject and place in the session
and then write your own code to validate the Subject has the role required.

4. As for passing the session to your LoginModule, which I wouldn't do in a
puristic way as the LoginModule should be able to be used by a wing app just
as much as a web app.
 

well. my login module would be for the very special purpose of making 
SSO of webapps possible, so i wouldn't have much of a problem with this.



Contstruct a CallBackHandler with the username and password but also with
the session or request. Then in your loginmodule you will have access to the
request/session when you invoke handle callback

 



wow. thanks a lot!
the code looks much simpler than i would have expected.

i think this will do nicely. :)

Edmund


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: howto configure JAAS+SSO [Apologies code attached]

2005-08-16 Thread Mark Benussi
1.Filter to go in web.xml

/**
 * [EMAIL PROTECTED] javax.servlet.Filter Filter} to overide the 
HttpServletRequest and
 * overide isUserInRole() using the
 * [EMAIL PROTECTED] com.ibt.framework.security.tomcat.HttpServletRequestWrapper
HttpServletRequestWrapper}
 * 
 * @author Mark Benussi
 */
public class HttpServletRequestFilter implements Filter {

/**
 * @see javax.servlet.Filter#destroy()
 */
public void destroy() {
}

/**
 * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
 *  javax.servlet.ServletResponse, javax.servlet.FilterChain)
 */
public void doFilter(ServletRequest request, ServletResponse
response,
FilterChain chain) throws IOException,
ServletException {

HttpServletRequest httpServletRequest = (HttpServletRequest)
request;
HttpServletRequestWrapper wrappedRequest = new
HttpServletRequestWrapper(
httpServletRequest);
chain.doFilter(wrappedRequest, response);
}

/**
 * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
 */
public void init(FilterConfig config) throws ServletException {
}
}

2. Request wrapper

/**
 * Wraps the [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest
HttpServletRequest} 
 * @author Mark Benussi
 */
public class HttpServletRequestWrapper extends
javax.servlet.http.HttpServletRequestWrapper {

/**
 * The original [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest
HttpServletRequest}
 */
private HttpServletRequest request = null;

/**
 * Helper to manage any common security methods
 */
private static SecurityHelper jaasHelper = null;

/**
 * Default constructor
 * 
 * @param request
 *The original [EMAIL PROTECTED]
javax.servlet.http.HttpServletRequest HttpServletRequest}
 */
public HttpServletRequestWrapper(HttpServletRequest request) {

super(request);
if (jaasHelper == null) {
jaasHelper = new SecurityHelper();
}
this.request = request;
}

/**
 * @see
javax.servlet.http.HttpServletRequestWrapper#isUserInRole(java.lang.String)
 */
public boolean isUserInRole(String role) {

Subject subject = jaasHelper.getSessionSubject(request,
false);
return jaasHelper.isSubjectInRole(subject, role);
}
}

3. When you call youre LoginModule get the Subject and place in the session
and then write your own code to validate the Subject has the role required.

4. As for passing the session to your LoginModule, which I wouldn't do in a
puristic way as the LoginModule should be able to be used by a wing app just
as much as a web app.

Contstruct a CallBackHandler with the username and password but also with
the session or request. Then in your loginmodule you will have access to the
request/session when you invoke handle callback


-Original Message-
From: Edmund Urbani [mailto:[EMAIL PROTECTED] 
Sent: 16 August 2005 15:14
To: Tomcat Users List
Subject: Re: howto configure JAAS+SSO

Mark Benussi wrote:

>Hi Edmund.
>
>I am sorry but I don't know much about SSO.
>
>However I can tell you about JAAS in Tomcat. In 5 certainly there are
>issues. Essentially when you call the LoginModule to invoke your JAAS
config
>it works but it does not authenticate the proper session Subject. What you
>end up doing (Or what I did) was place a request filter in the app that
>wraps the request with an overridden RequestWrapper and you write your own
>inUserInRole against the Subject that the LoginModule returns (By placing
it
>in the session)
>
>If you want some code, taken from Wendy Smoak and others I can provide.
>
>  
>
thanks.

I'm currently considering to write my own login module in order to share 
authentication data across login contexts. i would need to access 
session cookies from the module and i'm not sure how/if this can be done 
yet.

i've never written a requestwrapper myself, so i can't really tell how 
hard/complicated that would be. i'd be glad, if you could provide me 
with some code to look at. that could certainly help me decide on how to 
go on about that SSO requirement.

 Edmund


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: howto configure JAAS+SSO

2005-08-16 Thread Edmund Urbani

Mark Benussi wrote:


Hi Edmund.

I am sorry but I don't know much about SSO.

However I can tell you about JAAS in Tomcat. In 5 certainly there are
issues. Essentially when you call the LoginModule to invoke your JAAS config
it works but it does not authenticate the proper session Subject. What you
end up doing (Or what I did) was place a request filter in the app that
wraps the request with an overridden RequestWrapper and you write your own
inUserInRole against the Subject that the LoginModule returns (By placing it
in the session)

If you want some code, taken from Wendy Smoak and others I can provide.

 


thanks.

I'm currently considering to write my own login module in order to share 
authentication data across login contexts. i would need to access 
session cookies from the module and i'm not sure how/if this can be done 
yet.


i've never written a requestwrapper myself, so i can't really tell how 
hard/complicated that would be. i'd be glad, if you could provide me 
with some code to look at. that could certainly help me decide on how to 
go on about that SSO requirement.


Edmund


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: howto configure JAAS+SSO

2005-08-16 Thread Mark Benussi
Hi Edmund.

I am sorry but I don't know much about SSO.

However I can tell you about JAAS in Tomcat. In 5 certainly there are
issues. Essentially when you call the LoginModule to invoke your JAAS config
it works but it does not authenticate the proper session Subject. What you
end up doing (Or what I did) was place a request filter in the app that
wraps the request with an overridden RequestWrapper and you write your own
inUserInRole against the Subject that the LoginModule returns (By placing it
in the session)

If you want some code, taken from Wendy Smoak and others I can provide.

-Original Message-
From: Edmund Urbani [mailto:[EMAIL PROTECTED] 
Sent: 16 August 2005 13:14
To: Tomcat Users List
Subject: howto configure JAAS+SSO


hello!

I'm trying to configure two webapps (slide and jetspeed2) for 
single-sign-on in the same tomcat instance. Both apps use JAAS and come 
with their own JAAS login modules. Is it possible to configure these 
(any?) two apps to share login info with JAAS. I started reading the 
JAAS docs recently and I tried putting the two login modules into one 
JAAS login context, but that does not seem to work, because the login 
module classes won't instantiate properly due to dependencies to their 
respective webapps.

Can SSO be achieved without having the apps share one login context?
Will I have to write my own login module(s)?
Should I use a (completely) different approach to get SSO?

Thanks for any help/advice.

 Edmund


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



howto configure JAAS+SSO

2005-08-16 Thread Edmund Urbani


hello!

I'm trying to configure two webapps (slide and jetspeed2) for 
single-sign-on in the same tomcat instance. Both apps use JAAS and come 
with their own JAAS login modules. Is it possible to configure these 
(any?) two apps to share login info with JAAS. I started reading the 
JAAS docs recently and I tried putting the two login modules into one 
JAAS login context, but that does not seem to work, because the login 
module classes won't instantiate properly due to dependencies to their 
respective webapps.


Can SSO be achieved without having the apps share one login context?
Will I have to write my own login module(s)?
Should I use a (completely) different approach to get SSO?

Thanks for any help/advice.

Edmund


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Tomcat SSO with other web servers

2005-04-20 Thread Patrick Lacson
Hi All,

What Single-Sign-On strategy do you guys use for Tomcat?  I know the
tomcat docs support SSO within webapps on the same in-process tomcat
instance, but what SSO techniques are you guys using to authenticate
with other webservers like WebSphere and IIS?

Is there a SAML implementation used for Tomcat??  I'm fairly new to
the SSO game so any suggestions, links, whitepapers, etc.. would be
very helpful.

Thanks,
Patrick

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Single Sign On(SSO) problem

2005-03-13 Thread xue daoming
Thanks Guillaume Lederrey!
I try it, and it works!
Thanks!

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Single Sign On(SSO) problem

2005-03-11 Thread Guillaume Lederrey
On Friday 11 March 2005 06.36, xue daoming wrote:
> How to config Single Single Sign On(SSO) in Tomcat? I read Tomcat
> document, but I can't find information about it. Is something I miss?
> Anybody carried out that can help me?

  I just gt that one working yesterday !

  All the apps that need to be accessed from SSO have to use the same Realm, 
not the same class but the same instance. So if you want all apps in a 
specific host to be accessed with SSO, then put your  tag in the 
.

  Configure the security in every app in the usual web.xml.

  Add a valve to the same host like this one :


  More docs in 
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/valve.html

  That works for me, I hope it helps you !

 Guillaume

-- 


Guillaume Lederrey
Informaticien Développement
Tecost - Technology Consulting Studies
Fribourg (Switzerland)
http://www.tecost.ch/

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Single Sign On(SSO) problem

2005-03-10 Thread xue daoming
Hi, All

How to config Single Single Sign On(SSO) in Tomcat? I read Tomcat
document, but I can't find information about it. Is something I miss?
Anybody carried out that can help me?
 
Thanks!

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE : Tomcat 4.1 SSO pb -> forget !

2004-06-21 Thread Boulay Arnaud
Sorry,
there was an error in my server.xml
Arnaud

 

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Tomcat 4.1 SSO pb

2004-06-21 Thread Boulay Arnaud
Hello !
I've got some trouble with SSO :
the SSO Valve is enabled, 2 Contexts are defined .
I must login on each application at the first time before I can do a straightforward 
switch between both application.
Any Idea ?
Thanks,
Arnaud
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Using Tomcat to implement a Weblogic like SSO authentication

2004-03-10 Thread Jose Alberto Fernandez
Hi, I am trying to evaluate migrating our application from Weblogic to a

Tomcat/JBoss environment. One of the main roadblocks at the moment is
our 
reliance on the way SSO is done in weblogic.

In weblogic, even within the same virtual host, you can specify
different SSO 
domains by defining diferent names for the sessionID parameter. All
webapps 
sharing the same sessionID name will share the same user authentication 
information. This is independent of whether the sessionID is passed as a

coockie or as a parameter of the request. So given the following URLs:

   /app1/main.html;dom1Id=sdjhfaksjdhfa
   /app2/other.html;dom1Id=sdjhfaksjdhfa
   /app3/another.html;dom2Id=sdjhfaksjdhfa

In this case going from /app1 to /app2 will not require authentication
because the they use the same SSO information. But going to /app3 will
cause a login since the domain is different. Moreover, this needs to
work 
without cookies. We have to shitch-off the use of cookies due to
problems in the session cookie handle by some Browsers.

Is such a configuration possible in Tomcat? Or, if not, does the Tomcat
API 
provide what is needed so one can EASILY build such an authentication
module?

Any additional suggestions? I have looked and looked around for answers
on 
this regard but found nothing.

Thanks in advance,

Jose




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: SSO

2004-02-05 Thread Jeanfrancois Arcand


rlipi wrote:

Hi,
I found that it is possible to set Single Sign On for all web
aplications running in some "Host". 

I do that according to this topic:
http://www.ingrid.org/jajakarta/tomcat/tomcat-4.0b5/src/catalina/docs/si
nglesignon.html#Security. And it also works on Tomcat 5.
I welcome this feature. Nevertheless, by this way, it authenticates user
to the ALL web applications. But I have a few of them where I need
special authentication (for example manager or admin web application). 

Is it possible to configure Tomcat server:
1) to use SSO authentication for nearly all web aplication
2) to use specific authentication (Realm) for a few particular web
aplications?
 

Not with the current version since we don't support the notion of 
group/realm. But a patch will be welcome. I don't have any free time 
right now, but that will be nice to implement such feature in Tomcat 5.

-- Jeanfrancois




Thank You,
Radek.




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
 



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


SSO

2004-02-05 Thread rlipi
Hi,
I found that it is possible to set Single Sign On for all web
aplications running in some "Host". 

I do that according to this topic:
http://www.ingrid.org/jajakarta/tomcat/tomcat-4.0b5/src/catalina/docs/si
nglesignon.html#Security. And it also works on Tomcat 5.

I welcome this feature. Nevertheless, by this way, it authenticates user
to the ALL web applications. But I have a few of them where I need
special authentication (for example manager or admin web application). 

Is it possible to configure Tomcat server:
1) to use SSO authentication for nearly all web aplication
2) to use specific authentication (Realm) for a few particular web
aplications?

Thank You,
Radek.





-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Session Timeouts and SSO

2003-09-08 Thread G. Wade Johnson
Thanks, Tim.

I kind of remember reading that now. I need to look at my application
more carefully, to determine what is timing out.

G. Wade

Tim Funk wrote:
> 
> http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/host.html#Single%20Sign%20On
> 
> "As soon as the user logs out of one web application (for example, by
> invalidating or timing out the corresponding session if form based login is
> used), the user's sessions in all  web applications will be invalidated. Any
> subsequent attempt to access a protected resource in any application will
> require the user to authenticate himself or herself again."
> 
> -Tim
> 
> G. Wade Johnson wrote:
> 
> > Thanks again for all of the responses so far on my Timeout issue.
> > I still have a problem, but it is not what I thought it was.
> >
> > Apparently, there is a  set to 30 minutes in the
> > $CATALINA_HOME/conf/web.xml that I have. I don't recall changing this
> > (but I won't rule out the possibility). I modified that, and found
> > that I could get the session to expire at the time I specify.
> >
> > This time, I looked at the cookies that were sent back just before I
> > get the login screen and found that Tomcat is sending a request to
> > delete the JSESSIONIDSSO cookie used by the SingleSignon valve.
> > Apparently, it is this valve and not Tomcat proper that is signing me
> > out after the timeout period.
> >
> > Is this expected behavior?
> >
> > Is there any way for me to work around this behavior?
> >
> > Thanks again,
> > G. Wade
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Session Timeouts and SSO

2003-09-06 Thread Tim Funk
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/host.html#Single%20Sign%20On

"As soon as the user logs out of one web application (for example, by 
invalidating or timing out the corresponding session if form based login is 
used), the user's sessions in all  web applications will be invalidated. Any 
subsequent attempt to access a protected resource in any application will 
require the user to authenticate himself or herself again."

-Tim

G. Wade Johnson wrote:

Thanks again for all of the responses so far on my Timeout issue.
I still have a problem, but it is not what I thought it was.
Apparently, there is a  set to 30 minutes in the
$CATALINA_HOME/conf/web.xml that I have. I don't recall changing this
(but I won't rule out the possibility). I modified that, and found
that I could get the session to expire at the time I specify.
This time, I looked at the cookies that were sent back just before I
get the login screen and found that Tomcat is sending a request to
delete the JSESSIONIDSSO cookie used by the SingleSignon valve.
Apparently, it is this valve and not Tomcat proper that is signing me
out after the timeout period.
Is this expected behavior?

Is there any way for me to work around this behavior?

Thanks again,
G. Wade


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Session Timeouts and SSO

2003-09-05 Thread G. Wade Johnson
Thanks again for all of the responses so far on my Timeout issue.
I still have a problem, but it is not what I thought it was.

Apparently, there is a  set to 30 minutes in the
$CATALINA_HOME/conf/web.xml that I have. I don't recall changing this
(but I won't rule out the possibility). I modified that, and found
that I could get the session to expire at the time I specify.

This time, I looked at the cookies that were sent back just before I
get the login screen and found that Tomcat is sending a request to
delete the JSESSIONIDSSO cookie used by the SingleSignon valve.
Apparently, it is this valve and not Tomcat proper that is signing me
out after the timeout period.

Is this expected behavior?

Is there any way for me to work around this behavior?

Thanks again,
G. Wade

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Single-Sign-On (SSO) with Tomcats in 2 different servers

2003-02-03 Thread Filip Hanik
Tomcat 5 will in a very near future have a cluster module that ships with it as well.

Filip

-Original Message-
From: Ben Ricker [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 03, 2003 12:07 PM
To: Tomcat Users List
Subject: Re: Single-Sign-On (SSO) with Tomcats in 2 different servers


What you want it session replication. You can search the archives for
answers. Also, go to:
http://www.onjava.com/pub/a/onjava/2002/07/17/tomcluster.html?page=1
for a good overview.

Ben Ricker

On Mon, 2003-02-03 at 13:17, Víctor Ferrero del Valle wrote:
> Hi,
> 
> I have 2 servers, both with Tomcat. On each server is installed a
> different web application.
> Therefore, server A has a Tomcat with application A, and server B has
> another Tomcat (but same version) with Application B.
> The access to the applications is restricted, so the user must provide
> his userId and password before accessing the applications.
> Both applications authenticate against the same LDAP server.
> 
> The issue is that Id like to use Single Sign On (SSO) to access both
> applications, so that when a user accesses one application and
> identifies himself, he doesnt need to identify again when he accesses
> the other application.
> I think that in order to accomplishing this, the two Tomcats should be
> able to share
> sessions. Is this possible? Is there any other solution?
> 
> Thanks in advance.
> 
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
-- 
Ben Ricker <[EMAIL PROTECTED]>
Wellinx.com


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




Re: Single-Sign-On (SSO) with Tomcats in 2 different servers

2003-02-03 Thread Ben Ricker
What you want it session replication. You can search the archives for
answers. Also, go to:
http://www.onjava.com/pub/a/onjava/2002/07/17/tomcluster.html?page=1
for a good overview.

Ben Ricker

On Mon, 2003-02-03 at 13:17, Víctor Ferrero del Valle wrote:
> Hi,
> 
> I have 2 servers, both with Tomcat. On each server is installed a
> different web application.
> Therefore, server A has a Tomcat with application A, and server B has
> another Tomcat (but same version) with Application B.
> The access to the applications is restricted, so the user must provide
> his userId and password before accessing the applications.
> Both applications authenticate against the same LDAP server.
> 
> The issue is that Id like to use Single Sign On (SSO) to access both
> applications, so that when a user accesses one application and
> identifies himself, he doesnt need to identify again when he accesses
> the other application.
> I think that in order to accomplishing this, the two Tomcats should be
> able to share
> sessions. Is this possible? Is there any other solution?
> 
> Thanks in advance.
> 
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
-- 
Ben Ricker <[EMAIL PROTECTED]>
Wellinx.com


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




Single-Sign-On (SSO) with Tomcats in 2 different servers

2003-02-03 Thread Víctor Ferrero del Valle
Hi,

I have 2 servers, both with Tomcat. On each server is installed a
different web application.
Therefore, server A has a Tomcat with application A, and server B has
another Tomcat (but same version) with Application B.
The access to the applications is restricted, so the user must provide
his userId and password before accessing the applications.
Both applications authenticate against the same LDAP server.

The issue is that I’d like to use Single Sign On (SSO) to access both
applications, so that when a user accesses one application and
identifies himself, he doesn’t need to identify again when he accesses
the other application.
I think that in order to accomplishing this, the two Tomcats should be
able to share
sessions. Is this possible? Is there any other solution?

Thanks in advance.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




SSO cookie is not present

2001-06-14 Thread Keng Wong

Downloaded T4-b5 and tried configuring SSO (SingleSignOn) with FORM 
authentication. When the first webapp gets executed, the SSO cookie is not 
set (in browser).

Here are my properties:

server.xml:



   
..



Made a duplicate webapp called test2 from example. Tried the example 
jsp/security/protected.
Both webapps contains the same web.xml:
 
  Example Security Constraint
  
 Protected Area
 
 /jsp/security/protected/*
 
 DELETE
 GET
 POST
 PUT
  
  
 
 tomcat
 role1
  



  FORM
  Example Form-Based Authentication Area
  
/jsp/security/login/login.jsp
/jsp/security/login/error.jsp
  


This is what the log shows:
2001-06-14 02:53:52 SingleSignOn[localhost]: Process request for 
'/test2/jsp/security/protected/index.jsp'
2001-06-14 02:53:52 SingleSignOn[localhost]:  Checking for SSO cookie
2001-06-14 02:53:52 SingleSignOn[localhost]:  SSO cookie is not present
2001-06-14 02:53:52 StandardHost[localhost]: Mapping request URI 
'/test2/jsp/security/protected/index.jsp'
2001-06-14 02:53:52 StandardHost[localhost]:  Mapped to context '/test2'
2001-06-14 02:54:01 SingleSignOn[localhost]: Process request for 
'/test2/jsp/security/protected/index.jsp'
2001-06-14 02:54:01 SingleSignOn[localhost]:  Checking for SSO cookie
2001-06-14 02:54:01 SingleSignOn[localhost]:  SSO cookie is not present
2001-06-14 02:54:01 StandardHost[localhost]: Mapping request URI 
'/test2/jsp/security/protected/index.jsp'
2001-06-14 02:54:01 StandardHost[localhost]:  Mapped to context '/test2'
2001-06-14 02:54:01 jsp: init
2001-06-14 02:54:01 SessionListener: 
sessionCreated('50E620234093A0539630028227494569')
2001-06-14 02:54:18 SingleSignOn[localhost]: Process request for 
'/test2/jsp/security/protected/index.jsp'
2001-06-14 02:54:18 SingleSignOn[localhost]:  Checking for SSO cookie
2001-06-14 02:54:18 SingleSignOn[localhost]:  SSO cookie is not present
2001-06-14 02:54:18 StandardHost[localhost]: Mapping request URI 
'/test2/jsp/security/protected/index.jsp'
2001-06-14 02:54:18 StandardHost[localhost]:  Mapped to context '/test2'

Thanks.


-- 
keng wong