Re: Single sign on issue with Tomcat and Apache
Many thanks!! I am planning to follow the below approach only.

>>> Or, leave Apache in-between, but have it pass all requests for "bbb" to Tomcat also (like it does for aaa and ccc), and serve the static pages from Tomcat, subject to basic authentication on Tomcat. This way, after the first authentication, no matter where in aaa/bbb/ccc, Tomcat would know and keep the authentication even if you later switch between aaa/bbb/ccc.

I am planning to move bbb (Apache static pages) to Tomcat and make it Tomcat Basic authentication, so I can access aaa/bbb/ccc. This seems to be the best solution for me. (Because there are some other applications which are running on Tomcat, and this may be useful for future enhancements also.)

Now I am looking into the feasibility of moving those pages to Tomcat.

Thanks to you all and thanks to the wonderful forum.

awarnier wrote:
>
> sridharmnj wrote:
>> - there is only one Apache, and one Tomcat, on the same physical server
>> yes
>> - there are no Apache VirtualHosts (or there is only one), and there is only one Tomcat section in server.xml
>> Apache virtualhost is there, and tomcat host is
>> - the back-end for the authentication is the same MySql database system, and the same table. In one case it is accessed by an Apache module (mod_auth_mysql), in the other by some Java module under Tomcat (that's my own weak point by the way, I'm not really a Java/Tomcat guy)
>> yes, authentication is mysql database
>> - there is only one single DNS domain (which simplifies certain issues)
>> yes like www.mywebsite.com
>> - all authentication is of type "Basic", which means based on the exchange of HTTP headers from browser to server.
>> No, aaa is based on FORM authentication, and it should not be changed
> [...]
>> Hmm, I am sorry if I misled you. aaa is based on FORM authentication only and my client does not want to change it.
>
> As Johnny and I are telling you in different words but with the same meaning, you are mixing two different kinds of authentication, and Apache (and the browser) unfortunately never see the authentication that happens with the Tomcat FORM method. And there is even no way, at the Tomcat level, to pass this information back to Apache (and neither does it need to be passed back to Apache; it should be passed to the browser, see below).
>
> Or, let me put this another way: there is no simple way, using just the standard Apache and Tomcat configuration and standard add-on modules.
>
> If your client absolutely wants to keep the FORM authentication for aaa, and still wants to have a single-sign-on between the 3 areas aaa/ccc/bbb, then the other solution would be to change the authentication method for bbb and ccc.
>
> One general solution, roughly outlined in one of my previous emails: do all the authentication(s) at the Apache level, and pass the Apache authentication to Tomcat.
> You could do something, at the Apache level, that will authenticate the user always with a form (for aaa/bbb/ccc), and it could even be the same "look" as the login.jsp currently used on Tomcat/aaa. And it would be single-sign-on for all aaa/bbb/ccc.
> That would be the "cleanest" solution.
> (Note: the Tomcat applications would still be protected and authenticated. They just would no longer handle the login dialog themselves.)
>
> Or, another solution: cut out Apache, and use Tomcat also as the HTTP server for the static pages of bbb. If what happens on Apache is no more than serving static html pages for bbb, Tomcat can do that too. And this way, you could protect bbb by a Tomcat-level Basic authentication, and it would also fall within your Tomcat single-sign-on.
>
> Or, leave Apache in-between, but have it pass all requests for "bbb" to Tomcat also (like it does for aaa and ccc), and serve the static pages from Tomcat, subject to basic authentication on Tomcat. This way, after the first authentication, no matter where in aaa/bbb/ccc, Tomcat would know and keep the authentication even if you later switch between aaa/bbb/ccc.
>
> In Basic authentication, it is the browser basically that decides to send the "authorization : Basic U3JpZGabkyuUZXN0aW5n" header, depending on what it knows (that the realm "xxx" requires authorization). It knows that because, in a previous attempt to access this same realm, it received a 401 response from the server, telling it "authorization required for realm xxx".
> But in your case, when the user accesses "aaa" first, the browser never receives a 401 response, so it never knows that it must send the "authorization" header, and it never does.
> So when you go from aaa to bbb, it does not send the header either, even if the realm is the same, because it does not know (yet) that an authorization is required. The result is that Apache sends back a 401 response then, and the result of that
Re: Single sign on issue with Tomcat and Apache
sridharmnj wrote:
> - there is only one Apache, and one Tomcat, on the same physical server
> yes
> - there are no Apache VirtualHosts (or there is only one), and there is only one Tomcat section in server.xml
> Apache virtualhost is there, and tomcat host is
> - the back-end for the authentication is the same MySql database system, and the same table. In one case it is accessed by an Apache module (mod_auth_mysql), in the other by some Java module under Tomcat (that's my own weak point by the way, I'm not really a Java/Tomcat guy)
> yes, authentication is mysql database
> - there is only one single DNS domain (which simplifies certain issues)
> yes like www.mywebsite.com
> - all authentication is of type "Basic", which means based on the exchange of HTTP headers from browser to server.
> No, aaa is based on FORM authentication, and it should not be changed
[...]
> Hmm, I am sorry if I misled you. aaa is based on FORM authentication only and my client does not want to change it.

As Johnny and I are telling you in different words but with the same meaning, you are mixing two different kinds of authentication, and Apache (and the browser) unfortunately never see the authentication that happens with the Tomcat FORM method. And there is even no way, at the Tomcat level, to pass this information back to Apache (and neither does it need to be passed back to Apache; it should be passed to the browser, see below).

Or, let me put this another way: there is no simple way, using just the standard Apache and Tomcat configuration and standard add-on modules.

If your client absolutely wants to keep the FORM authentication for aaa, and still wants to have a single-sign-on between the 3 areas aaa/ccc/bbb, then the other solution would be to change the authentication method for bbb and ccc.

One general solution, roughly outlined in one of my previous emails: do all the authentication(s) at the Apache level, and pass the Apache authentication to Tomcat.
You could do something, at the Apache level, that will authenticate the user always with a form (for aaa/bbb/ccc), and it could even be the same "look" as the login.jsp currently used on Tomcat/aaa. And it would be single-sign-on for all aaa/bbb/ccc.
That would be the "cleanest" solution.
(Note: the Tomcat applications would still be protected and authenticated. They just would no longer handle the login dialog themselves.)

Or, another solution: cut out Apache, and use Tomcat also as the HTTP server for the static pages of bbb. If what happens on Apache is no more than serving static html pages for bbb, Tomcat can do that too. And this way, you could protect bbb by a Tomcat-level Basic authentication, and it would also fall within your Tomcat single-sign-on.

Or, leave Apache in-between, but have it pass all requests for "bbb" to Tomcat also (like it does for aaa and ccc), and serve the static pages from Tomcat, subject to basic authentication on Tomcat. This way, after the first authentication, no matter where in aaa/bbb/ccc, Tomcat would know and keep the authentication even if you later switch between aaa/bbb/ccc.

In Basic authentication, it is the browser basically that decides to send the "authorization : Basic U3JpZGabkyuUZXN0aW5n" header, depending on what it knows (that the realm "xxx" requires authorization). It knows that because, in a previous attempt to access this same realm, it received a 401 response from the server, telling it "authorization required for realm xxx".
But in your case, when the user accesses "aaa" first, the browser never receives a 401 response, so it never knows that it must send the "authorization" header, and it never does.
So when you go from aaa to bbb, it does not send the header either, even if the realm is the same, because it does not know (yet) that an authorization is required. The result is that Apache sends back a 401 response then, and the result of that is that the browser pops up the login dialog (again).
That's a bit simplified, but it's the essence.

On the other hand, Tomcat *never* sends any authentication information back to Apache. When you access ccc first, it is Tomcat that sends the 401 response to the browser, and that is how *the browser* then "knows". Apache never "knows".

[...]

André

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
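The exchange André describes above, as an added example that is not part of the thread and not code from Tomcat or Apache: a small Python model of one browser walking through aaa, bbb and ccc on a single origin. It assumes a constructed user (sridhar / s3cret), models Tomcat's SingleSignOn valve as a host-wide JSESSIONIDSSO cookie that only Tomcat-served areas can read, and keys the browser's pre-emptive Basic credentials on the realm name alone (real browsers also consider the host and the path prefix, which does not change the outcome for these paths). Nothing touches the network. Running it reproduces scenarios 1 to 4 from the thread as the number of password prompts the user sees, and shows the extra prompt disappearing once bbb is served by Tomcat.

```python
import base64
import re

REALM = "myWebSite Security"
USERS = {"sridhar": "s3cret"}   # constructed demo credential, not from the thread
SSO_COOKIE = "JSESSIONIDSSO"    # the cookie Tomcat's SingleSignOn valve sets

def parse_basic(value):
    """Decode an 'Authorization: Basic <base64>' value to (user, password), or None."""
    scheme, _, b64 = (value or "").partition(" ")
    if scheme.lower() != "basic" or not b64:
        return None
    try:
        raw = base64.b64decode(b64.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

class Server:
    """One origin: Apache fronts /bbb; Tomcat serves /aaa (FORM) and /ccc (BASIC)."""
    def __init__(self, bbb_on_tomcat=False):
        self.bbb_on_tomcat = bbb_on_tomcat
        self.sso = {}        # SSO cookie value -> user, held server-side by Tomcat

    def _new_sso(self, user):
        sid = f"sso{len(self.sso) + 1}"
        self.sso[sid] = user
        return {"Set-Cookie": f"{SSO_COOKIE}={sid}"}

    def handle(self, path, headers, form=None):
        """Return (status, response headers, body)."""
        area = path.split("/")[1]
        on_tomcat = area in ("aaa", "ccc") or (area == "bbb" and self.bbb_on_tomcat)
        # SingleSignOn valve: every Tomcat webapp honours the SSO cookie. Apache
        # never sees this state, so an Apache-served bbb cannot use it.
        m = re.search(SSO_COOKIE + r"=([^;]+)", headers.get("Cookie", ""))
        if on_tomcat and m and m.group(1) in self.sso:
            return 200, {}, f"{area}: hello {self.sso[m.group(1)]}"
        if area == "aaa":
            # FORM auth never sends a 401; credentials arrive as POST fields.
            if form and USERS.get(form.get("j_username")) == form.get("j_password"):
                return 200, self._new_sso(form["j_username"]), "aaa: logged in"
            return 200, {}, "aaa: login form"
        if area in ("bbb", "ccc"):
            creds = parse_basic(headers.get("Authorization"))
            if creds and USERS.get(creds[0]) == creds[1]:
                extra = self._new_sso(creds[0]) if on_tomcat else {}
                return 200, extra, f"{area}: hello {creds[0]}"
            return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "unauthorized"
        return 404, {}, "not found"

class Browser:
    """Sends Basic credentials pre-emptively only for realms it was already challenged for."""
    def __init__(self, server, user, password):
        self.server, self.user, self.password = server, user, password
        self.known_realms, self.cookies = set(), {}
        self.prompts = 0     # how many times the password dialog appeared

    def _basic(self):
        return "Basic " + base64.b64encode(f"{self.user}:{self.password}".encode()).decode()

    def _request(self, path, headers, form):
        status, resp_headers, body = self.server.handle(path, headers, form)
        if "Set-Cookie" in resp_headers:
            name, value = resp_headers["Set-Cookie"].split("=", 1)
            self.cookies[name] = value
        return status, resp_headers, body

    def get(self, path, form=None):
        headers = {}
        if self.cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        if REALM in self.known_realms:          # simplification: keyed on realm only
            headers["Authorization"] = self._basic()
        status, resp_headers, body = self._request(path, headers, form)
        if status == 401:                       # this is the popup the user sees
            self.prompts += 1
            m = re.search(r'realm="([^"]*)"', resp_headers.get("WWW-Authenticate", ""))
            if m:
                self.known_realms.add(m.group(1))
            headers["Authorization"] = self._basic()
            status, resp_headers, body = self._request(path, headers, form)
        return status, body

def prompts_for(paths, bbb_on_tomcat=False):
    """Visit paths in order with one fresh browser and return the number of
    password dialogs shown. /aaa is visited by submitting the login form."""
    browser = Browser(Server(bbb_on_tomcat), "sridhar", "s3cret")
    for path in paths:
        form = {"j_username": "sridhar", "j_password": "s3cret"} if path == "/aaa" else None
        status, _ = browser.get(path, form)
        assert status == 200, (path, status)
    return browser.prompts

def thread_scenarios():
    """Prompt counts for the four scenarios in the thread, plus the chosen fix."""
    return {
        "1 bbb->ccc": prompts_for(["/bbb", "/ccc"]),
        "2 ccc->bbb": prompts_for(["/ccc", "/bbb"]),
        "3 aaa->ccc": prompts_for(["/aaa", "/ccc"]),
        "4 aaa->bbb": prompts_for(["/aaa", "/bbb"]),
        "4 with bbb on Tomcat": prompts_for(["/aaa", "/bbb"], bbb_on_tomcat=True),
    }

if __name__ == "__main__":
    for name, n in thread_scenarios().items():
        print(f"{name}: {n} password prompt(s)")
```

Scenario 4 produces a second prompt because after the FORM login the browser holds only a cookie, never a realm it has been challenged for, so its first request to /bbb carries no Authorization header and Apache answers 401; with bbb behind Tomcat the same cookie satisfies the valve and no challenge is issued. Two points to keep in mind whichever option is chosen: a Basic Authorization header carries the password base64-encoded, not encrypted, and the browser resends it on every request to the realm, so the site needs TLS end to end; and the SSO cookie is a bearer token of the same value, so it must never travel over plain HTTP either.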
RE: Single sign on issue with Tomcat and Apache
> From: sridharmnj [mailto:[EMAIL PROTECTED]
> Subject: Re: Single sign on issue with Tomcat and Apache
>
> Is it a better idea to move apache pages (bbb) into the
> tomcat (ccc)?

If you're not using httpd for anything other than serving static content, then yes, get rid of it. Tomcat by itself does that quite well.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Single sign on issue with Tomcat and Apache
If there is no way to do this, what changes do you suggest? Except aaa changes.
Is it a better idea to move apache pages (bbb) into the tomcat (ccc)? (So that only Tomcat authentication exists.)

Thanks,
Sridhar

awarnier wrote:
>
> Well, Johnny, we seem to agree..
>
> Johnny Kewl wrote:
>>
>> - Original Message -
>> From: "sridharmnj" <[EMAIL PROTECTED]>
>> To:
>> Sent: Thursday, June 05, 2008 4:33 PM
>> Subject: Re: Single sign on issue with Tomcat and Apache
>>
>>
>>> Many thanks to all of you for responding to my problem.
>>> I apologize, I hope I did not mention my system architecture clearly. (As I mentioned, it is an old application, which was developed 9 yrs ago, and no documentation at all :-( )
>>>
>>> I am accessing those applications like..
>>>
>>> www.mywebsite.com/aaa -> (aaa webapp) It's based on Tomcat FORM based authentication. (JDBC Realm)
>>> www.mywebsite.com/bbb -> Here some static pages are deployed into Apache and based on BASIC authentication. (mod_auth_mysql)
>>> www.mywebsite.com/ccc -> (ccc webapp) Here dynamic pages are deployed on Tomcat based on BASIC authentication. (JDBC Realm)
>>>
>>> All the above applications are using the same user table for credentials.
>>>
>>> Scenario 1: When I log into bbb (Apache-BASIC) it is popping up a dialog box with username and password, and after providing the details it is authenticating using mod_auth_mysql. I have a link to ccc (Tomcat-BASIC) from bbb pages. When I click that link, I am able to navigate those pages without providing the credentials again. (I hope here Tomcat is finding auth headers which are set by Apache.)
>>>
>>> Scenario 2: When I directly log into ccc (Tomcat-BASIC) it is popping up a dialog box with username and password, and after providing the details it is authenticating using Tomcat BASIC authentication. If I click a link to bbb, I am able to navigate to it without providing the details a 2nd time. (I hope here Apache is finding the credentials which are set by Tomcat.)
>>>
>>> Scenario 3: When I log into aaa (TOMCAT-FORM), after authentication I am able to access ccc (TOMCAT-BASIC) without providing the credentials again. (I hope here Tomcat is sharing the credentials between FORM and BASIC authentication, as SingleSignOnValve is enabled.)
>>>
>>> These Scenarios 1, 2, 3 are working perfectly, and I need those as is.
>>>
>>> Scenario 4: When I log into aaa (Tomcat-Form), after authentication, if I click a link to bbb (Apache-BASIC) again it's popping up a window for username and password.
>>
>> sridharmnj
>> Ok this is very different to what we first thought.
>> This is a guess...
>>
>> I think the problem is that you're mixing auth methods...
>> You have to make them all BASIC in this case.
>> The browser is on the same domain... so I think it will be returning the auth header info, can check with a dump valve or get wireshark and just make sure it is returning header info... but I think it is, the problem is that the auth info is not the same.
>>
>> I've never used FORM authentication, but I guess it just reads the UID and Password fields and then TC starts tracking that cookie as authenticated.
>> BASIC does not do that... there the browser returns a Base64 encoded mash and that is interpreted.
>>
>> So if you go to, say, ccc (BASIC) and then bbb (BASIC)... you haven't said, but I think that will work.
>> But when you go to FORM all the browser sends Apache is a little old cookie... and the BASIC logic will go "what the hell"... and challenges the browser.
>>
>> So the initial thought that it was a domain problem is not correct... you're just mixing incompatible auth schemes.
>> I think you have to lose the FORM auth... and even though you can't change the web app, I think that it is possible externally... all that's going to happen is that the browser pops up a password box... and that auth FORM is now going to be redundant.
>>
>> I think the FORM auth has to go, must be made BASIC... my guess.
Re: Single sign on issue with Tomcat and Apache
Well, Johnny, we seem to agree..

Johnny Kewl wrote:
> - Original Message -
> From: "sridharmnj" <[EMAIL PROTECTED]>
> To:
> Sent: Thursday, June 05, 2008 4:33 PM
> Subject: Re: Single sign on issue with Tomcat and Apache
>
>> Many thanks to all of you for responding to my problem.
>> I apologize, I hope I did not mention my system architecture clearly. (As I mentioned, it is an old application, which was developed 9 yrs ago, and no documentation at all :-( )
>>
>> I am accessing those applications like..
>>
>> www.mywebsite.com/aaa -> (aaa webapp) It's based on Tomcat FORM based authentication. (JDBC Realm)
>> www.mywebsite.com/bbb -> Here some static pages are deployed into Apache and based on BASIC authentication. (mod_auth_mysql)
>> www.mywebsite.com/ccc -> (ccc webapp) Here dynamic pages are deployed on Tomcat based on BASIC authentication. (JDBC Realm)
>>
>> All the above applications are using the same user table for credentials.
>>
>> Scenario 1: When I log into bbb (Apache-BASIC) it is popping up a dialog box with username and password, and after providing the details it is authenticating using mod_auth_mysql. I have a link to ccc (Tomcat-BASIC) from bbb pages. When I click that link, I am able to navigate those pages without providing the credentials again. (I hope here Tomcat is finding auth headers which are set by Apache.)
>>
>> Scenario 2: When I directly log into ccc (Tomcat-BASIC) it is popping up a dialog box with username and password, and after providing the details it is authenticating using Tomcat BASIC authentication. If I click a link to bbb, I am able to navigate to it without providing the details a 2nd time. (I hope here Apache is finding the credentials which are set by Tomcat.)
>>
>> Scenario 3: When I log into aaa (TOMCAT-FORM), after authentication I am able to access ccc (TOMCAT-BASIC) without providing the credentials again. (I hope here Tomcat is sharing the credentials between FORM and BASIC authentication, as SingleSignOnValve is enabled.)
>>
>> These Scenarios 1, 2, 3 are working perfectly, and I need those as is.
>>
>> Scenario 4: When I log into aaa (Tomcat-Form), after authentication, if I click a link to bbb (Apache-BASIC) again it's popping up a window for username and password.
>
> sridharmnj
> Ok this is very different to what we first thought.
> This is a guess...
>
> I think the problem is that you're mixing auth methods...
> You have to make them all BASIC in this case.
> The browser is on the same domain... so I think it will be returning the auth header info, can check with a dump valve or get wireshark and just make sure it is returning header info... but I think it is, the problem is that the auth info is not the same.
>
> I've never used FORM authentication, but I guess it just reads the UID and Password fields and then TC starts tracking that cookie as authenticated.
> BASIC does not do that... there the browser returns a Base64 encoded mash and that is interpreted.
>
> So if you go to, say, ccc (BASIC) and then bbb (BASIC)... you haven't said, but I think that will work.
> But when you go to FORM all the browser sends Apache is a little old cookie... and the BASIC logic will go "what the hell"... and challenges the browser.
>
> So the initial thought that it was a domain problem is not correct... you're just mixing incompatible auth schemes.
> I think you have to lose the FORM auth... and even though you can't change the web app, I think that it is possible externally... all that's going to happen is that the browser pops up a password box... and that auth FORM is now going to be redundant.
>
> I think the FORM auth has to go, must be made BASIC... my guess.
>
> ---
> HARBOR : http://www.kewlstuff.co.za/index.htm
> The most powerful application server on earth.
> The only real POJO Application Server.
> See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
> ---
Re: Single sign on issue with Tomcat and Apache
> - there is only one Apache, and one Tomcat, on the same physical server
yes
> - there are no Apache VirtualHosts (or there is only one), and there is only one Tomcat section in server.xml
Apache virtualhost is there, and tomcat host is

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>myWebSite Security</realm-name>
      <form-login-config>
        <form-login-page>/Login.jsp</form-login-page>
        <form-error-page>/Login_fail.jsp</form-error-page>
      </form-login-config>
    </login-config>

    <security-constraint>
      <display-name>myWebSite Security</display-name>
      <web-resource-collection>
        <web-resource-name>myWebSite Security</web-resource-name>
        <url-pattern>/aaa/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>myGroup1</role-name>
        <role-name>myGroup2</role-name>
      </auth-constraint>
    </security-constraint>

> - the back-end for the authentication is the same MySql database system, and the same table. In one case it is accessed by an Apache module (mod_auth_mysql), in the other by some Java module under Tomcat (that's my own weak point by the way, I'm not really a Java/Tomcat guy)
yes, authentication is mysql database
> - there is only one single DNS domain (which simplifies certain issues)
yes like www.mywebsite.com
> - all authentication is of type "Basic", which means based on the exchange of HTTP headers from browser to server.
No, aaa is based on FORM authentication, and it should not be changed

> But that last item troubles me. I believe that you mentioned initially that the Tomcat authentication of www.mywebsite.com/aaa was "Basic", even if it is form-based. That troubles me because, as far as I know, that cannot be the case. There must be some other mechanism used there, and that may be the very base of your problem.
Hmm, I am sorry if I misled you. aaa is based on FORM authentication only and my client does not want to change it.

> My guess at this point is that the form-based authentication sets the credentials in Tomcat, and keeps these alive in some form of Tomcat "session" mechanism, but that it is never seen by the browser as a "Basic authentication". In other words, the browser knows nothing about it, and so can never pass this authentication from aaa to bbb.
Absolutely. If I look into the request headers, when I log in to ccc using BASIC authentication, it is storing the following information in the request headers:

    authorization : Basic U3JpZGabkyuUZXN0aW5n

But if I log into the aaa system (using form based authentication), it is not setting any such header. But still I can navigate to ccc, because Tomcat manages this as SingleSignOnValve is enabled. When I request bbb pages (Apache), as it's not able to find any such headers in the browser cache, it is asking for credentials.. This is what is troubling me :-(

> If so, a very quick fix would be to change the authentication setup of your aaa webapp (in webapps/aaa/WEB-INF/web.xml), to make it the same as in webapps ccc (webapps/aaa/WEB-INF/web.xml). It's in the section at the end, in or something.
> The only visible difference in application aaa would be that instead of receiving the html login form, the user would see the same browser popup as for applications bbb and ccc.
Yes, I know :-) If I change it to BASIC it works.. But the aaa application should not be changed to BASIC. As per the client request, it should be FORM authentication only :-(

> Can you then give us a copy of the relevant sections of the Apache configuration (simplified/edited if you want), showing how exactly the requests that initially all go through Apache (I suppose from the above) get passed to Tomcat if needed? There should be things like this:
>
>     JkMount /aaa ajp13
>     JkMount /aaa/* ajp13
>     ...
>     AuthType Basic
>     Require valid-user
>     ...
I find the following configuration in the httpd.conf file:

    AuthType Basic
    AuthMySQLHost xx.xx.xx.xxx
    AuthMySQLUser myUser
    AuthMySQLPassword myPasssword
    AuthMySQLDB myDataBase

and also found the following configuration in the .htaccess file of each folder in the bbb application:

    AuthType Basic
    require group myGroup1 myGroup2
    AuthName "myWebSite Security"

Thanks,
Sridhar

awarnier wrote:
>
> sridharmnj wrote:
>> Many thanks to all of you for responding to my problem.
>> I apologize, I hope I did not mention my system architecture clearly. (As I mentioned, it is an old application, which was developed 9 yrs ago, and no documentation at all :-( )
>>
>> I am accessing those applications like..
>>
>> www.mywebsite.com/aaa -> (aaa webapp) It's based on Tomcat FORM based authentication. (JDBC Realm)
>> www.mywebsite.com/bbb -> Here some static pages are deployed into Apache and based on BASIC authentication. (mod_auth_mysql)
>> www.mywebsite.com/ccc -> (ccc webapp) Here dynamic pages are deployed on Tomcat based on BASIC authentication. (JDBC Realm)
>
> That makes it clearer, and provides some good news also.
> What I guess from the above is:
> - there is only one Apache, and one Tomcat, on the same physical server
> - there are no Apache VirtualHosts (or there is only one), and there is only one Tomcat section in server.xml
> - the back-end for the authentication is the same MySql database system, and the same table. In one case it is accessed by an Apache module (mod_auth_mysql), in the other by some Java module under Tomcat (that's my own weak point by the way, I'm not really a Java/Tomcat guy)
> - there is only one single DNS domain (which simplifies certain issues)
> - all authentication is of type "Basic", which means based on the exchange of HTTP headers from browser to server.
>
> But that last item troubles me. I believe that you mentioned initially that the Tomcat authentication of www.mywebsite.com/aaa was "Basic", even if it is form-based. That troubles me because, as far as I know, that cannot be the case. There must be some other mechanism used there, and that may be the very base of your problem.
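For the option sridharmnj settled on (bbb served by Tomcat, BASIC, inside the SingleSignOn valve), this is what the bbb side would look like. It is an added example, not configuration from the thread or from the Tomcat project. It assumes bbb is deployed as a webapp with context path /bbb on the same Host as aaa and ccc, reuses the realm name and the two group names from the posted .htaccess, and uses a servlet 2.5 web.xml; the JDBCRealm already serving aaa and ccc must return those group names as roles. In httpd.conf, /bbb would then get the same mounts as aaa (JkMount /bbb ajp13 and JkMount /bbb/* ajp13), and the AuthType / AuthMySQL directives and the per-folder .htaccess files for that path would be removed, otherwise Apache would still challenge before the request ever reaches Tomcat.

```xml
<!-- webapps/bbb/WEB-INF/web.xml: the static pages move under this webapp.
     Added example; realm and group names are taken from the posted .htaccess. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>myWebSite Security</web-resource-name>
      <!-- everything in bbb, relative to the /bbb context path -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- without an auth-constraint the constraint protects nothing -->
    <auth-constraint>
      <role-name>myGroup1</role-name>
      <role-name>myGroup2</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- BASIC, with the same realm name as ccc, so the browser reuses what it
       already holds for that realm -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myWebSite Security</realm-name>
  </login-config>

  <security-role><role-name>myGroup1</role-name></security-role>
  <security-role><role-name>myGroup2</role-name></security-role>

</web-app>

<!-- conf/server.xml: the valve goes in the Host that holds aaa, bbb and ccc
     (host name and appBase are assumptions). Tomcat then issues one
     JSESSIONIDSSO cookie per host, which all three webapps honour. -->
<Host name="www.mywebsite.com" appBase="webapps">
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
</Host>
```

The valve belongs in the Host element, not in a Context: once a user completes any login (FORM in aaa or BASIC in bbb or ccc) under that host, the other webapps accept the SSO cookie without a new challenge, which is exactly the behaviour the thread wants for aaa to bbb. For the record, the knob Pid alludes to for the opposite direction exists too: with tomcatAuthentication="false" on the AJP Connector, Tomcat trusts the REMOTE_USER that Apache sends over AJP instead of authenticating itself; it would only help here if Apache did all the authentication, which is André's first option, not the one chosen.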
Re: Single sign on issue with Tomcat and Apache
sridharmnj wrote:
> Many thanks to all of you for responding to my problem.
> I apologize, I hope I did not mention my system architecture clearly. (As I mentioned, it is an old application, which was developed 9 yrs ago, and no documentation at all :-( )
>
> I am accessing those applications like..
>
> www.mywebsite.com/aaa -> (aaa webapp) It's based on Tomcat FORM based authentication. (JDBC Realm)
> www.mywebsite.com/bbb -> Here some static pages are deployed into Apache and based on BASIC authentication. (mod_auth_mysql)
> www.mywebsite.com/ccc -> (ccc webapp) Here dynamic pages are deployed on Tomcat based on BASIC authentication. (JDBC Realm)
>
> All the above applications are using the same user table for credentials.
>
> Scenario 1: When I log into bbb (Apache-BASIC) it is popping up a dialog box with username and password, and after providing the details it is authenticating using mod_auth_mysql. I have a link to ccc (Tomcat-BASIC) from bbb pages. When I click that link, I am able to navigate those pages without providing the credentials again. (I hope here Tomcat is finding auth headers which are set by Apache.)
>
> Scenario 2: When I directly log into ccc (Tomcat-BASIC) it is popping up a dialog box with username and password, and after providing the details it is authenticating using Tomcat BASIC authentication. If I click a link to bbb, I am able to navigate to it without providing the details a 2nd time. (I hope here Apache is finding the credentials which are set by Tomcat.)
>
> Scenario 3: When I log into aaa (TOMCAT-FORM), after authentication I am able to access ccc (TOMCAT-BASIC) without providing the credentials again. (I hope here Tomcat is sharing the credentials between FORM and BASIC authentication, as SingleSignOnValve is enabled.)
>
> These Scenarios 1, 2, 3 are working perfectly, and I need those as is.
>
> Scenario 4: When I log into aaa (Tomcat-Form), after authentication, if I click a link to bbb (Apache-BASIC) again it's popping up a window for username and password.
>
> This is (Scenario 4) what I need to change. When a user logs into aaa using Tomcat-Form based authentication and clicks a link to bbb, he should be directly allowed to it without being asked for the credentials a 2nd time.
> Is there any way to do it, without modifying the Apache Authentication?

Not to my knowledge.

AFAIK Tomcat sets a user principal that is not visible to the HTTPD server's authentication/authorization module. HTTPD's authenticated remote user header can be visible downwards to the container with the right configuration, and the two Tomcat webapps can co-operate, but I don't believe that there is anything in JK to allow it to propagate a principal upwards.

Maybe one of the mod_jk committers has better info.

p

> I am really sorry if I am confusing you. Please let me know still if you need any other details.
>
> Thanks,
> Sridhar
>
> Pid-2 wrote:
>> Johnny Kewl wrote:
>>> - Original Message -
>>> From: "Propes, Barry L " <[EMAIL PROTECTED]>
>>> To: "Tomcat Users List"
>>>
>>>> Hi,
>>>> I am integrating two websites using single sign on. I have two sites namely aaa.com and bbb.com. I enabled SingleSignOn valve in server.xml file, and trying to access
>>>
>>> It's not going to work... It's not because of TC, it's because of the way cookies are handled by the browser.
>>> It's been a long long time since I wrote a filter to do this, and there are probably better third party products out there. But this is what I remember...
>>>
>>> The SingleSignOn is addressing the issue of sign on across web apps and within a single TC... not across machines. ie Tomcat has to at least be able to track the session. If that's covered then... Then and I forget the terminology.
>>> A browser will consider this the same domain
>>> aaa.com/webapp/servlet1
>>> aaa.com/webapp/servlet2
>>> and I think even
>>> aaa.com/webapp2/servlet1
>>> but as soon as that becomes bbb.com the "browser" treats it like a stranger and does not return the session key, nor auth info for the other domain... so TC/Apache is screwed because the browser doesn't want to play.
>>>
>>> Vaguely I remember setting "persistent" cookies in the browser, and then tracking my own cookies across machines... but it also meant a complete redo of all the security and TC's generic security could not be used.
>>> I remember seeing third party tools... but if you can't change the one webapp, you're into something really creative, creating a filter won't work because security happens before the filter you have a creative problem on your hands ;)
>>
>> E.g. OpenID, JOSSO etc
>> Search google for "Java Single Sign On".
>>
>> As has been stated, SingleSignOnValve isn't a true SSO solution.
>>
>> p
>>
>>> I think if you can put TC behind Apache, thus getting it back to the same domain name, and the distinguishing only on sub context... ie
>>> aaa.com/images/in apache
>>> aaa.com/webapp/someservlet and the call is passed thru to TC
>>> Then the browser will like it and return the authentication details
>>> otherwise is going to be some kind of complex proxy type t
Re: Single sign on issue with Tomcat and Apache
- Original Message -
From: "sridharmnj" <[EMAIL PROTECTED]>
To:
Sent: Thursday, June 05, 2008 4:33 PM
Subject: Re: Single sign on issue with Tomcat and Apache

> Many thanks to all of you for responding to my problem.
> I apologize, I hope I did not mention my system architecture clearly. (As I mentioned, it is an old application, which was developed 9 yrs ago, and no documentation at all :-( )
>
> I am accessing those applications like..
>
> www.mywebsite.com/aaa -> (aaa webapp) It's based on Tomcat FORM based authentication. (JDBC Realm)
> www.mywebsite.com/bbb -> Here some static pages are deployed into Apache and based on BASIC authentication. (mod_auth_mysql)
> www.mywebsite.com/ccc -> (ccc webapp) Here dynamic pages are deployed on Tomcat based on BASIC authentication. (JDBC Realm)
>
> All the above applications are using the same user table for credentials.
>
> Scenario 1: When I log into bbb (Apache-BASIC) it is popping up a dialog box with username and password, and after providing the details it is authenticating using mod_auth_mysql. I have a link to ccc (Tomcat-BASIC) from bbb pages. When I click that link, I am able to navigate those pages without providing the credentials again. (I hope here Tomcat is finding auth headers which are set by Apache.)
>
> Scenario 2: When I directly log into ccc (Tomcat-BASIC) it is popping up a dialog box with username and password, and after providing the details it is authenticating using Tomcat BASIC authentication. If I click a link to bbb, I am able to navigate to it without providing the details a 2nd time. (I hope here Apache is finding the credentials which are set by Tomcat.)
>
> Scenario 3: When I log into aaa (TOMCAT-FORM), after authentication I am able to access ccc (TOMCAT-BASIC) without providing the credentials again. (I hope here Tomcat is sharing the credentials between FORM and BASIC authentication, as SingleSignOnValve is enabled.)
>
> These Scenarios 1, 2, 3 are working perfectly, and I need those as is.
>
> Scenario 4: When I log into aaa (Tomcat-Form), after authentication, if I click a link to bbb (Apache-BASIC) again it's popping up a window for username and password.

sridharmnj
Ok this is very different to what we first thought.
This is a guess...

I think the problem is that you're mixing auth methods...
You have to make them all BASIC in this case.
The browser is on the same domain... so I think it will be returning the auth header info, can check with a dump valve or get wireshark and just make sure it is returning header info... but I think it is, the problem is that the auth info is not the same.

I've never used FORM authentication, but I guess it just reads the UID and Password fields and then TC starts tracking that cookie as authenticated.
BASIC does not do that... there the browser returns a Base64 encoded mash and that is interpreted.

So if you go to, say, ccc (BASIC) and then bbb (BASIC)... you haven't said, but I think that will work.
But when you go to FORM all the browser sends Apache is a little old cookie... and the BASIC logic will go "what the hell"... and challenges the browser.

So the initial thought that it was a domain problem is not correct... you're just mixing incompatible auth schemes.
I think you have to lose the FORM auth... and even though you can't change the web app, I think that it is possible externally... all that's going to happen is that the browser pops up a password box... and that auth FORM is now going to be redundant.

I think the FORM auth has to go, must be made BASIC... my guess.
Re: Single sign on issue with Tomcat and Apache
sridharmnj wrote:
> Many thanks to all of you for responding to my problem. I apologize, I hope I did not mention my system architecture clearly. (As I mentioned, it is an old application, which was developed 9 yrs ago, and no documentation at all :-( )
>
> I am accessing those applications like..
>
> www.mywebsite.com/aaa -> (aaa webapp) It's based on Tomcat FORM based authentication. (JDBC Realm)
> www.mywebsite.com/bbb -> Here some static pages are deployed into Apache and based on BASIC authentication. (mod_auth_mysql)
> www.mywebsite.com/ccc -> (ccc webapp) Here dynamic pages are deployed on Tomcat based on BASIC authentication. (JDBC Realm)

That makes it clearer, and provides some good news also.
What I guess from the above is :
- there is only one Apache, and one Tomcat, on the same physical server
- there are no Apache VirtualHosts (or there is only one), and there is only one Tomcat section in server.xml
- the back-end for the authentication is the same MySql database system, and the same table. In one case it is accessed by an Apache module (mod_auth_mysql), in the other by some Java module under Tomcat (that's my own weak point by the way, I'm not really a Java/Tomcat guy)
- there is only one single DNS domain (which simplifies certain issues)
- all authentication is of type "Basic", which means based on the exchange of HTTP headers from browser to server.

But that last item troubles me. I believe that you mentioned initially that the Tomcat authentication of www.mywebsite.com/aaa was "Basic", even if it is form-based. That troubles me because, as far as I know, that cannot be the case. There must be some other mechanism used there, and that may be the very base of your problem.
My guess at this point is that the form-based authentication sets the credentials in Tomcat, and keeps these alive in some form of Tomcat "session" mechanism, but that it is never seen by the browser as a "Basic authentication". In other words, the browser knows nothing about it, and so can never pass this authentication from aaa to bbb.

If so, a very quick fix would be to change the authentication setup of your aaa webapp (in webapps/aaa/WEB-INF/web.xml), to make it the same as in webapps ccc (webapps/aaa/WEB-INF/web.xml). It's in the section at the end, in or something.
The only visible difference in application aaa would be that instead of receiving the html login form, the user would see the same browser popup as for applications bbb and ccc.
You do not need to change the webapp application itself for this, just the web.xml, and restart Tomcat, and maybe it will just magically start working !! ??
Go on, try it, I'm curious ! If it works, then I will explain why. But it would be consistent with the detailed explanation that you give below, of the behaviour of the different applications.

If that does not work, then there are still a couple of details missing. Can you then give us a copy of the relevant sections of the Apache configuration (simplified/edited if you want), showing how exactly the requests that initially all go through Apache (I suppose from the above) get passed to Tomcat if needed ?
There should be things like this :

  JkMount /aaa ajp13
  JkMount /aaa/* ajp13
  ...
  AuthType Basic
  Require valid-user
  ...

(or, maybe, it is not JkMount and it is some other Apache-Tomcat connector ?)

André

> All the above applications are using the same user table for credentials.
> [...]
> This (Scenario 4) is what I need to change. When a user logs into aaa using Tomcat-Form based authentication and clicks a link to bbb, he should be directly allowed to it without asking the credentials a 2nd time. Is there
Re: Single sign on issue with Tomcat and Apache
Many thanks to all of you for responding to my problem. I apologize, I hope I did not mention my system architecture clearly. (As I mentioned, it is an old application, which was developed 9 yrs ago, and no documentation at all :-( )

I am accessing those applications like..

www.mywebsite.com/aaa -> (aaa webapp) It's based on Tomcat FORM based authentication. (JDBC Realm)
www.mywebsite.com/bbb -> Here some static pages are deployed into Apache and based on BASIC authentication. (mod_auth_mysql)
www.mywebsite.com/ccc -> (ccc webapp) Here dynamic pages are deployed on Tomcat based on BASIC authentication. (JDBC Realm)

All the above applications are using the same user table for credentials.

Scenario 1: When I log into bbb (Apache-BASIC) it pops up a dialog box with username and password, and after providing the details it authenticates using mod_auth_mysql. I have a link to ccc (Tomcat-BASIC) from the bbb pages. When I click that link, I am able to navigate those pages without providing the credentials again. (I hope, here Tomcat is finding the auth headers which are set by Apache.)

Scenario 2: When I directly log into ccc (Tomcat-BASIC) it pops up a dialog box with username and password, and after providing the details it authenticates using Tomcat BASIC authentication. If I click a link to bbb, I am able to navigate to it without providing the details a 2nd time. (I hope, here Apache is finding the credentials which are set by Tomcat.)

Scenario 3: When I log into aaa (TOMCAT-FORM), after authentication I am able to access ccc (TOMCAT-BASIC) without providing the credentials again. (I hope, here Tomcat is sharing the credentials between FORM and BASIC authentication, as SingleSignOnValve is enabled.)

These Scenarios 1,2,3 are working perfectly, and I need those as is.

Scenario 4: When I log into aaa (Tomcat-Form), after authentication, if I click a link to bbb (Apache-BASIC) it again pops up a window for username and password.

This (Scenario 4) is what I need to change. When a user logs into aaa using Tomcat-Form based authentication and clicks a link to bbb, he should be directly allowed to it without asking the credentials a 2nd time. Is there any way to do it, without modifying the Apache authentication?

I am really sorry if I am confusing you. Please let me know if you still need any other details.

Thanks,
Sridhar

Pid-2 wrote:
> [...]
Re: Single sign on issue with Tomcat and Apache
Johnny Kewl wrote:
> - Original Message -
> From: "Propes, Barry L" <[EMAIL PROTECTED]>
> To: "Tomcat Users List"
> [...]
> I remember seeing third party tools... but if you can't change the one webapp, you're into something really creative; creating a filter won't work because security happens before the filter. You have a creative problem on your hands ;)

E.g. OpenID, JOSSO etc

Search google for "Java Single Sign On".

As has been stated, SingleSignOnValve isn't a true SSO solution.

p

> I think if you can put TC behind Apache, thus getting it back to the same domain name, and distinguishing only on sub context...
> ie
> aaa.com/images/ in apache
> aaa.com/webapp/someservlet and the call is passed thru to TC
>
> Then the browser will like it and return the authentication details; otherwise it's going to be some kind of complex proxy type thing to trick the browser.
>
> Good luck...
> [...]
Re: Single sign on issue with Tomcat and Apache
- Original Message -
From: "André Warnier" <[EMAIL PROTECTED]>
To: "Tomcat Users List"
Sent: Thursday, June 05, 2008 2:54 AM
Subject: Re: Single sign on issue with Tomcat and Apache

> Johnny Kewl wrote:
> [...]
> There are too many known unknowns at the moment to propose something precise.
> If there is only a single Tomcat with a single localhost Host and two webapps, then it would simplify the domain stuff and the SingleSignOn at that end.
> The general schema I am thinking about, if .. , is
> - all requests go through Apache, and from there to Tomcat or not
> - Tomcat allows only calls from Apache (IP filter)
> - Apache does all the authentication
> - mod_jk will pass the Apache user-id to Tomcat for requests that go there
> - the Apache config for Tomcat-destined links is of the kind
>     SetHandler Jakarta-servlet
>     Authentication stuff..
>     Require ...

Yes, I think you're right: if Apache is fronting the whole thing, then it may as well do all the auth stuff...

This TC mailing list is great, there's a fantastic user knowledge base in this list. It's almost like every other discipline has converged around TC. I'm beginning to think you could ask any question in this group, PHP, Ruby, whatever, and it would probably get answered ;)

Thanks

---
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
---
Re: Single sign on issue with Tomcat and Apache
Johnny Kewl wrote:
> - Original Message -
> From: "André Warnier" <[EMAIL PROTECTED]>
> [...]
> Yes, the exact architecture would help ;)
> [...]
> But if the webapp cannot be changed and images are hardcoded in the servlet... I think he's snookered and probably has to lose authentication on Apache.
> That's how I understand it... Maybe?

There are too many known unknowns at the moment to propose something precise.
If there is only a single Tomcat with a single localhost Host and two webapps, then it would simplify the domain stuff and the SingleSignOn at that end.

The general schema I am thinking about, if .. , is
- all requests go through Apache, and from there to Tomcat or not
- Tomcat allows only calls from Apache (IP filter)
- Apache does all the authentication
- mod_jk will pass the Apache user-id to Tomcat for requests that go there
- the Apache config for Tomcat-destined links is of the kind
    SetHandler Jakarta-servlet
    Authentication stuff..
    Require ...

I'm not quite sure if for the "static" stuff you can combine JkUnMount's with a Location like above, but it's worth a try.
Interesting anyway, and it kind of fits with something I should get busy with in a few weeks.

André
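The Apache-side half of André's "Apache does all the authentication" schema above (and the JkMount/AuthType fragment he asked about earlier in the thread), written out as an added example; it is not configuration from the thread or from any of its posters. It assumes mod_jk is loaded with a worker named ajp13, that aaa/bbb/ccc sit under one host name as in the original post, and that the mod_auth_mysql directives already used for bbb's .htaccess are pasted where the comment says; the AuthName "mywebsite" and the file paths are placeholders.

```apache
# Added example for the "Apache does all the authentication" layout.
# Assumed: mod_jk is loaded and a worker "ajp13" is defined in the file below.
JkWorkersFile /etc/httpd/conf/workers.properties   # placeholder path
JkLogFile     /var/log/httpd/mod_jk.log            # placeholder path

# Dynamic areas are forwarded to Tomcat over AJP; /bbb has no JkMount,
# so its static pages keep being served by Apache itself.
JkMount /aaa   ajp13
JkMount /aaa/* ajp13
JkMount /ccc   ajp13
JkMount /ccc/* ajp13

# One Basic realm covering all three areas. Because host and AuthName are
# identical, the browser reuses the cached credentials for this realm
# instead of prompting again when a link crosses from /aaa to /bbb or /ccc,
# which is the single sign-on the thread is after. Apache's authentication
# phase runs before mod_jk hands the request on, so /aaa and /ccc are also
# checked here and the resulting REMOTE_USER travels to Tomcat in the AJP
# request.
<LocationMatch "^/(aaa|bbb|ccc)(/|$)">
    AuthType Basic
    AuthName "mywebsite"
    # Paste the mod_auth_mysql directives from bbb's existing .htaccess here,
    # so every area is validated against the same user table.
    Require valid-user
</LocationMatch>
```

On the Tomcat side this layout needs tomcatAuthentication="false" on the AJP Connector in server.xml so Tomcat accepts the user name mod_jk forwards instead of running its own FORM or BASIC login, and the "Tomcat allows only calls from Apache" item can be done with a RemoteAddrValve on the Tomcat side. Check that role-based constraints in web.xml still pass with the Tomcat version in use once the user comes from the connector rather than from Tomcat's own realm.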
Re: Single sign on issue with Tomcat and Apache
- Original Message -
From: "André Warnier" <[EMAIL PROTECTED]>
To:
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, June 05, 2008 1:06 AM
Subject: RE: Single sign on issue with Tomcat and Apache

> Hi.
> I saw your ongoing discussion, and maybe I can contribute something, but I need some more info before.
> [...]
> Is it really like described above ?

Yes, the exact architecture would help ;)

I understand it like this:

browser --> Tomcat on aaa.com
browser <-- Tomcat delivers web pages with links to bbb.com/image.jpg
browser --> Apache on bbb.com with images and stuff (that won't authenticate)

Reason is the browser will not return auth and cookies that belong to domain aaa.com to bbb.com.

What (I think) may work is what you have indicated:

user -> Apache (bbb.com) ---> mod_jk ---> tomcat aaa.com

All links now to bbb.com and JK set up to talk to aaa.com.
Images on Apache and servlet JkMounted on aaa.com.
The browser will return Basic header and cookies... so I think Apache auth modules and tomcat on SingleSignOn will work.

All assuming this can be set up and, if the images are hosted remotely, that the Sp can set up JK etc.
But if the webapp cannot be changed and images are hardcoded in the servlet... I think he's snookered and probably has to lose authentication on Apache.

That's how I understand it... Maybe?

---
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
---
RE: Single sign on issue with Tomcat and Apache
Hi.
I saw your ongoing discussion, and maybe I can contribute something, but I need some more info before.

Here is what you explained before :

a) You have one site "aaa.com" to which users access this way :
   user ---> tomcat aaa.com

b) and another site "bbb.com" to which users access this way :
   1) static content : user --> Apache bbb.com
   2) dynamic content : user -> Apache ---> mod_jk ---> tomcat bbb.com

Is it really like described above ?

I am asking all of this because there are some things in your explanation that are difficult to understand, like : if Apache and Tomcat are on the same machine, they cannot both be answering on port 80, so users must be accessing "aaa.com:8080" or something like that, no ?
And if there are 2 Tomcats on different machines - or even 2 virtual servers in one Tomcat - then it does not seem possible that they are sharing one set of user credentials.

So what is the real layout ? Is all of that running on one single server ?
Do you really have 2 separate Tomcat virtual hosts (or real separate Tomcat hosts), one for "aaa.com" and one for "bbb.com" ? or do you have one single Apache with two virtual servers "aaa.com" and "bbb.com", and one single Tomcat with a single ?
Do users really go directly to Tomcat aaa.com on port 80, or do they anyway always go through an Apache/mod_jk to reach aaa.com ?

Other question : are the two site names really of the form "company1.com" and "company2.com" ? or is it more something like "site1.company.com" and "site2.company.com" ?
(That's important because in the second case "company.com" would be a common domain, but that does not work for just "com").

André
Re: Single sign on issue with Tomcat and Apache
- Original Message -
From: "Propes, Barry L" <[EMAIL PROTECTED]>
To: "Tomcat Users List"

> Hi,
> I am integrating two websites using single sign on. I have two sites namely aaa.com and bbb.com.
> [...]
> I enabled SingleSignOn valve in server.xml file, and trying to access

It's not going to work...
It's not because of TC, it's because of the way cookies are handled by the browser.

It's been a long long time since I wrote a filter to do this, and there are probably better third party products out there. But this is what I remember...

The SingleSignOn is addressing the issue of sign on across web apps and within a single TC... not across machines.
ie Tomcat has to at least be able to track the session. If that's covered then...

Then, and I forget the terminology, a browser will consider this the same domain:
aaa.com/webapp/servlet1
aaa.com/webapp/servlet2
and I think even
aaa.com/webapp2/servlet1

but as soon as that becomes bbb.com

the "browser" treats it like a stranger and does not return the session key, nor auth info for the other domain... so TC/Apache is screwed because the browser doesn't want to play.

Vaguely I remember setting "persistent" cookies in the browser, and then tracking my own cookies across machines... but it also meant a complete redo of all the security and TC's generic security could not be used.

I remember seeing third party tools... but if you can't change the one webapp, you're into something really creative; creating a filter won't work because security happens before the filter. You have a creative problem on your hands ;)

I think if you can put TC behind Apache, thus getting it back to the same domain name, and distinguishing only on sub context...
ie
aaa.com/images/ in apache
aaa.com/webapp/someservlet and the call is passed thru to TC

Then the browser will like it and return the authentication details; otherwise it's going to be some kind of complex proxy type thing to trick the browser.

Good luck...

---
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
---
Re: Single sign on issue with Tomcat and Apache
pages). I am sorry for the lengthy message. But I tried to explain the complete scenario.

David Smith-2 wrote:
> I'll first admit that I've never used single sign-on, so most of this is educated conjecture on my part. Hopefully it'll spark some discussion in the right direction.
>
> You're right -- jvm version is not going to make a difference with the issue you are seeing. Plus upgrading the jvm may break the nine year old app -- an excellent case to be made to your client/boss for rewriting/upgrading the old app.
>
> The real problem is how the single sign-on id is getting from aaa.com to bbb.com. Cookies won't work as the browser won't return a cookie for aaa.com to bbb.com. That's a security problem if it does. That leaves URL rewriting. Are you doing anything to make sure the URLs for bbb.com have the single sign-on id in the url? Seems like that's the only way for bbb.com to know it's getting a request from a previously authenticated user.
>
> --David
>
> sridharmnj wrote:
>> I hope you did not observe the following lines from my post.
>>
>>> bbb.com is an old project which was developed around 9 yrs ago and I am not allowed to modify/reengineer the architecture.
>>
>> It is successfully running on those versions in production and the client does not want to upgrade versions for the time being. I don't think that the java version is creating any problem. Do you think so???
>>
>> My problem is not related to Java version upgrades and it's out of scope for discussion here. I am sure a Java version update alone does not solve the issue.
>>
>> Propes, Barry L wrote:
>>> and you're stuck on Java 1.3.1 and cannot go forward?
>>>
>>> -Original Message-
>>> From: sridharmnj [mailto:[EMAIL PROTECTED]
>>> Sent: Tuesday, June 03, 2008 4:17 PM
>>> To: users@tomcat.apache.org
>>> Subject: RE: Single sign on issue with Tomcat and Apache
>>>
>>> Apache 2.0.50
>>> Tomcat 5.0.27
>>> Java 1.3.1
>>>
>>> Propes, Barry L wrote:
>>>> what versions are you using? Of each?
>>>>
>>>> -Original Message-
>>>> From: sridharmnj [mailto:[EMAIL PROTECTED]
>>>> Sent: Tuesday, June 03, 2008 3:52 PM
>>>> To: users@tomcat.apache.org
>>>> Subject: Single sign on issue with Tomcat and Apache
>>>>
>>>> Hi,
>>>> I am integrating two websites using single sign on. I have two sites namely aaa.com and bbb.com.
>>>>
>>>> When a user navigates from aaa.com, as he is already authenticated in it, he should be allowed to bbb.com without asking the credentials again. This is my requirement.
>>>>
>>>> aaa.com is based on Tomcat Form based authentication and working fine.
>>>>
>>>> bbb.com's static data is deployed on apache and it requires apache BASIC authentication (httpd, and .htaccess). And dynamic data is deployed on Tomcat and based on Tomcat BASIC authentication.
>>>>
>>>> If I access static data of bbb.com, it first asks for credentials (using a popup), authenticates using mod_auth_mysql, and once the user is authenticated, it stores the credentials in the browser cache. When I navigate to dynamic content which is in tomcat, it still works without asking credentials twice. (I ensured that in web.xml and AuthName in the .htaccess file are the same).
>>>>
>>>> I enabled SingleSignOn valve in server.xml file, and am trying to access bbb.com from aaa.com. When I try to access dynamic data of bbb.com from aaa.com, as both are based on Tomcat security, they are sharing the browser cached credentials. (Though one is based on form and another is based on basic authentication model). But, when I try to access bbb.com's static data (which is in apache) from aaa.com, again it asks for credentials, using a popup.
>>>>
>>>> bbb.com is an old project which was developed around 9 yrs ago and I am not allowed to modify/reengineer the architecture.
>>>>
>>>> Could any one please guide me in the right direction. I appreciate your help.
>>>>
>>>> Thanks,
>>>> Sridhar
>>>> --
>>>> View this message in context: http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633391.html
>>>> Sent from the Tomcat - User mailing list archive at Nabble.com.
--
View this message in context: http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633917.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
Re: Single sign on issue with Tomcat and Apache
sridharmnj wrote:
> My understanding: When the server receives a request for a secured resource the first time (depending on the url-pattern and security-constraint settings in web.xml), it first asks for credentials using a dialog box if it is BASIC authentication or a login form if it is FORM authentication, and performs authentication based on the Realm (JDBC or JNDI or memory). If the user is authenticated successfully, it sets the Principal object in the request (you can see this using request.getUserPrincipal()). For subsequent requests, it checks every time for the Principal object and the flow continues.

Pure basics. I'll only say that with BASIC authentication, user credentials are transmitted to the server on _every_ request -- even for images, javascript and css.

> When the SingleSignOn valve (server.xml) is enabled, Tomcat allows the user to navigate to another app (which is deployed in the same server) without prompting for authentication details again. Actually it shares the Principal object in the request.

Right, but http is a stateless protocol and the client still has to provide something to let the server know it's been there before. In the absence of url rewriting, it's usually a cookie. Cookies can't cross domains.

> In my case, as I am already authenticated in aaa.com, I am able to access bbb.com's dynamic data (which is deployed in tomcat) without providing the authentication details a second time. But I am not able to access bbb.com's static data which is deployed in apache.

I'm getting that nagging feeling in the back of my head there's a combination of Apache Httpd and Apache Tomcat here. If that's the case could you clarify what service is providing what resources?

> In the normal flow (without SSO), if I authenticate to bbb.com's apache pages (using httpd and .htaccess), I can navigate to Tomcat's pages without providing the authentication details. Meaning, here apache is caching credentials using SOME mechanism (not only cookies, but something else.. I am not sure about this) and tomcat is using those credentials and not asking for authentication.

Since Apache *Httpd* is using BASIC, and every request includes credentials, this is normal. Apache *Tomcat* would receive the same credentials in the BASIC auth header.

> I need the reverse functionality. Meaning, when I provide credentials in aaa.com (Tomcat Form based authentication) I should be able to navigate to bbb.com's apache pages. (Anyhow I am able to access bbb.com's tomcat pages.)
>
> I am sorry for the lengthy message. But I tried to explain the complete scenario.
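The two mechanisms David describes (BASIC credentials re-sent on every request within a realm, cookies scoped to one host) can be replayed in a toy model to see why the httpd-to-Tomcat hop on bbb.com worked and the aaa.com-to-bbb.com hop did not. This is an added illustration, not code from the thread or from Apache; the hosts, paths, the realm name "bbb", the user "sridhar" and the session id are constructed.

```python
from base64 import b64decode, b64encode

# Constructed credential store (stands in for the MySQL table behind
# mod_auth_mysql and the Tomcat realm) and the simulated Tomcat session table.
USERS = {"sridhar": "s3cret"}
SESSIONS = set()


def check_basic(headers, realm):
    """Validate an Authorization: Basic header against USERS.

    Returns (status, response headers); a 401 carries the challenge that
    tells the browser which protection space (realm) the resource is in.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        user, _, pwd = b64decode(auth[6:]).decode().partition(":")
        if USERS.get(user) == pwd:
            return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}


def serve(host, path, headers, tomcat_realm="bbb"):
    """Route one request the way the thread describes the deployment.

    aaa.com          Tomcat, FORM login that issues a JSESSIONID cookie
    bbb.com/static/  Apache httpd, .htaccess with AuthName "bbb"
    bbb.com/app/     Tomcat, BASIC with realm-name tomcat_realm
    """
    if host == "aaa.com":
        if path == "/login":                      # stands in for j_security_check
            SESSIONS.add("S1")
            return 200, {"Set-Cookie": "JSESSIONID=S1"}
        cookies = dict(c.split("=", 1) for c in headers.get("Cookie", "").split("; ") if c)
        if cookies.get("JSESSIONID") in SESSIONS:
            return 200, {}
        return 302, {"Location": "/login"}        # bounce to the login form
    if host == "bbb.com" and path.startswith("/static/"):
        return check_basic(headers, "bbb")
    if host == "bbb.com" and path.startswith("/app/"):
        return check_basic(headers, tomcat_realm)
    return 404, {}


class Browser:
    """Minimal model of how a browser keeps cookies and BASIC credentials."""

    def __init__(self, user, password, tomcat_realm="bbb"):
        self.creds = (user, password)   # what the user types into the popup
        self.tomcat_realm = tomcat_realm
        self.cookies = {}               # host -> {name: value}; never sent to another host
        self.basic = {}                 # (host, realm) -> Authorization value, re-sent every request
        self.prompts = 0                # how many times the BASIC popup appeared

    def get(self, host, path):
        headers = {}
        if host in self.cookies:
            headers["Cookie"] = "; ".join("%s=%s" % kv for kv in self.cookies[host].items())
        status, resp = serve(host, path, headers, self.tomcat_realm)
        if "Set-Cookie" in resp:
            name, value = resp["Set-Cookie"].split("=", 1)
            self.cookies.setdefault(host, {})[name] = value
        if status == 401 and resp.get("WWW-Authenticate", "").startswith("Basic "):
            realm = resp["WWW-Authenticate"].split('"')[1]
            if (host, realm) not in self.basic:   # unknown protection space: ask the user
                self.prompts += 1
                token = b64encode(("%s:%s" % self.creds).encode()).decode()
                self.basic[(host, realm)] = "Basic " + token
            headers["Authorization"] = self.basic[(host, realm)]  # known realm: silent retry
            status, resp = serve(host, path, headers, self.tomcat_realm)
        return status


def walk_through(tomcat_realm="bbb"):
    """Replay the poster's navigation; returns what each hop produced."""
    b = Browser("sridhar", "s3cret", tomcat_realm)
    b.get("aaa.com", "/login")                          # FORM login on aaa.com
    aaa = b.get("aaa.com", "/secure/page.jsp")          # cookie carried within aaa.com
    static = b.get("bbb.com", "/static/index.html")     # httpd BASIC: popup, despite aaa.com login
    app = b.get("bbb.com", "/app/report.jsp")           # Tomcat BASIC: silent only if realm matches
    return {"aaa": aaa, "static": static, "app": app,
            "prompts": b.prompts,
            "cookie_available_for_bbb": "bbb.com" in b.cookies}


if __name__ == "__main__":
    print(walk_through())              # prompts == 1: one popup, shared by httpd and Tomcat
    print(walk_through("tomcat-bbb"))  # prompts == 2: AuthName and realm-name differ
```

The second run shows why the poster had to keep AuthName and the Tomcat realm name identical: a different realm is a different protection space, and the browser prompts again.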
Re: Single sign on issue with Tomcat and Apache
My understanding: When the server receives a request for a secured resource the first time (depending on the url-pattern and security-constraint settings in web.xml), it first asks for credentials using a dialog box if it is BASIC authentication or a login form if it is FORM authentication, and performs authentication based on the Realm (JDBC or JNDI or memory). If the user is authenticated successfully, it sets the Principal object in the request (you can see this using request.getUserPrincipal()). For subsequent requests, it checks every time for the Principal object and the flow continues.

When the SingleSignOn valve (server.xml) is enabled, Tomcat allows the user to navigate to another app (which is deployed in the same server) without prompting for authentication details again. Actually it shares the Principal object in the request.

In my case, as I am already authenticated in aaa.com, I am able to access bbb.com's dynamic data (which is deployed in tomcat) without providing the authentication details a second time. But I am not able to access bbb.com's static data which is deployed in apache.

In the normal flow (without SSO), if I authenticate to bbb.com's apache pages (using httpd and .htaccess), I can navigate to Tomcat's pages without providing the authentication details. Meaning, here apache is caching credentials using SOME mechanism (not only cookies, but something else.. I am not sure about this) and tomcat is using those credentials and not asking for authentication.

I need the reverse functionality. Meaning, when I provide credentials in aaa.com (Tomcat Form based authentication) I should be able to navigate to bbb.com's apache pages. (Anyhow I am able to access bbb.com's tomcat pages.)

I am sorry for the lengthy message. But I tried to explain the complete scenario.

David Smith-2 wrote:
> I'll first admit that I've never used single sign-on, so most of this is educated conjecture on my part. Hopefully it'll spark some discussion in the right direction.
>
> You're right -- the jvm version is not going to make a difference with the issue you are seeing. Plus upgrading the jvm may break the nine year old app -- an excellent case to be made to your client/boss for rewriting/upgrading the old app.
>
> The real problem is how the single sign-on id is getting from aaa.com to bbb.com. Cookies won't work as the browser won't return a cookie for aaa.com to bbb.com. That's a security problem if it does. That leaves URL rewriting. Are you doing anything to make sure the URLs for bbb.com have the single sign-on id in the url? Seems like that's the only way for bbb.com to know it's getting a request from a previously authenticated user.
>
> --David
Re: Single sign on issue with Tomcat and Apache
I'll first admit that I've never used single sign-on, so most of this is educated conjecture on my part. Hopefully it'll spark some discussion in the right direction.

You're right -- the jvm version is not going to make a difference with the issue you are seeing. Plus upgrading the jvm may break the nine year old app -- an excellent case to be made to your client/boss for rewriting/upgrading the old app.

The real problem is how the single sign-on id is getting from aaa.com to bbb.com. Cookies won't work as the browser won't return a cookie for aaa.com to bbb.com. That's a security problem if it does. That leaves URL rewriting. Are you doing anything to make sure the URLs for bbb.com have the single sign-on id in the url? Seems like that's the only way for bbb.com to know it's getting a request from a previously authenticated user.

--David

sridharmnj wrote:
> I hope you did not observe the following lines from my post.
>
>> bbb.com is an old project which was developed around 9 yrs ago and I am not allowed to modify/reengineer the architecture.
>
> It is successfully running on those versions in production and the client does not want to upgrade versions for the time being. I don't think that the java version is creating any problem. Do you think so???
>
> My problem is not related to Java version upgrades and it's out of scope for discussion here. I am sure a Java version update alone does not solve the issue.

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: Single sign on issue with Tomcat and Apache
I hope you did not observe the following lines from my post.

> bbb.com is an old project which was developed around 9 yrs ago and I am not allowed to modify/reengineer the architecture.

It is successfully running on those versions in production and the client does not want to upgrade versions for the time being. I don't think that the java version is creating any problem. Do you think so???

My problem is not related to Java version upgrades and it's out of scope for discussion here. I am sure a Java version update alone does not solve the issue.

Propes, Barry L wrote:
> and you're stuck on Java 1.3.1 and cannot go forward?

--
View this message in context: http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17636089.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
RE: Single sign on issue with Tomcat and Apache
and you're stuck on Java 1.3.1 and cannot go forward?

-Original Message-
From: sridharmnj [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 03, 2008 4:17 PM
To: users@tomcat.apache.org
Subject: RE: Single sign on issue with Tomcat and Apache

Apache 2.0.50
Tomcat 5.0.27
Java 1.3.1
RE: Single sign on issue with Tomcat and Apache
Apache 2.0.50
Tomcat 5.0.27
Java 1.3.1

Propes, Barry L wrote:
> what versions are you using? Of each?

--
View this message in context: http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633917.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
RE: Single sign on issue with Tomcat and Apache
what versions are you using? Of each?

-Original Message-
From: sridharmnj [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 03, 2008 3:52 PM
To: users@tomcat.apache.org
Subject: Single sign on issue with Tomcat and Apache

Hi,
I am integrating two websites using single sign on. I have two sites, namely aaa.com and bbb.com.

When a user navigates from aaa.com, as he is already authenticated in it, he should be allowed into bbb.com without being asked for the credentials again. This is my requirement.

aaa.com is based on Tomcat Form based authentication and is working fine.

bbb.com's static data is deployed on apache and it requires apache BASIC authentication (httpd and .htaccess). And the dynamic data is deployed on Tomcat and is based on Tomcat BASIC authentication.

If I access the static data of bbb.com, it first asks for credentials (using a popup), authenticates using mod_auth_mysql, and once the user is authenticated, it is storing the credentials in the browser cache. When I navigate to the dynamic content which is in tomcat, it is still working without asking for credentials twice. (I ensured that in web.xml and AuthName in the .htaccess file are the same).

I enabled the SingleSignOn valve in the server.xml file, and am trying to access bbb.com from aaa.com. When I try to access the dynamic data of bbb.com from aaa.com, as both are based on Tomcat security, they are sharing the browser cached credentials. (Though one is based on the form and the other is based on the basic authentication model). But, when I try to access bbb.com's static data (which is in apache) from aaa.com, it is again asking for credentials, using a popup.

bbb.com is an old project which was developed around 9 yrs ago and I am not allowed to modify/reengineer the architecture.

Could anyone please guide me in the right direction. I appreciate your help.

Thanks,
Sridhar
--
View this message in context: http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633391.html
Sent from the Tomcat - User mailing list archive at Nabble.com.