On Mon, 15 Jul 2002, James Krygowski wrote:

> Date: Mon, 15 Jul 2002 08:55:59 -0400
> From: James Krygowski <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: forwarding through j_security_check
>
> Hi All-
>
> I'm working on a web-app launcher.  The essential idea is to provide users
> with a centralized, secure web portal from which they can launch other web
> applications.  The other applications will reside in Tomcat servers
> different from the portal Tomcat server.
>
> Each application will be protected by standard J2EE security implemented
> with j_security_check.  I'd like to be able to forward to applications and
> automatically negotiate the j_security_check so that users don't have to
> log on once they've already presented their credentials to the portal
> application (i.e. single sign-on).
>
> Is it possible to formulate an href url that simultaneously specifies the
> target resource and the credentials being passed to j_security_check?  I
> note that in the packet sent in the j_security_check post, all the
> information needed is present.  If I read the packet right, the Referrer
> in the http header contains the information about the desired "protected"
> resource.  Is this Referrer used by j_security_check to forward a request on
> to the desired destination?

No, it is not.  When form based login detects the need to challenge the
user for credentials, it saves an internal copy of the original request,
and "replays" it once the user is successfully authenticated.

> If so, is it possible to set up a servlet that
> could manipulate the Referrer in the header, and redirect a request along to
> an application in another Tomcat server, making it look like a post to
> j_security_check, complete with referrer, j_username and j_password?
>
> Any suggestions or comments are welcome and appreciated.
>

Trying to forward security credentials like this is pretty much guaranteed
not to work.

One thing you might consider using is Tomcat's standard support for single
sign on across multiple webapps.  Check out the "Single Sign On" section
on:

  http://jakarta.apache.org/tomcat/tomcat-4.0-doc/config/host.html

> Thanks,
>
> Jim

Craig
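The configuration the reply points to, written out as an added example (not part of the original thread and not taken from the Tomcat documentation page linked above). It shows the three pieces that make container-managed single sign-on work across webapps on one Tomcat 4.x Host: the SingleSignOn valve in server.xml, a FORM login-config in each protected webapp's web.xml, and the login page that posts to j_security_check. The context paths, role name and page names are assumptions chosen for illustration.

```xml
<!-- server.xml (assumed Host block): the SingleSignOn valve caches the
     authenticated Principal in a host-scoped JSESSIONIDSSO cookie, so a user
     who has authenticated to any one webapp on this Host is not challenged
     again by the others. All webapps under the Host must share one Realm. -->
<Host name="localhost" appBase="webapps">
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
  <!-- /portal, /app1, /app2 ... Context entries go here (assumed names) -->
</Host>

<!-- web.xml of each protected webapp: standard FORM authentication.
     When an unauthenticated request hits /secure/*, the container saves the
     original request, serves /login.jsp, and replays the saved request after
     a successful POST to j_security_check. -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>portal-user</role-name>   <!-- assumed role name -->
    </auth-constraint>
    <user-data-constraint>
      <!-- credentials and the SSO cookie travel over HTTPS only -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Portal</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>portal-user</role-name>
  </security-role>
</web-app>

<!-- login.jsp: the only place credentials are sent. The action is the
     relative name j_security_check, and the field names j_username and
     j_password are fixed by the servlet specification. The container, not
     the page, decides where the user lands afterwards. -->
<form method="POST" action="j_security_check">
  <input type="text" name="j_username" />
  <input type="password" name="j_password" />
  <input type="submit" value="Log in" />
</form>
```

Two points worth noting about this setup. First, the destination after login comes from the request the container saved before the challenge, never from the Referer header or from anything in the form, which is why a crafted link carrying credentials and a target cannot steer j_security_check. Second, the SingleSignOn valve is scoped to a single Host in a single Tomcat instance; it shares nothing with another Tomcat server, so applications deployed on separate servers still need their own authentication against a common Realm.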

