On Tue, 28 Jan 2003, Will Hartung wrote:
> Date: Tue, 28 Jan 2003 16:49:09 -0800
> From: Will Hartung <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: Doubt in Single Sign On !!!
>
> > From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> > Sent: Tuesday, January 28, 2003 2:01 PM
> > Subject: Re: Doubt in Single Sign On !!!
> >
> > True ... there is no such thing as a cross-application session defined in
> > the servlet spec.
> >
> > You're outside the bounds of the servlet spec when you talk about this,
> > but nothing stops a container from providing something like it.
>
> Yes, for example, the Tomcat Servlet Container (tm reg. us. pat. off.) has a
> Single Sign On facility that's outside of the Servlet Spec, but it doesn't
> behave as a consistent time out across all the webapps it's supporting. :-)
>

Actually, SSO is *not* outside the bounds of the spec :-). See Section SRV.12.6 of the Servlet 2.3 Specification, and Tomcat's implementation complies with the requirements there. What is not defined is where the boundaries of a "security policy domain" are with respect to SSO -- Tomcat's choice to implement this at the virtual host level is entirely legitimate, as would an SSO implementation that was based on Project Liberty <http://www.libertyalliance.org/> that covered multiple web apps on multiple servers (not even necessarily all Java based).

However, Section 12.6 only talks about propagating security identities; it says nothing about updating the last access time of sessions in other web apps so that they don't time out. Technically, that would not be hard to accomplish (modify the existing SSO valve to call access() on the internal StandardSession object of each related session) -- but you won't be able to claim that such behavior is "required".
> Regards,
>
> Will Hartung
> ([EMAIL PROTECTED])

Craig
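The timeout behaviour the thread is arguing about, as an added example that is not part of the original posts and not Tomcat code: a small Python model of a host-level SSO registry where, per the spec-compliant default, only the webapp a request hits gets access() on its session, versus the valve modification Craig sketches (touch every related session). Session, SingleSignOn and simulate are constructed for this illustration; the 30-minute timeout and the request pattern are assumed.

```python
class Session:
    """Model of one webapp's HttpSession (not Tomcat's StandardSession)."""

    def __init__(self, webapp, max_inactive=1800):
        self.webapp = webapp
        self.max_inactive = max_inactive  # seconds, like setMaxInactiveInterval()
        self.last_accessed = 0.0

    def access(self, now):
        # Equivalent of the container calling access() on a request
        self.last_accessed = now

    def is_valid(self, now):
        return now - self.last_accessed < self.max_inactive


class SingleSignOn:
    """Host-level SSO registry: one SSO id maps to one session per webapp visited."""

    def __init__(self, keep_alive=False):
        self.sessions = {}  # sso_id -> {webapp name: Session}
        self.keep_alive = keep_alive

    def register(self, sso_id, session):
        self.sessions.setdefault(sso_id, {})[session.webapp] = session

    def handle_request(self, sso_id, webapp, now):
        related = self.sessions.get(sso_id, {})
        if webapp in related:
            related[webapp].access(now)  # spec behaviour: only this webapp's session
        if self.keep_alive:
            # The proposed valve change: every related session is kept alive, so an
            # idle session in another webapp lives as long as any activity under the
            # SSO id. Consider that when sizing timeouts for sensitive webapps.
            for session in related.values():
                session.access(now)

    def valid_webapps(self, sso_id, now):
        return sorted(w for w, s in self.sessions.get(sso_id, {}).items()
                      if s.is_valid(now))


def simulate(keep_alive):
    """User signs into 'shop' and 'admin' at t=0, then only uses 'shop' for an hour."""
    sso = SingleSignOn(keep_alive)
    for app in ("shop", "admin"):
        session = Session(app, max_inactive=1800)
        session.access(0)
        sso.register("sso-1", session)
    for t in range(600, 3601, 600):  # one 'shop' request every 10 minutes
        sso.handle_request("sso-1", "shop", t)
    return sso.valid_webapps("sso-1", 3600)
```

With the default, only "shop" survives the hour; with keep-alive, "admin" survives too despite never being used.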