My understanding:

When the server receives a request for a secured resource for the first
time (depending on the url-pattern and security-constraint settings in
web.xml), it first asks for credentials using a dialog box if it is BASIC
authentication or a login form if it is FORM authentication, and performs
authentication based on the Realm (JDBC or JNDI or memory). If the user is
authenticated successfully, it sets the Principal object in the request
(you can see this using request.getUserPrincipal()). For subsequent
requests, it checks every time for the Principal object and the flow
continues.

When the SingleSignOn valve (server.xml) is enabled, Tomcat allows the user
to navigate to other apps (which are deployed in the same server) without
prompting for authentication details again. Actually it shares the
Principal object in the request.

In my case, as I am already authenticated in aaa.com, I am able to access
bbb.com's dynamic data (which is deployed in Tomcat) without providing the
authentication details a second time. But I am not able to access bbb.com's
static data, which is deployed in Apache.

In the normal flow (without SSO), if I authenticate to bbb.com's Apache
pages (using httpd and .htaccess), I can navigate to Tomcat's pages without
providing the authentication details. This means that here Apache is
caching credentials using SOME mechanism (not only cookies, but something
else... I am not sure about this) and Tomcat is using those credentials and
not asking for authentication.

I need the reverse functionality. That is, when I provide credentials in
aaa.com (Tomcat form-based authentication) I should be able to navigate to
bbb.com's Apache pages. (Anyhow, I am able to access bbb.com's Tomcat
pages.)

I am sorry for the lengthy message, but I tried to explain the complete
scenario.


David Smith-2 wrote:
> 
> I'll first admit that I've never used single sign-on, so most of this is 
> educated conjecture on my part.  Hopefully it'll spark some discussion 
> in the right direction.
> 
> You're right -- the JVM version is not going to make a difference with the 
> issue you are seeing.  Plus upgrading the JVM may break the nine-year-old 
> app -- an excellent case to be made to your client/boss for 
> rewriting/upgrading the old app.
> 
> The real problem is how the single sign-on id is getting from aaa.com to 
> bbb.com.  Cookies won't work as the browser won't return a cookie for 
> aaa.com to bbb.com.  That's a security problem if it does.  That leaves 
> URL rewriting.  Are you doing anything to make sure the URLs for bbb.com 
> have the single sign-on id in the url?  Seems like that's the only way 
> for bbb.com to know it's getting a request from a previously 
> authenticated user.
> 
> --David
> 
> sridharmnj wrote:
>> I hope you did not observe the following lines from my post.
>>
>>> bbb.com is an old project which was developed around 9 yrs ago and I am
>>> not allowed to modify/reengineer the architecture.
>>
>> It is successfully running on those versions in production and the client
>> does not want to upgrade versions for the time being. I don't think that
>> the Java version is creating any problem. Do you think so???
>>
>> My problem is not related to Java version upgrades and it's out of scope
>> for discussion here. I am sure a Java version update alone does not solve
>> the issue.
>>
>>
>> Propes, Barry L wrote:
>>   
>>> and you're stuck on Java 1.3.1 and cannot go forward?
>>>
>>>
>>> -----Original Message-----
>>> From: sridharmnj [mailto:[EMAIL PROTECTED]
>>> Sent: Tuesday, June 03, 2008 4:17 PM
>>> To: users@tomcat.apache.org
>>> Subject: RE: Single sign on issue with Tomcat and Apache
>>>
>>>
>>>
>>> Apache 2.0.50
>>> Tomcat 5.0.27
>>> Java 1.3.1
>>>
>>>
>>> Propes, Barry L wrote:
>>>     
>>>> what versions are you using? Of each?
>>>>
>>>> -----Original Message-----
>>>> From: sridharmnj [mailto:[EMAIL PROTECTED]
>>>> Sent: Tuesday, June 03, 2008 3:52 PM
>>>> To: users@tomcat.apache.org
>>>> Subject: Single sign on issue with Tomcat and Apache
>>>>
>>>>
>>>>
>>>> Hi,
>>>> I am integrating two websites using single sign-on. I have two sites,
>>>> namely aaa.com and bbb.com.
>>>>
>>>> When a user navigates from aaa.com, as he is already authenticated in
>>>> it, he should be allowed into bbb.com without being asked for the
>>>> credentials again. This is my requirement.
>>>>
>>>> aaa.com is based on Tomcat form-based authentication and is working fine.
>>>>
>>>> bbb.com's static data is deployed on Apache and it requires Apache
>>>> BASIC authentication (httpd and .htaccess). The dynamic data is deployed
>>>> on Tomcat and is based on Tomcat BASIC authentication.
>>>>
>>>> If I access static data of bbb.com, it first asks for credentials
>>>> (using a popup), authenticates using mod_auth_mysql, and once the user
>>>> is authenticated, it stores the credentials in the browser cache. When I
>>>> navigate to dynamic content which is in Tomcat, it still works without
>>>> asking for credentials twice. (I ensured that <realm-name> in web.xml
>>>> and AuthName in the .htaccess file are the same.)
>>>>
>>>> I enabled the SingleSignOn valve in the server.xml file and am trying to
>>>> access bbb.com from aaa.com. When I try to access dynamic data of
>>>> bbb.com from aaa.com, as both are based on Tomcat security, they are
>>>> sharing the browser-cached credentials. (Though one is based on form and
>>>> the other is based on the basic authentication model.) But when I try to
>>>> access bbb.com's static data (which is in Apache) from aaa.com, it again
>>>> asks for credentials, using a popup.
>>>>
>>>> bbb.com is an old project which was developed around 9 yrs ago and I am
>>>> not allowed to modify/reengineer the architecture.
>>>>
>>>> Could anyone please guide me in the right direction? I appreciate your
>>>> help.
>>>>
>>>> Thanks,
>>>> Sridhar 
>>>> -- 
>>>> View this message in context:
>>>> http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633391.html
>>>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>>>
>>>>
>>> -- 
>>> View this message in context:
>>> http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633917.html
>>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>>
>>
>>   
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17636823.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
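As an added illustration of the container-managed security that the latest message in this thread (the top of the page) describes, here is a minimal web.xml security setup together with the Host-level SingleSignOn valve from server.xml. This is example configuration written for this thread, not configuration taken from aaa.com or bbb.com; the url-pattern `/secure/*`, the role name `user`, the realm name, the login page names, the host name and the choice of MemoryRealm are all assumptions made for the example.

```xml
<!-- ===== web.xml fragment (Servlet 2.3 era, as used on Tomcat 5.0) =====
     Hypothetical webapp: the url-pattern, role and page names below are
     assumptions made for this example. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <!-- Only requests matching this pattern trigger authentication;
         everything else in the webapp stays anonymous. -->
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- The caller must be authenticated AND hold this role. An empty
         auth-constraint denies everyone; omitting it allows everyone. -->
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <!-- FORM: Tomcat redirects to form-login-page; that page must POST the
       fields j_username and j_password to the action j_security_check.
       BASIC: the browser shows its own dialog instead, and realm-name is
       sent as the realm in the WWW-Authenticate header, which is why the
       poster matched it with Apache's AuthName for bbb.com. -->
  <auth-method>FORM</auth-method>
  <realm-name>Example Realm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>

<!-- ===== server.xml fragment =====
     The SingleSignOn valve is nested inside a Host, so it only spans the
     contexts deployed under that Host. It works by issuing a JSESSIONIDSSO
     cookie scoped to that host; the browser does not send that cookie to a
     different domain, and Apache never sees it at all, which is the
     limitation David points out above. -->
<Host name="aaa.com" appBase="webapps">
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
  <!-- MemoryRealm reads users and roles from conf/tomcat-users.xml. -->
  <Realm className="org.apache.catalina.realm.MemoryRealm" />
</Host>
```

Once the valve is in place, a user who authenticates against any one context under the Host is recognised by the other contexts under the same Host, whether they use FORM or BASIC; the Principal is attached server-side and keyed by the SSO cookie. Nothing in this configuration reaches content served by a separate Apache instance or under a second domain, so bbb.com's static pages still prompt on their own.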
