sridharmnj wrote:
My understanding:
When server receives a request for a secured resource first time (depending
on url-pattern and security constraint settings in web.xml), first it asks
for credentials using dialog box if its BASIC authentication or login form
if its FORM authenticatin and performs authentication based on Realm (JDBC
or JNDI or memory). If the user is authenticated successfully, it sets the
Principal object in the request (you can see this using
request.getUserPrincipal()). For subsequent requests, it checks everytime
for the Principal object and flow continues.
Pure basics. I'll only say that with BASIC authentication, user
credential are transmitted to the server on _every_ request -- even for
images, javascript and css.
When SingleSignOn valve (server.xml) is enabled, Tomcat allows the user to
navigate to other app (which is deployed in the same server) with out
prompting for authentication details again. Actually it shares the Principal
object in the request.
Right, but http is a stateless protocol and the client still has to
provide something to let the server know it's been there before. In the
absence of url rewriting, it's usually a cookie. Cookies can't cross
domains.
In my case as I am already authenticated in aaa.com, I am able to access
bbb.com's dynamic data (which is deployed in tomcat) without providing the
authentication details second time. But not able to access the bbb.com's
static data which is deployed in apache.
I'm getting that nagging feeling in the back of my head there's a
combination of Apache Httpd and Apache Tomcat here. If that's the case
could you clarify what service is providing what resources?
In normal flow, (without SSO), if I authenticate bbb.com's apache pages
(using httpd and .htaccess), I could navigate to Tomcat's pages without
providing the authentication details. Means, here apache is caching
credentials using SOME mechanism (not only cookies. But something else.. I
am not sure..this) and tomcat is using those credentials and not asking for
authentication.
Since Apache *Httpd* is using BASIC, and every request includes
credentials, this is normal. Apache *Tomcat* would receive the same
credentials in the BASIC auth header.
I need the reverse functionality. Means, when I provide credentials in
aaa.com (Tomcat Form based authentication) I should be able to navigate to
bbb.com's apache pages. (anyhow I am able to access bbb.com's tomcat pages).
I am sorry for lengthy message. But I tried to explain complete scenario.
David Smith-2 wrote:
I'll first admit that I've never used single sign-on, so most of this is
educated conjecture on my part. Hopefully it'll spark some discussion
in the right direction.
Your right -- jvm version is not going to make a difference with the
issue you are seeing. Plus upgrading the jvm may break the nine year
old app -- an excellent case to be made to your client/boss for
rewriting/upgrading the old app.
The real problem is how the single sign-on id is getting from aaa.com to
bbb.com. Cookies won't work as the browser won't return a cookie for
aaa.com to bbb.com. That's a security problem if it does. That leaves
URL rewriting. Are you doing anything to make sure the URLs for bbb.com
have the single sign-on id in the url? Seems like that's the only way
for bbb.com to know it's getting a request from a previously
authenticated user.
--David
sridharmnj wrote:
I hope you did not observe the following lines from my post.
bbb.com is an old project which was developed around 9 yrs ago and I am
not allowed to modify/reengineer the architecture.
It is successfully running on those versions in production and client
does
not want to upgrade versions for time being. I dont think that the java
version is creating any problem. Do you think so???
My problem is not related to Java version upgrades and its out of scope
for
discussion here. I am sure Java version update alone doesnot solve the
issue.
Propes, Barry L wrote:
and you're stuck on Java 1.3.1 and cannot go forward?
-----Original Message-----
From: sridharmnj [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 03, 2008 4:17 PM
To: users@tomcat.apache.org
Subject: RE: Single sign on issue with Tomcat and Apache
Apache 2.0.50
Tomcat 5.0.27
Java 1.3.1
Propes, Barry L wrote:
what versions are you using? Of each?
-----Original Message-----
From: sridharmnj [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 03, 2008 3:52 PM
To: users@tomcat.apache.org
Subject: Single sign on issue with Tomcat and Apache
Hi,
I am integrating two websites using single sign on. I have two sites
namely
aaa.com and bbb.com.
When a user navigates from aaa.com, as he is already authenticated in
it,
he
should be allowed to bbb.com without asking the credentials again. This
is
my requirement.
aaa.com is based on Tomcat Form based authentication and working fine.
bbb.com's static data is deployed on apache and it requires apache
BASIC
authentication (htttd, and .htaccess). And dynamic data is deployed on
Tomcat and based on Tomcat BASIC authentication.
If I access static data of bbb.com, it first asks for credentials
(Using
a
popup), authenticates using mod_auth_mysql, and once the user is
authenticated, it is storing credentials in browser cache. When I
navigate
to dynamic content which is in tomcat, still its working without asking
credentials twice. (I ensured that <realm-name> in web.xml and AuthName
in
.htaccess file are same).
I enabled SingleSignOn valve in server.xml file, and trying to access
bbb.com from aaa.com. When I try to access dynamic data of bbb.com from
aaa.com, as both are based on Tomcat security, they are sharing the
browser
cached credentials. (Though one is based on form and another is based
on
basic authentication model). But, when I try to access bbb.com's static
data
(which is in apache) from aaa.com, again its asking credentials, using
a
popup.
bbb.com is an old project which was developed around 9 yrs ago and I am
not
allowed to modify/reengineer the architecture.
Could any one please guide me in right direction. I appreciate your
help.
Thanks,
Sridhar
--
View this message in context:
http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633391.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
View this message in context:
http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633917.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
