I am really sorry if my explanation was confused you.
aaa.com -> Deployed in Tomcat and using FORM authentication.
bbb.com -> 1) Static data files are deployed in apache and Httpd & .htaccess
is used for authentication.
2) Dynamic data files are deployed in Tomcat and BASIC
authentication is used.
(Again I am sorry, this is existing system, I cant
change it.)
Please clarify me how Httpd and .htaccess are working. I mean where it is
storing the credentials? If you can provide me some inputs on this, it helps
me alot. I tried apache user guide, visited some forums and also googled
but, nothing cleared my doubts.
I really appreciate your help.
David Smith-2 wrote:
>
> sridharmnj wrote:
>> My understanding:
>>
>> When server receives a request for a secured resource first time
>> (depending
>> on url-pattern and security constraint settings in web.xml), first it
>> asks
>> for credentials using dialog box if its BASIC authentication or login
>> form
>> if its FORM authenticatin and performs authentication based on Realm
>> (JDBC
>> or JNDI or memory). If the user is authenticated successfully, it sets
>> the
>> Principal object in the request (you can see this using
>> request.getUserPrincipal()). For subsequent requests, it checks everytime
>> for the Principal object and flow continues.
>>
> Pure basics. I'll only say that with BASIC authentication, user
> credential are transmitted to the server on _every_ request -- even for
> images, javascript and css.
>
>> When SingleSignOn valve (server.xml) is enabled, Tomcat allows the user
>> to
>> navigate to other app (which is deployed in the same server) with out
>> prompting for authentication details again. Actually it shares the
>> Principal
>> object in the request.
>>
> Right, but http is a stateless protocol and the client still has to
> provide something to let the server know it's been there before. In the
> absence of url rewriting, it's usually a cookie. Cookies can't cross
> domains.
>
>> In my case as I am already authenticated in aaa.com, I am able to access
>> bbb.com's dynamic data (which is deployed in tomcat) without providing
>> the
>> authentication details second time. But not able to access the bbb.com's
>> static data which is deployed in apache.
>>
> I'm getting that nagging feeling in the back of my head there's a
> combination of Apache Httpd and Apache Tomcat here. If that's the case
> could you clarify what service is providing what resources?
>
>> In normal flow, (without SSO), if I authenticate bbb.com's apache pages
>> (using httpd and .htaccess), I could navigate to Tomcat's pages without
>> providing the authentication details. Means, here apache is caching
>> credentials using SOME mechanism (not only cookies. But something else..
>> I
>> am not sure..this) and tomcat is using those credentials and not asking
>> for
>> authentication.
>>
>>
> Since Apache *Httpd* is using BASIC, and every request includes
> credentials, this is normal. Apache *Tomcat* would receive the same
> credentials in the BASIC auth header.
>
>> I need the reverse functionality. Means, when I provide credentials in
>> aaa.com (Tomcat Form based authentication) I should be able to navigate
>> to
>> bbb.com's apache pages. (anyhow I am able to access bbb.com's tomcat
>> pages).
>>
>> I am sorry for lengthy message. But I tried to explain complete scenario.
>>
>>
>> David Smith-2 wrote:
>>
>>> I'll first admit that I've never used single sign-on, so most of this is
>>> educated conjecture on my part. Hopefully it'll spark some discussion
>>> in the right direction.
>>>
>>> Your right -- jvm version is not going to make a difference with the
>>> issue you are seeing. Plus upgrading the jvm may break the nine year
>>> old app -- an excellent case to be made to your client/boss for
>>> rewriting/upgrading the old app.
>>>
>>> The real problem is how the single sign-on id is getting from aaa.com to
>>> bbb.com. Cookies won't work as the browser won't return a cookie for
>>> aaa.com to bbb.com. That's a security problem if it does. That leaves
>>> URL rewriting. Are you doing anything to make sure the URLs for bbb.com
>>> have the single sign-on id in the url? Seems like that's the only way
>>> for bbb.com to know it's getting a request from a previously
>>> authenticated user.
>>>
>>> --David
>>>
>>> sridharmnj wrote:
>>>
>>>> I hope you did not observe the following lines from my post.
>>>>
>>>>
>>>>> bbb.com is an old project which was developed around 9 yrs ago and I
>>>>> am
>>>>> not allowed to modify/reengineer the architecture.
>>>>>
>>>>>
>>>> It is successfully running on those versions in production and client
>>>> does
>>>> not want to upgrade versions for time being. I dont think that the java
>>>> version is creating any problem. Do you think so???
>>>>
>>>> My problem is not related to Java version upgrades and its out of scope
>>>> for
>>>> discussion here. I am sure Java version update alone doesnot solve the
>>>> issue.
>>>>
>>>>
>>>> Propes, Barry L wrote:
>>>>
>>>>
>>>>> and you're stuck on Java 1.3.1 and cannot go forward?
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: sridharmnj [mailto:[EMAIL PROTECTED]
>>>>> Sent: Tuesday, June 03, 2008 4:17 PM
>>>>> To: users@tomcat.apache.org
>>>>> Subject: RE: Single sign on issue with Tomcat and Apache
>>>>>
>>>>>
>>>>>
>>>>> Apache 2.0.50
>>>>> Tomcat 5.0.27
>>>>> Java 1.3.1
>>>>>
>>>>>
>>>>> Propes, Barry L wrote:
>>>>>
>>>>>
>>>>>> what versions are you using? Of each?
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: sridharmnj [mailto:[EMAIL PROTECTED]
>>>>>> Sent: Tuesday, June 03, 2008 3:52 PM
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Single sign on issue with Tomcat and Apache
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>> I am integrating two websites using single sign on. I have two sites
>>>>>> namely
>>>>>> aaa.com and bbb.com.
>>>>>>
>>>>>> When a user navigates from aaa.com, as he is already authenticated in
>>>>>> it,
>>>>>> he
>>>>>> should be allowed to bbb.com without asking the credentials again.
>>>>>> This
>>>>>> is
>>>>>> my requirement.
>>>>>>
>>>>>> aaa.com is based on Tomcat Form based authentication and working
>>>>>> fine.
>>>>>>
>>>>>> bbb.com's static data is deployed on apache and it requires apache
>>>>>> BASIC
>>>>>> authentication (htttd, and .htaccess). And dynamic data is deployed
>>>>>> on
>>>>>> Tomcat and based on Tomcat BASIC authentication.
>>>>>>
>>>>>> If I access static data of bbb.com, it first asks for credentials
>>>>>> (Using
>>>>>> a
>>>>>> popup), authenticates using mod_auth_mysql, and once the user is
>>>>>> authenticated, it is storing credentials in browser cache. When I
>>>>>> navigate
>>>>>> to dynamic content which is in tomcat, still its working without
>>>>>> asking
>>>>>> credentials twice. (I ensured that <realm-name> in web.xml and
>>>>>> AuthName
>>>>>> in
>>>>>> .htaccess file are same).
>>>>>>
>>>>>> I enabled SingleSignOn valve in server.xml file, and trying to access
>>>>>> bbb.com from aaa.com. When I try to access dynamic data of bbb.com
>>>>>> from
>>>>>> aaa.com, as both are based on Tomcat security, they are sharing the
>>>>>> browser
>>>>>> cached credentials. (Though one is based on form and another is based
>>>>>> on
>>>>>> basic authentication model). But, when I try to access bbb.com's
>>>>>> static
>>>>>> data
>>>>>> (which is in apache) from aaa.com, again its asking credentials,
>>>>>> using
>>>>>> a
>>>>>> popup.
>>>>>>
>>>>>> bbb.com is an old project which was developed around 9 yrs ago and I
>>>>>> am
>>>>>> not
>>>>>> allowed to modify/reengineer the architecture.
>>>>>>
>>>>>> Could any one please guide me in right direction. I appreciate your
>>>>>> help.
>>>>>>
>>>>>> Thanks,
>>>>>> Sridhar
>>>>>> --
>>>>>> View this message in context:
>>>>>> http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633391.html
>>>>>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>>>>>
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>>>>>
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> --
>>>>> View this message in context:
>>>>> http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633917.html
>>>>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>> ---------------------------------------------------------------------
>>> To start a new topic, e-mail: users@tomcat.apache.org
>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>>
>>>
>>>
>>>
>>
>>
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
>
--
View this message in context:
http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17637401.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
