I am really sorry if my explanation confused you.

aaa.com -> Deployed in Tomcat and using FORM authentication.
bbb.com -> 1) Static data files are deployed in Apache, and httpd & .htaccess are used for authentication. 2) Dynamic data files are deployed in Tomcat and BASIC authentication is used. (Again I am sorry, this is an existing system, I can't change it.)

Please clarify for me how httpd and .htaccess are working. I mean, where is it storing the credentials? If you can provide me some inputs on this, it helps me a lot. I tried the Apache user guide, visited some forums and also googled, but nothing cleared my doubts. I really appreciate your help.

David Smith-2 wrote:
> 
> sridharmnj wrote:
>> My understanding:
>> 
>> When the server receives a request for a secured resource the first time
>> (depending on url-pattern and security constraint settings in web.xml), it first
>> asks for credentials using a dialog box if it's BASIC authentication or a login
>> form if it's FORM authentication, and performs authentication based on the Realm
>> (JDBC or JNDI or memory). If the user is authenticated successfully, it sets
>> the Principal object in the request (you can see this using
>> request.getUserPrincipal()). For subsequent requests, it checks every time
>> for the Principal object and the flow continues.
>> 
> Pure basics. I'll only say that with BASIC authentication, user
> credentials are transmitted to the server on _every_ request -- even for
> images, javascript and css.
> 
>> When the SingleSignOn valve (server.xml) is enabled, Tomcat allows the user
>> to navigate to another app (which is deployed in the same server) without
>> prompting for authentication details again. Actually it shares the Principal
>> object in the request.
>> 
> Right, but http is a stateless protocol and the client still has to
> provide something to let the server know it's been there before. In the
> absence of url rewriting, it's usually a cookie. Cookies can't cross
> domains.
> 
>> In my case, as I am already authenticated in aaa.com, I am able to access
>> bbb.com's dynamic data (which is deployed in tomcat) without providing the
>> authentication details a second time. But I am not able to access bbb.com's
>> static data which is deployed in apache.
>> 
> I'm getting that nagging feeling in the back of my head there's a
> combination of Apache Httpd and Apache Tomcat here. If that's the case
> could you clarify what service is providing what resources?
> 
>> In the normal flow (without SSO), if I authenticate to bbb.com's apache pages
>> (using httpd and .htaccess), I can navigate to Tomcat's pages without
>> providing the authentication details. Meaning, here apache is caching
>> credentials using SOME mechanism (not only cookies, but something else... I
>> am not sure of this) and tomcat is using those credentials and not asking for
>> authentication.
>> 
> Since Apache *Httpd* is using BASIC, and every request includes
> credentials, this is normal. Apache *Tomcat* would receive the same
> credentials in the BASIC auth header.
> 
>> I need the reverse functionality. Meaning, when I provide credentials in
>> aaa.com (Tomcat Form based authentication) I should be able to navigate to
>> bbb.com's apache pages. (Anyhow, I am able to access bbb.com's tomcat pages.)
>> 
>> I am sorry for the lengthy message. But I tried to explain the complete scenario.
>> 
>> David Smith-2 wrote:
>>> I'll first admit that I've never used single sign-on, so most of this is
>>> educated conjecture on my part. Hopefully it'll spark some discussion
>>> in the right direction.
>>> 
>>> You're right -- jvm version is not going to make a difference with the
>>> issue you are seeing. Plus upgrading the jvm may break the nine year
>>> old app -- an excellent case to be made to your client/boss for
>>> rewriting/upgrading the old app.
>>> 
>>> The real problem is how the single sign-on id is getting from aaa.com to
>>> bbb.com. Cookies won't work as the browser won't return a cookie for
>>> aaa.com to bbb.com. That's a security problem if it does. That leaves
>>> URL rewriting. Are you doing anything to make sure the URLs for bbb.com
>>> have the single sign-on id in the url? Seems like that's the only way
>>> for bbb.com to know it's getting a request from a previously
>>> authenticated user.
>>> 
>>> --David
>>> 
>>> sridharmnj wrote:
>>>> I hope you did not observe the following lines from my post.
>>>> 
>>>>> bbb.com is an old project which was developed around 9 yrs ago and I
>>>>> am not allowed to modify/reengineer the architecture.
>>>> 
>>>> It is successfully running on those versions in production and the client
>>>> does not want to upgrade versions for the time being. I don't think that the
>>>> java version is creating any problem. Do you think so???
>>>> 
>>>> My problem is not related to Java version upgrades and it's out of scope
>>>> for discussion here. I am sure a Java version update alone does not solve the
>>>> issue.
>>>> 
>>>> Propes, Barry L wrote:
>>>>> and you're stuck on Java 1.3.1 and cannot go forward?
>>>>> 
>>>>> -----Original Message-----
>>>>> From: sridharmnj [mailto:[EMAIL PROTECTED]
>>>>> Sent: Tuesday, June 03, 2008 4:17 PM
>>>>> To: users@tomcat.apache.org
>>>>> Subject: RE: Single sign on issue with Tomcat and Apache
>>>>> 
>>>>> Apache 2.0.50
>>>>> Tomcat 5.0.27
>>>>> Java 1.3.1
>>>>> 
>>>>> Propes, Barry L wrote:
>>>>>> what versions are you using? Of each?
>>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: sridharmnj [mailto:[EMAIL PROTECTED]
>>>>>> Sent: Tuesday, June 03, 2008 3:52 PM
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Single sign on issue with Tomcat and Apache
>>>>>> 
>>>>>> Hi,
>>>>>> I am integrating two websites using single sign on. I have two sites,
>>>>>> namely aaa.com and bbb.com.
>>>>>> 
>>>>>> When a user navigates from aaa.com, as he is already authenticated in it,
>>>>>> he should be allowed into bbb.com without being asked for the credentials
>>>>>> again. This is my requirement.
>>>>>> 
>>>>>> aaa.com is based on Tomcat Form based authentication and working fine.
>>>>>> 
>>>>>> bbb.com's static data is deployed on apache and it requires apache BASIC
>>>>>> authentication (httpd, and .htaccess). And dynamic data is deployed on
>>>>>> Tomcat and based on Tomcat BASIC authentication.
>>>>>> 
>>>>>> If I access static data of bbb.com, it first asks for credentials (using a
>>>>>> popup), authenticates using mod_auth_mysql, and once the user is
>>>>>> authenticated, it is storing credentials in the browser cache. When I
>>>>>> navigate to dynamic content which is in tomcat, it still works without
>>>>>> asking for credentials twice. (I ensured that <realm-name> in web.xml and
>>>>>> AuthName in the .htaccess file are the same.)
>>>>>> 
>>>>>> I enabled the SingleSignOn valve in the server.xml file, and am trying to
>>>>>> access bbb.com from aaa.com. When I try to access dynamic data of bbb.com
>>>>>> from aaa.com, as both are based on Tomcat security, they are sharing the
>>>>>> browser cached credentials. (Though one is based on form and another is
>>>>>> based on the basic authentication model.) But, when I try to access bbb.com's
>>>>>> static data (which is in apache) from aaa.com, again it's asking for
>>>>>> credentials, using a popup.
>>>>>> 
>>>>>> bbb.com is an old project which was developed around 9 yrs ago and I am
>>>>>> not allowed to modify/reengineer the architecture.
>>>>>> 
>>>>>> Could any one please guide me in the right direction. I appreciate your
>>>>>> help.
>>>>>> 
>>>>>> Thanks,
>>>>>> Sridhar
>>>>>> --
>>>>>> View this message in context:
>>>>>> http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633391.html
>>>>>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>>>>> 
>>>>>> ---------------------------------------------------------------------
>>>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>>>>> 
>>>>> --
>>>>> View this message in context:
>>>>> http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633917.html
>>>>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>>>> 
>>>> 
>>> 
>> 
> 
-- 
View this message in context: http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17637401.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
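The two points David Smith makes in the thread (BASIC credentials ride on every request to the protected realm, and a cookie set by aaa.com is never presented to bbb.com) as a small client-side model. This is an added example written for this page, not code from the thread, from Tomcat or from Apache httpd. It assumes one realm name "bbb" shared by the .htaccess AuthName and the web.xml <realm-name>, a made-up user table standing in for the mod_auth_mysql backend, constructed host names and paths, and JSESSIONIDSSO as the cookie name Tomcat's SingleSignOn valve sets:

```python
"""Client-side model of the two mechanisms discussed in the thread: HTTP BASIC
credentials (RFC 7617) and a host-only session cookie (RFC 6265).
Constructed example for this page, not code from the thread, Tomcat or httpd.
Hosts, paths, the realm "bbb", the user table and the cookie value are made up;
JSESSIONIDSSO is the cookie name Tomcat's SingleSignOn valve uses."""
from __future__ import annotations

import base64
from dataclasses import dataclass, field
from typing import Optional

REALM = "bbb"                        # AuthName in .htaccess == <realm-name> in web.xml
VALID_USERS = {"sridhar": "s3cret"}  # stands in for the htpasswd file / mod_auth_mysql table


def basic_header(user: str, password: str) -> str:
    """Authorization header a browser sends for BASIC: base64, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return f"Basic {token}"


def decode_basic(header: str) -> tuple[str, str]:
    """What anyone who sees the request (proxy, access log, sniffer) recovers."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def basic_protected(headers: dict) -> tuple[int, dict]:
    """Server side shared by the httpd (.htaccess) and Tomcat (web.xml) handlers.
    Nothing is remembered between requests: each one must carry the credentials."""
    auth = headers.get("Authorization")
    if auth is not None:
        user, password = decode_basic(auth)
        if VALID_USERS.get(user) == password:
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def aaa_tomcat(path: str, headers: dict) -> tuple[int, dict]:
    """aaa.com: FORM auth. A successful login sets the SSO session cookie."""
    if path == "/j_security_check":
        return 200, {"Set-Cookie": "JSESSIONIDSSO=abc123"}
    if "JSESSIONIDSSO=abc123" in headers.get("Cookie", ""):
        return 200, {}
    return 302, {"Location": "/login.jsp"}


def server(host: str, path: str, headers: dict) -> tuple[int, dict]:
    """Route one request to the component that serves it."""
    if host == "aaa.com":
        return aaa_tomcat(path, headers)
    if host == "bbb.com":
        # /static/ is httpd (.htaccess), the rest is Tomcat (web.xml); both
        # challenge with the same realm, so the browser treats them as one space.
        return basic_protected(headers)
    return 404, {}


@dataclass
class Browser:
    """Only the two behaviours at issue: realm-scoped BASIC cache, host-only cookies."""
    basic_cache: dict = field(default_factory=dict)  # (host, realm) -> Authorization value
    cookies: dict = field(default_factory=dict)      # host -> cookie string
    prompts: int = 0                                 # how often the user saw the popup
    auth_sent: int = 0                               # requests that carried credentials

    def get(self, host: str, path: str, creds: Optional[tuple[str, str]] = None) -> int:
        headers = {}
        if host in self.cookies:                     # a cookie goes back to its own host only
            headers["Cookie"] = self.cookies[host]
        status, resp = server(host, path, headers)
        if status == 401:
            realm = resp["WWW-Authenticate"].split('realm="')[1].rstrip('"')
            auth = self.basic_cache.get((host, realm))
            if auth is None:                         # nothing cached for this protection space
                self.prompts += 1
                if creds is None:                    # user cancels the popup
                    return 401
                auth = basic_header(*creds)
                self.basic_cache[(host, realm)] = auth
            headers["Authorization"] = auth          # resent, unprompted, on every challenge
            self.auth_sent += 1
            status, resp = server(host, path, headers)
        if "Set-Cookie" in resp:
            self.cookies[host] = resp["Set-Cookie"]
        return status


def walkthrough() -> dict:
    """Replay the scenario from the thread and collect what is observable."""
    b = Browser()
    b.get("aaa.com", "/j_security_check")                       # FORM login on aaa.com
    r = {"aaa_after_login": b.get("aaa.com", "/app/")}          # 200: cookie sent to aaa.com
    r["bbb_tomcat_from_aaa"] = b.get("bbb.com", "/dyn/report")  # 401: no cookie, no credentials
    r["bbb_static_login"] = b.get("bbb.com", "/static/index.html", ("sridhar", "s3cret"))
    r["bbb_tomcat_same_realm"] = b.get("bbb.com", "/dyn/report")   # 200, no popup
    r["bbb_static_image"] = b.get("bbb.com", "/static/logo.png")   # 200, credentials again
    r["prompts"] = b.prompts                                       # 2: one cancelled, one answered
    r["auth_sent"] = b.auth_sent                                   # 3: every protected fetch
    r["wire_credentials"] = decode_basic(b.basic_cache[("bbb.com", REALM)])
    r["cookie_hosts"] = sorted(b.cookies)                          # ['aaa.com'] only
    return r
```

Run `walkthrough()` to see the thread's observations reproduced: the aaa.com session cookie never reaches bbb.com, so the first bbb.com request from an aaa.com session is a 401 no matter what Tomcat's SingleSignOn valve shares internally; once the user answers the bbb.com popup, both the httpd and the Tomcat side of bbb.com are satisfied without another prompt because they challenge with the same realm, and the plaintext user name and password travel in the Authorization header of every protected fetch, images included. On the question of where httpd keeps the credentials: it does not cache them. A .htaccess file holds only directives (AuthType Basic, AuthName, Require and the directives naming the user store, such as AuthUserFile for a password file or the mod_auth_mysql connection settings); the user records live in that store, and the only thing that is "remembered" is the Authorization header the browser keeps for that host and realm.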