Regarding how Apache httpd is working and where the credentials are stored, you already mentioned in your original post you had mod_auth_mysql configured and working. I'm guessing tomcat for bbb.com is configured with a realm in server.xml to the same database.
--David sridharmnj wrote:
Following lines are from apache user guide. (http://httpd.apache.org/docs/1.3/howto/auth.html#basicworks) Because the HTTP protocol is stateless, each request will be treated in the same way, even though they are from the same client. That is, every resource which is requested from the server will have to supply authentication credentials over again in order to receive the resource. Fortunately, the browser takes care of the details here, so that you only have to type in your username and password one time per browser session - that is, you might have to type it in again the next time you open up your browser and visit the same web site. I am not clear these lines. How the browser take care of those details. sridharmnj wrote:I am really sorry if my explanation was confused you. aaa.com -> Deployed in Tomcat and using FORM authentication. bbb.com -> 1) Static data files are deployed in apache and Httpd &.htaccess is used for authentication. 2) Dynamic data files are deployed in Tomcat and BASICauthentication is used. (Again I am sorry, this is existing system, I cant change it.) Please clarify me how Httpd and .htaccess are working. I mean where it is storing the credentials? If you can provide me some inputs on this, it helps me alot. I tried apache user guide, visited some forums and also googled but, nothing cleared my doubts. I really appreciate your help. David Smith-2 wrote:sridharmnj wrote:Pure basics. I'll only say that with BASIC authentication, user credential are transmitted to the server on _every_ request -- even for images, javascript and css.My understanding: When server receives a request for a secured resource first time (depending on url-pattern and security constraint settings in web.xml), first it asks for credentials using dialog box if its BASIC authentication or login form if its FORM authenticatin and performs authentication based on Realm (JDBC or JNDI or memory). If the user is authenticated successfully, it sets the Principal object in the request (you can see this using request.getUserPrincipal()). For subsequent requests, it checks everytime for the Principal object and flow continues.Right, but http is a stateless protocol and the client still has to provide something to let the server know it's been there before. In the absence of url rewriting, it's usually a cookie. Cookies can't cross domains.When SingleSignOn valve (server.xml) is enabled, Tomcat allows the user to navigate to other app (which is deployed in the same server) with out prompting for authentication details again. Actually it shares the Principal object in the request.I'm getting that nagging feeling in the back of my head there's a combination of Apache Httpd and Apache Tomcat here. If that's the case could you clarify what service is providing what resources?In my case as I am already authenticated in aaa.com, I am able to access bbb.com's dynamic data (which is deployed in tomcat) without providing the authentication details second time. But not able to access the bbb.com's static data which is deployed in apache.Since Apache *Httpd* is using BASIC, and every request includes credentials, this is normal. Apache *Tomcat* would receive the same credentials in the BASIC auth header.In normal flow, (without SSO), if I authenticate bbb.com's apache pages (using httpd and .htaccess), I could navigate to Tomcat's pages without providing the authentication details. Means, here apache is caching credentials using SOME mechanism (not only cookies. But something else.. I am not sure..this) and tomcat is using those credentials and not asking forauthentication.I need the reverse functionality. Means, when I provide credentials in aaa.com (Tomcat Form based authentication) I should be able to navigate to bbb.com's apache pages. (anyhow I am able to access bbb.com's tomcat pages). I am sorry for lengthy message. But I tried to explain complete scenario. David Smith-2 wrote:I'll first admit that I've never used single sign-on, so most of thisis educated conjecture on my part. Hopefully it'll spark some discussion in the right direction.Your right -- jvm version is not going to make a difference with the issue you are seeing. Plus upgrading the jvm may break the nine year old app -- an excellent case to be made to your client/boss for rewriting/upgrading the old app.The real problem is how the single sign-on id is getting from aaa.comto bbb.com. Cookies won't work as the browser won't return a cookie for aaa.com to bbb.com. That's a security problem if it does. That leaves URL rewriting. Are you doing anything to make sure the URLs for bbb.com have the single sign-on id in the url? Seems like that's the only way for bbb.com to know it's getting a request from a previously authenticated user.--David sridharmnj wrote:I hope you did not observe the following lines from my post.bbb.com is an old project which was developed around 9 yrs ago and I amnot allowed to modify/reengineer the architecture.It is successfully running on those versions in production and client does not want to upgrade versions for time being. I dont think that the java version is creating any problem. Do you think so??? My problem is not related to Java version upgrades and its out of scope for discussion here. I am sure Java version update alone doesnot solve the issue. Propes, Barry L wrote:and you're stuck on Java 1.3.1 and cannot go forward? -----Original Message----- From: sridharmnj [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 03, 2008 4:17 PM To: users@tomcat.apache.org Subject: RE: Single sign on issue with Tomcat and Apache Apache 2.0.50 Tomcat 5.0.27 Java 1.3.1 Propes, Barry L wrote:what versions are you using? Of each? -----Original Message----- From: sridharmnj [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 03, 2008 3:52 PM To: users@tomcat.apache.org Subject: Single sign on issue with Tomcat and Apache Hi, I am integrating two websites using single sign on. I have two sites namely aaa.com and bbb.com. When a user navigates from aaa.com, as he is already authenticated in it, he should be allowed to bbb.com without asking the credentials again. This ismy requirement.aaa.com is based on Tomcat Form based authentication and working fine. bbb.com's static data is deployed on apache and it requires apache BASIC authentication (htttd, and .htaccess). And dynamic data is deployed on Tomcat and based on Tomcat BASIC authentication. If I access static data of bbb.com, it first asks for credentials (Using a popup), authenticates using mod_auth_mysql, and once the user is authenticated, it is storing credentials in browser cache. When I navigate to dynamic content which is in tomcat, still its working without asking credentials twice. (I ensured that <realm-name> in web.xml and AuthName in.htaccess file are same).I enabled SingleSignOn valve in server.xml file, and trying to access bbb.com from aaa.com. When I try to access dynamic data of bbb.com from aaa.com, as both are based on Tomcat security, they are sharing the browser cached credentials. (Though one is based on form and another is based on basic authentication model). But, when I try to access bbb.com's static data (which is in apache) from aaa.com, again its asking credentials, using a popup. bbb.com is an old project which was developed around 9 yrs ago and I am notallowed to modify/reengineer the architecture.Could any one please guide me in right direction. I appreciate your help. Thanks,Sridhar --View this message in context: http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633391.html Sent from the Tomcat - User mailing list archive at Nabble.com. --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]-- View this message in context: http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633917.html Sent from the Tomcat - User mailing list archive at Nabble.com. --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]--------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]--------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
