Jill,
On 4/22/2009 3:11 PM, Jill Han wrote:
> What I want to do is all the applications have the same realm config
> in server.xml.

That's not what you said earlier: you said you wanted /certain/ applications to have SSO behavior. SSO works by creating a single Realm for all applications within the same <Host> and authenticating only a single time.

> When it comes to the different Applications, the
> authentication will be performed based on the application's very own
> web.xml.

This is not possible using SSO, since it always uses the same Realm configuration. The only things you can control with web.xml are the form where authentication is requested (the login-form), which could be different for each webapp, and the recognized security roles and what they are allowed to access.

> If the applications in the web.xml have the same
> <realm-name>, those applications just need to be authenticated once.

Tomcat does not provide this capability. You will have to roll your own authentication scheme to do this.

> If the applications in the web.xml have different <realm-name>, those
> applications need to be authenticated separately.

Your best option is to use multiple <Host> entries in server.xml, but this requires that you have different host names or IP addresses in order to make it work, which may not be possible or reasonable for your requirements.

> Those tasks can be achieved if basic authentication as
> <login-config> <auth-method>BASIC</auth-method>
> <realm-name>TEST</realm-name> </login-config> is used.

This is because of a coincidence in how HTTP Auth works. Your browser sends a special HTTP header regardless of the webapp being used, and then the webapp does whatever it wants in order to authenticate and authorize the request. Form authentication is different, since once the authentication is performed, the session is tied to that user and only authorization checks are done after that.
If you still can't get this to work, I can think of another solution (and you're not going to like it):

1. Use securityfilter (http://securityfilter.sourceforge.net)
2. Write a servlet that accepts an encrypted identifier from your other applications and crams the Principal into the session (where sf keeps its user info)
3. Encode all your URLs that take you from one application to the other to provide this encrypted identifier to the login-forcing servlet and then redirect to where you /really/ want to go

Of course, this doesn't work if users randomly jump between applications without actually clicking on your links.

-chris
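As an added illustration, not part of the original thread, here is what the two layouts Chris describes look like in Tomcat configuration: one <Host> whose webapps share a Realm and a SingleSignOn valve (authenticate once per Host), and a second <Host> with its own Realm (authenticate separately). Host names, appBase directories and the role name are assumed placeholders.

```xml
<!-- server.xml fragment (Tomcat 6-era syntax). Host names and appBase
     directories are assumed placeholders for this illustration. -->
<Engine name="Catalina" defaultHost="sso.example.test">

  <!-- Host A: every webapp deployed here uses this one Realm, and the
       SingleSignOn valve makes a user authenticate only once for the
       whole Host. web.xml settings cannot override the Realm choice. -->
  <Host name="sso.example.test" appBase="webapps-sso"
        unpackWARs="true" autoDeploy="true">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
    <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
  </Host>

  <!-- Host B: its own Realm (could be a different Realm type) and no
       SingleSignOn valve, so its webapps authenticate independently of
       Host A. Requests are routed to this Host by the Host header, so it
       needs a distinct host name or IP address. -->
  <Host name="other.example.test" appBase="webapps-other"
        unpackWARs="true" autoDeploy="true">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Host>
</Engine>

<!-- web.xml fragment for a webapp under Host A. Only the login form and
     the roles are per-webapp; <realm-name> is just the label used in the
     BASIC challenge and is ignored for FORM. It never selects a Realm. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>TEST</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>  <!-- assumed role defined in the Realm -->
  </auth-constraint>
</security-constraint>
```

Because Tomcat selects the <Host> from the request's Host header, both names must resolve to the server; on a single name or address the webapps all land in one Host and share its Realm.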