Andre,

I am using a realm for this.  I decided that the best route to go on this is
if a user is actively logged in and tries to log in again (while already
authenticated) to invalidate the 'other' session and continue on, that way
if the browser dies, they can still get in.  I have however not one clue
how to do this.  What is put in the session upon authentication that I could
have my code look for to invalidate the "other" live session?

- Josh

On Mon, Oct 12, 2009 at 10:01 AM, André Warnier <a...@ice-sa.com> wrote:

> Josh Gooding wrote:
>
>> To my knowledge the Single Sign on in Tomcat is a way for all of your back
>> end applications in your VH to recognize that you have logged in to one
>> place, and all of the apps belonging to that VH will be logged into.
>>
> Well, "kind of"..
>
>> What I am trying to do is restrict the login from users to one single
>> session.  (i.e. if you are logged in once, you cannot log in again unless
>> your session expires or you log out.)  Is this possible with what is
>> included with Tomcat or is this going to take some custom code?  Either
>> way is fine, I'm just trying to use the server to handle as much of the
>> work load as possible and lessen the actual coding load.
>>
> It really depends on what kind of "login" (or rather, user
> authentication) you have set up.
> If you are using Tomcat's integrated (or container-based) authentication
> mechanism, then as far as I know the authenticated user-id is something that
> will be stored in the session data.  As long as the session is valid, the
> user will not be asked to re-authenticate.  As soon as the session is
> invalidated and they try to access a webapp that is submitted to AAA, they
> will be asked to login again.  This is true for all webapps that are in the
> same "realm".
> It is fairly well explained here :
> http://tomcat.apache.org/tomcat-6.0-doc/config/host.html#Single%20Sign%20On
>
> The keys here are which kind of AAA you are using, the Realm of your
> webapps, the session and its associated cookie.
>
> Note that this kind of SSO is Tomcat-specific, and valid only for a single
> Tomcat.
> What many of my customers understand by SSO is a bit different : it means
> that they wish to login once in the morning when they turn on their
> workstation, and never again during the day.  They then want this single
> login to be valid, automatically, for all servers and applications they
> access during the day, whether they are running under Tomcat or not (but
> also the ones running under Tomcat).
> That's a different story.
>

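One way to do what Josh describes at the top of this message, as an added example that is not code from the thread or from Tomcat: a filter records one session per user name and, on the first authenticated request of a new session, invalidates the session previously recorded for that user. The class name, attribute name and map are hypothetical; it assumes container-managed authentication (so `getRemoteUser()` is set), the Servlet 2.5 API of Tomcat 6, registration of the class in web.xml as both a `<filter>` and a `<listener>`, and a single non-clustered Tomcat.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.*;
import javax.servlet.http.*;

/** Keeps at most one live session per authenticated user; the newest login wins. */
public class SingleSessionFilter implements Filter, HttpSessionListener {
    // user name -> the one session currently allowed for that user (shared by both instances)
    private static final ConcurrentMap<String, HttpSession> ACTIVE =
            new ConcurrentHashMap<String, HttpSession>();
    private static final String USER_ATTR = "singleSession.user"; // hypothetical attribute name

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        String user = req.getRemoteUser();           // null until the realm has authenticated
        HttpSession session = req.getSession(false);
        if (user != null && session != null && session.getAttribute(USER_ATTR) == null) {
            // First authenticated request on this session: claim the user's slot.
            session.setAttribute(USER_ATTR, user);
            HttpSession old = ACTIVE.put(user, session);
            if (old != null && old != session) {
                // Worth an audit log entry: a displaced session can mean shared credentials.
                try { old.invalidate(); } catch (IllegalStateException alreadyInvalid) { }
            }
        }
        chain.doFilter(rq, rs);
    }

    public void sessionCreated(HttpSessionEvent e) {}

    public void sessionDestroyed(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        Object user = s.getAttribute(USER_ATTR);
        if (user == null) return;                    // session never authenticated
        HttpSession current = ACTIVE.get((String) user);
        // Drop the entry only if the session ending is still the recorded one,
        // so a displaced session cannot erase its replacement.
        if (current != null && current.getId().equals(s.getId())) {
            ACTIVE.remove((String) user, current);
        }
    }
}
```

Map the filter to the same URL patterns as the security constraints, so every authenticated request passes through it.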