incubator-jspwiki-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "lgilardoni61@gmail.com" <lgilardon...@gmail.com>
Subject About SSO on tomcat
Date Fri, 20 Feb 2009 17:48:16 GMT
To save some time to other maybe interested ... I run into this 
unexpected and odd behaviour:

1) Tomcat 5, SSO enabled (usual <Valve 
className="org.apache.catalina.authenticator.SingleSignOn">)
2) Two Jspwiki instances (2.8.1), where everything should be accessible 
only to authenticated users

Log into wiki1, ok
Go to wiki2, SSO works, automatically authenticated
Logout from wiki2, nothing happens.

Tx to google, got to 
http://osdir.com/ml/java.jspwiki.user/2006-11/msg00172.html, and tx to 
Andrew Jaquith wro wrote the post, some light.
But also some more doubt. It turns out that in wiki2 after the logout 
you get a brand new session already authenticated. But if then you edit 
a page,
then a logout would work.

Some more google and:

http://mail-archives.apache.org/mod_mbox/tomcat-dev/200610.mbox/%3Cbug-40775-78@http.issues.apache.org/bugzilla/%3E

explain the mistery.

What happens is that session.invalidate in wiki2 only invalidate local 
session. This *should* propagate because in tomcat the SSO valve setup a 
listener
but it only does if the second application register, and this seems to 
happen *only* when you access a protected resource.
But normal wiki web.xml set up a security constraint *only* on a subset 
of resources, notably not on wiki.jsp, to allow for anonymous logins; so
session is got through the WikiServletFilter, but security constraints 
applied only on edit .. which explains the odd behaviour.

Hence, if you want to have SSO AND only authenticated users the simple 
solution is to set up the valve and the jspwiki web.xml
 normally BUT you also need to add a further security constraint, such 
as <url-pattern>/Wiki.jsp</url-pattern> in the authenticated area.

No idea about how (and if possible at all) enable SSO AND solve this 
problem AND keep the anonymous access; in our case this is not an issue 
(no anonymous access)
so my own problem is solved ... any other better idea wellcome.

LG

Mime
View raw message