shiro-user mailing list archives

From "Andy Tripp"
Subject SSO with centralized authentication
Date Tue, 28 Jul 2009 19:20:56 GMT

We're trying to do a centralized authentication service, in which one
machine (one tomcat instance) does authentication and all other machines
just redirect all servlet requests to the authentication machine. If a
user is not authenticated, he gets the login screen, and on successful
login, gets routed from the authentication server back to the URL that
he requested on the application machine. So we'd have each application
do what the sample webapp does: have a ShiroFilter in web.xml which
redirects all URLs to login.jsp. At that point, the
WebUtils.saveRequest() call saves a URL, but it saves it on the
application machine, not the authentication server. Then, the login.jsp
ACTION is to invoke a servlet on the authentication machine, where the
WebUtils.getSavedRequest() would NOT retrieve the saved URL, because it
was saved back on the application machine.

So it looks like these PassThruAuthenticationFilter and
FormAuthenticationFilter filters don't support centralized
authentication out-of-the-box. Everything works for me now, but only
because I'm running everything on a single machine. 

Does all that make sense? If so, don't we need to be "saving" the URL by
storing it as a hidden field on login.jsp, and setting the
user-requested URL as we send the user to login.jsp?

Thanks again,

p.s. I'm working with Gurpreet, and this is a variation on her recent
post to the list.
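
The hidden-field approach asked about above, as an added example that is not part of the original message and is not Shiro's own code: the application machine passes the requested URL to the central login page, and the authentication machine validates it before redirecting back, because a value carried in a form field or query string is controlled by the client. The `returnUrl` parameter name, the host names and the fallback URL are assumptions made for the illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

public class ReturnUrlDemo {
    // Assumption: hosts of the application machines allowed to receive users back.
    static final Set<String> ALLOWED_HOSTS = Set.of("app1.example.com", "app2.example.com");
    static final String FALLBACK = "https://auth.example.com/home";

    // Application machine: send the user to the central login page, carrying the
    // requested URL in a (hypothetical) "returnUrl" parameter instead of the local session.
    static String buildLoginRedirect(String loginUrl, String requestedUrl) {
        return loginUrl + "?returnUrl=" + URLEncoder.encode(requestedUrl, StandardCharsets.UTF_8);
    }

    // Authentication machine: the parameter (or hidden field) is client-controlled,
    // so accept only absolute https URLs whose host is on the allowlist.
    static String resolveReturnUrl(String candidate) {
        if (candidate == null) return FALLBACK;
        try {
            URI uri = new URI(candidate).normalize();
            String host = uri.getHost();
            boolean ok = "https".equalsIgnoreCase(uri.getScheme())
                    && host != null
                    && uri.getUserInfo() == null
                    && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
            return ok ? uri.toString() : FALLBACK;
        } catch (URISyntaxException e) {
            return FALLBACK; // unparsable input never reaches the redirect
        }
    }

    public static void main(String[] args) {
        System.out.println(buildLoginRedirect("https://auth.example.com/login.jsp",
                "https://app1.example.com/orders?id=7"));
        String[] samples = { // constructed inputs
            "https://app1.example.com/orders?id=7",        // allowlisted host: kept
            "https://other.example.net/page",              // unknown host: fallback
            "https://app1.example.com@other.example.net/", // userinfo trick: fallback
            "//other.example.net/",                        // scheme-relative: fallback
            "javascript:alert(1)"                          // non-https scheme: fallback
        };
        for (String s : samples) System.out.println(s + " -> " + resolveReturnUrl(s));
    }
}
```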
