Message-ID: <38A46D84.9C99CA53@exoffice.com>
Date: Fri, 11 Feb 2000 12:13:56 -0800
From: Assaf Arkin
Organization: Exoffice
To: tomcat-dev@jakarta.apache.org
Subject: Re: login-config handling (was Re: Help with Interceptors)
References: <200002102358.QAA03028@durango.Central.Sun.COM> <38A354B9.92274300@exoffice.com> <38A3AAF8.44F310A5@mytownnet.com>

> What you say is true about sessions (they are specific to a servlet context),
> but not necessarily true for general user authentication. The 2.2 spec allows a
> container to implement "single sign on" authentication for multiple web apps on
> the same server, although it gives precious few details on how to do this in a
> portable manner. I would hope that would be clarified in the next round.

I guess my question, since I want to see one login for the entire realm
(and all contexts), is how can you specify that in the DD?

> In the Catalina architecture this would not be terribly hard to implement,
> because you can attach a Realm at any level in the containment hierarchy.
> However, there'd still be some issues about how you configure the session id
> cookies for each app, plus how to decide which context to use for the actual
> authentication rules.

What happened to SecurityProvider?
I find it easy to work with a single SecurityProvider where 'realm' is
passed as an argument, rather than a Realm per realm.

> > What you want to do is be able to carry the login from one context to
> > another. Once you logged into one context, you are automatically logged
> > on in the other. Have no clue how to make it happen, but I think that's
> > how it should work.
>
> What we're saying is that the values returned by getRemoteUser() and
> getUserPrincipal() would be global to multiple apps, with only a single login
> challenge. The sessions would still be unique per context, but you'd be able to
> count on the fact that the container authenticated the user for you.

If it can be done that way, all the better!

arkin

> Craig McClanahan

--
Assaf Arkin                                www.exoffice.com
CTO, Exoffice Technologies, Inc.           www.exolab.org