tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: Sharing sessions across contexts?
Date Sat, 07 Oct 2000 02:48:10 GMT
kenneth topp wrote:

> On Fri, 6 Oct 2000, Craig R. McClanahan wrote:
> > What you are describing is somewhat similar to the "single sign on" support
> > that was just added to Tomcat 4.0.  It relies on webapps that use the
> > container-managed security features of the servlet 2.2/2.3 APIs, and works
> > like this:  the first time the user tries to access a URI protected by a
> > security constraint, the user must log in according to the login
> > configuration of that webapp.  However, their user identity is propagated
> > across all the webapps of this virtual host so the user won't be challenged
> > to log in to each webapp individually.
> this is just an implementation of http authentication of rfc2617, no?

Not only that.

You set up container-managed security for each of the applications in your
web.xml file, following the standard capabilities described by the servlet 2.2
and 2.3 specs.  The first time that your user accesses a portion of the webapp
protected by a security constraint, they will be challenged to log on according
to whatever login configuration you have set for that app.  The thing that single
sign on (SSO) does for you is save having to have the same user log on again for
each of the other apps.

> Is the security constraint going to be customizable, like apache
> (mod_auth_*)?

There are several levels of customization available:

* The container managed security mechanism lets you declare
  security constraints over individual URLs, over "subdirectories"
  of your webapp's URL space, or even on filename extensions
  (such as "protect access to every JSP page").

* Attached to a security constraint, you get to declare what roles
  (think "groups" if you are used to Apache) have access to the
  URLs protected by this constraint.

How a servlet container looks up users and their roles is *not* standardized.
However, Tomcat 4.0 provides an API (pretty similar to the one in Tomcat 3.x) to
define your own Realm.  Two Realms are already provided (one that reads the
"conf/tomcat-users.xml" file, and one that connects to a database), but more can
easily be created.

> Kenneth Topp

Craig McClanahan

See you at ApacheCon Europe <>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat
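The web.xml arrangement described in the message above, written out as an added example (it is not from the original post or from the Tomcat project): one security constraint covers a "subdirectory" of the webapp's URL space, a second covers every JSP page by extension, each names the roles allowed through, and a login-config chooses how the user is challenged the first time a protected URI is hit. The role names (admin, member), the /admin/ URL space and the realm name are assumptions made for this illustration.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">

<!-- Added example, not from the original message or the Tomcat project.
     Role names ("admin", "member"), the /admin/ URL space and the realm
     name are assumptions made for this illustration. -->
<web-app>

  <!-- Constraint 1: a "subdirectory" of the webapp's URL space.
       Only users in the admin role may reach anything under /admin/. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <!-- No http-method element means every method is covered; listing
           specific methods would leave the unlisted ones unprotected. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require HTTPS so credentials and the session are not sent in clear. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Constraint 2: protection by filename extension ("every JSP page").
       Both the member and admin roles may view JSP pages. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All JSP pages</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- How the user is challenged on first access to a protected URI.
       BASIC is the RFC 2617 challenge mentioned in the thread; FORM would
       use a form-login-config with a login page and an error page instead. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Application</realm-name>
  </login-config>

  <!-- Every role named in an auth-constraint must be declared here, and a
       user must hold it in the container's Realm (for instance in
       conf/tomcat-users.xml) before the constraint can be satisfied. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```

Single sign on removes the repeated login, not the role check: once the user's identity is propagated to the other webapps of the virtual host, each webapp's own auth-constraint still decides whether that user may reach a given URL, and a user holding none of the listed roles is refused even though they are already authenticated.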
