tomcat-users mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: Doubt in Single Sign On !!!
Date Wed, 29 Jan 2003 07:25:25 GMT


On Tue, 28 Jan 2003, Will Hartung wrote:

> Date: Tue, 28 Jan 2003 16:49:09 -0800
> From: Will Hartung <willh@msoft.com>
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Subject: Re: Doubt in Single Sign On !!!
>
> > From: "Craig R. McClanahan" <craigmcc@apache.org>
> > Sent: Tuesday, January 28, 2003 2:01 PM
> > Subject: Re: Doubt in Single Sign On !!!
>
>
> > True ... there is no such thing as a cross-application session defined in
> > the servlet spec.
> >
> > You're outside the bounds of the servlet spec when you talk about this,
> > but nothing stops a container from providing something like it.
>
> Yes, for example, the Tomcat Servlet Container (tm reg. us. pat. off.) has a
> Single Sign On facility that's outside of the Servlet Spec, but it doesn't
> behave as a consistent time out across all the webapps it's supporting. :-)
>

Actually, SSO is *not* outside the bounds of the spec :-).  See Section
SRV.12.6 of the Servlet 2.3 Specification, and Tomcat's implementation
complies with the requirements there.  What is not defined is where
the boundaries of a "security policy domain" are with respect to SSO --
Tomcat's choice to implement this at the virtual host level is entirely
legitimate, as would an SSO implementation that was based on Project
Liberty <http://www.libertyalliance.org/> that covered multiple web apps
on multiple servers (not even necessarily all Java based).

However, Section 12.6 only talks about propagating security identities; it
says nothing about updating the last access time of sessions in other web
apps so that they don't time out.  Technically, that would not be hard to
accomplish (modify the existing SSO valve to call access() on the internal
StandardSession object of each related session) -- but you won't be able
to claim that such behavior is "required".

> Regards,
>
> Will Hartung
> (willh@msoft.com)
>

Craig
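As an added illustration (not Tomcat's own code and not from the thread), a Tomcat 4.1 valve subclass doing what Craig describes: on every request that carries the SSO cookie it calls access() on the other sessions tied to that SSO id before the stock valve propagates the identity. It assumes the stock SingleSignOn valve's protected lookup(String) method and the public sessions[] array of its package-private SingleSignOnEntry as they were in Tomcat 4.1; later versions expose the sessions differently.

```java
package org.apache.catalina.authenticator;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.Request;
import org.apache.catalina.Response;
import org.apache.catalina.Session;
import org.apache.catalina.ValveContext;
// Illustrative valve, not Tomcat's own code; same package as the stock valve so
// the package-private SingleSignOnEntry is reachable.
public class SessionTouchingSingleSignOn extends SingleSignOn {

    public void invoke(Request request, Response response, ValveContext context)
            throws IOException, ServletException {
        if (request.getRequest() instanceof HttpServletRequest) {
            String ssoId = findSsoId((HttpServletRequest) request.getRequest());
            if (ssoId != null) {
                touchRelatedSessions(ssoId);
            }
        }
        // Stock behaviour: propagate the security identity, then continue the pipeline.
        super.invoke(request, response, context);
    }
    // Value of the JSESSIONIDSSO cookie, or null if the request carries none.
    private String findSsoId(HttpServletRequest hreq) {
        Cookie[] cookies = hreq.getCookies();
        if (cookies == null) return null;
        for (int i = 0; i < cookies.length; i++) {
            if (Constants.SINGLE_SIGN_ON_COOKIE.equals(cookies[i].getName())) {
                return cookies[i].getValue();
            }
        }
        return null;
    }

    // Touch every still-valid session tied to this SSO id. Assumes Tomcat 4.1's
    // protected lookup() and public sessions[] array. Caveat: a session in an idle
    // webapp now lives as long as any webapp is in use (longer than its own timeout).
    private void touchRelatedSessions(String ssoId) {
        SingleSignOnEntry entry = lookup(ssoId);
        if (entry == null) return;
        Session[] sessions = entry.sessions;
        for (int i = 0; i < sessions.length; i++) {
            if (sessions[i].isValid()) {
                sessions[i].access();
            }
        }
    }
}
```

Configure it in server.xml in place of the stock SingleSignOn valve on the Host; as the thread notes, this behaviour is a container choice, not something the spec requires.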

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

