tomcat-users mailing list archives

From shanmugampl <shanmuga...@india.adventnet.com>
Subject Re: Doubt in Single Sign On !!!
Date Wed, 29 Jan 2003 05:23:41 GMT
Will this be supported in the future releases of Tomcat?

Craig R. McClanahan wrote:

>On Tue, 28 Jan 2003, Will Hartung wrote:
>
>>Date: Tue, 28 Jan 2003 13:32:46 -0800
>>From: Will Hartung <willh@msoft.com>
>>Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
>>To: Tomcat Users List <tomcat-user@jakarta.apache.org>
>>Subject: Re: Doubt in Single Sign On !!!
>>
>>>From: "Craig R. McClanahan" <craigmcc@apache.org>
>>>Sent: Tuesday, January 28, 2003 1:04 PM
>>>Subject: Re: Doubt in Single Sign On !!!
>>
>>>The reason for this design is security.
>>>
>>>Consider a portal-type application like My Yahoo, which implements their
>>>version of single sign on (you don't have to log in to mail, then to
>>>games, then to ...).  I browse around between the apps, and decide to log
>>>out.  Should the effect of this logout be global?  I would suggest that it
>>>should -- you don't want to be in an Internet cafe and log out of one
>>>Yahoo app, but forget that you haven't logged out of all the rest.
>>>
>>All well and good, but it seems to me that the problem that is being
>>described here is that the sessions of each application have their own
>>distinct timers, rather than a global timer for the single-sign-on session.
>
>True ... there is no such thing as a cross-application session defined in
>the servlet spec.
>
>>Using Yahoo as an example, and, say, a 15 minute timeout, it would a fair
>>expectation that if I log in to Yahoo, go read my mail, and then go and play
>>Yahoo Cribbage for 30 minutes, then I would expect at the end of my last
>>game to be able to pop back over to Yahoo Mail and still be authenticated.
>>
>>What is being described here sounds as if in this contrived example that the
>>Yahoo Mail will time out in 15 minutes because it wasn't accessed, even
>>though I was still "logged in" and active over on Yahoo Games.
>>
>>>In the servlet world, session timeout logs you out (if you're using form
>>>based login).  Therefore, it should be (and is) treated the same as an
>>>explicit logout by the user.
>>>
>>Of course. The difficulty here is that the actual application sessions
>>perhaps needs some kind of tie to the overall master single-sign on session,
>>and not timeout until the SSO session times out.
>
>You're outside the bounds of the servlet spec when you talk about this,
>but nothing stops a container from providing something like it.
>
>>Regards,
>>
>>Will Hartung
>>(willh@msoft.com)
>>
>
>Craig
>
>
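The two timeout policies argued over in the thread above, as an added illustration that is not code from the thread or from Tomcat's SSO valve: policy A gives each webapp session its own inactivity timer (what Craig describes as the container's behaviour), policy B ties every app session to a master single-sign-on session whose timer is refreshed by activity in any app, so that only SSO timeout or explicit logout ends all of them together (what Will asks for). The class and method names, the 15-minute timeout and the "mail"/"games" app names are assumptions taken from the discussion for the sake of the example.

```python
"""Toy model of per-app vs global SSO session timeouts (added example,
not Tomcat code). Times are seconds; no real clock is used so the
scenario from the thread can be replayed deterministically."""
from dataclasses import dataclass, field

# Assumption: the 15-minute timeout used in Will's Yahoo example.
TIMEOUT = 15 * 60


@dataclass
class SsoSession:
    """One master sign-on plus the per-application sessions hanging off it."""
    user: str
    last_access: float
    # app name -> time of the last request that app's own session saw
    apps: dict = field(default_factory=dict)
    active: bool = True

    def touch(self, app: str, now: float) -> None:
        """Record a request to `app` at time `now` (refreshes both timers)."""
        if not self.active:
            raise PermissionError("SSO session ended; user must re-authenticate")
        self.apps[app] = now
        self.last_access = now

    def logout(self) -> None:
        """Explicit logout is global, as Craig argues it should be."""
        self.active = False
        self.apps.clear()

    def authenticated_apps_per_app_timers(self, now: float) -> set:
        """Policy A: each app session expires on its own inactivity timer."""
        if not self.active:
            return set()
        return {app for app, t in self.apps.items() if now - t < TIMEOUT}

    def authenticated_apps_global_timer(self, now: float) -> set:
        """Policy B: every app stays authenticated while the SSO session lives."""
        if not self.active or now - self.last_access >= TIMEOUT:
            return set()
        return set(self.apps)


def scenario():
    """Will's example: read mail at t=0, play games for 30 minutes, then
    look at which apps still consider the user logged in under each policy."""
    s = SsoSession(user="will", last_access=0.0)
    s.touch("mail", 0.0)
    for minute in range(1, 31):          # one request to games per minute
        s.touch("games", minute * 60.0)
    now = 30 * 60.0
    return (s.authenticated_apps_per_app_timers(now),
            s.authenticated_apps_global_timer(now))


if __name__ == "__main__":
    per_app, global_timer = scenario()
    print("per-app timers still authenticated:", per_app)       # {'games'}
    print("global SSO timer still authenticated:", global_timer)  # {'mail', 'games'}
```

Under policy A the mail session has been idle for 30 minutes and is gone while games is still live; under policy B the 30 minutes of games activity kept the master session fresh, so mail is still authenticated. The trade-off Craig raises remains visible in the model: with a global timer an idle app's session lives as long as any other app is in use, so on a shared machine the window in which a forgotten session can be reused is bounded only by the SSO timer and by an explicit (global) logout.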

