tomcat-users mailing list archives

From "Shapira, Yoav" <Yoav.Shap...@mpi.com>
Subject RE: Cross site "single sign on"
Date Wed, 03 Dec 2003 13:57:23 GMT

Howdy,
We have a standalone authentication web service used by all our apps.
It's cookie-based.

Yoav Shapira
Millennium ChemInformatics


>-----Original Message-----
>From: Tim Funk [mailto:funkman@joedog.org]
>Sent: Wednesday, December 03, 2003 6:54 AM
>To: Tomcat Users List
>Subject: Re: Cross site "single sign on"
>
>Sounds like pubcookie:
>http://pubcookie.org/
>
>-Tim
>
>Will Hartung wrote:
>> Hi all!
>>
>> Not necessarily Tomcat specific, but I'm curious what others may have
>> done to support cross site single sign on.
>>
>> The basic problem is that the customer goes to site A, and logs in. Then
>> while navigating that site, they eventually head over to site B.
>>
>> Of course when they hit site B, the customer should already be
>> "logged in".
>>
>> If site A and site B live in the same domain space (say, site.com and
>> b.site.com), then a "site.com" cookie should be able to be used as a
>> token that shows login. Of course, this requires cookies. It also
>> requires both sites to "maintain" the cookie if the cookie is allowed
>> to expire (say, it's only useful for 30 minutes).
>>
>> However I think this would have to be a "signed" cookie, where both
>> participating servers encrypt the cookie with a known key (perhaps a
>> shared public key).
>>
>> Now, if you have sitea.com and siteb.com, then the cookie technique
>> can't work (as neither can set a cookie for the other). So, I'm
>> thinking that you can do something similar, a signed token, in a hidden
>> field and then having to submit a form to get to the new site.
>>
>> Of course, you can always stick the token on the URL as well.
>>
>> Does that sum it up? Any other ways for cooperating sites to
>> "transparently" exchange credentials? I suppose the back ends can do
>> it. Send signed packets to each other during their login processes to
>> notify cooperating services.
>>
>> But if your logins "time out", you still need to constantly update the
>> session information. It's not enough to know that "Bob signed in at
>> 10am, and expires at 10:30". If Bob actively uses the site, you want
>> the timeout to be since last activity.
>>
>> How are others doing this and what have you found effective?
>>
>> Regards,
>>
>> Will Hartung
>> (willh@msoft.com)
>>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
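The scheme Will sketches above (a key-signed cookie for the parent domain whose expiry slides with activity, plus a signed token in a hidden form field to hop between unrelated domains), written out as an added example. It is not code from the thread, from Millennium's service or from Tomcat; the shared key, the site names, the 30-minute idle window and the extra absolute-lifetime and handoff limits are assumptions made for the example. Two caveats a practitioner would add to Will's description: a "shared public key" can only verify a signature, so whoever signs needs either the matching private key or, as here, a secret shared by all participating sites (HMAC-SHA256); and a token placed on the URL leaks through Referer headers, browser history and server logs, so the hidden-field POST is the safer carrier, and the handoff token is kept short-lived, bound to the destination site and single use.

```python
"""HMAC-signed SSO tokens with a sliding idle timeout.

Two token kinds, one shared key:
  cookie  - set for the parent domain (site.com) so every subdomain sees it;
            re-signed on each request so expiry runs from last activity
  handoff - short-lived, bound to the destination site, carried in a hidden
            form field to move from sitea.com to siteb.com
Added example; names, key and timeouts are assumptions, not the thread's code.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

SHARED_KEY = b"constructed-example-key-use-32-random-bytes"  # held by every site (assumption)
IDLE_TIMEOUT = 30 * 60      # the post's 30-minute window, measured from last activity
MAX_LIFETIME = 8 * 60 * 60  # absolute cap so an always-active session still ends (assumption)
HANDOFF_TTL = 60            # seconds a cross-domain handoff token stays redeemable (assumption)

_redeemed_handoffs: set = set()  # jti values already used; a real deployment shares this state


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(claims: dict, key: bytes) -> str:
    """payload.mac, with the MAC computed over the exact bytes that are transmitted."""
    payload = _b64e(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    mac = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return payload + "." + _b64e(mac)


def _decode(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the MAC verifies (constant-time compare); else None."""
    try:
        payload, mac = token.split(".")
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(mac), expected):
            return None
        claims = json.loads(_b64d(payload))
    except (ValueError, TypeError, AttributeError):
        return None
    return claims if isinstance(claims, dict) else None


def issue_cookie(user: str, now: float, key: bytes = SHARED_KEY) -> str:
    """Minted after a login on any site; set with Domain=site.com; Secure; HttpOnly."""
    return _encode({"sub": user, "aud": "cookie", "iat": int(now), "act": int(now),
                    "jti": secrets.token_hex(8)}, key)


def verify_cookie(token: str, now: float, key: bytes = SHARED_KEY) -> Optional[dict]:
    """Valid if the MAC checks, it is a cookie token, and idle and absolute limits hold."""
    claims = _decode(token, key)
    if claims is None or claims.get("aud") != "cookie":
        return None
    if now - claims.get("act", 0) > IDLE_TIMEOUT:   # idle longer than 30 minutes
        return None
    if now - claims.get("iat", 0) > MAX_LIFETIME:   # logged in too long regardless of activity
        return None
    return claims


def touch_cookie(token: str, now: float, key: bytes = SHARED_KEY) -> Optional[str]:
    """Run on every authenticated request on every site: re-sign with a fresh
    last-activity time so the idle window slides. This is the 'maintain the cookie' step."""
    claims = verify_cookie(token, now, key)
    if claims is None:
        return None
    claims["act"] = int(now)
    return _encode(claims, key)


def issue_handoff(cookie_token: str, target_site: str, now: float,
                  key: bytes = SHARED_KEY) -> Optional[str]:
    """Site A: build the hidden-field token for a form that POSTs to target_site."""
    claims = verify_cookie(cookie_token, now, key)
    if claims is None:
        return None
    return _encode({"sub": claims["sub"], "aud": target_site, "iat": int(now),
                    "jti": secrets.token_hex(8)}, key)


def redeem_handoff(handoff: str, my_site: str, now: float,
                   key: bytes = SHARED_KEY) -> Optional[str]:
    """Site B: accept a handoff addressed to us, once, within HANDOFF_TTL, and
    return a fresh cookie token for our own domain."""
    claims = _decode(handoff, key)
    if claims is None or claims.get("aud") != my_site:
        return None
    age = now - claims.get("iat", 0)
    if age < 0 or age > HANDOFF_TTL:
        return None
    jti = claims.get("jti")
    if not jti or jti in _redeemed_handoffs:
        return None
    _redeemed_handoffs.add(jti)
    return issue_cookie(claims["sub"], now, key)
```

The sliding timeout only works if every participating site calls touch_cookie and re-sets the cookie on each request; a site that merely verifies lets the window run out from the last site that did. Binding the handoff to "aud" and rejecting it as a cookie token keeps a token stolen from one context from being replayed in the other, and the jti set limits a captured form post to a single use within the 60-second window.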

