tomcat-users mailing list archives

From "Klotz Jr, Dennis" <>
Subject RE: SSO question
Date Fri, 11 Nov 2005 14:07:01 GMT
>-----Original Message-----
>From: Peter Crowther [] 
>Sent: Friday, November 11, 2005 4:20 AM
>To: Tomcat Users List
>Subject: RE: SSO question
>> From: Klotz Jr, Dennis [] 
>> Is it possible using LDAP, whether it is using custom JAAS code or a
>> third party product such as Vintela's VSJ
>> (, to do the following:
>> "... prevent, control or limit the simultaneous active usage 
>> of the same
>> user id. The number of simultaneous active sessions shall be settable
>> per user id."
>> The show stopper for me is whether I can inform the LDAP 
>> server when the
>> user has logged out. The default JNDIRealm does not, to my knowledge,
>> provide that ability. JNDIRealm is just for authenticating and role
>> retrieval.

>You *could* do something like this by storing a custom attribute in
>and incrementing/decrementing that when a user logs in/out.  I'm not
>sure where it'd get you, though, given users' distressing habits of
>closing browsers without logging out of an app and hence leaving the
>session open for a period.  That sounds like it's come straight out of
>requirements doc.  I'd ask who wrote the requirements doc, what's the
>business reason behind that requirement, and can it be accomplished
>another way?
>		- Peter

In our case the client is a single applet where we "will" know when the
user leaves the page or logs out. Hopefully we will be able to send a
message to the server when the applet is being unloaded.

You are correct about this coming from a requirements spec and
unfortunately the people that wrote it do not know or care whether my
code is controlling / preventing the multiple logins or an LDAP server.

I'm simply trying to figure out if LDAP servers have that functionality
built in. For example, can I specify login limitations for a specific
user within an LDAP server such as Active Directory? One co-worker
mentioned that Active Directory has no way of limiting logins per
"group". For example, if I make a "tomcat" group and assign that to the
user's LDAP "memberof" attribute, AD has no way of limiting or knowing
that a login from a tomcat server is tied to that Group ID and thus
limiting the logins. That does make sense to me.

What I hope isn't happening is that our marketing people are confusing
who is actually doing the work. The main requirement is LDAP integration
so that IT doesn't have to manage two different user databases. In
addition to that they've been asked to provide this other functionality
such as limiting logins etc. Does that mean we provide tighter
integration with LDAP so that the LDAP server can do that job? Or is
that something completely out of the scope of a LDAP server and I need
to code it on our tomcat server side?

If that is the case, that I need to code the per user limit for logging
into our tomcat server, am I not defeating the whole purpose of LDAP?
Won't I have to maintain another user database on our side to limit per
user logins?  A person could keep attributes per user that are updated
by a JAAS realm but is this how this functionality is typically

That is why I questioned whether LDAP servers have that functionality
built in.

Any help is greatly appreciated.
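The approach discussed in the thread (a per-user count that goes up on login and down on logout, enforced on the Tomcat side rather than by the LDAP server) is sketched below as an added illustration; it is not code from the thread, from Tomcat or from any LDAP product. It models Peter's counter idea and adds the piece his caveat calls for: a session that is never logged out stops counting once it has been idle past a timeout, so a closed browser only locks the user out until that timeout elapses. The per-user limits dict is constructed for the example and stands in for a per-user attribute the realm would read from the directory; the session registry is assumed to live in the application server (in Tomcat it would be driven from an HttpSessionListener or a Filter, which is not shown here).

```python
"""Per-user concurrent-session limit, kept on the application-server side.

Added example, not from the mailing-list thread or from Tomcat. The
`limits` dict is a constructed stand-in for a per-user attribute in LDAP;
`idle_timeout` models the servlet session timeout, which is what cleans up
sessions whose users closed the browser without logging out.
"""
import time
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    user: str
    last_seen: float


class SessionLimiter:
    def __init__(self, limits, default_limit, idle_timeout, clock=time.monotonic):
        self.limits = limits            # user id -> max simultaneous sessions
        self.default_limit = default_limit
        self.idle_timeout = idle_timeout  # seconds of inactivity before a session stops counting
        self.clock = clock
        self.sessions = {}              # session id -> Session

    def _expire_idle(self):
        """Drop sessions idle longer than the timeout (the closed-browser case)."""
        now = self.clock()
        for sid, s in list(self.sessions.items()):
            if now - s.last_seen > self.idle_timeout:
                del self.sessions[sid]

    def active_sessions(self, user):
        self._expire_idle()
        return [s for s in self.sessions.values() if s.user == user]

    def limit_for(self, user):
        return self.limits.get(user, self.default_limit)

    def login(self, user, session_id):
        """Register the session and return True only if the user is under the limit."""
        if len(self.active_sessions(user)) >= self.limit_for(user):
            return False
        self.sessions[session_id] = Session(session_id, user, self.clock())
        return True

    def touch(self, session_id):
        """Called on each request so an active session is not expired as idle."""
        s = self.sessions.get(session_id)
        if s is not None:
            s.last_seen = self.clock()

    def logout(self, session_id):
        """Explicit logout (e.g. the applet unloading) frees the slot immediately."""
        return self.sessions.pop(session_id, None) is not None


class FakeClock:
    """Controllable clock so the idle-timeout behaviour can be shown offline."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    lim = SessionLimiter(limits={"alice": 1, "bob": 2}, default_limit=1,
                         idle_timeout=1800, clock=clock)
    r = {}
    r["alice_first"] = lim.login("alice", "s1")          # True
    r["alice_second"] = lim.login("alice", "s2")         # False: limit is 1
    # alice closes the browser without logging out; s1 lingers until it idles out
    clock.advance(600)
    r["alice_after_10min"] = lim.login("alice", "s3")    # False: s1 still counts
    clock.advance(1801)
    r["alice_after_timeout"] = lim.login("alice", "s3")  # True: s1 expired
    r["bob_1"] = lim.login("bob", "b1")                  # True
    r["bob_2"] = lim.login("bob", "b2")                  # True
    r["bob_3"] = lim.login("bob", "b3")                  # False: limit is 2
    lim.logout("b1")                                     # explicit logout frees a slot
    r["bob_3_after_logout"] = lim.login("bob", "b3")     # True
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that this registry lives in one JVM; if more than one Tomcat instance serves the same users it has to be shared (which is the attraction of keeping the counter in the directory), but the shared copy still needs the idle-expiry step, otherwise every closed browser consumes a slot until someone resets the attribute by hand.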


To unsubscribe, e-mail:
For additional commands, e-mail:
