tomcat-users mailing list archives

From "Johnny Kewl" <>
Subject Re: Single sign on issue with Tomcat and Apache
Date Thu, 05 Jun 2008 16:16:43 GMT

----- Original Message ----- 
From: "sridharmnj" <>
To: <>
Sent: Thursday, June 05, 2008 4:33 PM
Subject: Re: Single sign on issue with Tomcat and Apache

> Many thanks to all of you for responding to my problem.
> I apologize, I hope I did not mention my system architecture clearly. (As I
> mentioned, it is an old application, which was developed 9 yrs ago, and no
> documentation at all :-(  )
> I am accessing those applications like..
> -> (aaa webapp) It's based on Tomcat FORM based
> authentication. (JDBC Realm)
> -> Here some static pages are deployed into Apache and
> based on BASIC authentication. (mod_auth_mysql)
> -> (ccc webapp) Here dynamic pages are deployed on
> Tomcat based on BASIC authentication. (JDBC Realm)
> All the above applications are using same usertable for credentials.
> Scenario 1: When I log into the bbb, (Apache-BASIC) it is popping up a
> dialog box with username and password and after providing the details it is
> authenticating using mod_auth_mysql. I have a link to the ccc (Tomcat-BASIC)
> from bbb pages. When I clicked that link, I am able to navigate those pages
> without providing the credentials again. (I hope, here tomcat is finding
> auth headers which are set by Apache)
> Scenario 2: When I directly log into ccc (Tomcat-BASIC) it is popping up a
> dialog box with username and password and after providing the details, it is
> authenticating using Tomcat BASIC authentication. If I click a link to bbb,
> I am able to navigate to it without providing the details 2nd time. (I hope,
> here Apache is finding the credentials which are set by Tomcat).
> Scenario 3: When I log into aaa, (TOMCAT-FORM) after authentication, I am
> able to access ccc (TOMCAT-BASIC) without providing the credentials again.
> (I hope, here Tomcat is sharing the credentials between FORM and BASIC
> authentication credentials, as SingleSignOnValve is enabled).
> These Scenarios 1,2,3 are working perfectly, and I need those as is.
> Scenario 4: When I log into aaa, (Tomcat-Form) after authentication, if I
> click a link to bbb (Apache-BASIC) again it's popping up a window for username
> and password.

Ok this is very different to what we first thought.
This is a guess...

I think the problem is that you are mixing auth methods...
You have to make them all BASIC in this case.
The browser is on the same domain... so I think it will be returning the 
auth header info, can check with a dump valve or get Wireshark and just make 
sure it is returning header info... but I think it is, the problem is that 
the auth info is not the same.

I've never used FORM authentication, but I guess it just reads the UID and 
Password fields and then TC starts tracking that cookie as authenticated.
BASIC does not do that... there the browser returns a Base64 encoded mash 
and that is interpreted.

So if you go to say ccc (BASIC) and then bbb (BASIC)..... you haven't said... 
but I think that will work.
But when you go to FORM.... all the browser sends Apache is a little old 
cookie... and the BASIC logic will go "what the hell"... and challenges the 

So the initial thought that it was a domain problem is not correct... you 
are just mixing incompatible auth schemes.
I think you have to lose the FORM auth... and even though you can't change 
the web app, I think that is possible externally... all that's going to 
happen is that the browser pops up a password box... and that auth FORM is 
now going to be redundant.

I think the FORM auth has to go, must be made BASIC... my guess.

The most powerful application server on earth.
The only real POJO Application Server.
See it in Action :
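
Added example, not part of the original message or of Tomcat/Apache code: a minimal model of how a BASIC-protected endpoint decides, showing why a request that carries only a FORM-login session cookie (scenario 4) is challenged while one carrying an `Authorization` header (scenarios 1 and 2) is not. The user table, cookie value and function names are constructed for illustration, and it assumes bbb and ccc are served from the same host so the browser resends the header.

```python
import base64
import binascii
import hmac

# Constructed stand-in for the shared user table the thread mentions.
USERS = {"alice": "s3cret"}


def basic_header(user, password):
    """Header a browser resends on every request once it holds BASIC credentials.
    The value is only Base64-encoded, not encrypted."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_auth_check(headers, realm="bbb"):
    """Decide the way a BASIC-protected server does: only Authorization counts."""
    challenge = (401, {"WWW-Authenticate": f'Basic realm="{realm}"'})
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return challenge  # a session cookie on its own ends up here
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return challenge  # malformed credentials are challenged, not trusted
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    if sep and expected is not None and hmac.compare_digest(
        expected.encode(), password.encode()
    ):
        return (200, {})
    return challenge


def scenarios():
    """Status codes for the two request shapes described in the thread."""
    # Scenarios 1/2: browser already answered a BASIC challenge on this host.
    after_basic = {"Authorization": basic_header("alice", "s3cret")}
    # Scenario 4: browser logged in through the FORM page, so it only holds
    # a session cookie (constructed value) and has no BASIC credentials cached.
    after_form = {"Cookie": "JSESSIONID=CONSTRUCTED0123456789"}
    return {
        "basic_then_basic": basic_auth_check(after_basic)[0],
        "form_then_basic": basic_auth_check(after_form)[0],
    }


if __name__ == "__main__":
    print(scenarios())
```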
