tomcat-users mailing list archives

From "Johnny Kewl" <j...@kewlstuff.co.za>
Subject Re: Single sign on issue with Tomcat and Apache
Date Wed, 04 Jun 2008 18:09:42 GMT

----- Original Message ----- 
From: "Propes, Barry L " <barry.l.propes@citi.com>
To: "Tomcat Users List" <users@tomcat.apache.org>

>Hi,
>I am integrating two websites using single sign on. I have two sites namely
>aaa.com and bbb.com.

>I enabled SingleSignOn valve in server.xml file, and trying to access

It's not going to work...
It's not because of TC, it's because of the way cookies are handled by the 
browser.

It's been a long long time since I wrote a filter to do this, and there are 
probably better third party products out there.
But this is what I remember...

The SingleSignOn is addressing the issue of sign on across web apps and 
within a single TC... not across machines.
ie Tomcat has to at least be able to track the session. If that's covered 
then...

Then and I forget the terminology.
A browser will consider this the same domain....
aaa.com/webapp/servlet1
aaa.com/webapp/servlet2

and I think even
aaa.com/webapp2/servlet1

but as soon as that becomes bbb.com

the "browser" treats it like a stranger and does not return the session key, 
nor auth info for the other domain... so TC/Apache is screwed because the 
browser doesn't want to play.

Vaguely I remember setting "persistent" cookies in the browser, and then 
tracking my own cookies across  machines... but it also meant a complete 
redo of all the security and TC's generic security could not be used.

I remember seeing third party tools... but if you can't change the one 
webapp, you're into something really creative; creating a filter won't work 
because security happens before the filter.... you have a creative problem 
on your hands ;)

I think if you can put TC behind Apache, thus getting it back to the same 
domain name, and the distinguishing only on sub context...
ie
 aaa.com/images/in apache
 aaa.com/webapp/someservlet and the call is passed thru to TC

Then the browser will like it and return the authentication details.... 
otherwise it's going to be some kind of complex proxy type thing to trick the 
browser.

Good luck...

---------------------------------------------------------------------------
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
--------------------------------------------------------------------------- 
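A small model of the browser-side cookie scoping the reply describes, added here as an illustration (not code from the thread or from Tomcat). The cookie names and paths are constructed to mirror Tomcat's per-webapp JSESSIONID (Path=/webapp) and the SingleSignOn valve's JSESSIONIDSSO, which the valve sets with Path=/ so it spans every context on the same host; the matching rules follow RFC 6265.

```python
"""Why a Tomcat session/SSO cookie set by aaa.com is never sent to bbb.com,
and what the same-host, sub-context layout (Apache in front) buys you.
Added illustration; cookies below are constructed samples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str            # host that set the cookie
    path: str              # Path attribute sent by the server
    host_only: bool = True  # no Domain attribute => host-only (RFC 6265 5.3)


def domain_matches(cookie: Cookie, host: str) -> bool:
    """RFC 6265 5.1.3: host-only cookies need an exact host match;
    cookies with a Domain attribute also match subdomains."""
    host, dom = host.lower(), cookie.domain.lower().lstrip(".")
    if cookie.host_only:
        return host == dom
    return host == dom or host.endswith("." + dom)


def path_matches(cookie: Cookie, req_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: equal, or prefix ending at a '/'."""
    cp = cookie.path
    if req_path == cp:
        return True
    return req_path.startswith(cp) and (cp.endswith("/") or req_path[len(cp)] == "/")


def cookies_sent(jar, host: str, path: str) -> list[str]:
    """Names of the cookies a browser would attach to GET host+path."""
    return sorted(c.name for c in jar
                  if domain_matches(c, host) and path_matches(c, path))


# Constructed jar after logging in at aaa.com/webapp: Tomcat's per-context
# session cookie plus the SingleSignOn valve's host-wide cookie.
JAR = [
    Cookie("JSESSIONID", "aaa.com", "/webapp"),
    Cookie("JSESSIONIDSSO", "aaa.com", "/"),
]

if __name__ == "__main__":
    for host, path in [("aaa.com", "/webapp/servlet1"),
                       ("aaa.com", "/webapp2/servlet1"),
                       ("aaa.com", "/images/logo.png"),   # served by Apache
                       ("bbb.com", "/webapp/servlet1")]:  # other domain
        print(f"{host}{path:22} -> {cookies_sent(JAR, host, path)}")
```

The last case shows the point of the reply: nothing is sent to bbb.com, so no valve on the Tomcat side can recover the SSO session there, whereas every path under aaa.com, whether served by Apache or proxied to Tomcat, still carries JSESSIONIDSSO.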



