tomcat-users mailing list archives

From sridharmnj <sridhar...@yahoo.co.in>
Subject Re: Single sign on issue with Tomcat and Apache
Date Wed, 04 Jun 2008 01:37:59 GMT

I am really sorry if my explanation confused you.

aaa.com -> Deployed in Tomcat and using FORM authentication.

bbb.com -> 1) Static data files are deployed in Apache, and httpd & .htaccess
              are used for authentication.
           2) Dynamic data files are deployed in Tomcat and BASIC
              authentication is used.
              (Again I am sorry, this is an existing system, I can't change it.)

Please clarify for me how httpd and .htaccess are working. I mean, where is it
storing the credentials? If you can provide me some inputs on this, it helps
me a lot. I tried the Apache user guide, visited some forums and also googled,
but nothing cleared my doubts.

I really appreciate your help.


David Smith-2 wrote:
> 
> sridharmnj wrote:
>> My understanding:
>>
>> When the server receives a request for a secured resource the first time
>> (depending on url-pattern and security constraint settings in web.xml), first it
>> asks for credentials using a dialog box if it's BASIC authentication or a login
>> form if it's FORM authentication, and performs authentication based on the Realm
>> (JDBC or JNDI or memory). If the user is authenticated successfully, it sets the
>> Principal object in the request (you can see this using
>> request.getUserPrincipal()). For subsequent requests, it checks every time
>> for the Principal object and flow continues.
>>
> Pure basics.  I'll only say that with BASIC authentication, user 
> credentials are transmitted to the server on _every_ request -- even for 
> images, javascript and css.
> 
>> When the SingleSignOn valve (server.xml) is enabled, Tomcat allows the user to
>> navigate to another app (which is deployed in the same server) without
>> prompting for authentication details again. Actually it shares the Principal
>> object in the request.
>>
> Right, but http is a stateless protocol and the client still has to 
> provide something to let the server know it's been there before.  In the 
> absence of url rewriting, it's usually a cookie.  Cookies can't cross 
> domains.
> 
>> In my case, as I am already authenticated in aaa.com, I am able to access
>> bbb.com's dynamic data (which is deployed in Tomcat) without providing the
>> authentication details a second time. But I am not able to access bbb.com's
>> static data which is deployed in Apache.
>>
> I'm getting that nagging feeling in the back of my head there's a 
> combination of Apache Httpd and Apache Tomcat here.  If that's the case 
> could you clarify what service is providing what resources?
> 
>> In the normal flow (without SSO), if I authenticate to bbb.com's Apache pages
>> (using httpd and .htaccess), I can navigate to Tomcat's pages without
>> providing the authentication details. This means that here Apache is caching
>> credentials using SOME mechanism (not only cookies, but something else... I
>> am not sure about this) and Tomcat is using those credentials and not asking for
>> authentication.
>>
> Since Apache *Httpd* is using BASIC, and every request includes 
> credentials, this is normal.  Apache *Tomcat* would receive the same 
> credentials in the BASIC auth header.
> 
>> I need the reverse functionality. Meaning, when I provide credentials in
>> aaa.com (Tomcat Form based authentication) I should be able to navigate to
>> bbb.com's Apache pages. (Anyhow, I am able to access bbb.com's Tomcat pages.)
>>
>> I am sorry for the lengthy message, but I tried to explain the complete scenario.
>>
>>
>> David Smith-2 wrote:
>>
>>> I'll first admit that I've never used single sign-on, so most of this is 
>>> educated conjecture on my part.  Hopefully it'll spark some discussion 
>>> in the right direction.
>>>
>>> You're right -- jvm version is not going to make a difference with the 
>>> issue you are seeing.  Plus upgrading the jvm may break the nine year 
>>> old app -- an excellent case to be made to your client/boss for 
>>> rewriting/upgrading the old app.
>>>
>>> The real problem is how the single sign-on id is getting from aaa.com to 
>>> bbb.com.  Cookies won't work as the browser won't return a cookie for 
>>> aaa.com to bbb.com.  That's a security problem if it does.  That leaves 
>>> URL rewriting.  Are you doing anything to make sure the URLs for bbb.com 
>>> have the single sign-on id in the url?  Seems like that's the only way 
>>> for bbb.com to know it's getting a request from a previously 
>>> authenticated user.
>>>
>>> --David
>>>
>>> sridharmnj wrote:
>>>
>>>> I hope you did not observe the following lines from my post.
>>>>
>>>>> bbb.com is an old project which was developed around 9 yrs ago and I am
>>>>> not allowed to modify/reengineer the architecture.
>>>>>
>>>> It is successfully running on those versions in production and the client does
>>>> not want to upgrade versions for the time being. I don't think that the Java
>>>> version is creating any problem. Do you think so???
>>>>
>>>> My problem is not related to Java version upgrades and it's out of scope for
>>>> discussion here. I am sure a Java version update alone does not solve the
>>>> issue.
>>>>
>>>>
>>>> Propes, Barry L wrote:
>>>>
>>>>> and you're stuck on Java 1.3.1 and cannot go forward?
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: sridharmnj [mailto:sridharmnj@yahoo.co.in]
>>>>> Sent: Tuesday, June 03, 2008 4:17 PM
>>>>> To: users@tomcat.apache.org
>>>>> Subject: RE: Single sign on issue with Tomcat and Apache
>>>>>
>>>>>
>>>>>
>>>>> Apache 2.0.50
>>>>> Tomcat 5.0.27
>>>>> Java 1.3.1
>>>>>
>>>>>
>>>>> Propes, Barry L wrote:
>>>>>
>>>>>> what versions are you using? Of each?
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: sridharmnj [mailto:sridharmnj@yahoo.co.in]
>>>>>> Sent: Tuesday, June 03, 2008 3:52 PM
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Single sign on issue with Tomcat and Apache
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>> I am integrating two websites using single sign on. I have two sites,
>>>>>> namely aaa.com and bbb.com.
>>>>>>
>>>>>> When a user navigates from aaa.com, as he is already authenticated in it,
>>>>>> he should be allowed into bbb.com without asking for the credentials again.
>>>>>> This is my requirement.
>>>>>>
>>>>>> aaa.com is based on Tomcat Form based authentication and working fine.
>>>>>>
>>>>>> bbb.com's static data is deployed on Apache and it requires Apache BASIC
>>>>>> authentication (httpd, and .htaccess). And dynamic data is deployed on
>>>>>> Tomcat and based on Tomcat BASIC authentication.
>>>>>>
>>>>>> If I access static data of bbb.com, it first asks for credentials (using a
>>>>>> popup), authenticates using mod_auth_mysql, and once the user is
>>>>>> authenticated, it is storing credentials in the browser cache. When I
>>>>>> navigate to dynamic content which is in Tomcat, it's still working without
>>>>>> asking for credentials twice. (I ensured that <realm-name> in web.xml and
>>>>>> AuthName in the .htaccess file are the same.)
>>>>>>
>>>>>> I enabled the SingleSignOn valve in the server.xml file, and am trying to
>>>>>> access bbb.com from aaa.com. When I try to access dynamic data of bbb.com
>>>>>> from aaa.com, as both are based on Tomcat security, they are sharing the
>>>>>> browser cached credentials. (Though one is based on form and another is
>>>>>> based on the basic authentication model.) But, when I try to access
>>>>>> bbb.com's static data (which is in Apache) from aaa.com, again it's asking
>>>>>> for credentials, using a popup.
>>>>>>
>>>>>> bbb.com is an old project which was developed around 9 yrs ago and I am
>>>>>> not allowed to modify/reengineer the architecture.
>>>>>>
>>>>>> Could anyone please guide me in the right direction. I appreciate your
>>>>>> help.
>>>>>>
>>>>>> Thanks,
>>>>>> Sridhar

-- 
View this message in context: http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17637401.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

