tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sridharmnj <sridhar...@yahoo.co.in>
Subject Re: Single sign on issue with Tomcat and Apache
Date Thu, 05 Jun 2008 14:33:16 GMT

Many thanks to all of you for responding to my problem.
I apologize, I hope I didnot mention my system architecture clearly. (As I
mentioned, it is an old application, which was developed 9 yrs ago, and no
documentation at all :-(  )

I am accessing those applications like..

www.mywebsite.com/aaa -> (aaa webapp) Its based on Tomcat FORM based
authentication. (JDBC Realm)
www.mywebsite.com/bbb -> Here some static pages are deployed into Apache and
based on BASIC authentication.(mod_auth_mysql)
www.mywebsite.com/ccc -> (ccc webapp) Here dynamic pages are deployed on
Tomcat based on BASIC authentication.(JDBC Realm)

All the above applications are using same usertable for credentials.

Scenario 1: When I logs into the bbb, (Apache-BASIC) it is poping up a
dialog box with username and password and after providing the details it is
authenticating using mod_auth_mysql. I have a link to the ccc (Tomcat-BASIC)
from bbb pages. When I clicked that link, I am able to navigate those pages
without providing the credentials again. (I hope, here tomcat is finding
auth headers which are set by Apache)

Scenario 2: When I directly logs into ccc (Tomcat-BASIC) it is poping up a
dialog box with username and password and after providing the details, it is
authenticating using Tomcat BASIC authentication. If I click a link to bbb,
I am able to navigate to it without providing the details 2nd time. (I hope,
here Apache is finding the credentials which are set by Tomcat).

Scenario 3: When I logs into aaa, (TOMCAT-FORM) after authentication, I am
able to access ccc (TOMCAT-BASIC) without providing the credentials again.
(I hope, here Tomcat is sharing the credentials between FORM and BASIC
authentication credentials, as SingleSignOnValve is enabled).

These Scenarios 1,2,3 are working perfectly, and I need those as is.

Scenario 4: When I logs into aaa, (Tomcat-Form) after authentication, If I
click a link to bbb (Apache-BASIC) again its poping up a window for username
and password.

This is (Scenario 4) what I need to change. When a user logs into aaa using
Tomcat-Form based authentication and clicks a link to bbb, he should be
directly allowed to it without asking the credentials 2nd time.

Is there any way to do it, without modifying the Apache Authencitation?

I am really sorry if I am confusing you. Please let me know still if you
need any other details.

Thanks,
Sridhar


Pid-2 wrote:
> 
> Johnny Kewl wrote:
>> 
>> ----- Original Message ----- From: "Propes, Barry L " 
>> <barry.l.propes@citi.com>
>> To: "Tomcat Users List" <users@tomcat.apache.org>
>> 
>>> Hi,
>>> I am integrating two websites using single sign on. I have two sites 
>>> namely
>>> aaa.com and bbb.com.
>> 
>>> I enabled SingleSignOn valve in server.xml file, and trying to access
>> 
>> Its not going to work...
>> Its not because of TC, its because of the way cookies are handled by the 
>> browser.
>> 
>> Its been a long long time since I wrote a filter to do this, and there 
>> are probably better third party products out there.
>> But this is what I remember...
>> 
>> The SingleSignOn is addressing the issue of sign on across web apps and 
>> within a single TC... not across machines.
>> ie Tomcat has to at least be able to track the session. If thats covered 
>> then...
>> 
>> Then and I forget the terminology.
>> A browser will consider this the same domain....
>> aaa.com/webapp/servlet1
>> aaa.com/webapp/servlet2
>> 
>> and I think even
>> aaa.com/webapp2/servlet1
>> 
>> but as soon as that becomes bbb.com
>> 
>> the "browser" treats it like a stranger and does not return the session 
>> key, nor auth info for the other domain... so TC/Apache is screwed 
>> because the browser doesnt want to play.
>> 
>> Vaguely I remember setting "persistent" cookies in the browser, and then 
>> tracking my own cookies across  machines... but it also meant a complete 
>> redo of all the security and TC's generic security could not be used.
>> 
>> I remember seeing thrid party tools... but if you cant change the one 
>> webapp, you into something really creative, creating a filter wont work 
>> because security happens before the filter.... you have a creative 
>> problem on your hands ;)
> 
> E.g. OpenID, JOSSO etc
> 
> Search google for "Java Single Sign On".
> 
> As has been stated, SingleSignOnValve isn't a true SSO solution.
> 
> 
> p
> 
> 
>> I think if you can put TC behind Apache, thus getting it back to the 
>> same domain name, and the distinguishing only on sub context...
>> ie
>> aaa.com/images/in apache
>> aaa.com/webapp/someservlet and the call is passed thru to TC
>> 
>> Then the browser will like it and return the authentication details.... 
>> otherwise is going to be some kind of complex proxy type thing to trick 
>> the browser.
>> 
>> Good luck...
>> 
>> ---------------------------------------------------------------------------
>> HARBOR : http://www.kewlstuff.co.za/index.htm
>> The most powerful application server on earth.
>> The only real POJO Application Server.
>> See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
>> ---------------------------------------------------------------------------
>> 
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>> 
>> 
> 
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17671253.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message