tomcat-users mailing list archives

From: Pid...@pidster.com>
Subject: Re: Single sign on issue with Tomcat and Apache
Date: Thu, 05 Jun 2008 07:01:59 GMT
Johnny Kewl wrote:
> 
> ----- Original Message -----
> From: "Propes, Barry L" <barry.l.propes@citi.com>
> To: "Tomcat Users List" <users@tomcat.apache.org>
> 
>> Hi,
>> I am integrating two websites using single sign on. I have two sites 
>> namely
>> aaa.com and bbb.com.
> 
>> I enabled SingleSignOn valve in server.xml file, and trying to access
> 
> It's not going to work...
> It's not because of TC, it's because of the way cookies are handled by the 
> browser.
> 
> It's been a long long time since I wrote a filter to do this, and there 
> are probably better third party products out there.
> But this is what I remember...
> 
> The SingleSignOn is addressing the issue of sign on across web apps and 
> within a single TC... not across machines.
> ie Tomcat has to at least be able to track the session. If that's covered 
> then...
> 
> Then and I forget the terminology.
> A browser will consider this the same domain....
> aaa.com/webapp/servlet1
> aaa.com/webapp/servlet2
> 
> and I think even
> aaa.com/webapp2/servlet1
> 
> but as soon as that becomes bbb.com
> 
> the "browser" treats it like a stranger and does not return the session 
> key, nor auth info for the other domain... so TC/Apache is screwed 
> because the browser doesn't want to play.
> 
> Vaguely I remember setting "persistent" cookies in the browser, and then 
> tracking my own cookies across  machines... but it also meant a complete 
> redo of all the security and TC's generic security could not be used.
> 
> I remember seeing third party tools... but if you can't change the one 
> webapp, you're into something really creative, creating a filter won't work 
> because security happens before the filter.... you have a creative 
> problem on your hands ;)

E.g. OpenID, JOSSO etc

Search google for "Java Single Sign On".

As has been stated, SingleSignOnValve isn't a true SSO solution.


p


> I think if you can put TC behind Apache, thus getting it back to the 
> same domain name, and the distinguishing only on sub context...
> ie
> aaa.com/images/ in Apache
> aaa.com/webapp/someservlet and the call is passed thru to TC
> 
> Then the browser will like it and return the authentication details.... 
> otherwise it's going to be some kind of complex proxy type thing to trick 
> the browser.
> 
> Good luck...
> 
> ---------------------------------------------------------------------------
> HARBOR : http://www.kewlstuff.co.za/index.htm
> The most powerful application server on earth.
> The only real POJO Application Server.
> See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
> ---------------------------------------------------------------------------


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
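To make the cookie-scope point in the thread concrete, here is an added Python example (not code from the thread, nor Tomcat's own) that applies the browser's RFC 6265 host and path matching rules to the hosts and paths discussed above. The two cookie records are constructed; their paths follow Tomcat's behaviour of scoping JSESSIONID to the webapp's context path and the SingleSignOn valve's JSESSIONIDSSO to /.

```python
from urllib.parse import urlsplit

# Constructed cookies modelling what a browser holds after logging in at
# aaa.com: Tomcat scopes JSESSIONID to the webapp's context path, while the
# SingleSignOn valve's JSESSIONIDSSO uses Path=/ so every webapp on the host
# sees it. Both are host-only (no Domain attribute).
WEBAPP_SESSION = {"name": "JSESSIONID", "domain": "aaa.com",
                  "host_only": True, "path": "/webapp"}
SSO_SESSION = {"name": "JSESSIONIDSSO", "domain": "aaa.com",
               "host_only": True, "path": "/"}


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 5.1.4: /webapp matches /webapp/x but not /webapp2/x."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def domain_matches(cookie_domain: str, host_only: bool, host: str) -> bool:
    """RFC 6265 5.1.3: host-only cookies need the exact host; a Domain
    attribute would also cover subdomains, but never a different site."""
    if host_only:
        return host == cookie_domain
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_sent(cookie: dict, url: str) -> bool:
    """Would the browser attach this cookie to a request for url?"""
    parts = urlsplit(url)
    return (domain_matches(cookie["domain"], cookie["host_only"],
                           parts.hostname or "")
            and path_matches(cookie["path"], parts.path or "/"))


def sso_coverage(urls):
    """Map each URL to the names of the constructed cookies it would carry."""
    return {url: [c["name"] for c in (WEBAPP_SESSION, SSO_SESSION)
                  if cookie_sent(c, url)] for url in urls}


if __name__ == "__main__":
    for url, names in sso_coverage([
        "http://aaa.com/webapp/servlet1",      # both cookies
        "http://aaa.com/webapp2/servlet1",     # SSO cookie only
        "http://aaa.com/webapp/someservlet",   # Apache-fronted, still aaa.com
        "http://bbb.com/webapp/servlet1",      # nothing: different host
    ]).items():
        print(f"{url:40} -> {names or 'no cookies sent'}")
```

Putting both webapps behind one Apache host name, as suggested above, turns every request into one of the first three cases; no cookie set by aaa.com ever reaches bbb.com, which is why a real SSO product has to pass identity some other way.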

