Subject Re: Single sign on issue with Tomcat and Apache
Date Thu, 05 Jun 2008 07:01:59 GMT
Johnny Kewl wrote:
> ----- Original Message ----- From: "Propes, Barry L " 
> <>
> To: "Tomcat Users List" <>
>> Hi,
>> I am integrating two websites using single sign on. I have two sites 
>> namely
>> and
>> I enabled SingleSignOn valve in server.xml file, and trying to access
> It's not going to work...
> It's not because of TC, it's because of the way cookies are handled by the 
> browser.
> It's been a long long time since I wrote a filter to do this, and there 
> are probably better third party products out there.
> But this is what I remember...
> The SingleSignOn is addressing the issue of sign on across web apps and 
> within a single TC... not across machines.
> i.e. Tomcat has to at least be able to track the session. If that's covered 
> then...
> Then, and I forget the terminology.
> A browser will consider this the same domain....
> and I think even
> but as soon as that becomes
> the "browser" treats it like a stranger and does not return the session 
> key, nor auth info for the other domain... so TC/Apache is screwed 
> because the browser doesn't want to play.
> Vaguely I remember setting "persistent" cookies in the browser, and then 
> tracking my own cookies across machines... but it also meant a complete 
> redo of all the security and TC's generic security could not be used.
> I remember seeing third party tools... but if you can't change the one 
> webapp, you're into something really creative; creating a filter won't work 
> because security happens before the filter.... you have a creative 
> problem on your hands ;)

E.g. OpenID, JOSSO, etc.

Search Google for "Java Single Sign On".

As has been stated, SingleSignOnValve isn't a true SSO solution.


> I think if you can put TC behind Apache, thus getting it back to the 
> same domain name, and distinguishing only on sub-context...
> i.e.
> apache
> and the call is passed through to TC
> Then the browser will like it and return the authentication details.... 
> otherwise it's going to be some kind of complex proxy type thing to trick 
> the browser.
> Good luck...
> ---------------------------------------------------------------------------
> The most powerful application server on earth.
> The only real POJO Application Server.
> See it in Action :
> ---------------------------------------------------------------------------
> ---------------------------------------------------------------------
> To start a new topic, e-mail:
> To unsubscribe, e-mail:
> For additional commands, e-mail:

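The thread's whole argument rests on how the browser scopes cookies: a host-only session cookie is never returned to a second hostname, a cookie with a Domain attribute is returned to subdomains of that domain, and two contexts behind one Apache hostname share a cookie set with Path=/. The following added example (not code from the thread, from Tomcat, or from any poster) models those RFC 6265 domain-match, path-match and storage rules and replays the two scenarios discussed: two separate Tomcat hostnames versus two contexts proxied under one hostname. The hostnames and cookie values are constructed; JSESSIONIDSSO is the cookie name Tomcat's SingleSignOn valve uses. The model is deliberately simplified: it ignores the public-suffix list, the Secure/HttpOnly/SameSite attributes and default-path derivation, none of which change the outcome for these cases.

```python
"""Simplified browser cookie scoping (RFC 6265 sections 5.1.3, 5.1.4, 5.3).

Added example, not part of the mailing-list thread. Hostnames, paths and
cookie values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str        # host that set it, or the lower-cased Domain attribute
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    path: str


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: exact match, or the request host is a subdomain."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: cookie path is a prefix ending on a '/' boundary,
    so Path=/app1 covers /app1/x but not /app10."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def parse_set_cookie(header: str, setting_host: str) -> Optional[Cookie]:
    """Store a Set-Cookie header as a browser would for a response from
    setting_host. Returns None when the browser rejects the cookie because
    the Domain attribute names a domain the setting host is not part of
    (RFC 6265 5.3 step 6). Missing Path defaults to '/' here (simplification)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    path = attrs.get("path") or "/"
    domain_attr = attrs.get("domain", "").lower().lstrip(".")
    if domain_attr:
        if not domain_match(setting_host, domain_attr):
            return None  # e.g. app1.example.com trying to set Domain=other.org
        return Cookie(name, value, domain_attr, False, path)
    return Cookie(name, value, setting_host.lower(), True, path)


def cookie_sent(cookie: Cookie, request_host: str, request_path: str = "/") -> bool:
    """Would the browser attach this cookie to a request for host + path?"""
    host = request_host.lower()
    if cookie.host_only:
        if host != cookie.domain:
            return False        # the "stranger" case from the thread
    elif not domain_match(host, cookie.domain):
        return False
    return path_match(request_path, cookie.path)


def sso_reaches(cookie: Cookie, targets: List[Tuple[str, str]]) -> List[str]:
    """List the 'host+path' targets that would receive the cookie."""
    return [host + path for host, path in targets if cookie_sent(cookie, host, path)]


if __name__ == "__main__":
    # Scenario 1: two Tomcats on two hostnames. The host-only SSO cookie
    # set by the first is never sent to the second, so SSO cannot work.
    sso = parse_set_cookie("JSESSIONIDSSO=abc123; Path=/", "app1.example.com")
    print(sso_reaches(sso, [("app1.example.com", "/"), ("app2.example.com", "/")]))
    # Scenario 2: both apps behind Apache on one hostname, distinguished by
    # context path. A Path=/ SSO cookie reaches both contexts.
    sso2 = parse_set_cookie("JSESSIONIDSSO=abc123; Path=/", "www.example.com")
    print(sso_reaches(sso2, [("www.example.com", "/app1/"), ("www.example.com", "/app2/")]))
```

Running the script prints `['app1.example.com/']` for the two-hostname case and `['www.example.com/app1/', 'www.example.com/app2/']` for the proxied case, which is exactly the difference the reply describes. A Domain=example.com cookie would also cover both hostnames in scenario 1, but only if the application, not just the valve, sets it that way, and a host can never set a cookie for an unrelated domain, which is why cross-domain SSO needs a protocol such as OpenID rather than a cookie trick.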
