sridharmnj wrote:
> My understanding:
>
> When the server receives a request for a secured resource the first time
> (depending on url-pattern and security constraint settings in web.xml),
> first it asks for credentials using a dialog box if it's BASIC
> authentication or a login form if it's FORM authentication and performs
> authentication based on the Realm (JDBC or JNDI or memory). If the user is
> authenticated successfully, it sets the Principal object in the request
> (you can see this using request.getUserPrincipal()). For subsequent
> requests, it checks every time for the Principal object and the flow
> continues.
>

Pure basics. I'll only say that with BASIC authentication, user credentials
are transmitted to the server on _every_ request -- even for images,
javascript and css.

> When SingleSignOn valve (server.xml) is enabled, Tomcat allows the user to
> navigate to other app (which is deployed in the same server) without
> prompting for authentication details again. Actually it shares the
> Principal object in the request.
>

Right, but http is a stateless protocol and the client still has to provide
something to let the server know it's been there before. In the absence of
url rewriting, it's usually a cookie. Cookies can't cross domains.

> In my case as I am already authenticated in aaa.com, I am able to access
> bbb.com's dynamic data (which is deployed in tomcat) without providing the
> authentication details a second time. But not able to access the bbb.com's
> static data which is deployed in apache.
>

I'm getting that nagging feeling in the back of my head there's a
combination of Apache Httpd and Apache Tomcat here. If that's the case could
you clarify what service is providing what resources?

> In normal flow, (without SSO), if I authenticate bbb.com's apache pages
> (using httpd and .htaccess), I could navigate to Tomcat's pages without
> providing the authentication details. Means, here apache is caching
> credentials using SOME mechanism (not only cookies. But something else.. I
> am not sure..this) and tomcat is using those credentials and not asking
> for authentication.
>

Since Apache *Httpd* is using BASIC, and every request includes credentials,
this is normal. Apache *Tomcat* would receive the same credentials in the
BASIC auth header.

> I need the reverse functionality. Means, when I provide credentials in
> aaa.com (Tomcat Form based authentication) I should be able to navigate to
> bbb.com's apache pages. (anyhow I am able to access bbb.com's tomcat
> pages).
>
> I am sorry for the lengthy message. But I tried to explain the complete
> scenario.
>
>
> David Smith-2 wrote:
>
>> I'll first admit that I've never used single sign-on, so most of this is
>> educated conjecture on my part. Hopefully it'll spark some discussion
>> in the right direction.
>>
>> You're right -- jvm version is not going to make a difference with the
>> issue you are seeing. Plus upgrading the jvm may break the nine year
>> old app -- an excellent case to be made to your client/boss for
>> rewriting/upgrading the old app.
>>
>> The real problem is how the single sign-on id is getting from aaa.com to
>> bbb.com. Cookies won't work as the browser won't return a cookie for
>> aaa.com to bbb.com. That's a security problem if it does. That leaves
>> URL rewriting. Are you doing anything to make sure the URLs for bbb.com
>> have the single sign-on id in the url? Seems like that's the only way
>> for bbb.com to know it's getting a request from a previously
>> authenticated user.
>>
>> --David
>>
>> sridharmnj wrote:
>>
>>> I hope you did not observe the following lines from my post.
>>>
>>>> bbb.com is an old project which was developed around 9 yrs ago and I am
>>>> not allowed to modify/reengineer the architecture.
>>>>
>>> It is successfully running on those versions in production and the client
>>> does not want to upgrade versions for the time being. I don't think that
>>> the java version is creating any problem. Do you think so???
>>>
>>> My problem is not related to Java version upgrades and it's out of scope
>>> for discussion here. I am sure a Java version update alone does not
>>> solve the issue.
>>>
>>>
>>> Propes, Barry L wrote:
>>>
>>>> and you're stuck on Java 1.3.1 and cannot go forward?
>>>>
>>>> -----Original Message-----
>>>> From: sridharmnj [mailto:sridharmnj@yahoo.co.in]
>>>> Sent: Tuesday, June 03, 2008 4:17 PM
>>>> To: users@tomcat.apache.org
>>>> Subject: RE: Single sign on issue with Tomcat and Apache
>>>>
>>>> Apache 2.0.50
>>>> Tomcat 5.0.27
>>>> Java 1.3.1
>>>>
>>>> Propes, Barry L wrote:
>>>>
>>>>> what versions are you using? Of each?
>>>>>
>>>>> -----Original Message-----
>>>>> From: sridharmnj [mailto:sridharmnj@yahoo.co.in]
>>>>> Sent: Tuesday, June 03, 2008 3:52 PM
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Single sign on issue with Tomcat and Apache
>>>>>
>>>>> Hi,
>>>>> I am integrating two websites using single sign on. I have two sites
>>>>> namely aaa.com and bbb.com.
>>>>>
>>>>> When a user navigates from aaa.com, as he is already authenticated in
>>>>> it, he should be allowed to bbb.com without asking the credentials
>>>>> again. This is my requirement.
>>>>>
>>>>> aaa.com is based on Tomcat Form based authentication and working fine.
>>>>>
>>>>> bbb.com's static data is deployed on apache and it requires apache
>>>>> BASIC authentication (httpd, and .htaccess). And dynamic data is
>>>>> deployed on Tomcat and based on Tomcat BASIC authentication.
>>>>>
>>>>> If I access static data of bbb.com, it first asks for credentials
>>>>> (using a popup), authenticates using mod_auth_mysql, and once the user
>>>>> is authenticated, it is storing credentials in browser cache. When I
>>>>> navigate to dynamic content which is in tomcat, still it's working
>>>>> without asking credentials twice. (I ensured that in web.xml and
>>>>> AuthName in .htaccess file are same).
>>>>>
>>>>> I enabled SingleSignOn valve in server.xml file, and trying to access
>>>>> bbb.com from aaa.com. When I try to access dynamic data of bbb.com from
>>>>> aaa.com, as both are based on Tomcat security, they are sharing the
>>>>> browser cached credentials. (Though one is based on form and another is
>>>>> based on basic authentication model). But, when I try to access
>>>>> bbb.com's static data (which is in apache) from aaa.com, again it's
>>>>> asking credentials, using a popup.
>>>>>
>>>>> bbb.com is an old project which was developed around 9 yrs ago and I am
>>>>> not allowed to modify/reengineer the architecture.
>>>>>
>>>>> Could anyone please guide me in the right direction. I appreciate your
>>>>> help.
>>>>>
>>>>> Thanks,
>>>>> Sridhar
>>>>> --
>>>>> View this message in context:
>>>>> http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633391.html
>>>>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>
>>>> --
>>>> View this message in context:
>>>> http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633917.html
>>>> Sent from the Tomcat - User mailing list archive at Nabble.com.
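As an added illustration of the point the reply makes about what the browser actually re-sends (this is not code from the thread, from Tomcat or from httpd): a small Python model that keeps a host-scoped cookie jar next to a per-(host, realm) BASIC credential cache, and shows which request gets a cookie, which gets an Authorization header, and why nothing from aaa.com reaches bbb.com. Host names, the realm name and the user/password are constructed placeholders, and the model is deliberately simplified (real browsers also consider the URL path when replaying BASIC credentials).

```python
"""Simplified model of what a browser re-sends: a host-scoped cookie jar
(Tomcat's form-login / SSO cookie) beside a per-(host, realm) BASIC credential
cache replayed on every request. Constructed example; values are placeholders."""
import base64
from dataclasses import dataclass, field


@dataclass
class Browser:
    cookies: dict = field(default_factory=dict)      # host -> {name: value}
    basic_cache: dict = field(default_factory=dict)  # (host, realm) -> (user, pw)

    def set_cookie(self, host, name, value):
        self.cookies.setdefault(host, {})[name] = value

    def remember_basic(self, host, realm, user, password):
        self.basic_cache[(host, realm)] = (user, password)  # after the first 401 popup

    def request_headers(self, host, realm=None):
        """Headers attached to a request for `host`; `realm` is the AuthName /
        realm-name protecting the resource (None = unprotected)."""
        headers = {}
        jar = self.cookies.get(host)
        if jar:  # cookies are scoped to the host that set them: aaa.com's never reach bbb.com
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
        creds = self.basic_cache.get((host, realm)) if realm else None
        if creds:  # BASIC credentials go out on *every* request, images/css included
            token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
            headers["Authorization"] = f"Basic {token}"
        return headers


def decode_basic(header_value):
    """What any server on that host (httpd or Tomcat) sees in the header."""
    scheme, token = header_value.split(" ", 1)
    assert scheme == "Basic"
    return base64.b64decode(token).decode().split(":", 1)


def thread_scenario():
    """Replays the thread's situation; returns the headers each request carries."""
    b = Browser()
    b.set_cookie("aaa.com", "JSESSIONIDSSO", "constructed-sso-id")  # form login on aaa.com
    b.remember_basic("bbb.com", "bbb-realm", "user", "secret")      # first httpd popup on bbb.com
    return {
        "aaa_page": b.request_headers("aaa.com"),
        "bbb_static_httpd": b.request_headers("bbb.com", realm="bbb-realm"),
        "bbb_dynamic_tomcat": b.request_headers("bbb.com", realm="bbb-realm"),  # same realm-name
        "bbb_other_realm": b.request_headers("bbb.com", realm="other"),
    }
```

The two bbb.com requests carry an identical Authorization header, which is exactly why httpd and Tomcat on bbb.com appear to "share" credentials, while the aaa.com request carries only a cookie that the browser will never send to bbb.com.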