Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Received-SPF: neutral (athena.apache.org: 71.74.56.124 is neither permitted
 nor denied by domain of dns4@cornell.edu)
Message-ID: <4845FAE8.2020509@cornell.edu>
Date: Tue, 03 Jun 2008 22:16:08 -0400
From: David Smith <dns4@cornell.edu>
User-Agent: Thunderbird 1.5 (X11/20051201)
MIME-Version: 1.0
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Single sign on issue with Tomcat and Apache
References: <17633391.post@talk.nabble.com>
 <3A55348B50FD2A40AAA40ABA16C6B6D60E7CDA89@EXNJMB23.nam.nsroot.net>
 <17636089.post@talk.nabble.com> <4845DA1B.1050905@cornell.edu>
 <17636823.post@talk.nabble.com> <4845EB9C.3050602@cornell.edu>
 <17637401.post@talk.nabble.com> <17637575.post@talk.nabble.com>
In-Reply-To: <17637575.post@talk.nabble.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

With BASIC authentication, the credentials are stored in browser memory 
for the life of the browser process whether that be minutes or days.  It 
won't ask again until it's closed and a new browser process started.  
The browser requests a resource, the server comes back with either a 403 
or 401 response (I don't remember which at the moment, there are RFCs 
describing all this).  The browser then either sends back pre-cached 
credentials for that domain and realm or puts up the dialog box.  I'm 
sure there's material on the web describing it better than I am.

Regarding how Apache httpd is working and where the credentials are 
stored, you already mentioned in your original post you had 
mod_auth_mysql configured and working.   I'm guessing tomcat for bbb.com 
is configured with a realm in server.xml to the same database.

--David

sridharmnj wrote:
> Following lines are from apache user guide.
> (http://httpd.apache.org/docs/1.3/howto/auth.html#basicworks)
>
> Because the HTTP protocol is stateless, each request will be treated in the
> same way, even though they are from the same client. That is, every resource
> which is requested from the server will have to supply authentication
> credentials over again in order to receive the resource.
>
> Fortunately, the browser takes care of the details here, so that you only
> have to type in your username and password one time per browser session -
> that is, you might have to type it in again the next time you open up your
> browser and visit the same web site.
>
> I am not clear these lines. How the browser take care of those details.
>
>
> sridharmnj wrote:
>   
>> I am really sorry if my explanation was confused you.
>>
>> aaa.com -> Deployed in Tomcat and using FORM authentication.
>>
>> bbb.com -> 1) Static data files are deployed in apache and Httpd &
>> .htaccess is used for authentication. 
>>                  2) Dynamic data files are deployed in Tomcat and BASIC
>> authentication is used.
>>                      (Again I am sorry, this is existing system, I cant
>> change it.)
>>
>> Please clarify me how Httpd and .htaccess are working. I mean where it is
>> storing the credentials? If you can provide me some inputs on this, it
>> helps me alot. I tried apache user guide, visited some forums and also
>> googled but, nothing cleared my doubts.
>>
>> I really appreciate your help.
>>
>>
>> David Smith-2 wrote:
>>     
>>> sridharmnj wrote:
>>>       
>>>> My understanding:
>>>>
>>>> When server receives a request for a secured resource first time
>>>> (depending
>>>> on url-pattern and security constraint settings in web.xml), first it
>>>> asks
>>>> for credentials using dialog box if its BASIC authentication or login
>>>> form
>>>> if its FORM authenticatin and performs authentication based on Realm
>>>> (JDBC
>>>> or JNDI or memory). If the user is authenticated successfully, it sets
>>>> the
>>>> Principal object in the request (you can see this using
>>>> request.getUserPrincipal()). For subsequent requests, it checks
>>>> everytime
>>>> for the Principal object and flow continues.
>>>>   
>>>>         
>>> Pure basics.  I'll only say that with BASIC authentication, user 
>>> credential are transmitted to the server on _every_ request -- even for 
>>> images, javascript and css.
>>>
>>>       
>>>> When SingleSignOn valve (server.xml) is enabled, Tomcat allows the user
>>>> to
>>>> navigate to other app (which is deployed in the same server) with out
>>>> prompting for authentication details again. Actually it shares the
>>>> Principal
>>>> object in the request.
>>>>   
>>>>         
>>> Right, but http is a stateless protocol and the client still has to 
>>> provide something to let the server know it's been there before.  In the 
>>> absence of url rewriting, it's usually a cookie.  Cookies can't cross 
>>> domains.
>>>
>>>       
>>>> In my case as I am already authenticated in aaa.com, I am able to access
>>>> bbb.com's dynamic data (which is deployed in tomcat) without providing
>>>> the
>>>> authentication details second time. But not able to access the bbb.com's
>>>> static data which is deployed in apache.
>>>>   
>>>>         
>>> I'm getting that nagging feeling in the back of my head there's a 
>>> combination of Apache Httpd and Apache Tomcat here.  If that's the case 
>>> could you clarify what service is providing what resources?
>>>
>>>       
>>>> In normal flow, (without SSO), if I authenticate bbb.com's apache pages
>>>> (using httpd and .htaccess), I could navigate to Tomcat's pages without
>>>> providing the authentication details. Means, here apache is caching
>>>> credentials using SOME mechanism (not only cookies. But something else..
>>>> I
>>>> am not sure..this) and tomcat is using those credentials and not asking
>>>> for
>>>> authentication. 
>>>>
>>>>   
>>>>         
>>> Since Apache *Httpd* is using BASIC, and every request includes 
>>> credentials, this is normal.  Apache *Tomcat* would receive the same 
>>> credentials in the BASIC auth header.
>>>
>>>       
>>>> I need the reverse functionality. Means, when I provide credentials in
>>>> aaa.com (Tomcat Form based authentication) I should be able to navigate
>>>> to
>>>> bbb.com's apache pages. (anyhow I am able to access bbb.com's tomcat
>>>> pages).
>>>>
>>>> I am sorry for lengthy message. But I tried to explain complete
>>>> scenario.
>>>>
>>>>
>>>> David Smith-2 wrote:
>>>>   
>>>>         
>>>>> I'll first admit that I've never used single sign-on, so most of this
>>>>> is 
>>>>> educated conjecture on my part.  Hopefully it'll spark some discussion 
>>>>> in the right direction.
>>>>>
>>>>> Your right -- jvm version is not going to make a difference with the 
>>>>> issue you are seeing.  Plus upgrading the jvm may break the nine year 
>>>>> old app -- an excellent case to be made to your client/boss for 
>>>>> rewriting/upgrading the old app.
>>>>>
>>>>> The real problem is how the single sign-on id is getting from aaa.com
>>>>> to 
>>>>> bbb.com.  Cookies won't work as the browser won't return a cookie for 
>>>>> aaa.com to bbb.com.  That's a security problem if it does.  That leaves 
>>>>> URL rewriting.  Are you doing anything to make sure the URLs for
>>>>> bbb.com 
>>>>> have the single sign-on id in the url?  Seems like that's the only way 
>>>>> for bbb.com to know it's getting a request from a previously 
>>>>> authenticated user.
>>>>>
>>>>> --David
>>>>>
>>>>> sridharmnj wrote:
>>>>>     
>>>>>           
>>>>>> I hope you did not observe the following lines from my post.
>>>>>>   
>>>>>>       
>>>>>>             
>>>>>>> bbb.com is an old project which was developed around 9 yrs ago and I
>>>>>>> am
>>>>>>> not allowed to modify/reengineer the architecture. 
>>>>>>>     
>>>>>>>         
>>>>>>>               
>>>>>> It is successfully running on those versions in production and client
>>>>>> does
>>>>>> not want to upgrade versions for time being. I dont think that the
>>>>>> java
>>>>>> version is creating any problem. Do you think so???
>>>>>>
>>>>>> My problem is not related to Java version upgrades and its out of
>>>>>> scope
>>>>>> for
>>>>>> discussion here. I am sure Java version update alone doesnot solve the
>>>>>> issue.
>>>>>>
>>>>>>
>>>>>> Propes, Barry L wrote:
>>>>>>   
>>>>>>       
>>>>>>             
>>>>>>> and you're stuck on Java 1.3.1 and cannot go forward?
>>>>>>>
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: sridharmnj [mailto:sridharmnj@yahoo.co.in]
>>>>>>> Sent: Tuesday, June 03, 2008 4:17 PM
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: RE: Single sign on issue with Tomcat and Apache
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Apache 2.0.50
>>>>>>> Tomcat 5.0.27
>>>>>>> Java 1.3.1
>>>>>>>
>>>>>>>
>>>>>>> Propes, Barry L wrote:
>>>>>>>     
>>>>>>>         
>>>>>>>               
>>>>>>>> what versions are you using? Of each?
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: sridharmnj [mailto:sridharmnj@yahoo.co.in]
>>>>>>>> Sent: Tuesday, June 03, 2008 3:52 PM
>>>>>>>> To: users@tomcat.apache.org
>>>>>>>> Subject: Single sign on issue with Tomcat and Apache
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>> I am integrating two websites using single sign on. I have two sites
>>>>>>>> namely
>>>>>>>> aaa.com and bbb.com.
>>>>>>>>
>>>>>>>> When a user navigates from aaa.com, as he is already authenticated
>>>>>>>> in
>>>>>>>> it,
>>>>>>>> he
>>>>>>>> should be allowed to bbb.com without asking the credentials again.
>>>>>>>> This
>>>>>>>> is
>>>>>>>> my requirement. 
>>>>>>>>
>>>>>>>> aaa.com is based on Tomcat Form based authentication and working
>>>>>>>> fine.
>>>>>>>>
>>>>>>>> bbb.com's static data is deployed on apache and it requires apache
>>>>>>>> BASIC
>>>>>>>> authentication (htttd, and .htaccess). And dynamic data is deployed
>>>>>>>> on
>>>>>>>> Tomcat and based on Tomcat BASIC authentication.
>>>>>>>>
>>>>>>>> If I access static data of bbb.com, it first asks for credentials
>>>>>>>> (Using
>>>>>>>> a
>>>>>>>> popup), authenticates using mod_auth_mysql, and once the user is
>>>>>>>> authenticated, it is storing credentials in browser cache. When I
>>>>>>>> navigate
>>>>>>>> to dynamic content which is in tomcat, still its working without
>>>>>>>> asking
>>>>>>>> credentials twice. (I ensured that <realm-name> in web.xml and
>>>>>>>> AuthName
>>>>>>>> in
>>>>>>>> .htaccess file are same). 
>>>>>>>>
>>>>>>>> I enabled SingleSignOn valve in server.xml file, and trying to
>>>>>>>> access
>>>>>>>> bbb.com from aaa.com. When I try to access dynamic data of bbb.com
>>>>>>>> from
>>>>>>>> aaa.com, as both are based on Tomcat security, they are sharing the
>>>>>>>> browser
>>>>>>>> cached credentials. (Though one is based on form and another is
>>>>>>>> based
>>>>>>>> on
>>>>>>>> basic authentication model). But, when I try to access bbb.com's
>>>>>>>> static
>>>>>>>> data
>>>>>>>> (which is in apache) from aaa.com, again its asking credentials,
>>>>>>>> using
>>>>>>>> a
>>>>>>>> popup.
>>>>>>>>
>>>>>>>> bbb.com is an old project which was developed around 9 yrs ago and I
>>>>>>>> am
>>>>>>>> not
>>>>>>>> allowed to modify/reengineer the architecture. 
>>>>>>>>
>>>>>>>> Could any one please guide me in right direction. I appreciate your
>>>>>>>> help.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Sridhar 
>>>>>>>> -- 
>>>>>>>> View this message in context:
>>>>>>>> http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633391.html
>>>>>>>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>>>>>>>
>>>>>>>>
>>>>>>>> ---------------------------------------------------------------------
>>>>>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>>
>>>>>>>>
>>>>>>>> ---------------------------------------------------------------------
>>>>>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>       
>>>>>>>>           
>>>>>>>>                 
>>>>>>> -- 
>>>>>>> View this message in context:
>>>>>>> http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633917.html
>>>>>>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>     
>>>>>>>         
>>>>>>>               
>>>>>>   
>>>>>>       
>>>>>>             
>>>>> ---------------------------------------------------------------------
>>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>
>>>>>
>>>>>
>>>>>     
>>>>>           
>>>>   
>>>>         
>>> ---------------------------------------------------------------------
>>> To start a new topic, e-mail: users@tomcat.apache.org
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>>
>>>       
>>     
>
>   


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org