tomcat-users mailing list archives

From André Warnier>
Subject Re: Questions on "Single Sign On"?
Date Mon, 12 Oct 2009 14:01:20 GMT
Josh Gooding wrote:
> To my knowledge the Single Sign on in Tomcat is a way for all of your back
> end applications in your VH to recognize that you have logged in to one
> place, and all of the apps belonging to that VH will be logged into.
Well, "kind of"...

> What I am trying to do is restrict the login from users to one single
> session.  (i.e. if you are logged in once, you cannot log in again unless
> your session expires or you log out.)  Is this possible with what is
> included with Tomcat or is this going to take some custom code?  Either way
> is fine, I'm just trying to use the server to handle as much of the work
> load as possible and lessen the actual coding load.
It really depends on what kind of "login" (or rather, user authentication) you have set up.
If you are using Tomcat's integrated (or container-based) authentication mechanism, then as far as I know the authenticated user-id is something that will be stored in the session data.  As long as the session is valid, the user will not be asked to re-authenticate.  As soon as the session is invalidated and they try to access a webapp that is submitted to AAA, they will be asked to login again.  This is true for all webapps that are in the same "realm".
It is fairly well explained here:

The keys here are which kind of AAA you are using, the Realm of your webapps, the session and its associated cookie.

Note that this kind of SSO is Tomcat-specific, and valid only for a single Tomcat.
What many of my customers understand by SSO is a bit different: it means that they wish to login once in the morning when they turn on their workstation, and never again during the day.  They then want this single login to be valid, automatically, for all servers and applications they access during the day, whether they are running under Tomcat or not (but also the ones running under Tomcat).
That's a different story.
