tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 23881] - SingleSignOn and FormAuthenticator in embedded tomcat
Date Sun, 23 Nov 2003 00:18:30 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23881>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23881

SingleSignOn and FormAuthenticator in embedded tomcat





------- Additional Comments From b_stansberry@hotmail.com  2003-11-23 00:18 -------
Attached is a proposed patch.  It adds a configurable 
attribute "requiresReauthentication" to SingleSignOn.  If "false" (the 
default), applications will behave as they do now.  If "true", each incoming 
request will need to be reauthenticated to the Realm.  The various 
authenticators have been modified to handle this.  In this case the 
SingleSignOnEntry serves as a store of authentication credentials.

If the 1st webapp a user visits uses FORM or BASIC auth, and then they visit 
another app that requires DIGEST, the cached username/password from the 
FORM/BASIC authentication will not be sufficient information to do a digest 
authentication, so the user will be prompted for a digest login.  Possibly we 
could add a config option to allow a username/password authentication to 
override the DIGEST auth specified in the web.xml.

Similarly, if the user first visits a webapp with DIGEST auth, and then visits 
one that uses FORM or BASIC, again the cached credentials will not be 
sufficient (no cached password from the digest auth), so they will have to be 
prompted for their username/password.

The attached patch includes logic that deals with all this and ensures that a 
single SSO session is maintained throughout.

Of course, if webapps in a deployment don't mix their authentication schemes, 
none of the above details are an issue.

This bug was raised against TC 4; sorry the patch is against TC 5.  I can very 
easily pull together a TC4.1 version if desired.

This patch also addresses bug 10040.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message