From: André Warnier
Reply-To: Tomcat Users List
To: Tomcat Users List
Date: Mon, 12 Oct 2009 17:03:42 +0200
Message-ID: <4AD3454E.1010309@ice-sa.com>
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Delivered-To: mailing list users@tomcat.apache.org
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
Subject: Re: Questions on "Single Sign On"?
References: <4d7e0b220910120617r48c917f1yf74f026e70f2bb73@mail.gmail.com> <4AD3342E.90101@pidster.com> <4d7e0b220910120716t4e258329l2770a112dd007dc4@mail.gmail.com>
In-Reply-To: <4d7e0b220910120716t4e258329l2770a112dd007dc4@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on apache.org

Josh Gooding wrote:
...
> Andre, you're talking about something like Active Directory for Windows
> Domains to use with, say, Communicator, Outlook, etc., across Windows
> environments with domain authentication?

Yes, although Windows domain authentication is not the only game in town.

> I understand what the Tomcat's and most org's SSO means, but I am trying
> to translate it into something that I can talk about and not have a huge
> amount of keystrokes in typing.

And I suggest that you think this through from the beginning, and not rush into a Tomcat-only authentication, if your users for instance are going to get weary very quickly of having to log in (again!) each time they want to access this application on this host.

The other snag is if, in order to do your type of authentication, you need to have your own store of user-ids and passwords. User-ids are usually OK (they can be the same as the user's usual login), but getting a network admin to give you the users' passwords, so that you can store them in your own Tomcat-only store, is going to be more tricky. (Users do not, as a rule, like to have to remember several passwords.)

There are basically two types of authentication usable in Tomcat: the container-based authentication (which your question so far has mainly been about), and the "servlet filter" based authentication mechanisms. These consist of wrapping all your to-be-protected webapps in a servlet filter, which authenticates each request before it even gets to your webapp. Servlet filters are defined at the Servlet Spec level, so they are portable.

To the webapp, it is transparent. It just finds an authenticated user whenever it runs. The filter itself determines what kind of authentication happens, using which back-end, etc.

Here are two examples:
http://securityfilter.sourceforge.net/
http://www.ioplex.com

Reading their docs should give you some material to think about.

There exists a 3rd way: if you have a webserver in front of Tomcat (IIS or Apache), it can do the user authentication, and via mod_jk (*) pass an authenticated user-id to Tomcat (roles are another story).
(* : plus, for Apache only, mod_proxy_ajp)

In any case, I don't really think that you will need to create new code. There are enough ready-to-use solutions floating around that this should be unnecessary. And, as some people already indirectly pointed out, coding AAA and doing it right can be very tricky.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
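The "servlet filter" approach described in the reply above, shown as an added example (not code from the post, nor from securityfilter or ioplex): a minimal filter that checks for an already-authenticated user, rejects everything else before it reaches the webapp, and wraps the request so that the webapp sees the identity through the standard `getRemoteUser()` / `getUserPrincipal()` calls. The session attribute name `sso.user`, the `loginUrl` init parameter and the auth-type string are assumptions for the example; whatever login handler populates the session is outside this snippet.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Hypothetical SSO filter (example code, not from the post or any named project).
 * Wire it in front of every protected resource in web.xml, e.g.:
 *
 *   <filter>
 *     <filter-name>sso</filter-name>
 *     <filter-class>SsoAuthFilter</filter-class>
 *     <init-param><param-name>loginUrl</param-name><param-value>/sso/login</param-value></init-param>
 *   </filter>
 *   <filter-mapping><filter-name>sso</filter-name><url-pattern>/*</url-pattern></filter-mapping>
 *
 * The webapp itself stays unchanged: it only ever sees requests that carry a user.
 */
public class SsoAuthFilter implements Filter {
    // Session attribute holding the authenticated user name (assumed name; set by the login handler).
    static final String USER_ATTR = "sso.user";
    private String loginUrl;

    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("loginUrl");
        loginUrl = (p != null) ? p : "/sso/login";
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hres = (HttpServletResponse) res;

        // Do not create a session just to look for a user: an anonymous request gets none.
        HttpSession session = hreq.getSession(false);
        String user = (session == null) ? null : (String) session.getAttribute(USER_ATTR);

        if (user == null || user.isEmpty()) {
            // Unauthenticated: stop here. The webapp behind the filter never sees this request.
            // (The login handler should invalidate the old session and create a fresh one on
            // success, so a pre-login session id cannot be reused after authentication.)
            hres.sendRedirect(hreq.getContextPath() + loginUrl);
            return;
        }

        // Authenticated: hand the webapp a request whose standard identity accessors are populated.
        chain.doFilter(new AuthenticatedRequest(hreq, user), res);
    }

    public void destroy() {}

    /** Exposes the filter's authentication result through the normal servlet API. */
    static final class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final Principal principal;

        AuthenticatedRequest(HttpServletRequest req, final String name) {
            super(req);
            principal = new Principal() {
                public String getName() { return name; }
            };
        }

        @Override public String getRemoteUser() { return principal.getName(); }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public String getAuthType() { return "SSO-FILTER"; } // assumed label
        // isUserInRole() is deliberately left to the wrapped request: role mapping is a separate concern.
    }
}
```

With this in place a servlet or JSP simply calls `request.getRemoteUser()` and gets the name the filter established, which is the "transparent to the webapp" property the reply describes; swapping the back-end (a domain login, a front-end web server header, a token check) only changes how `USER_ATTR` gets populated, not the webapp.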