Sharing authentication

Wes Hughes
Ranch Hand

Joined: Jul 29, 2002
Posts: 31
We are using JAAS and a custom login module to authenticate users to our J2EE app. We are now required to share authentication with another J2EE app running on the same server (i.e. a user can go back and forth without having to re-authenticate). Is this even possible? We're running on Oracle 9iAS, which does support SSO, but this is not really the approach that we are looking for (but may have to consider).
Thanks.
Dave Teare
Ranch Hand

Joined: Oct 09, 2002
Posts: 80
Hi Wes,
SSO is simple, really - as long as every app uses the same authentication token (of course, getting agreement on the token is the hard part).
What type of token does your custom login module create? I assume a homegrown userid+expiryDate+XYZ, all encrypted via JCE? If so, you will need to change the other J2EE app to extract the user id from your token (in web land, from the cookie - cookies will work if both apps use the same domain). Of course, you probably don't have the source code for this other app, or are not allowed to change it.
If the other app is using the container's auth mechanism (i.e. WebSphere uses LTPA, not sure what Oracle uses), then you will need to follow suit. Perhaps Oracle has a public API for generating tokens that your login module can call? If they are like IBM, it is private and you can't use it.
I am in a similar situation. I want to write my own auth manager, but I am afraid about integration with other apps. I want to call IBM's code to create the LTPA, but the &&@$%@'s have a private impl (man, I need JBoss!). So, I am left calling the j_security_check servlet programmatically. What a bloody hack.
Hope this helps. Let me know...
--Dave.
Originally posted by Wes Hughes:
We are using JAAS and a custom login module to authenticate users to our J2EE app. We are now required to share authentication with another J2EE app running on the same server (i.e. a user can go back and forth without having to re-authenticate). Is this even possible? We're running on Oracle 9iAS, which does support SSO, but this is not really the approach that we are looking for (but may have to consider).
Thanks.
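The homegrown token described in the reply above (user id plus expiry date, protected with JCE and carried in a cookie both apps can read), as an added example that is not part of either post. The class name `SharedAuthToken`, the AES-GCM choice, the token layout and the sample user id are assumptions; the post's unspecified "XYZ" field is left out, and both apps are assumed to load the same key from protected configuration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper: each application builds one instance from the same shared AES key.
public final class SharedAuthToken {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKeySpec key;
    public SharedAuthToken(byte[] rawKey) { this.key = new SecretKeySpec(rawKey, "AES"); }

    // Token = base64url( IV || AES-GCM( expiryMillis (8 bytes) || userId (UTF-8) ) )
    public String issue(String userId, long ttlMillis) throws GeneralSecurityException {
        byte[] uid = userId.getBytes(StandardCharsets.UTF_8);
        byte[] plain = ByteBuffer.allocate(8 + uid.length)
                .putLong(System.currentTimeMillis() + ttlMillis).put(uid).array();
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);                       // fresh IV per token; never reuse with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Returns the user id, or throws if the token is malformed, altered or expired.
    public String verify(String token) throws GeneralSecurityException {
        byte[] in;
        try { in = Base64.getUrlDecoder().decode(token); }
        catch (IllegalArgumentException e) { throw new GeneralSecurityException("malformed token"); }
        if (in.length < IV_LEN + TAG_BITS / 8 + 8) throw new GeneralSecurityException("token too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        ByteBuffer plain = ByteBuffer.wrap(c.doFinal(in, IV_LEN, in.length - IV_LEN)); // bad tag => exception
        if (plain.getLong() < System.currentTimeMillis()) throw new GeneralSecurityException("token expired");
        return StandardCharsets.UTF_8.decode(plain).toString();
    }

    public static void main(String[] args) throws Exception {
        byte[] demoKey = new byte[16];           // constructed demo key; real keys come from config
        RNG.nextBytes(demoKey);
        SharedAuthToken app1 = new SharedAuthToken(demoKey), app2 = new SharedAuthToken(demoKey);
        String cookieValue = app1.issue("whughes", 15 * 60 * 1000L);  // constructed user id
        System.out.println("app2 sees user: " + app2.verify(cookieValue));
    }
}
```

The base64url output is safe to use as a cookie value; the cookie carrying it should be marked `Secure` and `HttpOnly`.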
 