
Single Signon and (vs?) Webapp Realms

Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17410

We've been looking at a Single Signon solution for our corporate webapps and portlets. Probably something like Yale's CAS system. We'd be authenticating and authorizing against Microsoft's Active Directory. Authentication appears to be no problem, but I'm unclear about authorization.

There are 2 ways to configure roles in Tomcat. You can create a global realm for all the webapps in the server, or you can create a separate realm for each webapp (I'll ignore the various hybrid options to keep the discussion simple).

I don't really want a global realm, as it requires me to set up a "one size fits all" role mapper for all apps. I could live with that, but searching such a broad base just to get a handful of roles for a specific webapp context - also returning about 20 times as many roles that have no meaning for that webapp seems like too much overhead.

So the question is: Is there a way using a SSO solution to define authorizations on a per-webapp basis? Specifically for Tomcat, but also in general?
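The two realm placements the question contrasts, shown as an added illustration that is not from the original post: a realm declared in conf/server.xml under `<Engine>` is shared by every webapp on the server, while one declared in a webapp's META-INF/context.xml applies only to that context. Both fragments use Tomcat's JNDIRealm against a directory; the host name, bind account, base DNs and group container are placeholders, not values from the thread.

```xml
<!-- conf/server.xml (global placement): one Realm under <Engine> serves every
     webapp, so every webapp's roles come from the same search scope.
     The SingleSignOn valve sits on the <Host> so a session authenticated in
     one webapp is recognised by the others. Placeholder host and DNs. -->
<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://ad.example.invalid:636"
         connectionName="CN=tomcat-bind,OU=Service Accounts,DC=example,DC=invalid"
         connectionPassword="REPLACE_ME"
         userBase="OU=Users,DC=example,DC=invalid"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         roleBase="DC=example,DC=invalid"
         roleSubtree="true"
         roleName="cn"
         roleSearch="(member={0})"/>
  <Host name="localhost" appBase="webapps">
    <!-- requireReauthentication="true" makes the valve re-authenticate each
         request against the realm of the webapp being accessed instead of
         reusing the Principal cached at first login. -->
    <Valve className="org.apache.catalina.authenticator.SingleSignOn"
           requireReauthentication="true"/>
  </Host>
</Engine>

<!-- webapps/payroll/META-INF/context.xml (per-webapp placement): the Realm is
     scoped to this context only, and roleBase is narrowed to the OU that holds
     this application's groups, so only those groups are searched for the
     user's membership. Placeholder DNs. -->
<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://ad.example.invalid:636"
         connectionName="CN=tomcat-bind,OU=Service Accounts,DC=example,DC=invalid"
         connectionPassword="REPLACE_ME"
         userBase="OU=Users,DC=example,DC=invalid"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         roleBase="OU=Payroll Groups,OU=Application Groups,DC=example,DC=invalid"
         roleSubtree="false"
         roleName="cn"
         roleSearch="(member={0})"/>
</Context>
```

Two points a practitioner should weigh. The bind over `ldaps://` matters because `connectionName`/`connectionPassword` are sent on every directory bind; plain `ldap://` on 389 exposes the service account's password on the wire. And `requireReauthentication="true"` only works for authentication methods where the valve can cache the user's credentials (BASIC and FORM), which means Tomcat holds the password in memory for the life of the SSO session; with the default of `false`, the Principal and roles from the first login are reused by every webapp on the host, which is why the global realm is the simpler fit for SSO.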
Francis Shillitoe

Joined: Aug 30, 2002
Posts: 22
The web.xml file in a web app is the place to define role mappings between roles and URLs to protect. See the <security-constraint> tag.


Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17410

No, the question is, "Can I narrow the list of roles that Tomcat is going to read in to a per-app basis and still have single signon?"

The problem comes firstly from Tomcat's reading in EVERY eligible role from its domain definition, even if the role doesn't appear in any app's web.xml.

Secondarily (and more importantly), I'd really rather be able to load the roles for a given webapp on-demand - meaning when the first reference to a given app is made - instead of taking a massive hit loading ALL the roles for ALL the apps the first time the user validates to Tomcat. Aside from really slowing down the initial authentication, it's a waste of memory resources to hold items that aren't being referenced.