Single sign on for multiple webapps

Jyoti Sri
Greenhorn

Joined: Mar 10, 2008
Posts: 12
Hi all,

We have a 3rd-party webapp which uses j_security_check as the authentication mechanism. I want to integrate and use it with my current web application such that the user just has to log in to my main application and it should automatically log the user in to the other application.

I have heard about single sign-on. Do I need to use single sign-on to achieve this? If yes, then which mechanism should I use (JAAS?) and how do I implement it?

My main application has to run on both JBoss as well as WebLogic.

Can someone please suggest any way of achieving this?

Thanks in advance

Regards
Nitesh Kant
Bartender

Joined: Feb 25, 2007
Posts: 1638

Single sign-on, as you would have read, is a concept suggesting that if there are related applications, every one of them does not need to authenticate the same user again and again. Any one of them can do it once and the others can use the result.
For example, if you log in to Yahoo once, you do not need to produce your credentials (user name and password) again for any of the specific applications like mail, finance, etc. Although, all these applications will ask for your credentials if you directly log in to, let us say, Yahoo Mail.
The idea being that the authentication result is being sent with every session (in the form of a cookie, session id or something else) and the application decides to allow the user or throw a login page accordingly.
As you would have noticed above, in order to assert whether the user is logged in or not, the application requires the authentication information, if any. This information can be sent in different formats. It can be a cookie, or part of the HTML message, or a SOAP header, a SAML token in the case of web services, etc.
You need to decide which is the way your applications need to do this.
In a very simple way, you can store a flag in the session indicating whether the user is authenticated or not. For every request you check whether the flag is present; if not, you can redirect to the login page, else process the request.

NOTE: JAAS does not deal with single sign on. It is a technology to club various login modules together. This essentially is not single sign on.


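One way to carry the authentication result in a cookie, as described in the reply above (an added example, not part of the original posts): the main application issues an HMAC-signed, expiring token after login, and every webapp verifies it on each request before deciding whether to redirect to the login page. The class name, token layout and shared key are assumptions, and the code does not change how a container-managed j_security_check login behaves.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added example: a signed, expiring SSO cookie value that several webapps can verify.
// Class name, token layout and key handling are assumptions, not from the thread.
public class SsoToken {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    private static String sign(String payload, byte[] key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return B64.encodeToString(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }

    // The main application calls this after a successful login and sets the result as a cookie.
    static String issue(String user, long expiresEpochSec, byte[] key) throws Exception {
        String payload = B64.encodeToString(user.getBytes(StandardCharsets.UTF_8)) + "." + expiresEpochSec;
        return payload + "." + sign(payload, key);
    }

    // Each webapp calls this per request; null means "redirect to the login page".
    static String verify(String token, long nowEpochSec, byte[] key) throws Exception {
        if (token == null) return null;
        String[] p = token.split("\\.");
        if (p.length != 3) return null;
        byte[] expected = sign(p[0] + "." + p[1], key).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so the signature cannot be guessed byte by byte.
        if (!MessageDigest.isEqual(expected, p[2].getBytes(StandardCharsets.UTF_8))) return null;
        try {
            if (Long.parseLong(p[1]) <= nowEpochSec) return null; // token has expired
        } catch (NumberFormatException e) {
            return null;
        }
        return new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-change-me".getBytes(StandardCharsets.UTF_8); // constructed sample key
        long now = 1_700_000_000L;                                   // constructed clock value
        String token = issue("alice", now + 1800, key);
        System.out.println(verify(token, now, key));                 // token within its lifetime
        System.out.println(verify(token, now + 3600, key));          // same token after expiry
        String forged = issue("admin", now + 1800, "wrong".getBytes(StandardCharsets.UTF_8));
        System.out.println(verify(forged, now, key));                // token signed with another key
    }
}
```

A plain "authenticated" flag in a cookie could be set by anyone; the signature and expiry are what let a second webapp trust a value it did not create itself.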
Jyoti Sri
Greenhorn

Joined: Mar 10, 2008
Posts: 12
Thanks for your response Nitesh.

My problem is that this 3rd-party webapp uses j_security_check for authentication, so whenever a user tries to access this application he will be redirected to the login page first, and then that login form has "j_security_check" in the post method.

So basically I want to skip this step. I tried avoiding form-based authentication by removing "<login-config>" in web.xml, but after this it throws an error saying this is a secure resource.

Moreover, I think it is not a good idea to modify the WAR file supplied by the 3rd party to achieve any solution, because tomorrow if they release another version I have to change the WAR again.

I hope you got what I am trying to achieve.

Please give your suggestions/solutions.

Thanks
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60766
    

"Jyoti", please check your private messages for an important administrative matter.


Nitesh Kant
Bartender

Joined: Feb 25, 2007
Posts: 1638

Originally posted by Jyoti:

So basically I want to skip this step. I tried avoiding form-based authentication by removing "<login-config>" in web.xml, but after this it throws an error saying this is a secure resource.


I have not used j_security_check, so will not be able to comment on that.
However, can you use j_security_check in your application also, so that the result of authentication is set in the session (I read somewhere that j_security_check stores it in the session) and the other application, after seeing the result, deduces that the user is logged in?
Jyoti Sri
Greenhorn

Joined: Mar 10, 2008
Posts: 12
I can try doing that, but I had a doubt: because both of them are different web applications, will they still have a common session or whatever j_security_check uses to store the logincontext?

Anyway, I'll try to do that and see if it works.
Nitesh Kant
Bartender

Joined: Feb 25, 2007
Posts: 1638

Originally posted by Jyoti S:
I can try doing that, but I had a doubt: because both of them are different web applications, will they still have a common session or whatever j_security_check uses to store the logincontext?

Anyway, I'll try to do that and see if it works.

Sure, let us know.
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

"Jyoti S",
Please check your private messages.
-Ben

