
Single sign on for multiple webapps

 
Jyoti Sri
Greenhorn
Posts: 12
Hi all,

We have a webapp (3rd party) which uses j_security_check as the authentication mechanism. I want to integrate and use it with my current web application such that the user just has to log in to my main application and it should automatically log the user in to the other application.

I have heard about single sign-on. Do I need to use single sign-on to achieve this? If yes, then which mechanism to use (JAAS?) and how to implement it?

My main application has to run on both JBoss as well as WebLogic.

Can someone please suggest any way of achieving this?

Thanks in advance

Regards
 
Nitesh Kant
Bartender
Posts: 1638
Single sign-on, as you would have read, is a concept suggesting that if there are related applications, every one of them does not need to authenticate the same user again and again. Any one of them can do it once and the others can use the result.
For example, if you log in to Yahoo once, you do not need to produce your credentials (user name and password) again for any of the specific applications like mail, finance, etc. Although, all these applications will ask for your credentials if you directly log in to, let us say, Yahoo Mail.
The idea being that the authentication result is being sent with every session (in the form of a cookie, session id or something else) and the application decides to allow the user or throw a login page accordingly.
As you would have noticed above, in order to assert whether the user is logged in or not, the application requires the authentication information, if any. This information can be sent in different formats. It can be a cookie or part of the HTML message or a SOAP header, a SAML token in the case of web services, etc.
You need to decide which is the way your applications need to do this.
In a very simple way, you can store a flag in the session whether the user is authenticated or not. For every request you check whether the flag is present, if not, you can redirect to the login page, else process the request.

NOTE: JAAS does not deal with single sign on. It is a technology to club various login modules together. This essentially is not single sign on.
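
An added example, not part of the original post and not code from any of the applications discussed: one way the "authentication result sent as a cookie" idea above can be made trustworthy across separate webapps is to sign the cookie value and give it an expiry. It assumes the applications share a secret key and a cookie domain; `SsoToken`, `issue` and `verify` are hypothetical names.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added example: a signed, expiring SSO cookie value shared by several webapps.
// SsoToken, issue() and verify() are hypothetical names, not from the thread.
public class SsoToken {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Called by the application that performed the login.
    public static String issue(byte[] key, String user, long expiresAtMillis) throws Exception {
        String payload = ENC.encodeToString(user.getBytes(StandardCharsets.UTF_8)) + "." + expiresAtMillis;
        return payload + "." + ENC.encodeToString(hmac(key, payload));
    }

    // Called by every other application; returns the user name, or null to force a login.
    public static String verify(byte[] key, String token, long nowMillis) throws Exception {
        String[] parts = token == null ? new String[0] : token.split("\\.");
        if (parts.length != 3) return null;
        byte[] expected = hmac(key, parts[0] + "." + parts[1]);
        byte[] given;
        long expires;
        try {
            given = DEC.decode(parts[2]);
            expires = Long.parseLong(parts[1]);
        } catch (IllegalArgumentException e) {   // malformed Base64 or expiry field
            return null;
        }
        if (!MessageDigest.isEqual(expected, given)) return null;  // constant-time compare
        if (nowMillis >= expires) return null;                     // token has expired
        return new String(DEC.decode(parts[0]), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        // Constructed demo key; a real deployment loads the key from protected configuration.
        byte[] key = "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);
        long now = System.currentTimeMillis();
        String token = issue(key, "jyoti", now + 60_000);
        System.out.println(verify(key, token, now));            // freshly issued token
        System.out.println(verify(key, token + "x", now));      // altered signature
        System.out.println(verify(key, token, now + 120_000));  // checked after expiry
    }
}
```

An unsigned "logged in" flag in a cookie can be set by anyone, which is why the signature and expiry checks come before the user name is trusted. The cookie carrying this value should also be marked `Secure` and `HttpOnly`.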
 
Jyoti Sri
Greenhorn
Posts: 12
Thanks for your response Nitesh.

My problem is that this 3rd party webapp uses j_security_check for authentication, so whenever a user tries to access this application he will be redirected to the login page first, and then that login form has "j_security_check" in the post method.

So basically I want to skip this step. I tried avoiding form-based authentication by removing "<login-config>" in web.xml, but after this it throws an error saying this is a secure resource.

Moreover, I think it is not a good idea to modify the war file supplied by the 3rd party to achieve any solution, because tomorrow if they release another version I have to change the war again.

I hope you got what I'm trying to achieve.

Please give your suggestions/solutions.

Thanks
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64204
"Jyoti", please check your private messages for an important administrative matter.
 
Nitesh Kant
Bartender
Posts: 1638
Originally posted by Jyoti:

So basically I want to skip this step. I tried avoiding form-based authentication by removing "<login-config>" in web.xml, but after this it throws an error saying this is a secure resource.


I have not used j_security_check, so I will not be able to comment on that.
However, can you use j_security_check in your application also, so that the result of authentication is set in the session (I read somewhere that j_security_check stores it in the session) and the other application, after seeing the result, deduces that the user is logged in?
 
Jyoti Sri
Greenhorn
Posts: 12
I can try doing that, but I had a doubt: because both of them are different web applications, will they still be having a common session or whatever j_security_check uses to store the logincontext?

Anyway, I'll try to do that and see if it works.
 
Nitesh Kant
Bartender
Posts: 1638
Originally posted by Jyoti S:
I can try doing that, but I had a doubt: because both of them are different web applications, will they still be having a common session or whatever j_security_check uses to store the logincontext?

Anyway, I'll try to do that and see if it works.

Sure, let us know.
 