I have 2 web sites. The first one is hosted in J2EE server and the second one is hosted on IIS. I am trying a Single-Sign On from the first web app to the second web app. How do we do this? I am trying to set response.setHeader() in my JSP. But this is not working. I am not even sure if the headers are right. Thanks, Ajay
Commercial products like Netegrity do this stuff by inserting a filter (terminology varies by web server) in front of normal processing. In very general terms ... the filter looks for an authentication token in the HTTP request. It checks the token against its own server (not the two web servers you're securing) and either allows the request to go through or redirects the browser to a log-in page. So if you log in and get the token, you can then go to any other web server. Your apps never have to be aware of the token, so less work. The filter adds a context of some kind to the request which your app can query to get user identity and any authorization information the security subsystem might hold. My level of exposure to this is barely deeper than reading the market literature. Anybody have real details? Is it something one could try to write instead of buy?
A good question is never answered. It is not a bolt to be tightened into place but a seed to be planted and to bear more seed toward the hope of greening the landscape of the idea. John Ciardi