JavaRanch » Java Forums » Products » Tomcat
Implementing Single Sign On

Sakthivelmurugan Kg
Greenhorn

Joined: Aug 07, 2009
Posts: 3
Hi All,

I have two web applications running in two different Tomcat servers. I want to implement a single sign-on feature in one of my applications. Users in both applications are the same. Can anyone tell me how to implement it?

If you have any code snippets, please send them to me.

Thanks in advance.

Regards,
Sakthi
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41124
Tomcat has the SSO Valve, but I think that only works within a single Tomcat instance.

Check out the various available Java SSO implementations; some are listed in the http://faq.javaranch.com/java/SecurityFaq#web-apps


Ping & DNS - my free Android networking tools app
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15958

Ulf Dittmer wrote:Tomcat has the SSO Valve, but I think that only works within a single Tomcat instance.

Check out the various available Java SSO implementations; some are listed in the http://faq.javaranch.com/java/SecurityFaq#web-apps


There was an SSO facility called CAS that provided site-wide SSO.


Customer surveys are for companies who didn't pay proper attention to begin with.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41124
Tim Holloway wrote:There was an SSO facility called CAS that provided site-wide SSO.

...which is listed on that page, along with JOSSO and OpenSSO :-)
James Ward
Ranch Hand

Joined: Apr 27, 2003
Posts: 263
Poor Man's SSO:

Web Application A (http://WebApplicationA/)
Web Application B (http://WebApplicationB/)

User logs into Web Application A.
He clicks on a link inside a Web Application A page (of the kind): http://WebApplicationB/go?sessionId=ABC&user=me@me.com

When Application B receives this request, it makes an HTTP call to Application A to verify this information.
In other words it sends an HTTP request (server to server) like: http://WebApplicationA/verifyUserSession?sessionId=ABC&user=me@me.com. Web Application A checks its list of logged-in users/sessions and responds with VERIFIED or FAILURE.

If the response was VERIFIED, WebApplicationB knows this is a logged in user inside WebApplicationA - and it proceeds to create a session for the user, and allows him in.

So, that's the idea.

You will notice that you must arrive at the second application via a link from the first application, so that you can present your existing sessionId/username for verification.
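The exchange above, as an added example that is not James's code: the three steps (A builds the link, B receives it, B asks A server to server and gets VERIFIED or FAILURE) run inside one JVM, with a plain method call standing in for the HTTPS request from B to A. One thing is swapped in deliberately: A hands out a single-use token with a 30-second lifetime (an assumed value) instead of its own session ID, because whatever goes into that link lands in the browser history, in the Referer header of anything B's page loads, and in every proxy and access log on the way, and a raw session ID there is a reusable credential for A. The class and method names are invented for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * The handoff from the post, reduced to its logic and run inside one JVM. AppA mints a
 * single-use, short-lived token for a logged-in user, the browser carries it to AppB in
 * the link, and AppB asks AppA whether the token is good before it creates its own session.
 */
public class HandoffSso {

    /** What A answers on the server-to-server verify call. */
    enum Verdict { VERIFIED, FAILURE }

    /** What A remembers about a token it has handed out. */
    static final class Handoff {
        final String user;
        final long expiresAtMillis;
        Handoff(String user, long expiresAtMillis) { this.user = user; this.expiresAtMillis = expiresAtMillis; }
    }

    private static final SecureRandom RNG = new SecureRandom();

    /** 256 random bits, URL-safe; used for both session ids and handoff tokens. */
    static String randomToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Compares without leaking where the first mismatch is. */
    static boolean constantTimeEquals(String x, String y) {
        return MessageDigest.isEqual(x.getBytes(StandardCharsets.UTF_8), y.getBytes(StandardCharsets.UTF_8));
    }

    /** Application A: owns the real login and the list of logged-in users. */
    static final class AppA {
        static final long TTL_MILLIS = 30_000;                         // assumption: enough for one click
        private final Map<String, String> sessions = new ConcurrentHashMap<>();    // sessionId -> user
        private final Map<String, Handoff> outstanding = new ConcurrentHashMap<>(); // token -> binding

        /** Stands in for A's normal login; A's session id never leaves A. */
        String login(String user) {
            String sid = randomToken();
            sessions.put(sid, user);
            return sid;
        }

        /** Builds the link to B around a fresh token bound to the session's user. */
        String linkToB(String sessionId, long now) {
            String user = sessions.get(sessionId);
            if (user == null) throw new IllegalStateException("not logged in to A");
            String token = randomToken();
            outstanding.put(token, new Handoff(user, now + TTL_MILLIS));
            return "http://WebApplicationB/go?token=" + token + "&user=" + user;
        }

        /** A's verifyUserSession endpoint. remove() comes first, so a token redeems exactly once. */
        Verdict verifyUserSession(String token, String user, long now) {
            Handoff h = outstanding.remove(token);
            if (h == null || now > h.expiresAtMillis) return Verdict.FAILURE;
            return constantTimeEquals(h.user, user) ? Verdict.VERIFIED : Verdict.FAILURE;
        }
    }

    /** Application B: trusts nothing in the query string until A has confirmed it. */
    static final class AppB {
        private final AppA a;                                          // stands in for the HTTPS call to A
        private final Map<String, String> sessions = new ConcurrentHashMap<>();
        AppB(AppA a) { this.a = a; }

        /** B's /go handler: returns B's new session id, or null when A answers FAILURE. */
        String go(String token, String user, long now) {
            if (a.verifyUserSession(token, user, now) != Verdict.VERIFIED) return null;
            String sid = randomToken();
            sessions.put(sid, user);
            return sid;
        }
    }

    /** Pulls the token back out of the link, as the browser would on the click. */
    static String tokenOf(String link) {
        return link.substring(link.indexOf("token=") + 6, link.indexOf("&user="));
    }

    /** Happy path plus the three rejections B has to get right. */
    public static void main(String[] args) {
        AppA a = new AppA();
        AppB b = new AppB(a);
        long now = System.currentTimeMillis();
        String sidA = a.login("me@me.com");

        String t1 = tokenOf(a.linkToB(sidA, now));
        System.out.println("first use accepted:  " + (b.go(t1, "me@me.com", now) != null));
        System.out.println("replay rejected:     " + (b.go(t1, "me@me.com", now) == null));
        String t2 = tokenOf(a.linkToB(sidA, now));
        System.out.println("wrong user rejected: " + (b.go(t2, "you@me.com", now) == null));
        String t3 = tokenOf(a.linkToB(sidA, now));
        System.out.println("expired rejected:    " + (b.go(t3, "me@me.com", now + 60_000) == null));
    }
}
```

Compile with javac HandoffSso.java and run it; the four lines it prints cover the accepted first use and the three rejections. Two things the sketch cannot show but a real deployment needs: A's verifyUserSession endpoint must be reachable only over TLS and only by B (a shared secret or a client certificate), otherwise anyone who can reach it can burn tokens or probe for valid ones; and B must key its session on what A confirmed rather than on the user parameter alone, which is why A checks the user against the token's binding instead of ignoring it.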
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15958

That's kind of what OpenID is about. However, that strategy only works when you're doing your own security.

http://www.mousetech.com/blog/?p=11

Pat Gonzalez
Greenhorn

Joined: Oct 18, 2009
Posts: 19

This project has some easy to follow SSO documentation for Tomcat using an HTTP Servlet Filter.

http://spnego.sourceforge.net/spnego_tomcat.html

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41124
Pat Gonzalez wrote:http://spnego.sourceforge.net/

If I understand correctly, then this provides SSO across web apps running on a single servlet container instance, yes? Or can it be used across multiple instances?
Pat Gonzalez
Greenhorn

Joined: Oct 18, 2009
Posts: 19
Correct.

Across many web apps, across many instances, and across many physical hosts.

This works as long as each web app is configured to use the filter.

For example, it is possible to configure an app server such that any web app
running on that app server will invoke a specified filter.

It is also possible to configure an app server such that each web app must
be configured to invoke a specified filter.

The former is more of a global setting whereas the latter is local to the web app.

In other words, the number of physical hosts is irrelevant, and so is the number
of app server instances on a physical host.

The number of web apps is also irrelevant... as long as the app server instance
that the web app is running on has the servlet filter installed.




salvin francis
Ranch Hand

Joined: Jan 12, 2009
Posts: 917

When you say "global setting", have you taken into consideration two different Tomcat servers?


My Website: [Salvin.in] Cool your mind:[Salvin.in/painting] My Sally:[Salvin.in/sally]