Implementing Single Sign On

 
Sakthivelmurugan Kg
Greenhorn
Posts: 3
Hi All,

I have two web applications running in two different Tomcat servers. I want to implement a single sign-on feature in one of my applications. Users in both applications are the same. Can anyone tell me how to implement it?

If you have any code snippets, please send them to me.

Thanks in advance.

Regards,
Sakthi
 
Ulf Dittmer
Rancher
Posts: 42967
Tomcat has the SSO Valve, but I think that only works within a single Tomcat instance.

Check out the various available Java SSO implementations; some are listed in the http://faq.javaranch.com/java/SecurityFaq#web-apps
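For reference, the valve mentioned above is declared in Tomcat's server.xml. This is an added configuration example, not from the thread, and assumes a default Host named "localhost"; the web apps it serves must also use container-managed authentication (a login-config in their web.xml and a Realm on the Host) for the valve to have anything to share.

```xml
<!-- $CATALINA_BASE/conf/server.xml (added example, not from the thread) -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
  <!-- One SingleSignOn valve per Host: a user authenticated by any web app
       deployed under this Host is recognised by the other web apps under it.
       Its scope is this Host inside this one Tomcat instance; a second
       Tomcat process on another port or machine knows nothing about it. -->
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
</Host>
```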
 
Tim Holloway
Saloon Keeper
Posts: 18098
Ulf Dittmer wrote:Tomcat has the SSO Valve, but I think that only works within a single Tomcat instance.

Check out the various available Java SSO implementations; some are listed in the http://faq.javaranch.com/java/SecurityFaq#web-apps


There was an SSO facility called CAS that provided site-wide SSO.
 
Ulf Dittmer
Rancher
Posts: 42967
Tim Holloway wrote:There was an SSO facility called CAS that provided site-wide SSO.

...which is listed on that page, along with JOSSO and OpenSSO :-)
 
James Ward
Ranch Hand
Posts: 263
Poor Man's SSO:

Web Application A (http://WebApplicationA/)
Web Application B (http://WebApplicationB/)

User logs into Web Application A.
He clicks a link inside a Web Application A page (of the kind): http://WebApplicationB/go?sessionId=ABC&user=me@me.com

When Application B receives this request, it makes an HTTP call to Application A to verify this information.
In other words, it sends an HTTP request (server to server) like: http://WebApplicationA/verifyUserSession?sessionId=ABC&user=me@me.com. Web Application A checks its list of logged-in users/sessions and responds with VERIFIED or FAILURE.

If the response was VERIFIED, Web Application B knows this is a logged-in user inside Web Application A, and it proceeds to create a session for the user and allows him in.

So, that's the idea.

You will notice that you must arrive at the second application via a link from the first application, so that you can present your existing sessionId/username for verification.
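The exchange described in the post above, as an added example that is not part of the original post. The two applications are modelled as in-process objects and the server-to-server HTTP call is a direct method call, but the query strings are built and parsed with urllib so the wire format is the one in the post. Session ids come from the secrets module; the class and method names are assumptions for illustration.

```python
"""Poor man's SSO from the post above, modelled as two in-process 'servers'.
Added example: class/method names are assumptions, not anyone's real code."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class WebApplicationA:
    """Holds the authoritative login state and answers verify calls."""

    def __init__(self, base_url="http://WebApplicationA"):
        self.base_url = base_url
        self.sessions = {}          # sessionId -> logged-in user

    def login(self, user):
        session_id = secrets.token_urlsafe(24)   # unguessable session id
        self.sessions[session_id] = user
        return session_id

    def logout(self, session_id):
        self.sessions.pop(session_id, None)

    def link_to_b(self, session_id, b_base_url="http://WebApplicationB"):
        """The link rendered inside an A page that carries the user to B."""
        user = self.sessions[session_id]
        return f"{b_base_url}/go?" + urlencode({"sessionId": session_id, "user": user})

    def verify_user_session(self, session_id, user):
        """Server-to-server endpoint that B calls. VERIFIED only if the
        session exists *and* belongs to the claimed user, so a valid id
        cannot be combined with somebody else's name."""
        if self.sessions.get(session_id) == user:
            return "VERIFIED"
        return "FAILURE"


class WebApplicationB:
    """Trusts A's verdict and creates its own session on VERIFIED."""

    def __init__(self, app_a):
        self.app_a = app_a          # stands in for an HTTP client talking to A
        self.sessions = {}          # B's own sessionId -> user

    def handle_go(self, url):
        """GET /go?sessionId=...&user=... ; returns B's new session id, or None."""
        q = parse_qs(urlparse(url).query)
        session_id = q.get("sessionId", [""])[0]
        user = q.get("user", [""])[0]
        if not session_id or not user:
            return None
        if self.app_a.verify_user_session(session_id, user) != "VERIFIED":
            return None
        b_session = secrets.token_urlsafe(24)
        self.sessions[b_session] = user
        return b_session

    def current_user(self, b_session):
        return self.sessions.get(b_session)


def demo():
    """Happy path plus the two failure modes the verify step has to catch."""
    a = WebApplicationA()
    b = WebApplicationB(a)
    sid = a.login("me@me.com")
    link = a.link_to_b(sid)
    ok = b.handle_go(link)
    # Tampering: a real A session id combined with another user's name.
    forged = f"http://WebApplicationB/go?sessionId={sid}&user=admin@me.com"
    tampered = b.handle_go(forged)
    # Staleness: after logout at A the same link must no longer verify.
    a.logout(sid)
    stale = b.handle_go(link)
    return {
        "user_in_b": b.current_user(ok),
        "tampered_rejected": tampered is None,
        "stale_rejected": stale is None,
    }


if __name__ == "__main__":
    print(demo())
```

The block follows the post and puts A's session id in the link. In a real deployment that link ends up in browser history, proxy logs and Referer headers, so a short-lived, single-use handoff token that A maps back to the session is the usual substitute; the verify call itself should also go over TLS and be restricted to B's address, since anyone who can reach it can probe session ids.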
 
Tim Holloway
Saloon Keeper
Posts: 18098
That's kind of what OpenID is about. However, that strategy only works when you're doing your own security.

http://www.mousetech.com/blog/?p=11

 
Pat Gonzalez
Greenhorn
Posts: 19

This project has some easy-to-follow SSO documentation for Tomcat using an HTTP servlet filter.

http://spnego.sourceforge.net/spnego_tomcat.html

 
Ulf Dittmer
Rancher
Posts: 42967
Pat Gonzalez wrote:http://spnego.sourceforge.net/

If I understand correctly, then this provides SSO across web apps running on a single servlet container instance, yes? Or can it be used across multiple instances?
 
Pat Gonzalez
Greenhorn
Posts: 19
Correct.

Across many web apps, across many instances, and across many physical hosts.

This works as long as each web app is configured to use the filter.

For example, it is possible to configure an app server such that any web app running on that app server will invoke a specified filter.

It is also possible to configure an app server such that each web app must be configured to invoke a specified filter.

The former is more of a global setting whereas the latter is local to the web app.

In other words, the number of physical hosts is irrelevant, and/or the number of app server instances on a physical host.

The number of web apps is also irrelevant... as long as the app server instance that the web app is running on has the servlet filter installed.
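The two placements described above, as an added example for Tomcat (not from the thread or the project's own docs). The filter class name is the one used by the linked project as I recall it; check it, and the init-params it needs (Kerberos and JAAS configuration locations), against the project page before use, as they are omitted here.

```xml
<!-- Added example. "Local" placement: WEB-INF/web.xml of ONE web app.
     "Global" placement: the same two elements in $CATALINA_BASE/conf/web.xml,
     whose defaults Tomcat applies to every web app deployed on that instance.
     Either way the filter runs per Tomcat instance, so each of the two
     Tomcat servers in the question needs the filter jar and this configuration. -->
<filter>
  <filter-name>SpnegoHttpFilter</filter-name>
  <!-- Assumed class name from the spnego.sourceforge.net project; verify. -->
  <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
  <!-- init-params for krb5.conf / login.conf locations and the service
       credentials go here; take their exact names from the project docs. -->
</filter>

<filter-mapping>
  <filter-name>SpnegoHttpFilter</filter-name>
  <!-- Protect everything; narrow the pattern if only part of the app needs SSO. -->
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

What makes this "SSO across instances" is not shared state between the servers but the fact that each instance independently validates the same Kerberos ticket the browser presents, so nothing has to be replicated between them.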




 
salvin francis
Bartender
Posts: 1268
When you say "global setting", have you taken into consideration two different Tomcat servers?
 