Implementing Single Sign On

Hi All,

I have two web applications running in two different tomcat servers. I want to implement single sign on feature in one of my applications. Users in both the applications are same. Can anyone tell me how to implement it?

If you have any code snippets, please send it to me.

Thanks in advance.

Regards,
Sakthi

Tomcat has the SSO Valve, but I think that only works within a single Tomcat instance.

Check out the various available Java SSO implementations; some are listed in the http://faq.javaranch.com/java/SecurityFaq#web-apps

Ulf Dittmer wrote:Tomcat has the SSO Valve, but I think that only works within a single Tomcat instance.

Check out the various available Java SSO implementations; some are listed in the http://faq.javaranch.com/java/SecurityFaq#web-apps

There was an SSO facility called CAS that provided site-wide SSO.

Tim Holloway wrote:There was an SSO facility called CAS that provided site-wide SSO.

...which is listed on that page, along with JOSSO and OpenSSO :-)

Poor Mans SSO:

Web Application A (http://WebApplicationA/)
Web Application B (http://WebApplicationB/)

User logs into Web Application A.
He clicks on a link inside Web Application A page (of the kind): http://WebApplicationB/go?sessionId=ABC&user=me@me.com

When Application B receives this request, it makes a http call to Application A to verify this information.
In other words it sends a http request (server to server) like: http://WebApplicationA/verifyUserSession?sessionId=ABC&user=me@me.com. WebApplication A checks its list of logged-in users/sessions and responds with a VERIFIED or FAILURE.

If the response was VERIFIED, WebApplicationB knows this is a logged in user inside WebApplicationA - and it proceeds to create a session for the user, and allows him in.

So, thats the idea.

You will notice that - you must arrive at the second application via a link from the first application, so that you can present your existing sessionId/username for verification.

That's kind of what OpenID is about. However, that strategy only works when you're doing your own security.

http://www.mousetech.com/blog/?p=11

This project has some easy to follow SSO documentation for Tomcat using an HTTP Servlet Filter.

http://spnego.sourceforge.net/spnego_tomcat.html

Pat Gonzalez wrote:http://spnego.sourceforge.net/

If I understand correctly, then this provides SSO across web apps running on a single servlet container instance, yes? Or can it be used across multiple instances?

Correct.

Across many web apps, across many instances, and across many physical hosts.

This works as long as each web app is configured to use the filter.

For example, it is possible to configure an app server such that any web app
running on that app server will invoke a specified filter.

It is also possible to configure an app server such that each web app must
be configured to invoke a specified filter.

The former is more of a global setting whereas the latter is local to the web app.

In other words, the number of physical host is irrelevant and/or the number
of app server instances on a physical host.

The number of web apps is also irrelevant... as long as the app server instance
that the web app is running on has the servlet filter installed.

when you say "global setting" have you taken into consideration two different tomcat servers ?