Form based authentication and SSO

 
Ranch Hand
Posts: 906
Hi Ranchers,
In WebSphere 4.x, when you want to use a form based authentication mechanism, you have to enable SSO on your server. Otherwise, it does not work.
I am wondering why, and most of all, how that is compliant with the spec.
I'm really interested in knowing how the form based authentication is implemented with other app servers.
Does WebLogic force you to enable SSO?
What about JBoss?
And Oracle? And others...
 
JeanLouis Marechaux
Ranch Hand
Posts: 906
Nobody??
 
author
Posts: 3892
Bill, SSO is a WebSphere specific implementation detail -- it's totally outside the spec, which is why no one has responded because the question is meaningless outside of WebSphere.
Kyle
 
JeanLouis Marechaux
Ranch Hand
Posts: 906
Kyle,
I don't fully agree with you on that point, or maybe I misunderstood your post.
WebLogic has a SingleSignOn feature available.
Just like Sybase EAServer.
And all the servers have the form based login, as it is in the spec.
So the question is: do these servers force you to enable their single sign on when you choose the form based login mechanism, just like WebSphere does?
With WebSphere, the drawback of using SSO is that when the HttpSession expires, the credentials are still valid (LTPA token).
My understanding of the spec is that when the HttpSession expires, the user should be automatically re-challenged to log in again.
 
Kyle Brown
author
Posts: 3892
Bill, what I'm saying is that the single-signon feature is NOT part of the spec. Only the authentication mechanism (Form-based, Cert, Digest or Basic) is in the spec. Each vendor does authorization differently, and thus the settings will be completely different and not directly comparable.
Kyle
 
JeanLouis Marechaux
Ranch Hand
Posts: 906
Ok Kyle, then I agree.
But from the spec (12.5.3.1):
"If the user is authenticated using form login and has created an HTTP session, the timeout or invalidation of that session leads to the user being logged out in the sense that subsequent requests must cause the user to be re-authenticated."
The way WAS 4 has implemented the form based login does not work according to this statement.
I hope WAS 5 is different on that point.