1 Reply Latest reply on Feb 22, 2004 12:57 AM by starksm64

    Help! How to configure SSO in JBoss 3.2.3

    nerotnt
    nerotnt Feb 20, 2004 6:53 AM

      Can someone please help me configure or setup single sign on in JBoss 3.2.3.
      Want to use it between two webapps.

      Thanks in advance.

      • 3122 Views
      • Tags:
        • 1. Re: Help! How to configure SSO in JBoss 3.2.3
          starksm64
          starksm64 Feb 22, 2004 12:57 AM (in response to nerotnt)

          From the jboss-3.2.3 release notes:

          The tomcat4.1.x single sign-on behavior has been updated to allow for propagation of the web app security context to the ejb container and other secured resources.

          Configuration: In the jbossweb-tomcat41.sar/META-INF/jboss-service.xml file,
          inside the element of any virtual hosts for which you want
          single sign-on support, add a element:


          < Valve className="org.jboss.web.tomcat.tc4.authenticator.SingleSignOn" debug="0"/ >

          The "debug" attribute specifies the detail level of debugging messages created by this component.
          By default, this is set to zero (0), which means no debug output. A value of two (2) produces
          a large amount of output, similar to DEBUG or TRACE level logging with Log4j.

          Please note the Tomcat SingleSignOn valve stores SSO keys in a map maintained in the
          local JVM; it is not shared across a cluster. This release does not deal with that limitation;
          it allows SSO between multiple webapps deployed on one server, but it isn't cluster-aware.

          Notes on mixing different authentication schemes in webapps under the same virtual host:
          There are some differences between the way this valve works and the way the standard Tomcat valve
          works in a situation where different webapps under the same virtual host use different authentication
          schemes. This is because JBoss requires that each request from the user be reauthenticated; therefore
          when each request comes in, the SingleSignOn valve needs to have available in its cache sufficient
          security information to reauthenticate the user.

          If when accessing a virtual host the user first visits a webapp that uses FORM or BASIC authentication, and then they visit another webapp that requires DIGEST, the cached username/password from the FORM/BASIC authentication will not be sufficient information to do a digest authentication, so the user will be prompted for a digest login. Once a digest login succeeds, the browser automatically sends authentication information with each request, so thereafter the user can switch between DIGEST and FORM/BASIC webapps without issue

            • Actions