2 Replies Latest reply on Nov 21, 2005 3:31 AM by gil_fernandes

    Single Sign On doubt

    gil_fernandes

      Hi.

      I have this SSO doubt:

      I have in the same server (localhost) two web apps (app1 and app2).
      For both I use the default security policy (users.properties and roles.properties).
      My security files are set like this:

      users.properties:
      user1=user1pwd
      user2=user2pwd

      roles.properties:
      user1=role1
      user2=role2

      app1 web.xml is like this:

      <?xml version="1.0" encoding="ISO-8859-1"?>
      <web-app>
        <display-name>app1</display-name>

        <security-constraint>
          <web-resource-collection>
            <web-resource-name>public-resources</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>HEAD</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
          </web-resource-collection>

          <auth-constraint>
            <role-name>role1</role-name>
          </auth-constraint>
        </security-constraint>

        <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>role1</realm-name>
        </login-config>

        <security-role>
          <role-name>role1</role-name>
        </security-role>
      </web-app>



      ... and app2 web.xml is like this:

      <?xml version="1.0" encoding="ISO-8859-1"?>
      <web-app>
        <display-name>app2</display-name>

        <security-constraint>
          <web-resource-collection>
            <web-resource-name>public-resources</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>HEAD</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
          </web-resource-collection>

          <auth-constraint>
            <role-name>role2</role-name>
          </auth-constraint>
        </security-constraint>

        <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>role2</realm-name>
        </login-config>

        <security-role>
          <role-name>role2</role-name>
        </security-role>
      </web-app>


      In the BOSS_HOME\server\default\deploy\jbossweb-tomcat55.sar\server.xml I have under the Host tag the valve:
      <Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="2"/>


      When in my browser I go to http://localhost:8080/app1 I'm prompted to enter the user and password. I write user1/user1pwd and the index.jsp of app1 is loaded.

      In the same window (session) I go to http://localhost:8080/app2, and an HTTP error with status 403 (Access to the requested resource has been denied) appears.

      Isn't it supposed that, once authenticated in the session, I should have access to all applications under the same host?
      If so, what am I doing wrong?

      I have JBoss 4.0.3SP1.

      Thanks.

      Gil



        • 1. Re: Single Sign On doubt
          mikepastor

          Gil,

          I may be missing something here, but it looks like user1 only has 'role1' capabilities. Have you tried adding 'role2' to user1 ?

          You may also want to try putting your security declarations in the central/global web.xml (e.g. C:\jboss-4.0.3SP1\server\default\deploy\jbossweb-tomcat55.sar\conf\web.xml).

          Mike Pastor

          • 2. Re: Single Sign On doubt
            gil_fernandes

            Hi Mike. Thanks for your reply.

            Of course you are right, but I only want to know the difference between a BOSS_HOME\server\default\deploy\jbossweb-tomcat55.sar\server.xml configuration that includes the valve

            <Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="2"/>
            and one that does not include it.

            Gil
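The observable difference the thread is circling around is that an SSO valve shares authentication (who the caller is) across the web apps of one virtual host, while authorization (whether that identity holds the role named in each app's auth-constraint) is still decided per app. The following Python model is an added illustration, not code from the thread, from JBoss or from Tomcat: it is an in-memory simulation of that two-step check, with the user, role and constraint tables constructed to mirror the users.properties, roles.properties and web.xml files posted above. The class and function names (Host, walk_through, basic_header) are hypothetical; only the cookie name JSESSIONIDSSO is the one Tomcat's SingleSignOn valve really uses.

```python
import base64
import secrets

# Constructed store mirroring the poster's users.properties and roles.properties.
USERS = {"user1": "user1pwd", "user2": "user2pwd"}
ROLES = {"user1": {"role1"}, "user2": {"role2"}}

# Constructed per-app auth-constraint mirroring the two web.xml files:
# app1 requires role1, app2 requires role2.
APP_CONSTRAINTS = {"app1": "role1", "app2": "role2"}

SSO_COOKIE = "JSESSIONIDSSO"  # cookie name used by Tomcat's SingleSignOn valve


class Host:
    """One virtual host serving both apps, with or without an SSO valve (hypothetical model)."""

    def __init__(self, sso_enabled, roles=ROLES):
        self.sso_enabled = sso_enabled
        self.roles = roles
        self._sso_cache = {}  # SSO cookie value -> authenticated principal name

    def _authenticate_basic(self, headers):
        """Return the user name if the Authorization header carries valid BASIC credentials."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:
            decoded = base64.b64decode(auth[6:]).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, _, pwd = decoded.partition(":")
        stored = USERS.get(user)
        if stored is not None and secrets.compare_digest(stored, pwd):
            return user
        return None

    def request(self, app, headers=None, cookies=None):
        """Return (status, response headers, cookies to set) for a request to /app."""
        headers = headers or {}
        cookies = cookies or {}
        new_cookies = {}

        # Step 1, authentication: with the valve, a known SSO cookie reuses the cached identity;
        # otherwise the app's own BASIC login-config applies and a 401 challenge is sent.
        principal = None
        if self.sso_enabled:
            principal = self._sso_cache.get(cookies.get(SSO_COOKIE))
        if principal is None:
            principal = self._authenticate_basic(headers)
            if principal is None:
                realm = APP_CONSTRAINTS[app]  # the posts use the role name as realm-name
                return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}, {}
            if self.sso_enabled:
                token = secrets.token_hex(16)
                self._sso_cache[token] = principal
                new_cookies[SSO_COOKIE] = token

        # Step 2, authorization: each app checks its own auth-constraint against the
        # principal's roles. SSO never adds roles, so user1 is denied app2 either way.
        if APP_CONSTRAINTS[app] not in self.roles.get(principal, set()):
            return 403, {}, new_cookies
        return 200, {}, new_cookies


def basic_header(user, pwd):
    """Build the Authorization header a browser sends after the BASIC prompt."""
    token = base64.b64encode(f"{user}:{pwd}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def walk_through(sso_enabled, roles=ROLES):
    """Replay the poster's sequence: user1 logs into app1, then opens app2 in the same browser session."""
    host = Host(sso_enabled, roles)
    status1, _, cookies = host.request("app1", basic_header("user1", "user1pwd"))
    status2, _, _ = host.request("app2", cookies=cookies)
    return status1, status2


if __name__ == "__main__":
    print("with SSO valve:   ", walk_through(True))    # (200, 403): no second prompt, but denied
    print("without SSO valve:", walk_through(False))   # (200, 401): app2 challenges again
    print("user1 given role2:", walk_through(True, {"user1": {"role1", "role2"}}))  # (200, 200)
```

With the valve the second request is not challenged again (the identity is reused) but still ends in 403, which is exactly what the poster saw; without the valve the same request ends in 401 because app2 has to authenticate on its own. Granting user1 role2, as the reply suggests, is what turns the 403 into 200, in both configurations.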