Single Sign On doubt
gil_fernandes Nov 17, 2005 12:05 PM
Hi.
I have this SSO doubt:
I have in the same server (localhost) two web apps (app1 and app2).
For both I use the default security policy (users.properties and roles.properties).
My security files are set like this:
users.properties:
user1=user1pwd
user2=user2pwd
roles.properties:
user1=role1
user2=role2
app1 web.xml is like this:
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app>
  <display-name>app1</display-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public-resources</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>role1</realm-name>
  </login-config>
  <security-role>
    <role-name>role1</role-name>
  </security-role>
</web-app>
... and app2 web.xml is like this:
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app>
  <display-name>app2</display-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public-resources</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>HEAD</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role2</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>role2</realm-name>
  </login-config>
  <security-role>
    <role-name>role2</role-name>
  </security-role>
</web-app>
In the BOSS_HOME\server\default\deploy\jbossweb-tomcat55.sar\server.xml I have under the Host tag the valve:
<Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="2"/>
When in my browser I do http://localhost:8080/app1 I'm prompted to insert the user and password. I write user1/user1pwd and the index.jsp of app1 is loaded.
In the same window (session) I do http://localhost:8080/app2, and an HTTP error with status 403 (Access to the requested resource has been denied) appears.
Isn't it supposed that, once authenticated in the session, I should have access to all applications under the same host?
If so, what am I doing wrong?
I have JBoss 4.0.3SP1.
Thanks.
Gil
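
Added example, not part of the original post and not JBoss or Tomcat code: a simplified Python model of the access decision for the configuration above. The SingleSignOn valve carries the authenticated identity across web apps on the host, but each app's `auth-constraint` is still checked against that user's roles. The function names and the abbreviated `web.xml` strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed from the post: roles.properties and each app's auth-constraint.
ROLES_PROPERTIES = "user1=role1\nuser2=role2\n"
WEB_XML = {
    app: "<web-app><security-constraint><web-resource-collection>"
         "<url-pattern>/*</url-pattern></web-resource-collection>"
         f"<auth-constraint><role-name>{role}</role-name></auth-constraint>"
         "</security-constraint></web-app>"
    for app, role in (("app1", "role1"), ("app2", "role2"))
}

def load_roles(text):
    """Parse roles.properties lines of the form user=roleA,roleB."""
    roles = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, value = line.partition("=")
        roles[user.strip()] = {r.strip() for r in value.split(",") if r.strip()}
    return roles

def required_roles(web_xml):
    """Collect the role names listed in the descriptor's auth-constraint."""
    root = ET.fromstring(web_xml)
    path = "./security-constraint/auth-constraint/role-name"
    return {e.text.strip() for e in root.findall(path)}

def status(sso_principal, app, roles):
    """Simplified decision: SSO answers 'who is this', the role check answers 'may they'."""
    if sso_principal is None:
        return 401  # no shared identity yet: the app challenges with BASIC
    needed = required_roles(WEB_XML[app])
    if roles.get(sso_principal, set()) & needed:
        return 200
    return 403      # authenticated through SSO, but lacking a required role

if __name__ == "__main__":
    roles = load_roles(ROLES_PROPERTIES)
    for app in ("app1", "app2"):
        print("user1", app, status("user1", app, roles))
    # Assumed alternative mapping: user1 also holds role2.
    both = load_roles("user1=role1,role2\nuser2=role2\n")
    print("user1 with role2", "app2", status("user1", "app2", both))
```
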