I have an external authentication through Apache using the spnego protocol (automatic authentication with Kerberos of a user that uses Internet Explorer inside an Active Directory Domain). I need to create the user principal using the REMOTE_USER http request header supplied by apache.

Our team's main need is really an enhancement to jBoss's existing SSO, that is to handle SSO across multiple hosts on the same domain. A simple example would be abc.sample.com and xyz.sample.com. I understand that JOSSO is capable of this, but it does not appear that it works with 4.0.3 as of yet. Plus, a built in solution would be preferrable to configuring a third party.

Aside from that, you existing modules handle all our needs.

To allow your use case of abc.sample.com and xyz.sample.com requires a simple change to Tomcat's AuthenticatorBase class -- the addition of an "ssoCookieDomain" property that if set would override the current "/" domain with "sample.com". This property would best be set in the SingleSignOn valve class, but it's AuthenticatorBase that issues the cookie, so that class would have to be changed as well to access it.

Submitting a patch for that to Tomcat is on my to-do list; if anyone in the community wants to do it that would be most appreciated :).

Brian, if there is a way I can help, I'd be more than happy to do so.

"david.l.small" wrote:
Brian, if there is a way I can help, I'd be more than happy to do so.

Brian, this is great news. I'll keep a lookout for the next jBoss release.

Anil, sorry for hijacking your thread. I have used SiteMinder and I can safely say that I MUCH prefer jBoss's authenitcation/authorization mechanism. It is simple to configure (without all the SiteMinder policy files) and simple to setup authorization with built-in J2EE configuration.

Hello:

We had come across multipe times for the need for session sharing among multiple web apps (usually modules of the same app in separeate wars in same ear). If this feature is present as a configurable item, then it will be very useful.

thanks and regards,

-- Kannan.

Dear gang,

I have recently completed some work in this area that may be of interest. In my environment, users can be authenticated (in the web domain) by the presence of a specific cookie generated by an centralized authentication web application (i.e. the IDP). I had no involvement in development of this IDP. My only concern was to develop a way to allow us to use it to authenticate users so our applications do not have the security risks associated with authentication. Once user has authenticated and cookie has been validated, we have an internal authorization realm that can authorize user.

In order to use this service, I ...

a.) created a custom Tomcat Authenticator
b) extended the JBossSecurityMgrRealm
and
c.) developed custom LoginModules that either authenticated to cookie, or authorized the user.

If anyone is interested in more detail let me know. Also, I would like to be considered for any help needed in this area. In the mean time I will start looking into what has already been done.

thanks, cgriffith

There's an open JIRA task for adding a sharable session type: see http://jira.jboss.com/jira/browse/JBAS-1909

Re: the feature request to add a sharable session type, Chris informed me the JIRA issue I referenced wasn't public (thanks, Chris!). I've created a new public JIRA issue for the same thing: http://jira.jboss.com/jira/browse/JBAS-2861 .

Hi,

What we need at our site is an interceptor intercepts requests to multiple web applications. This in combination with the SSO feature of tomcat so that we don't have to build a login screen for every application we deploy.

I have the assignment to build this component for our department because as far as I know this is not possible right now. Any idea on how to do this or anyone who is working on the same issue?

Joris Wijlens

Did you consider using https://opensso.dev.java.net. It is a full fledged WebSSO project. It does have JBOSS agent for SSO and policy.