6 Replies Latest reply on Dec 29, 2005 11:38 PM by anil.saldhana

Setting up SSO on JBoss 3.2.x using JAAS

rameshsr Dec 29, 2005 10:10 AM

I have two different webapps app1 and app2. Both of them needs to go through a single sign-on mechanism using JAAS. I will first login to app1, which should prompt me for login/password. In the same browser instance, I access app2 and it should NOT prompt me for authentication again.

I have been playing with the login-config.xml file to do this, but no luck. Can anyone help me in this?

1. Re: Setting up SSO on JBoss 3.2.x using JAAS

brian.stansberry Dec 29, 2005 10:50 AM (in response to rameshsr)

See http://wiki.jboss.org/wiki/Wiki.jsp?page=SingleSignOn
Actions
2. Re: Setting up SSO on JBoss 3.2.x using JAAS

rameshsr Dec 29, 2005 10:58 AM (in response to rameshsr)

Thanks Brian. Earlier I looked at this link and didn't interest me much since this is the tomcat way of implementing SSO using valve.

Reading so much about JAAS, I feel that I should have some way of setting up SSO using JAAS instead of Tomcat Valve. Is there another way that JBoss provides that would purely use JAAS?
Actions
3. Re: Setting up SSO on JBoss 3.2.x using JAAS

brian.stansberry Dec 29, 2005 11:14 AM (in response to rameshsr)

The problem is with each request your browser needs to present some kind of credentials to the webserver, which the webserver can then use to pass necessary information to the JAAS layer. In a simple one app scenario, this is the session cookie. With two apps, how does the security layer know who the caller is when the 1st request for app2 comes in?
Actions
4. Re: Setting up SSO on JBoss 3.2.x using JAAS

rameshsr Dec 29, 2005 11:19 AM (in response to rameshsr)

Does this mean the whole SSO mechanism of JAAS is only a hype and not of any practical use?
Actions
5. Re: Setting up SSO on JBoss 3.2.x using JAAS

rameshsr Dec 29, 2005 10:39 PM (in response to rameshsr)

I came across one article, which discusses the single sign-on using JAAS. Though it doesn't specify to which application servers it would apply, it seems to indicate that single signon is something that someone has attempted.

Can someone tell me what this article is about and how it applies to JBoss?

http://www.devx.com/Java/Article/7865
Actions
6. Re: Setting up SSO on JBoss 3.2.x using JAAS

anil.saldhana Dec 29, 2005 11:38 PM (in response to rameshsr)

When you have realms or any other container facilities that provide sso features, you are talking of flexible declarative support. You do not have to explictly program for SSO. Everything is done by the container (in our case Tomcat).

The article that you refer relies on the configuration that is set statically via
http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/login/Configuration.html#getConfiguration()

The article talks about programmatic SSO in web applications, saying that each webapp will have a single loginmodule and the sso is achieved via the sharedstate map that is passed between the LoginModules (or the webapps).

This may be a viable option, but the work is done by you, not by the container.

JAAS provides a protocol/container independent authentication mechanism. Thats all there is to it, apart from the pluggability aspect of it.

It is better to look at container provided features to minimize the development work, but if you are really interested in portability, maybe you can disable all container security for your webapps and use code with a common store like ldap/db to store ur shared auth state.
Actions

Go to original post