4 Replies Latest reply on Aug 23, 2005 4:28 AM by lyo liren

    multiple war applications - single sign on

    Hans Newbie

      Hi there,

      I have 2 Web-Applications (war), which I have protected
      in my web.xml (url-pattern, roles...).
      Both need the same role. How can I achive that it's
      sufficient to sign on at the first application host/app1
      and then access host/app2 without having to
      identify again??
      (JBoss 3.x.x, Tomcat 4.1.x)

      Thanks four your help!!!

        • 1. 3762617
          jason poley Newbie

          since you can't share http session state between webapps, you should use an EJB (entity bean) that can be accessed from both, and you can use a browser cookie (provided both webapps are in same dns domain) to determine if they are logged on, (and if that special, encrypted cookie exists, then you fetch the ejb from either app)

          -jp

          • 2. Re: multiple war applications - single sign on
            Fernando Lozano Newbie

            You are plain wrong. The servlet 2.3 and j2ee 1.3 specs states that a web container should provide for single sign-on between multiple WARs that use form based authentication. Security contexts have nothing to do with session contexts.

            if you use jboss-tomcat, you have to change the tomcat-service*.xml to configure a Valve that enables single signon. There's a bug report filled on this (looks like only when Tomcat is inside jboss) so I guess it won't work but it should.

            If you use jetty, you are in bad luck. Jetty won't follow the specs on this respect, but the jetty developers already acknowledged the problem and are working on this.

            So it should work but it looks like it won't work now.

            • 3. Re: multiple war applications - single sign on
              jason poley Newbie

              sorry, i misspoke. i assumed that he also wanted to share session state. thats usually the next thing people ask for after auth.

              -j

              • 4. Re: multiple war applications - single sign on
                lyo liren Newbie

                 

                "flozano" wrote:
                You are plain wrong. The servlet 2.3 and j2ee 1.3 specs states that a web container should provide for single sign-on between multiple WARs that use form based authentication. Security contexts have nothing to do with session contexts.

                if you use jboss-tomcat, you have to change the tomcat-service*.xml to configure a Valve that enables single signon. There's a bug report filled on this (looks like only when Tomcat is inside jboss) so I guess it won't work but it should.

                If you use jetty, you are in bad luck. Jetty won't follow the specs on this respect, but the jetty developers already acknowledged the problem and are working on this.

                So it should work but it looks like it won't work now.


                Hi friends:

                I also want to know how to implement single sign on in JBoss Portal. Someone could help?