1 Reply Latest reply on Feb 22, 2004 12:57 AM by Scott Stark

    Help! How to configure SSO in JBoss 3.2.3

    nerotnt Newbie

      Can someone please help me configure or set up single sign-on in JBoss 3.2.3?
      I want to use it between two webapps.

      Thanks in advance.

        • 1. Re: Help! How to configure SSO in JBoss 3.2.3
          Scott Stark Master

          From the jboss-3.2.3 release notes:

          The tomcat4.1.x single sign-on behavior has been updated to allow for propagation of the web app security context to the ejb container and other secured resources.

          Configuration: In the jbossweb-tomcat41.sar/META-INF/jboss-service.xml file,
          inside the <Host> element of any virtual hosts for which you want
          single sign-on support, add a <Valve> element:

          <Valve className="org.jboss.web.tomcat.tc4.authenticator.SingleSignOn" debug="0"/>

          The "debug" attribute specifies the detail level of debugging messages created by this component.
          By default, this is set to zero (0), which means no debug output. A value of two (2) produces
          a large amount of output, similar to DEBUG or TRACE level logging with Log4j.

          Please note the Tomcat SingleSignOn valve stores SSO keys in a map maintained in the
          local JVM; it is not shared across a cluster. This release does not deal with that limitation;
          it allows SSO between multiple webapps deployed on one server, but it isn't cluster-aware.

          Notes on mixing different authentication schemes in webapps under the same virtual host:
          There are some differences between the way this valve works and the way the standard Tomcat valve
          works in a situation where different webapps under the same virtual host use different authentication
          schemes. This is because JBoss requires that each request from the user be reauthenticated; therefore
          when each request comes in, the SingleSignOn valve needs to have available in its cache sufficient
          security information to reauthenticate the user.

          If, when accessing a virtual host, the user first visits a webapp that uses FORM or BASIC authentication, and then they visit another webapp that requires DIGEST, the cached username/password from the FORM/BASIC authentication will not be sufficient information to do a digest authentication, so the user will be prompted for a digest login. Once a digest login succeeds, the browser automatically sends authentication information with each request, so thereafter the user can switch between DIGEST and FORM/BASIC webapps without issue.
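
A check for the configuration quoted in the reply above, added here as an example and not taken from the thread or from JBoss: it reports which virtual hosts carry the SingleSignOn valve, the `debug` level of each, and any SSO valve that is not directly inside a virtual host. It assumes virtual hosts are Tomcat `<Host>` elements with a `name` attribute; the sample XML, its wrapper element and its host names are constructed.

```python
import xml.etree.ElementTree as ET

SSO_CLASS = "org.jboss.web.tomcat.tc4.authenticator.SingleSignOn"

# Constructed sample, NOT the real jboss-service.xml layout: only the
# <Host>/<Valve> nesting matters; <Config> and the host names are made up.
SAMPLE = """
<Config>
  <Host name="localhost">
    <Valve className="org.jboss.web.tomcat.tc4.authenticator.SingleSignOn" debug="2"/>
  </Host>
  <Host name="intranet.example">
    <Valve className="org.example.OtherValve"/>
  </Host>
  <Valve className="org.jboss.web.tomcat.tc4.authenticator.SingleSignOn" debug="0"/>
</Config>
"""

def audit_sso(xml_text):
    """Return (per-host report, count of SSO valves outside any <Host>)."""
    root = ET.fromstring(xml_text)
    report = {}
    for host in root.iter("Host"):
        name = host.get("name", "(unnamed)")
        valves = [v for v in host.findall("Valve")
                  if v.get("className") == SSO_CLASS]
        entry = {"sso": bool(valves), "debug": None, "notes": []}
        if valves:
            # The release notes give 0 as the default debug level.
            entry["debug"] = int(valves[0].get("debug", "0"))
            if entry["debug"] > 0:
                entry["notes"].append("debug output enabled; 0 is the quiet default")
            if len(valves) > 1:
                entry["notes"].append("SingleSignOn valve declared more than once")
        else:
            entry["notes"].append("no SingleSignOn valve: webapps here log in separately")
        report[name] = entry
    # A valve whose parent is not a <Host> is not where the notes place it.
    parent = {child: p for p in root.iter() for child in p}
    misplaced = sum(1 for v in root.iter("Valve")
                    if v.get("className") == SSO_CLASS
                    and parent[v].tag != "Host")
    return report, misplaced

if __name__ == "__main__":
    hosts, misplaced = audit_sso(SAMPLE)
    for name, entry in hosts.items():
        print(name, entry)
    print("SSO valves outside a <Host>:", misplaced)
```
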