Thanks Brian. Earlier I looked at this link and it didn't interest me much, since this is the Tomcat way of implementing SSO using a valve.
Reading so much about JAAS, I feel that I should have some way of setting up SSO using JAAS instead of Tomcat Valve. Is there another way that JBoss provides that would purely use JAAS?
The problem is that with each request your browser needs to present some kind of credentials to the webserver, which the webserver can then use to pass the necessary information to the JAAS layer. In a simple one-app scenario, this is the session cookie. With two apps, how does the security layer know who the caller is when the first request for app2 comes in?
Does this mean the whole SSO mechanism of JAAS is only hype and not of any practical use?
I came across one article which discusses single sign-on using JAAS. Though it doesn't specify which application servers it would apply to, it seems to indicate that single sign-on is something that someone has attempted.
Can someone tell me what this article is about and how it applies to JBoss?
When you have realms or any other container facilities that provide SSO features, you are talking about flexible declarative support. You do not have to explicitly program for SSO. Everything is done by the container (in our case Tomcat).
The article that you refer to relies on the configuration that is set statically via
The article talks about programmatic SSO in web applications, saying that each webapp will have a single LoginModule and the SSO is achieved via the sharedState map that is passed between the LoginModules (or the webapps).
This may be a viable option, but the work is done by you, not by the container.
JAAS provides a protocol/container-independent authentication mechanism. That's all there is to it, apart from the pluggability aspect of it.
It is better to look at container-provided features to minimize the development work, but if you are really interested in portability, maybe you can disable all container security for your webapps and use code with a common store like LDAP/DB to store your shared auth state.
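As an added illustration of the sharedState hand-off the reply above describes (this is example code written for this page, not from the article, the thread, JBoss or Tomcat): two JAAS LoginModules are chained in one programmatic Configuration. The first module prompts through the CallbackHandler, checks the credentials against a constructed in-memory store (a real module would consult the LDAP/DB store the reply mentions) and publishes the identity into sharedState under the same keys the JDK's own "useFirstPass" modules use; the second module never prompts and simply trusts what it finds in sharedState. The module names, the user "alice" and the password are all constructed for the demo.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class SharedStateSsoDemo {
    // Well-known sharedState keys; the JDK's bundled modules read these when "useFirstPass" is set.
    static final String NAME_KEY = "javax.security.auth.login.name";
    static final String PASS_KEY = "javax.security.auth.login.password";

    /** Minimal Principal so the Subject ends up with a visible identity after commit(). */
    public static class SimplePrincipal implements Principal {
        private final String name;
        public SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public String toString() { return "SimplePrincipal[" + name + "]"; }
    }

    /** Module 1 (hypothetical name): authenticates via callbacks and publishes the identity into sharedState. */
    public static class PromptingModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private Map<String, Object> shared; private String user;
        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> options) {
            subject = s; handler = h; shared = (Map<String, Object>) sharedState;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.getMessage()); }
            // Constructed credential store for the demo only; a real module would query LDAP/DB here.
            boolean ok = "alice".equals(nc.getName()) && Arrays.equals("s3cret".toCharArray(), pc.getPassword());
            if (!ok) throw new LoginException("bad credentials");
            user = nc.getName();
            shared.put(NAME_KEY, user);                 // hand the identity to the next module in the chain
            shared.put(PASS_KEY, pc.getPassword().clone());
            pc.clearPassword();
            return true;
        }
        public boolean commit() { subject.getPrincipals().add(new SimplePrincipal(user)); return true; }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Module 2 (hypothetical name): never prompts, accepts whatever identity sharedState already carries. */
    public static class SharedStateModule implements LoginModule {
        private Subject subject; private Map<String, ?> shared; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> options) {
            subject = s; shared = sharedState;
        }
        public boolean login() throws LoginException {
            Object name = shared.get(NAME_KEY);
            if (name == null) throw new LoginException("no identity in sharedState; an earlier module must log in first");
            user = name.toString();
            return true;
        }
        public boolean commit() { subject.getPrincipals().add(new SimplePrincipal(user + "@app2")); return true; }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Programmatic equivalent of a two-entry login-config stanza; both modules are REQUIRED. */
    static Configuration chain() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(PromptingModule.class.getName(), LoginModuleControlFlag.REQUIRED, opts),
                    new AppConfigurationEntry(SharedStateModule.class.getName(), LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        // Callback handler standing in for the browser form; values are constructed for the demo.
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("demo", new Subject(), handler, chain());
        lc.login();   // module 1 prompts once; module 2 rides on sharedState
        System.out.println("principals: " + lc.getSubject().getPrincipals());
    }
}
```

Run it with `javac SharedStateSsoDemo.java && java SharedStateSsoDemo`; the Subject ends up with both principals after a single prompt. The limit this makes visible is the one the earlier reply raised: sharedState is a map scoped to one LoginContext.login() call inside one JVM, so it lets modules in a chain share credentials, but it does not survive to the next HTTP request or cross into another webapp's LoginContext. Carrying the authenticated identity across requests and applications still needs either the container's SSO valve/realm or your own shared store, and the password copy placed in sharedState should be cleared as soon as the last module has used it.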