2 Replies Latest reply on Jan 18, 2006 6:37 AM by Joris Wijlens

    Single login page for whole server/cluster with singlesignon

    Joris Wijlens Newbie


      I have got singlesignon working in jboss. I use the LDAP login module. And from several web applications I use that. But my problem is that I have to include the login page with every web appl. I want to use form as my authentication method.

      I first wanted to use Apache in front of JBoss and let Apache handle the single sign-on. But I saw that the module mod_auth_ldap is experimental. So I chose not to use that.

      How can I have single sign on with one login page that is used by all applications?

      Thanks anyway,

      Joris Wijlens

        • 1. Re: Single login page for whole server/cluster with singlesi
          Brian Stansberry Master

          I saw the following trick used once in another forum post. This only works if the set of apps have a common "home page" that people should see after they log on.

          1) Use either the Tomcat SingleSignOn valve or JBoss's ClusteredSingleSignOn.

          2) In one war, the "main war", have your logon form, plus the home page, e.g. index.jsp. This war is configured normally for FORM authentication in web.xml.

          3) In the other wars, apply security constraints to the pages, but don't include a login-config element in web.xml. Instead, include an error-page element that directs tomcat to use a special page "redirect.jsp" for 403 errors.

          4) That "redirect.jsp" page is very simple - has no output, just issues a browser redirect to the index.jsp in "main.war".

          If a user tries to access any war except the main one without logging in, Tomcat will issue a 403. This triggers the redirect.jsp, which redirects the user to /main/index.jsp. There they hit the normal FORM authentication. Once they authenticate, they see index.jsp. After that the credentials cached with SSO allow them to access the other apps.

          Of course now you've got a "redirect.jsp" in every war instead of a "login.jsp", so I'm not sure why they did all this. But I guess it saves you having to package ancillary login-related images, css, javascript etc in each war.
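
The deployment descriptor for one of the "other" wars in steps 3 and 4 above might look like the following. This is an added example, not part of the original post; the role name `app-user` and the resource name are hypothetical, and `/main/index.jsp` is the home page path used in the reply.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml of a secondary war (constructed example) -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Step 3: protect the pages as usual. "app-user" is a hypothetical
       role; use the role your login module assigns. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>app-user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Step 3: deliberately no <login-config> element in this war.
       Only the main war declares FORM authentication. -->

  <!-- Step 3: send 403 responses to the redirect page. -->
  <error-page>
    <error-code>403</error-code>
    <location>/redirect.jsp</location>
  </error-page>

  <security-role>
    <role-name>app-user</role-name>
  </security-role>

  <!-- Step 4: redirect.jsp produces no output and only redirects to the
       main war. Its whole content can be one scriptlet:

       <% response.sendRedirect("/main/index.jsp"); %>
  -->
</web-app>
```

An authenticated user who lacks the required role also receives a 403 in this war, so that user is sent to the home page as well rather than shown an access-denied message. The redirect target is fixed, so the originally requested URL is not preserved.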

          • 2. Re: Single login page for whole server/cluster with singlesi
            Joris Wijlens Newbie

            Thanks for the reply,

            I could imagine us having a home page with all the links to the separate webapps. But then again we have to update that page for every new deployment. We develop in a 24 * 7 environment so I can't interfere with live applications. The trouble of putting a login screen in every application is less than this, I'm afraid.

            What about JOSSO, can that project solve this problem for me? Or is there anything more structural in the making? Talking about use cases, I think this one is very basic in terms of single sign-on.


            Joris Wijlens

            Philips Semiconductors