Single Sign On (JBoss-3.2.3)
The tomcat4.1.x/5.0.x single sign-on behavior has been updated to allow for propagation of the web app security context to the ejb container and other secured resources.
Configuration: In the jbossweb-tomcat41.sar/META-INF/jboss-service.xml file,
inside the <Host> element of any virtual host for which you want
single sign-on support, add a <Valve> element:
<Valve className="org.jboss.web.tomcat.tc4.authenticator.SingleSignOn" debug="0"/>
For Tomcat 5.x, the equivalent entry is in jbossweb-tomcat50.sar/server.xml:
<!-- Uncomment to enable single sign-on across web apps deployed to this host.
<Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="0"></Valve>
-->
The "debug" attribute specifies the detail level of debugging messages created by this component.
By default, this is set to zero (0), which means no debug output. A value of two (2) produces
a large amount of output, similar to DEBUG or TRACE level logging with Log4j.
Please note the Tomcat SingleSignOn valve stores SSO keys in a map maintained in the
local JVM; it is not shared across a cluster. This release does not deal with that limitation;
it allows SSO between multiple webapps deployed on one server, but it isn't cluster-aware.
Notes on mixing different authentication schemes in webapps under the same virtual host:
There are some differences between the way this valve works and the way the standard Tomcat valve
works in a situation where different webapps under the same virtual host use different authentication
schemes. This is because JBoss requires that each request from the user be reauthenticated; therefore
when each request comes in, the SingleSignOn valve needs to have available in its cache sufficient
security information to reauthenticate the user.
If, when accessing a virtual host, the user first visits a webapp that uses FORM or BASIC authentication and then visits another webapp that requires DIGEST, the cached username/password from the FORM/BASIC authentication is not sufficient to perform a digest authentication, so the user will be prompted for a digest login. Once a digest login succeeds, the browser automatically sends authentication information with each request, so thereafter the user can switch between DIGEST and FORM/BASIC webapps without issue.
Clustered Single Sign On (JBoss-3.2.4RC2)
As of the JBoss-3.2.4RC2 release, there is support for single sign-on of web applications across a cluster. To enable this, edit the jbossweb-tomcat50.sar/server.xml file and
<!-- Uncomment to enable single sign-on across web apps deployed to this host
     AND to all other hosts in the cluster with the same virtual hostname.
     If this valve is used, do not use the standard Tomcat SingleSignOn valve
     shown above.
     This valve uses JGroups to communicate across the cluster. The JGroups
     Channel used for this communication can be configured by editing the
     "sso-channel.xml" file found in the same folder as this file. If this
     valve is running on a machine with multiple IP addresses, configuring the
     "bind_addr" property of the JGroups UDP protocol may be necessary. Another
     possible configuration change would be to enable encryption of
     intra-cluster communications. See the sso-channel.xml file for more details.
     Besides the attributes supported by the standard Tomcat SingleSignOn valve
     (see the Tomcat docs), this version also supports the following attribute:
       partitionName  the name of the cluster partition in which this node
                      participates. If not set, the default value is
                      "sso-partition/" + the value of the "name" attribute of
                      the Host element that encloses this element
                      (e.g. "sso-partition/localhost")
<Valve className="org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn" debug="0"></Valve>
-->
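The three cache behaviours described above (the standard valve's map living in one JVM, the per-request reauthentication that makes a cached FORM/BASIC password useless for a DIGEST webapp, and the partition-wide map of ClusteredSingleSignOn) as a small Python model. This is an added illustration, not JBoss or Tomcat code: the SsoValve, SsoEntry and scenario names are assumptions, the "credential" strings are constructed, and a dict shared between two valve instances stands in for the JGroups channel.

```python
"""Behavioural model of the SSO valve cache as the JBoss notes describe it.
Constructed illustration; class and function names are assumptions, not
JBoss/Tomcat APIs."""
from dataclasses import dataclass

FORM, BASIC, DIGEST = "FORM", "BASIC", "DIGEST"
PASSWORD_SCHEMES = {FORM, BASIC}   # both reauthenticate with a reusable username/password


@dataclass
class SsoEntry:
    principal: str
    auth_type: str    # scheme the cached credential was obtained with
    credential: str   # constructed placeholder: password for FORM/BASIC, digest material for DIGEST


def default_partition_name(host_name: str) -> str:
    """Default partitionName of ClusteredSingleSignOn when the attribute is unset."""
    return "sso-partition/" + host_name


class SsoValve:
    """One valve per node. `cache` is the SSO-id -> entry map: a private dict models
    the standard valve (per-JVM map), a dict shared by several valves models the
    cluster-replicated map of ClusteredSingleSignOn."""

    def __init__(self, cache: dict):
        self.cache = cache

    def request(self, sso_id: str, scheme: str, header: SsoEntry = None) -> str:
        """Decide 'OK' or 'PROMPT' for a request to a webapp protected by `scheme`.
        JBoss reauthenticates every request, so the decision is taken each time."""
        # Credentials the browser attached itself (it does so automatically after a DIGEST login).
        if header is not None and header.auth_type == scheme:
            self.cache[sso_id] = header
            return "OK"
        entry = self.cache.get(sso_id)
        if entry is None:
            return "PROMPT"                     # nothing cached for this SSO id on this node
        if scheme in PASSWORD_SCHEMES:
            return "OK"                         # cached entry is enough to reauthenticate
        # DIGEST webapp: a cached FORM/BASIC password cannot answer a digest challenge.
        return "OK" if entry.auth_type == DIGEST else "PROMPT"

    def login(self, sso_id: str, scheme: str, principal: str, credential: str) -> SsoEntry:
        """Interactive login after a PROMPT; populates the cache for later requests."""
        entry = SsoEntry(principal, scheme, credential)
        self.cache[sso_id] = entry
        return entry


def mixed_scheme_scenario() -> list:
    """FORM webapp first, then BASIC, then DIGEST, then back to FORM (the note above)."""
    valve = SsoValve({})
    outcomes = [valve.request("sso1", FORM)]                  # PROMPT: nothing cached yet
    valve.login("sso1", FORM, "alice", "alice-password")      # constructed credential
    outcomes.append(valve.request("sso1", BASIC))             # OK: password reused
    outcomes.append(valve.request("sso1", DIGEST))            # PROMPT: password is not digest material
    digest = valve.login("sso1", DIGEST, "alice", "digest-response")  # constructed
    # From here on the browser sends the digest Authorization header with every request.
    outcomes.append(valve.request("sso1", DIGEST, header=digest))   # OK
    outcomes.append(valve.request("sso1", FORM, header=digest))     # OK
    return outcomes


def cluster_scenario(clustered: bool) -> tuple:
    """Log in on node A, then send the same SSO cookie to node B."""
    partition = default_partition_name("localhost")
    shared = {partition: {}}                                   # one map per partition
    node_a = SsoValve(shared[partition] if clustered else {})
    node_b = SsoValve(shared[partition] if clustered else {})
    node_a.login("sso2", FORM, "bob", "bob-password")          # constructed credential
    return node_a.request("sso2", FORM), node_b.request("sso2", FORM)


if __name__ == "__main__":
    print("mixed schemes:", mixed_scheme_scenario())
    print("standard valve across two nodes:", cluster_scenario(clustered=False))
    print("clustered valve across two nodes:", cluster_scenario(clustered=True))
```

With the standard valve the second node answers PROMPT because its map is empty; with the clustered valve both nodes read the same partition map, which is the gap ClusteredSingleSignOn closes. The mixed-scheme run shows the single extra DIGEST prompt the note predicts and no further prompts afterwards.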