SingleSignOn

    Single Sign On (JBoss-3.2.3)

     

    The tomcat4.1.x/5.0.x single sign-on behavior has been updated to allow for propagation of the web app security context to the ejb container and other secured resources.

     

         Configuration: In the jbossweb-tomcat41.sar/META-INF/jboss-service.xml file,

          inside the element of any virtual hosts for which you want

          single sign-on support, add a element:

     

        < Valve className="org.jboss.web.tomcat.tc4.authenticator.SingleSignOn" debug="0"/ >
    

     

    For Tomcat 5.x: jbossweb-tomcat50.sar/server.xml

     

            <!-- Uncomment to enable single sign-on across web apps
            deployed to this host.
            <Valve className="org.apache.catalina.authenticator.SingleSignOn"
               debug="0"></Valve>
            -->
    

     

          The "debug" attribute specifies the detail level of debugging messages created by this component.

          By default, this is set to zero (0), which means no debug output. A value of two (2) produces

          a large amount of output, similar to DEBUG or TRACE level logging with Log4j.

     

         Please note the Tomcat SingleSignOn valve stores SSO keys in a map maintained in the

          local JVM; it is not shared across a cluster. This release does not deal with that limitation;

          it allows SSO between multiple webapps deployed on one server, but it isn't cluster-aware.

     

         Notes on mixing different authentication schemes in webapps under the same virtual host:

          There are some differences between the way this valve works and the way the standard Tomcat valve

          works in a situation where different webapps under the same virtual host use different authentication

          schemes. This is because JBoss requires that each request from the user be reauthenticated; therefore

          when each request comes in, the SingleSignOn valve needs to have available in its cache sufficient

          security information to reauthenticate the user.

     

          If when accessing a virtual host the user first visits a webapp that uses FORM or BASIC authentication, and then they visit another webapp that requires DIGEST, the cached username/password from the FORM/BASIC authentication will not be sufficient information to do a digest authentication, so the user will be prompted for a digest login. Once a digest login succeeds, the browser automatically sends authentication information with each request, so thereafter the user can switch between DIGEST and FORM/BASIC webapps without issue

     

    Clustered Single Sign On (JBoss-3.2.4RC2)

    As of the JBoss-3.2.4RC2 release, there is support for single sign-on of web applications across a cluster. To enable this, edit the jbossweb-tomcat50.sar/server.xml file and

          <!-- Uncomment to enable single sign-on across web apps
             deployed to this host AND to all other hosts in the cluster
             with the same virtual hostname.
    
             If this valve is used, do not use the standard Tomcat SingleSignOn
             valve shown above.
    
             This valve uses JGroups to communicate across the cluster.  The
             JGroups Channel used for this communication can be configured
             by editing the "sso-channel.xml" file found in the same folder
             as this file.  If this valve is running on a machine with multiple
             IP addresses, configuring the "bind_addr" property of the JGroups
             UDP protocol may be necessary.  Another possible configuration
             change would be to enable encryption of intra-cluster communications.
             See the sso-channel.xml file for more details.
    
             Besides the attributes supported by the standard Tomcat
             SingleSignOn valve (see the Tomcat docs), this version also supports
             the following attribute:
    
             partitionName     the name of the cluster partition in which
                            this node participates.  If not set, the default
                            value is "sso-partition/" + the value of the
                            "name" attribute of the Host element that
                            encloses this element (e.g. "sso-partition/localhost")
             -->
             <Valve className="org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn"
                debug="0"></Valve>