Single Sign On (JBoss-3.2.3)


The Tomcat 4.1.x/5.0.x single sign-on behavior has been updated to allow propagation of the web app security context to the EJB container and other secured resources.


Configuration: In the jbossweb-tomcat41.sar/META-INF/jboss-service.xml file, inside the <Host> element of any virtual host for which you want single sign-on support, add a <Valve> element:


    <Valve className="org.jboss.web.tomcat.tc4.authenticator.SingleSignOn" debug="0"/>


For Tomcat 5.x: jbossweb-tomcat50.sar/server.xml


        <!-- Uncomment to enable single sign-on across web apps
        deployed to this host.
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->


The "debug" attribute specifies the detail level of debugging messages created by this component. By default, this is set to zero (0), which means no debug output. A value of two (2) produces a large amount of output, similar to DEBUG or TRACE level logging with Log4j.


Please note the Tomcat SingleSignOn valve stores SSO keys in a map maintained in the local JVM; it is not shared across a cluster. This release does not deal with that limitation; it allows SSO between multiple webapps deployed on one server, but it isn't cluster-aware.


Notes on mixing different authentication schemes in webapps under the same virtual host:

There are some differences between the way this valve works and the way the standard Tomcat valve works in a situation where different webapps under the same virtual host use different authentication schemes. This is because JBoss requires that each request from the user be reauthenticated; therefore when each request comes in, the SingleSignOn valve needs to have available in its cache sufficient security information to reauthenticate the user.


If, when accessing a virtual host, the user first visits a webapp that uses FORM or BASIC authentication and then visits another webapp that requires DIGEST, the cached username/password from the FORM/BASIC authentication will not be sufficient information to do a digest authentication, so the user will be prompted for a digest login. Once a digest login succeeds, the browser automatically sends authentication information with each request, so thereafter the user can switch between DIGEST and FORM/BASIC webapps without issue.


Clustered Single Sign On (JBoss-3.2.4RC2)

As of the JBoss-3.2.4RC2 release, there is support for single sign-on of web applications across a cluster. To enable this, edit the jbossweb-tomcat50.sar/server.xml file and

      <!-- Uncomment to enable single sign-on across web apps
         deployed to this host AND to all other hosts in the cluster
         with the same virtual hostname.

         If this valve is used, do not use the standard Tomcat SingleSignOn
         valve shown above.

         This valve uses JGroups to communicate across the cluster.  The
         JGroups Channel used for this communication can be configured
         by editing the "sso-channel.xml" file found in the same folder
         as this file.  If this valve is running on a machine with multiple
         IP addresses, configuring the "bind_addr" property of the JGroups
         UDP protocol may be necessary.  Another possible configuration
         change would be to enable encryption of intra-cluster communications.
         See the sso-channel.xml file for more details.

         Besides the attributes supported by the standard Tomcat
         SingleSignOn valve (see the Tomcat docs), this version also supports
         the following attribute:

         partitionName     the name of the cluster partition in which
                        this node participates.  If not set, the default
                        value is "sso-partition/" + the value of the
                        "name" attribute of the Host element that
                        encloses this element (e.g. "sso-partition/localhost")
         <Valve className="org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn" />
      -->
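
An added example, not part of the JBoss distribution or of the original page: a Python check that reads a server.xml and reports, for each Host, which SSO valve is active and the effective partitionName (applying the default described above). It warns when the standard and clustered valves are enabled together or when debug is non-zero. The sample server.xml is constructed and the function name audit_sso is hypothetical.

```python
import xml.etree.ElementTree as ET

# Valve class names as they appear on this page.
STANDARD = {
    "org.apache.catalina.authenticator.SingleSignOn",
    "org.jboss.web.tomcat.tc4.authenticator.SingleSignOn",
}
CLUSTERED = "org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn"

# Constructed sample server.xml; host names and layout are illustrative only.
SAMPLE = """<Server><Service name="jboss.web"><Engine name="jboss.web" defaultHost="localhost">
  <Host name="localhost">
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="2"/>
    <Valve className="org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn"/>
  </Host>
  <Host name="intranet">
    <!-- <Valve className="org.apache.catalina.authenticator.SingleSignOn"/> -->
  </Host>
  <Host name="portal">
    <Valve className="org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn"
           partitionName="sso-partition/shared"/>
  </Host>
</Engine></Service></Server>"""

def audit_sso(server_xml):
    """Return {host name: {"mode", "partition", "warnings"}} for every Host."""
    report = {}
    # ElementTree drops XML comments, so commented-out valves are not counted.
    for host in ET.fromstring(server_xml).iter("Host"):
        name = host.get("name", "")
        valves = host.findall("Valve")
        standard = [v for v in valves if v.get("className") in STANDARD]
        clustered = [v for v in valves if v.get("className") == CLUSTERED]
        warnings = []
        if standard and clustered:
            warnings.append("standard and clustered SSO valves both active")
        for v in standard + clustered:
            if int(v.get("debug", "0")) > 0:
                warnings.append("debug=%s on %s" % (v.get("debug"), v.get("className")))
        mode = "clustered" if clustered else "local" if standard else "none"
        partition = None
        if clustered:
            # Default documented above: "sso-partition/" + enclosing Host name.
            partition = clustered[0].get("partitionName", "sso-partition/" + name)
        report[name] = {"mode": mode, "partition": partition, "warnings": warnings}
    return report

if __name__ == "__main__":
    for host, info in audit_sso(SAMPLE).items():
        print(host, info)
```

A Host reported as "local" on a clustered deployment keeps its SSO keys in one JVM only, which is the limitation described for the standard valve.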