Posted to dev@tomcat.apache.org by Jason Harrop <jh...@bigpond.net.au> on 2001/03/01 14:55:34 UTC
[TC4] SingleSignOnSupport broken?
Hi
I'm using the TC4 sources from cvs from Feb 17 (well after the last
commit to org.apache.catalina.authenticator.SingleSignOn), with SlideRealm.
I had been using three different webapps; each web.xml file had
identical realm name, as in:
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myRealm</realm-name>
    </login-config>
Without the SingleSignOn valve, this worked well; well, subject to a
problem with Internet Explorer which I'm asking about in a separate post.
Because of that problem with Internet Explorer, I tried single sign on
support instead. However, it doesn't appear to work, in that I get an
authentication challenge for each new realm (when I give the realm in
each webapp a different name), and the logs always say "Checking for SSO
cookie - SSO cookie is not present", as in:
    2001-03-02 00:28:50 StandardHost[localhost]: Mapping request URI '/TestDrive-webdav/'
    2001-03-02 00:28:50 StandardHost[localhost]: Trying the longest context path prefix
    2001-03-02 00:28:50 StandardHost[localhost]: Mapped to context '/TestDrive-webdav'
    2001-03-02 00:28:56 SingleSignOn[localhost]: Process request for '/TestDrive-webdav/'
    2001-03-02 00:28:56 SingleSignOn[localhost]: Checking for SSO cookie
    2001-03-02 00:28:56 SingleSignOn[localhost]: SSO cookie is not present
I have turned on user cookie approval in the browser, and the only
cookie which is getting set is the JSESSIONID cookie.
Am I doing something which is obviously wrong? I've got the valve at the
Host level.
thanks
Jason
Re: [TC4] SingleSignOnSupport broken?
Posted by Jason Harrop <jh...@bigpond.net.au>.
Craig R. McClanahan wrote:
> There is an (undocumented) restriction in the current implementation when using
> BASIC or DIGEST authentication with single sign on support -- the value you
> specify for <realm> in the security constraints needs to be the same for all of
> the webapps that are participating in the single sign on environment. This is
> probably a bug (most of my development work was on using form-based login with
> this), but it should work if you use the same realm string.
>
Craig, I did try it with identical <realm-name> in each web.xml file,
before trying it with different ones.
If the realm names are identical, and I just use HTTP basic
authentication (which I do), what role would single sign on support
play? I don't understand why it is needed at all - shouldn't the browser
just send the authentication information to TC after receiving the 401
with a WWW-Authenticate header?
thanks
Jason
Re: [TC4] SingleSignOnSupport broken?
Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Jason Harrop wrote:
> Hi
>
> I'm using the TC4 sources from cvs from Feb 17 (well after the last
> commit to org.apache.catalina.authenticator.SingleSignOn), with SlideRealm.
>
> I had been using three different webapps; each web.xml file had
> identical realm name, as in:
>
>     <login-config>
>         <auth-method>BASIC</auth-method>
>         <realm-name>myRealm</realm-name>
>     </login-config>
>
> Without the SingleSignOn valve, this worked well; well, subject to a
> problem with Internet Explorer which I'm asking about in a separate post.
>
> Because of that problem with Internet Explorer, I tried single sign on
> support instead. However, it doesn't appear to work, in that I get an
> authentication challenge for each new realm (when I give the realm in
> each webapp a different name), and the logs always say "Checking for SSO
> cookie - SSO cookie is not present", as in:
>
>     2001-03-02 00:28:50 StandardHost[localhost]: Mapping request URI '/TestDrive-webdav/'
>     2001-03-02 00:28:50 StandardHost[localhost]: Trying the longest context path prefix
>     2001-03-02 00:28:50 StandardHost[localhost]: Mapped to context '/TestDrive-webdav'
>     2001-03-02 00:28:56 SingleSignOn[localhost]: Process request for '/TestDrive-webdav/'
>     2001-03-02 00:28:56 SingleSignOn[localhost]: Checking for SSO cookie
>     2001-03-02 00:28:56 SingleSignOn[localhost]: SSO cookie is not present
>
> I have turned on user cookie approval in the browser, and the only
> cookie which is getting set is the JSESSIONID cookie.
>
> Am I doing something which is obviously wrong? I've got the valve at the
> Host level.
>
There is an (undocumented) restriction in the current implementation when using
BASIC or DIGEST authentication with single sign on support -- the value you
specify for <realm> in the security constraints needs to be the same for all of
the webapps that are participating in the single sign on environment. This is
probably a bug (most of my development work was on using form-based login with
this), but it should work if you use the same realm string.
>
> thanks
>
> Jason
Craig
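
Added example, not part of the thread and not Tomcat code: a small Python model of the browser side of BASIC authentication, in which cached credentials are keyed by origin and realm (the protection space of RFC 7235). The origin, the credentials, the realm names other than myRealm and the context paths other than /TestDrive-webdav are constructed; it shows why identical realm names lead to one login prompt and distinct realm names to one prompt per webapp.

```python
import base64
import re

ORIGIN = "http://localhost:8080"          # constructed
USER, PASSWORD = "jason", "example-pw"    # constructed credentials

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def make_server(realm_by_context):
    """Constructed server: each context path answers 401 with its own realm."""
    def handle(path, authorization=None):
        context = "/" + path.split("/")[1]
        if authorization == basic(USER, PASSWORD):
            return 200, {}
        realm = realm_by_context[context]
        return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}
    return handle

class Browser:
    """Caches credentials per protection space: (origin, realm)."""
    def __init__(self, origin):
        self.origin = origin
        self.cache = {}
        self.prompts = 0

    def get(self, server, path):
        status, headers = server(path)
        if status != 401:
            return status
        realm = re.search(r'realm="([^"]*)"', headers["WWW-Authenticate"]).group(1)
        key = (self.origin, realm)
        if key in self.cache:                       # known realm: retry silently
            status, _ = server(path, self.cache[key])
            if status == 200:
                return status
        self.prompts += 1                           # unknown realm: ask the user
        credentials = basic(USER, PASSWORD)         # stands in for the login dialog
        status, _ = server(path, credentials)
        if status == 200:
            self.cache[key] = credentials
        return status

def count_prompts(realm_by_context):
    """Visit every webapp once; return (all requests succeeded, prompts shown)."""
    server, browser = make_server(realm_by_context), Browser(ORIGIN)
    statuses = [browser.get(server, ctx + "/") for ctx in realm_by_context]
    return all(s == 200 for s in statuses), browser.prompts

SAME = {"/TestDrive-webdav": "myRealm", "/app-b": "myRealm", "/app-c": "myRealm"}
DIFFERENT = {"/TestDrive-webdav": "realmA", "/app-b": "realmB", "/app-c": "realmC"}
```
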