Posted to dev@tomcat.apache.org by Jason Harrop <jh...@bigpond.net.au> on 2001/03/01 14:55:34 UTC

[TC4] SingleSignOnSupport broken?

Hi

I'm using the TC4 sources from cvs from Feb 17 (well after the last 
commit to org.apache.catalina.authenticator.SingleSignOn), with SlideRealm.

I had been using three different webapps; each web.xml file had 
identical realm name, as in:

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>myRealm</realm-name>
    </login-config>

Without the SingleSignOn valve, this worked well; well, subject to a 
problem with Internet Explorer which I'm asking about in a separate post.

Because of that problem with Internet Explorer, I tried single sign on 
support instead.  However, it doesn't appear to work, in that I get an 
authentication challenge for each new realm (when I give the realm in 
each webapp a different name), and the logs always say "Checking for SSO 
cookie - SSO cookie is not present", as in:

2001-03-02 00:28:50 StandardHost[localhost]: Mapping request URI '/TestDrive-webdav/'
2001-03-02 00:28:50 StandardHost[localhost]:   Trying the longest context path prefix
2001-03-02 00:28:50 StandardHost[localhost]:  Mapped to context '/TestDrive-webdav'
2001-03-02 00:28:56 SingleSignOn[localhost]: Process request for '/TestDrive-webdav/'
2001-03-02 00:28:56 SingleSignOn[localhost]:  Checking for SSO cookie
2001-03-02 00:28:56 SingleSignOn[localhost]:  SSO cookie is not present

I have turned on user cookie approval in the browser, and the only 
cookie which is getting set is the JSESSIONID cookie.

Am I doing something which is obviously wrong? I've got the valve at the 
Host level.

thanks

Jason


Re: [TC4] SingleSignOnSupport broken?

Posted by Jason Harrop <jh...@bigpond.net.au>.
Craig R. McClanahan wrote:


> There is an (undocumented) restriction in the current implementation when using
> BASIC or DIGEST authentication with single sign on support -- the value you
> specify for <realm> in the security constraints needs to be the same for all of
> the webapps that are participating in the single sign on environment.  This is
> probably a bug (most of my development work was on using form-based login with
> this), but it should work if you use the same realm string.
> 

Craig, I did try it with identical <realm-name> in each web.xml file, 
before trying it with different ones.

If the realm names are identical, and I just use http basic 
authentication (which I do), what role would single sign on support 
play? I don't understand why it is needed at all - shouldn't the browser 
just send the authentication information to TC after receiving the 401 
with a WWW-Authenticate header?

thanks

Jason


Re: [TC4] SingleSignOnSupport broken?

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Jason Harrop wrote:

> Hi
>
> I'm using the TC4 sources from cvs from Feb 17 (well after the last
> commit to org.apache.catalina.authenticator.SingleSignOn), with SlideRealm.
>
> I had been using three different webapps; each web.xml file had
> identical realm name, as in:
>
>     <login-config>
>      <auth-method>BASIC</auth-method>
>      <realm-name>myRealm</realm-name>
>
> Without the SingleSignOn valve, this worked well; well, subject to a
> problem with Internet Explorer which I'm asking about in a separate post.
>
> Because of that problem with Internet Explorer, I tried single sign on
> support instead.  However, it doesn't appear to work, in that I get an
> authentication challenge for each new realm (when I give the realm in
> each webapp a different name), and the logs always say "Checking for SSO
> cookie - SSO cookie is not present", as in:
>
> 2001-03-02 00:28:50 StandardHost[localhost]: Mapping request URI '/TestDrive-webdav/'
> 2001-03-02 00:28:50 StandardHost[localhost]:   Trying the longest context path prefix
> 2001-03-02 00:28:50 StandardHost[localhost]:  Mapped to context '/TestDrive-webdav'
> 2001-03-02 00:28:56 SingleSignOn[localhost]: Process request for '/TestDrive-webdav/'
> 2001-03-02 00:28:56 SingleSignOn[localhost]:  Checking for SSO cookie
> 2001-03-02 00:28:56 SingleSignOn[localhost]:  SSO cookie is not present
>
> I have turned on user cookie approval in the browser, and the only
> cookie which is getting set is the JSESSIONID cookie.
>
> Am I doing something which is obviously wrong? I've got the valve at the
> Host level.
>

There is an (undocumented) restriction in the current implementation when using
BASIC or DIGEST authentication with single sign on support -- the value you
specify for <realm> in the security constraints needs to be the same for all of
the webapps that are participating in the single sign on environment.  This is
probably a bug (most of my development work was on using form-based login with
this), but it should work if you use the same realm string.

>
> thanks
>
> Jason

Craig
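
Added example, not part of any message in this thread and not Tomcat code: a pre-deployment check for the restriction described above, reporting BASIC/DIGEST webapps whose realm names differ. It assumes the "<realm>" value Craig mentions is the <realm-name> element inside <login-config>; the descriptors are constructed, and login_config and realm_mismatches are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed descriptors. Only /TestDrive-webdav and myRealm appear in the
# thread; the other context paths and realm names are made up.
WEBAPPS = {
    "/TestDrive-webdav": "<web-app><login-config><auth-method>BASIC</auth-method>"
                         "<realm-name>myRealm</realm-name></login-config></web-app>",
    "/app-two": "<web-app><login-config><auth-method>DIGEST</auth-method>"
                "<realm-name>otherRealm</realm-name></login-config></web-app>",
    "/app-three": "<web-app><login-config><auth-method>FORM</auth-method>"
                  "</login-config></web-app>",
    "/app-four": "<web-app></web-app>",  # no security configured
}

def _local(tag):
    """Drop an XML namespace prefix such as '{http://...}login-config'."""
    return tag.rsplit("}", 1)[-1]

def login_config(web_xml):
    """Return (auth-method, realm-name) from a web.xml string, or None."""
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) == "login-config":
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            return fields.get("auth-method", "").upper(), fields.get("realm-name", "")
    return None

def realm_mismatches(webapps):
    """Map realm-name -> context paths for BASIC/DIGEST webapps, but only
    when more than one distinct realm-name is in use; otherwise {}."""
    by_realm = defaultdict(list)
    for path, web_xml in sorted(webapps.items()):
        cfg = login_config(web_xml)
        if cfg and cfg[0] in ("BASIC", "DIGEST"):
            by_realm[cfg[1]].append(path)
    return dict(by_realm) if len(by_realm) > 1 else {}

if __name__ == "__main__":
    for realm, paths in realm_mismatches(WEBAPPS).items():
        print(f"realm-name {realm!r}: {', '.join(paths)}")
```

Form-based and unsecured webapps are skipped because the restriction in the reply is stated only for BASIC and DIGEST.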
