Posted to users@tomcat.apache.org by pushme <pu...@gmail.com> on 2011/08/21 13:30:28 UTC

About SSO between Apache2 and Tomcat...

Hello,

so I had the brilliant idea to develop a web application using GWT
(basically JavaScript at the client which communicates over RPC with Java
servlets) and embed it into a Joomla site. The servlets are running on
Tomcat behind an Apache2 webserver at which Joomla is running. Now I need
some clarification about single sign-on and how to achieve it between Apache
and Tomcat.
Here's what I'd like to do:
1. User authenticates against Joomla (running on Apache).
2. GWT (JavaScript) client side code queries the Joomla
userId/sessionId/orWhateverItsCalled and passes it to the servlets at each
RPC call.
3. The Servlet (running on Tomcat) asks Apache if the
userId/sessionId/orWhateverItsCalled-WhatsItCalledBTW? is still valid.
4. then Servlet continues or refuses...

The short question is how can this be achieved with as little effort as
possible? I.e. Does this setup make sense at all? and if so, how do I have
to set up Tomcat and Apache in order to allow a servlet (running on Tomcat)
to query Apache if a given userId/sessionId/whatever is still valid?
I don't know if this is possible at all so any information is welcome.

Thanks for your support!
-- 
View this message in context: http://old.nabble.com/About-SSO-between-Apache2-and-Tomcat...-tp32305140p32305140.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: About SSO between Apache2 and Tomcat...

Posted by Christopher Schultz <ch...@christopherschultz.net>.
To whom it may concern,

On 8/21/2011 7:30 AM, pushme wrote:
> Here's what I'd like to do: 1. User authenticates against Joomla
> (running on Apache).

For those playing along at home, Joomla is PHP-based. Pushme, how does
Joomla perform its authentication? Presumably it's not Apache-based,
but something internal to Joomla, right?

> 2. GWT (JavaScript) client side code queries the Joomla
> userId/sessionId/orWhateverItsCalled and passes it to the servlets
> at each RPC call. 3. The Servlet (running on Tomcat) asks Apache if
> the userId/sessionId/orWhateverItsCalled-WhatsItCalledBTW? is still
> valid.

I would think that the servlet would have to ask Joomla about the
credentials and/or session identification. The first question is: does
the servlet even have access to anything like that? Is there even a
cookie/request parameter going to the servlet that can be used to ask
Joomla?

> The short question is how can this be achieved with as little effort
> as possible?

I think you'd have to create an authentication verification service
within Joomla. Perhaps one already exists (but probably not).

> I.e. Does this setup make sense at all?

Yes, but it's awkward :)

> and if so, how do I have to set up Tomcat and Apache in order to
> allow a servlet (running on Tomcat) to query Apache if a given
> userId/sessionId/whatever is still valid?

I think you'll have to implement everything yourself. A (relatively)
simple hey-Joomla-is-this-user-token-currently-valid message is all
that would be needed... just call that from the servlet and read the
response. If all is well, continue processing, otherwise return some
appropriate error code and/or redirect the user toward whatever the
login mechanism is.

> I don't know if this is possible at all so any information is
> welcome.

Sure, it's possible.

-chris
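
The "is this user token currently valid" call described in the reply above, sketched as a servlet filter that fails closed. This is an added example, not code from the thread or from Joomla or Tomcat. Assumptions: the validation endpoint `validate.php`, the `X-Joomla-Token` request header, the token character set, and a response body carrying the numeric user id are all hypothetical and would have to be built on the Joomla side.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.*;
import java.time.Duration;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: blocks RPC calls whose session token Joomla does not confirm. */
public class JoomlaTokenFilter implements Filter {
    // Hypothetical endpoint: a small PHP script you would add to Joomla yourself.
    private static final URI VALIDATE = URI.create("http://127.0.0.1/sso/validate.php");
    // Assumed token shape; rejecting anything else avoids forwarding hostile input.
    private static final Pattern TOKEN = Pattern.compile("[A-Za-z0-9-]{16,128}");
    private final HttpClient http = HttpClient.newBuilder()
            .connectTimeout(Duration.ofSeconds(2)).build();

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String token = req.getHeader("X-Joomla-Token"); // hypothetical header set by the GWT client
        String user = (token != null && TOKEN.matcher(token).matches()) ? lookup(token) : null;
        if (user == null) { // fail closed: missing, malformed, unknown token, or backend error
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.setAttribute("joomla.user", user); // identity comes from Joomla, never from the client
        chain.doFilter(req, res);
    }

    /** Returns the user id Joomla reports for the token, or null if it is not valid. */
    private String lookup(String token) {
        HttpRequest q = HttpRequest.newBuilder(VALIDATE)
                .timeout(Duration.ofSeconds(2))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString("token=" + token)) // body, not URL: stays out of access logs
                .build();
        try {
            HttpResponse<String> r = http.send(q, HttpResponse.BodyHandlers.ofString());
            String body = r.body().trim();
            return (r.statusCode() == 200 && body.matches("[0-9]{1,10}")) ? body : null;
        } catch (IOException | InterruptedException e) {
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
            return null; // a validation outage must not turn into an authentication bypass
        }
    }
}
```

The servlets read the user from the `joomla.user` request attribute rather than from any user id sent by the browser, so a client cannot claim another user's identity by changing a parameter.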
