Posted to users@tomcat.apache.org by Ben Bookey <br...@hotmail.com> on 2005/07/08 12:19:35 UTC

Using Single Sign on to access another webapp.

Dear List,

We are using Tomcat 4.1.xx. We are NOT using the built-in security framework 
which comes with TC. In the login.jsp page the user/password is validated by 
an external organisation-wide process, which returns simply true or false. 
If the user is valid, the user is forwarded to the application JSP pages. 
The user cannot access the application pages at will, because the pages 
check to see if a particular session flag is checked.

Now my problem. I have been asked to assess if single sign-on (SSO) could be 
used to create a URL link to another similar webapp's JSP page (TC with no 
security framework), where the user doesn't need to log in for a second time. 
There is not so much info. about SSO around, but from what I gather it 
persists login info. inside a session which is passed between web 
applications. My first problem is that "my application" never knows what the 
password is. Can anyone see a possibility of using SSO for me, allowing 
direct access to another webapp's JSP page without re-login?

Would really appreciate any help on this. Especially ones with info. more 
than simply "No" ;-)

kind regards,
Ben
p.s. might be that the 2nd app has to create a web-service or something to 
provide the information for us!!



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Using Single Sign on to access another webapp.

Posted by Christoph Kutzinski <ku...@gmx.de>.
Check this for a way to implement this with Tomcat (you must use 5.5 or 
higher, though):
http://weblogs.java.net/blog/wholder/archive/2005/02/session_session.html

Or this is a solution I found with an external authentication server:
http://www.developertutorials.com/tutorials/java/single-sign-on/page4.html

hth,
Christoph


Re: Using Single Sign on to access another webapp.

Posted by Ivan Rodriguez <iv...@interd4u.com>.
Take a look at
http://tp.its.yale.edu/tiki/tiki-index.php?page=CentralAuthenticationService

Tim Funk wrote:

>
> One way to do SSO is to utilize a cookie (let's call it SSO, and to be 
> really secure - it should only be transferred over https). The 
> existence of a cookie says the person might be logged in. The value of 
> the cookie needs to be checked. The value of the cookie should NOT be 
> the user id. It can be an encrypted form of the user id, or it can be 
> a token which the web server would use in a hash lookup to get the 
> real user id. In the case of the hash - you'd need a "service" to be 
> able to handle maintenance of getting userids/tokens into the hash.
>
> Luckily for you, there are some projects out there that do this. 
> Google is your friend here.
>
> -Tim

Re: Using Single Sign on to access another webapp.

Posted by Ben Bookey <br...@hotmail.com>.
Hi Everyone,

Thanks for the replies. If I understand correctly, then the SSO should work 
between Tomcat and another J2EE type servlet container? The other app. in 
question is WebSphere.

regards,
Ben Bookey

>From: Tim Funk <fu...@joedog.org>
>Reply-To: "Tomcat Users List" <to...@jakarta.apache.org>
>To: Tomcat Users List <to...@jakarta.apache.org>
>Subject: Re: Using Single Sign on to access another webapp.
>Date: Fri, 08 Jul 2005 06:48:44 -0400
>
>
>One way to do SSO is to utilize a cookie (let's call it SSO, and to be 
>really secure - it should only be transferred over https). The existence of 
>a cookie says the person might be logged in. The value of the cookie needs 
>to be checked. The value of the cookie should NOT be the user id. It can be 
>an encrypted form of the user id, or it can be a token which the web server 
>would use in a hash lookup to get the real user id. In the case of the hash 
>- you'd need a "service" to be able to handle maintenance of getting 
>userids/tokens into the hash.
>
>Luckily for you, there are some projects out there that do this. Google is 
>your friend here.
>
>-Tim


Re: Using Single Sign on to access another webapp.

Posted by Tim Funk <fu...@joedog.org>.
One way to do SSO is to utilize a cookie (let's call it SSO, and to be really 
secure - it should only be transferred over https). The existence of a cookie 
says the person might be logged in. The value of the cookie needs to be 
checked. The value of the cookie should NOT be the user id. It can be an 
encrypted form of the user id, or it can be a token which the web server 
would use in a hash lookup to get the real user id. In the case of the hash - 
you'd need a "service" to be able to handle maintenance of getting 
userids/tokens into the hash.

Luckily for you, there are some projects out there that do this. Google is 
your friend here.

-Tim

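
The token-lookup variant described in Tim's post above, as an added example (not code from the thread, from Tomcat or from any project linked here): the cookie carries a random value and a small service maps it to the real user id. The class name, the 30-minute lifetime, the HttpOnly attribute and the sample user id are assumptions; with two containers the table would sit in a service both webapps can query.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical token service (added example): opaque SSO cookie value -> user id. */
public class SsoTokenService {
    private static final class Entry {
        final String userId; final Instant expires;
        Entry(String u, Instant e) { userId = u; expires = e; }
    }
    private final SecureRandom rng = new SecureRandom();
    private final ConcurrentHashMap<String, Entry> tokens = new ConcurrentHashMap<>();
    private final Duration ttl;
    public SsoTokenService(Duration ttl) { this.ttl = ttl; }

    /** Call only after the external login check has returned true. */
    public String issue(String userId) {
        byte[] raw = new byte[32];   // 256 random bits; reveals nothing about the user
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(token, new Entry(userId, Instant.now().plus(ttl)));
        return token;
    }

    /** Cookie presence proves nothing; only a live table entry maps to a user. */
    public Optional<String> resolve(String token) {
        Entry e = (token == null) ? null : tokens.get(token);
        if (e == null) return Optional.empty();
        if (Instant.now().isAfter(e.expires)) { tokens.remove(token); return Optional.empty(); }
        return Optional.of(e.userId);
    }

    /** Logout: drop the mapping so a copied cookie stops working in every webapp. */
    public void revoke(String token) { if (token != null) tokens.remove(token); }

    /** Set-Cookie value: Secure keeps the token off plain HTTP; HttpOnly is an added assumption. */
    public static String setCookieHeader(String token) { return "SSO=" + token + "; Path=/; Secure; HttpOnly"; }

    public static void main(String[] args) {
        SsoTokenService svc = new SsoTokenService(Duration.ofMinutes(30));
        String t = svc.issue("alice");                 // constructed sample user id
        System.out.println(setCookieHeader(t));
        System.out.println(svc.resolve(t) + " " + svc.resolve("alice")); // a bare user id is not a token
        svc.revoke(t);
        System.out.println(svc.resolve(t));            // revoked token no longer maps to a user
    }
}
```

Each webapp would call resolve() on the cookie value for every request and set its own session flag only when a user id comes back.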