• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Sharing authentication

 
Ranch Hand
Posts: 31
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
We are using JAAS and a custom login module to authenticate users to our J2EE app. We are now required to share authentication with another J2EE app running on the same server (i.e. a user can go back and forth without having to re-authenticate). Is this even possible? We're running on Oracle 9iAS, which does support SSO but this not really the approach that we are looking for (but may have to consider).
Thanks.
 
Ranch Hand
Posts: 80
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi Wes,
SSO is simple, really - as long as every app uses the same authentication token (or course, getting agreement on the token is the hard part )
What type of token does your custom login module create? I assume a homegrown userid+expiryDate+XYZ, all encrypted via JCE? If so, you will need to change the other J2EE app to extract the user id from your token (in web land, from the cookie - cookies will work if both apps use the same domain). Of course, you probably don't have the source code for this other app, or are not allowed to change it.
If the other app is using the container's auth mechanism (i.e. WebSphere uses LTPA, not sure what Oracle uses), then you will need to follow suit. Perhaps oracle has a public API for generating tokens that your login module can call? If they are like IBM, it is private and you can't use it.
I am in a similar situation. I want to write my own auth manager, but I am afraid about integration with other apps. I want to call IBM's code to create the LTPA, but the &&@$%@'s have a private impl (man, I need JBoss!). So, I am left calling the j_security_check servlet programmatically. What a bloody hack.
Hope this helps. Let me know...
--Dave.

Originally posted by Wes Hughes:
We are using JAAS and a custom login module to authenticate users to our J2EE app. We are now required to share authentication with another J2EE app running on the same server (i.e. a user can go back and forth without having to re-authenticate). Is this even possible? We're running on Oracle 9iAS, which does support SSO but this not really the approach that we are looking for (but may have to consider).
Thanks.

reply
    Bookmark Topic Watch Topic
  • New Topic