Form based authentication and SSO

 
JeanLouis Marechaux
Hi Ranchers,
In WebSphere 4.x, when you want to use a form based authentication mechanism, you have to enable SSO on your server. Otherwise, it does not work.
I am wondering why, and most of all, how that is compliant with the spec.
I'm really interested in knowing how form based authentication is implemented on other app servers.
Does WebLogic force you to enable SSO?
What about JBoss?
And Oracle? And others...
 
JeanLouis Marechaux
Nobody ??
 
Kyle Brown
Bill, SSO is a WebSphere-specific implementation detail -- it's totally outside the spec, which is why no one has responded: the question is meaningless outside of WebSphere.
Kyle
 
JeanLouis Marechaux
Kyle,
I don't fully agree with you on that point, or maybe I misunderstood your post.
WebLogic has a SingleSignOn feature available.
Just like Sybase EAServer.
And all the servers have the form based login, as it is in the spec.
So the question is: do these servers force you to enable their single sign-on when you choose the form based login mechanism, just like WebSphere does?
With WebSphere, the drawback of using SSO is that when the HttpSession expires, the credentials are still valid (LTPA token).
My understanding of the spec is that when the HttpSession expires, the user should be automatically re-challenged to log in again.
 
Kyle Brown
Bill, what I'm saying is that the single-signon feature is NOT part of the spec. Only the authentication mechanism (Form-based, Cert, Digest or Basic) is in the spec. Each vendor does authorization differently, and thus the settings will be completely different and not directly comparable.
Kyle
 
JeanLouis Marechaux
Ok Kyle, then I agree.
But from the spec (12.5.3.1):
"If the user is authenticated using form login and has created an HTTP session, the timeout or invalidation of that session leads to the user being logged out in the sense that subsequent requests must cause the user to be re-authenticated."
The way WAS 4 has implemented the form based login does not work according to this statement.
I hope WAS 5 is different on that point.
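The spec sentence quoted in the post above is what a container has to enforce: once the session created at form login is gone, the next request must be re-authenticated. Where the container's SSO cookie outlives the session, an application can enforce that itself. The servlet filter below is an added example, not code from this thread, from WebSphere or from any other vendor. It binds the container-authenticated user (request.getRemoteUser()) to the HttpSession that was alive when the login form was shown, and forces a logout when a request is authenticated but that session no longer exists. It is written against the Servlet 2.3-era API (no generics, no request.logout()). The cookie names LtpaToken and LtpaToken2, the cookie path "/", the "loginPage" init-param and the class and attribute names are all assumptions made for this example.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Binds the container-authenticated user to the HttpSession that was alive
 * when the form login happened. If that session times out or is invalidated
 * and the container then authenticates a later request from the SSO cookie
 * alone, the filter forces a logout so the user is re-challenged, which is
 * what Servlet spec section 12.5.3.1 requires.
 *
 * Assumptions (example code, not any vendor's product):
 *  - the SSO cookies are named LtpaToken / LtpaToken2 and were issued with
 *    path "/" and no Domain attribute;
 *  - the form-login page configured in web.xml is also given to this filter
 *    as the "loginPage" init-param (default /login.jsp) and is served
 *    through this filter.
 */
public class SessionBoundAuthFilter implements Filter {

    /** Session attribute: the user name this session is bound to. */
    static final String BOUND_USER = "SessionBoundAuthFilter.boundUser";
    /** Attribute value meaning "the login form was shown in this session". */
    static final String LOGIN_PENDING = "<login-pending>";
    /** SSO cookies to expire on a forced logout (assumed names). */
    static final String[] SSO_COOKIES = {"LtpaToken", "LtpaToken2"};

    private String loginPage = "/login.jsp";

    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("loginPage");
        if (p != null) {
            loginPage = p;
        }
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String user = request.getRemoteUser();
        boolean onLoginPage = loginPage.equals(request.getServletPath());

        // Create a session only when there is something to record in it.
        HttpSession session = request.getSession(user != null || onLoginPage);

        if (user == null) {
            // Unauthenticated. If the container is showing the login form,
            // remember that a form login is in progress in THIS session.
            if (onLoginPage) {
                session.setAttribute(BOUND_USER, LOGIN_PENDING);
            }
            chain.doFilter(req, res);
            return;
        }

        String bound = (String) session.getAttribute(BOUND_USER);
        if (LOGIN_PENDING.equals(bound)) {
            // First authenticated request after the form login: bind it.
            session.setAttribute(BOUND_USER, user);
            chain.doFilter(req, res);
            return;
        }
        if (user.equals(bound)) {
            chain.doFilter(req, res);   // normal authenticated request
            return;
        }
        // bound == null: the login-time session is gone and the container
        // re-created one from the still-valid SSO token. bound != user: the
        // session belongs to someone else. Either way, re-authenticate.
        forceLogout(request, response, session);
    }

    private void forceLogout(HttpServletRequest request, HttpServletResponse response,
                             HttpSession session) throws IOException {
        session.invalidate();
        for (int i = 0; i < SSO_COOKIES.length; i++) {
            Cookie expired = new Cookie(SSO_COOKIES[i], "");
            expired.setPath("/");   // must match the path the token was set with
            expired.setMaxAge(0);   // tells the browser to drop the cookie now
            response.addCookie(expired);
        }
        response.sendRedirect(request.getContextPath() + loginPage);
    }
}
```

Map the filter to /* in web.xml. In Servlet 2.3 a filter does not run on a RequestDispatcher forward, and containers usually forward to the login page, so either map the filter with a FORWARD dispatcher entry (Servlet 2.4 and later) or have the login page set the LOGIN_PENDING attribute itself. Two caveats worth knowing: the Cookie path (and Domain, if the container set one) must match what the container issued, otherwise the browser keeps the token and the filter keeps redirecting every authenticated request to the login page (it fails closed rather than open); and expiring the cookie only stops this browser from presenting the token, the token itself stays valid until its own expiry, so anyone who captured it can still replay it until then. On Servlet 3.0 and later, HttpServletRequest.logout() is the container-supported way to drop the authenticated identity and is preferable to expiring the cookie by hand.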
 