Enabling SSO in J2EE application

 
Sub swamy
Ranch Hand
Posts: 121
I would like to implement single sign-on for/between two of my J2EE applications.

I have set up the Custom Registry (Global Security -> Custom) in my RAD 7.
I have also set up the security aspect in my application - have created security role and protected resources through <security-constraint> tag. I tested and found the FORM based authentication working.

Now, as a part of enabling SSO across applications what would be the next step? How does the login credential/information get transferred to the other application?

Would appreciate any help in this regard.

 
Joachim Rohde
Ranch Hand
Posts: 433
Have you already had a look at OpenSSO (https://opensso.dev.java.net/)? I've never needed to implement SSO myself, so I'm not sure if it fits your needs.
 
Ulf Dittmer
Rancher
Posts: 42970
Besides OpenSSO, other options include CAS and JOSSO.
 
Jimmy Clark
Ranch Hand
Posts: 2187
Single Sign-on Using Kerberos in Java
http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/single-signon.html
 
Sub swamy
Ranch Hand
Posts: 121
Appreciate your response.

I was actually looking at a "customized" approach. Let me make my question specific.

The following was what I had tried. I had two applications with groups and roles appropriately defined. I defined the roles through the <security-constraint> tag in the web.xml file. Both the applications were working fine independently.

Now, to test the SSO concept, I had enabled SSO in RAD 7 (which uses the WebSphere test environment). What I wanted was to navigate from a secure page in applicationA to a secure page in applicationB without the user having to authenticate himself again. However, when the user tried to navigate to a secure page in applicationB, he was prompted to enter his userid/password since the <login-config> value was set to FORM. Considering that the user had logged in to applicationA, and SSO was enabled in RAD 7 - why is it that the security credentials are not being made available while entering applicationB?

 
Ulf Dittmer
Rancher
Posts: 42970
If it's all web apps on the same server that you want to apply SSO to, then WebSphere may have some setting that would enable that. For example, Tomcat has an SSO valve built in. WebSphere may have something similar.
 
Dean Pullen
Ranch Hand
Posts: 58
Indeed, the Tomcat 'SSO' valve is exactly what we use between web apps on the same server.
For example, we have a standard war for portlets on JBoss Portal and a non-portlet war which we use for some AJAX requests and a variety of portlet 'unallowed' requests.

This needs the valve configured for SSO.
 
Sub swamy
Ranch Hand
Posts: 121
Thanks for the response. I did go through the link - http://tomcat.apache.org/tomcat-5.5-doc/config/host.html#Single%20Sign%20On - which talks about the Valve concept in Tomcat. I need a clarification on the following section:

"..As soon as the user logs out of one web application (for example, by invalidating the corresponding session if form based login is used), the user's sessions in all web applications will be invalidated. Any subsequent attempt to access a protected resource in any application will require the user to authenticate himself or herself again..."

Would the session ID be the same when we move across web applications, or would it be a case of one session ID per application?
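Added example (not code from this thread, from Tomcat or from WebSphere): a self-contained Java model of what a host-level SSO valve such as Tomcat's org.apache.catalina.authenticator.SingleSignOn does, to make the two points raised in this thread concrete. Without the valve, each web application's FORM authenticator challenges the browser separately, which is the re-prompt seen when moving from applicationA to applicationB. With the valve, the browser carries one host-wide SSO cookie (JSESSIONIDSSO in Tomcat) in addition to each application's own JSESSIONID; the valve links the per-application sessions to one SSO entry and drops all of them when any one is invalidated, which is the logout behaviour quoted from the Tomcat documentation above. All class and method names in the model are invented for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

/**
 * Toy model of a host-level single sign-on valve (added example, not Tomcat or WebSphere
 * code; class and method names are invented). In Tomcat the valve is declared inside <Host>
 * in server.xml as <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>.
 */
public class SsoValveModel {
    /** One web application (context path) with its own sessions and FORM login. */
    static final class WebApp {
        final String contextPath;
        final Map<String, String> sessions = new HashMap<>(); // JSESSIONID -> principal
        WebApp(String contextPath) { this.contextPath = contextPath; }
    }

    /** Host-level SSO entry: the principal plus the application sessions linked to it. */
    static final class SsoEntry {
        final String principal;
        final Map<WebApp, String> linkedSessions = new HashMap<>(); // app -> JSESSIONID
        SsoEntry(String principal) { this.principal = principal; }
    }

    /** One browser: a host-wide SSO cookie plus one JSESSIONID per context path. */
    static final class Browser {
        String ssoCookie;                                        // JSESSIONIDSSO, path "/"
        final Map<String, String> appCookies = new HashMap<>(); // contextPath -> JSESSIONID
        int loginPrompts;                                        // FORM challenges seen
    }
    private final boolean valveEnabled;
    private final Map<String, SsoEntry> ssoRegistry = new HashMap<>(); // JSESSIONIDSSO -> entry
    SsoValveModel(boolean valveEnabled) { this.valveEnabled = valveEnabled; }
    /** Browser requests a protected page in app; loginAs is typed if a FORM login is shown. */
    String requestProtected(Browser browser, WebApp app, String loginAs) {
        // 1. This app already holds an authenticated session for the browser: no challenge.
        String sid = browser.appCookies.get(app.contextPath);
        if (sid != null && app.sessions.containsKey(sid)) return app.sessions.get(sid);
        // 2. Valve on and a registered SSO cookie presented: the valve authenticates the
        //    request itself and opens a fresh, separate session in this application.
        if (valveEnabled && browser.ssoCookie != null) {
            SsoEntry entry = ssoRegistry.get(browser.ssoCookie);
            if (entry != null) {
                entry.linkedSessions.put(app, openSession(browser, app, entry.principal));
                return entry.principal;
            }
        }
        // 3. Otherwise the app's own FORM authenticator challenges the user; without the
        //    valve this happens once per application, as described earlier in the thread.
        browser.loginPrompts++;
        String newSid = openSession(browser, app, loginAs);
        if (valveEnabled) {
            SsoEntry entry = new SsoEntry(loginAs);
            entry.linkedSessions.put(app, newSid);
            browser.ssoCookie = UUID.randomUUID().toString();
            ssoRegistry.put(browser.ssoCookie, entry);
        }
        return loginAs;
    }

    private String openSession(Browser browser, WebApp app, String principal) {
        String sid = UUID.randomUUID().toString(); // per-application id, never shared
        app.sessions.put(sid, principal);
        browser.appCookies.put(app.contextPath, sid);
        return sid;
    }
    /** The application invalidates its own session (session.invalidate() on logout). */
    void logout(Browser browser, WebApp app) {
        String sid = browser.appCookies.remove(app.contextPath);
        if (sid != null) app.sessions.remove(sid);
        if (!valveEnabled || browser.ssoCookie == null) return;
        // The valve sees a linked session end and drops the SSO entry together with every
        // other session linked to it, so the user is logged out of all applications.
        SsoEntry entry = ssoRegistry.remove(browser.ssoCookie);
        browser.ssoCookie = null;
        if (entry == null) return;
        for (Map.Entry<WebApp, String> e : entry.linkedSessions.entrySet()) {
            e.getKey().sessions.remove(e.getValue());
            browser.appCookies.remove(e.getKey().contextPath);
        }
    }

    public static void main(String[] args) {
        WebApp appA = new WebApp("/applicationA"), appB = new WebApp("/applicationB");
        SsoValveModel plain = new SsoValveModel(false);  // no valve: B issues its own FORM login
        Browser b1 = new Browser();
        plain.requestProtected(b1, appA, "alice");
        plain.requestProtected(b1, appB, "alice");
        System.out.println("without valve, FORM prompts: " + b1.loginPrompts);
        SsoValveModel sso = new SsoValveModel(true);     // valve: one prompt, two session ids
        Browser b2 = new Browser();
        sso.requestProtected(b2, appA, "alice");
        sso.requestProtected(b2, appB, "alice");
        System.out.println("with valve, FORM prompts: " + b2.loginPrompts);
        System.out.println("A and B share a JSESSIONID: "
                + b2.appCookies.get(appA.contextPath).equals(b2.appCookies.get(appB.contextPath)));
        sso.logout(b2, appA);                            // logging out of A also ends B's session
        System.out.println("B session alive after logout from A: " + b2.appCookies.containsKey(appB.contextPath));
    }
}
```

Compile and run with javac SsoValveModel.java and java SsoValveModel. Two practical caveats for the real valve: the SSO cookie is a bearer credential honoured by every web application on the virtual host, so it should only ever travel over HTTPS, and the valve is configured per Host in server.xml and therefore only covers web applications deployed on that same virtual host, which is the setup Ulf and Dean describe above.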