I would like to implement single sign-on for/between two of my J2EE applications.
I have set up the Custom Registry (Global Security -> Custom) in my RAD 7.
I have also set up the security aspect in my application: I have created a security role and protected resources through the <security-constraint> tag. I tested and found the FORM-based authentication working.
Now, as a part of enabling SSO across applications, what would be the next step? How does the login credential/information get transferred to the other application?
I was actually looking at a "customized" approach. Let me make my question specific.
The following was what I had tried. I had two applications with groups and roles appropriately defined. I defined the roles through the <security-constraint> tag in the web.xml file. Both the applications were working fine independently.
Now, to test the SSO concept, I had enabled SSO in RAD 7 (which uses the WebSphere test environment). What I wanted was to navigate from a secure page in applicationA to a secure page in applicationB without the user having to authenticate himself again. However, when the user tried to navigate to a secure page in applicationB, he was prompted to enter his userid/password since the <login-config> value was set to FORM. Considering that the user had logged in to applicationA, and SSO was enabled in RAD7, why is it that the security credentials are not being made available while entering applicationB?
If it's all web apps on the same server that you want to apply SSO to, then WebSphere may have some setting that would enable that. For example, Tomcat has an SSO valve built in. WebSphere may have something similar.
Indeed, the Tomcat 'SSO' valve is exactly what we use between web apps on the same server.
For example, we have a standard war for portlets on JBoss Portal and a non-portlet war which we use for some AJAX requests and a variety of portlet 'unallowed' requests.
"..As soon as the user logs out of one web application (for example, by invalidating the corresponding session if form based login is used), the user's sessions in all web applications will be invalidated. Any subsequent attempt to access a protected resource in any application will require the user to authenticate himself or herself again..."
Would the session ID be the same when we move across web applications, or would it be a case of one session ID per application?