Tomcat Realms not working between apps with FORM

Hey All,

Hope someone here can help me out. Let me start by stating my knowledge of JAVA is pretty much none. The only reason I am using tomcat server is because a client asked that I used a java based forum. So for the forum I am using jforum which mentioned that you can incorporate it into your current site with SSO.

In the server.xml file I modified the realm to use a database,

<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99" digest="MD5" driverName="org.gjt.mm.mysql.Driver" connectionURL="jdbc:mysql://localhost:3306/myusers?user=root&password=" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name"/>


And the layout of my tomcat webapps,

webapps |--jforum | |--login.jsp | |--error.jsp |--myWebSite |--login.jsp |--error.jsp

in each of the webapps I added the following to the web.xml,

<security-constraint> <web-resource-collection> <web-resource-name>User Auth</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>user</role-name> </auth-constraint> </security-constraint> <!-- <login-config> <auth-method>BASIC</auth-method> </login-config> --> <login-config> <auth-method>FORM</auth-method> <realm-name>User Auth</realm-name> <form-login-config> <form-login-page>/login.jsp</form-login-page> <form-error-page>/error.jsp</form-error-page> </form-login-config> </login-config> <security-role> <role-name>user</role-name> </security-role>

As you can see I commented out the BASIC method which would work just fine between the apps. The FORM method will not work between the apps for some reason. So if I open my browser and go to myWebSite it will redirect to the login.jsp. I enter a username and password that exists in the database and then it will go back to the index page for myWebSite. Then if I click the forum link in myWebSite to go to the jforum app (http://localhost:9090/jforum/forums/list.page) it will redirect once again to the login.jsp. Again if I set the method in the web.xml to BASIC then I only need to login once in the same scenario.

So if someone has some insight into why the FORM method would not be working or if there is an error in the way I am accessing between the webapps I would love to get some input. Also if there is something I did not post that would be helpful in figuring out my issue let me know and I will get it up here.

Welcome to the JavaRanch, Jeremy!

Am I understanding correctly that your problem is that each application is requiring you to login? If so, that's because they're supposed to. To have single signon for all apps requires the use of an SSO Tomcat Realm. The basic realms all work only per-application. SSO allows creation and sharing of a single global security context.

I'm not totally sure about why BASIC authentication would operate differently, but the client-side mechanisms are different for BASIC authentication and it may merely be retaining the credentials and doing undercover logins for you. That's one of the problems with BASIC authentication. To log out, you're pretty much required to shut down the brower as there's no easy way to flush out the credentials, once entered.

BASIC authentication isn't usually recommended for secure sites, however. It uses a very weak encryption scheme, and the retention of credentials mean that if someone gains access to the client machine while it's unattended, they can have even more "fun" with it than they could on more secure setups.

I was taking a look at the documentation of adding a single sign-on valve inside of the server.xml file which I thought I was doing correctly but I am still getting the same result. I moved my realm from the Engine tag to the Host tag and added a valve line for the single sign-on. Here is what the host section of my server.xml file looks like,

<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"> <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99" digest="MD5" driverName="org.gjt.mm.mysql.Driver" connectionURL="jdbc:mysql://localhost:3306/myusers?user=root&password=" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name"/> </Host>

Does this look correct? If not what do I need to change. Also for the web.xml in each app is there something I need to set to make the work with the single sign-on? Here is my web.xml file,

<?xml version="1.0" encoding="ISO-8859-1"?> <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0" metadata-complete="true"> <display-name>Welcome to Tomcat</display-name> <description> Welcome to Tomcat </description> <security-constraint> <web-resource-collection> <web-resource-name>User Auth</web-resource-name> <url-pattern>/protected/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>user</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>User Auth</realm-name> <form-login-config> <form-login-page>/forms/login.jsp</form-login-page> <form-error-page>/forms/login.jsp</form-error-page> </form-login-config> </login-config> <security-role> <role-name>user</role-name> </security-role> </web-app>

J2EE container-managed security is a complete "black box" to the webapp, so whether you're using SSO or per-app security realms makes no difference.

The JDBCRealm doesn't support SSO. You need an actual SSO Realm for that, not just a Valve.

Could you point me to a good reference for information about this?

Aw, dang it, now you've gone and made me RTFM.

http://tomcat.apache.org/tomcat-5.5-doc/config/host.html#Single%20Sign%20On

Although what I've been talking about is multi-server SSO, such as the CAS system, you can use the Tomcat SSO valve as long as users are using cookies and as long as the Realm is defined at the Host level and not at the application (Context) level. And as long as your SSO valve doesn't have improper reauthorization settings.

Unlike CAS, the SSO only applies to that instance of Tomcat. CAS is designed for site-wide SSO, where you can signon once and talk to multiple Tomcats, IIS servers, and so forth.

Thanks for the update Tim, still banging my head against the wall over here trying to get this all worked out. The link you sent me is what I was looking at trying to get this to work.

Tim Holloway wrote:as long as your SSO valve doesn't have improper reauthorization settings.

What should I look at to determine this is not the case? My previous posting I posted my server.xml settings for the host which looks correct. I also posted what I had for each apps web.xml. Can you take a look and see if those look like they are configured correctly? Also does the SSO Valve need to have an authenticator? Read something about that while reading through articles & docs.

Thanks for all the help.

At that point I'd have to do a lot of work I can't spare time for at the moment. I didn't completely understand the docs myself.

However, web.xml does not have to be changed for SSO. As I said before, the authentication and authorization mechanism is a black box.

After looking at numbers of documents I decided to try an older install of tomcat. Originally I installed 7 which was the latest version, so I went and grabbed 5.5 and installed that. Configured it up the same way and it worked with my login form on the first try. So there must of been a bug or something in tomcat 7. Lesson learned, always grab a stable version.

Thanks for the all the help again tim.