Is it still good to use single sign-on in today's world?

tangara goh
Ranch Hand
Posts: 491
Hello experts,

I am now at a stage where I need to implement a secure login for my web app on a site which is SSL secured.

However, before I launch into things, I would like to know if single sign-on using Tomcat with JSP and servlets is a good solution?

Are there other secure logins I should consider that work with Tomcat, JSP and servlets, or REST?

Thank you for sharing in advance.

Tim Holloway
Saloon Keeper
Posts: 20657
Actually, SSL-encrypted and "secured" are two different things. To be secure you almost certainly need a secure transport channel, but you also need security constraints to protect sensitive resources. For that you need 2 things: Authentication and Authorization.

Authorization simply means what you can or cannot do. But in order to be able to tell who can do what, you need authentication so that you know who is whom. If I claim to be Fred and go on to do things that only Fred can do, that's not authentic. So the authentication mechanism makes me prove I really am Fred.

In the J2EE container security standard, authentication is done by the webapp server, not by the web application. The server detects secured URL requests (matches a security pattern in web.xml), checks to see if the request submitter has been authenticated, and if not, diverts the URL request and initiates login using a login form or dialog. Only after the user has successfully logged in will the original request be allowed to continue.

Note that since the container manages the login process, there is no login code in the web application. Instead, authentication is handled by plug-in modules called Realms. The Realms also check role requests to see if a user is allowed to act in the requested role.

SSO is a special type of Authentication where the user logs in once, and all other apps will accept that identity instead of making the user log in to each application separately. It can make life a lot simpler, and if you're using a dashboard-type application whose content is an amalgamation of requests from other apps, it can be very valuable (imagine a page where each frame had a separate login screen!).

Since Tomcat Realms are plug-replaceable without the need for application modification, you can easily switch from SSO authentication to one of the other Realms such as JDBC or JNDI (Active Directory).

While I do recommend the standard container authorization for most webapps, REST apps can be a bit of a problem, since they're not really intended to work with a human operator, so the usual login screen is not a good fit. In such cases, there are other options, but I'll leave explaining them to someone else.
tangara goh
Ranch Hand
Posts: 491
Thank you both.
Now, I have just come to know that the web hosting company takes control of the Tomcat server, as in I can't start and stop Tomcat on my own, even though I am subscribing to a private instance of Tomcat server.

How will the authentication and setting of a realm keep things private?

Do all other web hosting companies work the same? As in, usually the control will be with them?
Tim Holloway
Saloon Keeper
Posts: 20657
Most hosting companies these days will rent you a complete VM, so in such cases you would have control of Tomcat. However, some, like the more specialized services such as Amazon's Elastic Beanstalk, might do what you said.

In any event, you can define the Realm for a Tomcat webapp in the webapp's deployment descriptor. So unless they also don't let you deploy your own webapps, that's all you need.
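The container-managed setup Tim describes, as an added example (not code from this thread or from the Tomcat project): the security constraints and login method live in WEB-INF/web.xml, while the Realm itself is plugged in through META-INF/context.xml, which ships with the webapp. The URL pattern, role names, table and column names, and the PostgreSQL data source are assumptions.

```xml
<!-- WEB-INF/web.xml: fragment placed inside <web-app>. The container enforces
     this; the servlets and JSPs contain no login code. URL pattern and role
     names are constructed for this example. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Member area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>        <!-- only authenticated users in this role -->
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL makes Tomcat redirect plain HTTP requests to HTTPS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>        <!-- the container drives the login form -->
  <form-login-config>
    <!-- login.jsp posts j_username and j_password to j_security_check -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>member</role-name>
</security-role>

<!-- META-INF/context.xml: the Realm is chosen here and can be swapped for JNDI,
     JDBC, etc. without touching the webapp. DataSourceRealm reads users and roles
     from a JDBC source; the data source, table and column names are assumptions.
     The CredentialHandler (salted, iterated hashes instead of plaintext
     passwords) requires Tomcat 8 or later. -->
<Context>
  <Resource name="jdbc/appdb" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://localhost:5432/appdb"
            username="app" password="CHANGE_ME"/>
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/appdb" localDataSource="true"
         userTable="users" userNameCol="username" userCredCol="password_hash"
         userRoleTable="user_roles" roleNameCol="role">
    <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                       algorithm="PBKDF2WithHmacSHA512"
                       iterations="100000" saltLength="16" keyLength="256"/>
  </Realm>
</Context>
```

Everything above is per-webapp and deploys with the WAR; Tomcat's SingleSignOn valve, by contrast, is a Host-level element in server.xml, so on a hosted Tomcat where the provider owns that file it stays outside your control.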