Thank you both for the replies.

Yes David, custom management of authentication is indeed an option but a bit painful if it can be avoided.
CAS on the other hand just looks like what we need, and it's open source, and looks mature, we'll give it a go. Thanks again Aaron.

On 29/03/06, Steele, Aaron <[EMAIL PROTECTED]> wrote:
>
> We are using CAS, http://www.ja-sig.org/products/cas/, for something
> similar. I do not know if it's exactly what you need. It does not, I
> believe, share any session information besides the login info.
>
> Thank You,
>
> Aaron Steele
> YRI Enterprise Solutions
> https://ris.yumnet.com
> w: 972.338.6862
> c: 817.401.0831
>
> -----Original Message-----
> From: David Smith [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 29, 2006 1:25 PM
> To: Tomcat Users List
> Subject: Re: Single sign-on with multiple Tomcats served via one Apache
> httpd server
>
> The single sign-on valve only really shares an authenticated session
> across the contexts of one tomcat server. Most likely other tomcat
> servers only if they are clustered. But you have two separate,
> non-clustered tomcats whose only commonality is the Apache front-end
> and the user realm database. I don't know of any way in which one would
> be aware of sessions created and trusted in the other. You might want
> to consider your own sign-on mechanism to support this.
>
> --David
>
> Nic Daniau wrote:
>
> >Hi, believe it or not, this problem which I thought to be a very
> >standard one, didn't get a single reply?! Even if you know this can't
> >be done, please tell me! Thanks a lot in advance.
> >
> >Configuration:
> >a. Apache httpd 2.0 server (IP0, port 80) with some content served from
> >/cms
> >b. Worker to a Tomcat 4.1 running on a separate box (IP1:8080)
> >mapped to /app1
> >c. Another worker to another Tomcat 5.5 running on separate box
> >(IP2:8080) mapped to /app2
> >
> >Both Tomcats are using the same configuration for security realm
> >(pointing to the same DataSource parameters of course):
> >
> >    <Realm className="org.apache.catalina.realm.DataSourceRealm"
> >           dataSourceName="jdbc/default"
> >           debug="99"
> >           userTable="corporate.dbo.t_userlogin"
> >           userNameCol="c_username"
> >           userCredCol="c_password"
> >           userRoleTable="corporate.dbo.t_userpermission"
> >           roleNameCol="c_rolename"
> >           digest="md5"/>
> >
> >and have their Single Sign-on valve turned on:
> >
> >    <Valve className="org.apache.catalina.authenticator.SingleSignOn"
> >           debug="0"/>
> >
> >However, if you're required to authenticate to access say,
> >/app1/aSecure.jsp, you will be asked to authenticate again to access
> >say, /app2/anotherSecure.jsp, though from the user point of view, this
> >is the same username/password on the same URL.
> >
> >Is there a way to carry over the single sign-on from each Tomcat to the
> >Apache server, so that /app2/anotherSecure.jsp can trust the
> >authentication done while visiting /app1/aSecure.jsp, or should this be
> >done in a completely different way?
> >
> >We have to keep those two separate Tomcats (distinct hardware,
> >different versions, performance issues).
> >
> >Thanks for your help!
> >Nic
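
The "own sign-on mechanism" option raised in the thread, as an added example that is not code from any of the posters, Tomcat or CAS: because /app1 and /app2 are served under the same Apache host name, a cookie set with Path=/ reaches both back ends, and each Tomcat can check it with a shared HMAC key instead of sharing session state. The class name `SsoToken`, the token layout (user, expiry, MAC) and the secret are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
/** Hypothetical helper (not a Tomcat or CAS API): a signed token both Tomcats can check. */
public class SsoToken {
    private final SecretKeySpec key; // assumption: same secret provisioned on both servers
    public SsoToken(byte[] sharedSecret) {
        key = new SecretKeySpec(sharedSecret, "HmacSHA256");
    }

    private byte[] mac(String payload) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    /** Issued by the application that authenticated the user; sent as a cookie with Path=/. */
    public String issue(String user, long expiresEpochSec) throws Exception {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String payload = enc.encodeToString(user.getBytes(StandardCharsets.UTF_8)) + "." + expiresEpochSec;
        return payload + "." + enc.encodeToString(mac(payload));
    }

    /** Returns the user name, or null when the token is malformed, altered or expired. */
    public String verify(String token, long nowEpochSec) {
        try {
            String[] p = token.split("\\.");
            if (p.length != 3) return null;
            Base64.Decoder dec = Base64.getUrlDecoder();
            // Constant-time MAC comparison before any field is trusted.
            if (!MessageDigest.isEqual(mac(p[0] + "." + p[1]), dec.decode(p[2]))) return null;
            if (Long.parseLong(p[1]) <= nowEpochSec) return null;
            return new String(dec.decode(p[0]), StandardCharsets.UTF_8);
        } catch (Exception e) {
            return null; // any parsing or decoding failure is treated as "not authenticated"
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8); // constructed value
        SsoToken app1 = new SsoToken(secret), app2 = new SsoToken(secret); // the two Tomcats
        String cookie = app1.issue("nic", 2000L);
        System.out.println(app2.verify(cookie, 1000L));                          // case: valid, unexpired
        System.out.println(app2.verify(cookie, 3000L));                          // case: past expiry
        System.out.println(app2.verify(cookie.replace("bmlj", "Ym9i"), 1000L));  // case: user field altered
    }
}
```

In a real deployment the cookie would also be marked HttpOnly and Secure, and the secret would come from server configuration rather than source code.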