How to Implement SSO on existing tomcat web application

I have a tomcat 7 setup with oldApp.war and newApp.war deployed on it. Both the applications share the same login credentials for users on the database.

I can access the apps using https://localhost/oldApp and https://localhost/newApp respectively.

My oldApp is a Spring MVC java application and when the user is logged into the oldApp I want to have a link which will take the user into the newApp without asking for the login credentials.

I want to know how to implement SSO to do this. I preferably don't want to run any external service to handle this.

Thanks in advance.

Qstacker Avatar asked Feb 19 '13 04:02




2 Answers

Update: It's 2018 and the info below is out of date. If you're starting a new application then use a federated identity protocol like OpenID Connect and you'll get SSO for free.

There are a few approaches you could take:

  1. You could use Tomcat for authentication and use Tomcat's single sign on capabilities. If you're currently using Spring to authenticate the user you may need to change some things. Also, depending on how you're doing authentication, Tomcat's authentication may not be configurable enough.
  2. You could set up a third, CAS, servlet (or something similar), which both web applications authenticate against.
  3. You could set this up yourself using Spring and pre-authenticated filters. You would basically have to write your own pre-authenticated filter which checked some location that both servlets had access to (database?, shared context?) for existing credentials before falling back to old authentication methods. You'll want to make sure to clear this authentication in a filter somewhere so the next request doesn't get to automatically inherit the previous request's credentials.
Pace Avatar answered Sep 23 '22 20:09

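As an added illustration of approach 3 (this is not code from either answer), the sketch below uses Spring Security's AbstractPreAuthenticatedProcessingFilter so that newApp trusts a one-time ticket issued by oldApp instead of asking for the password again. SsoTicketStore, SharedTicketPreAuthFilter and the sso_ticket parameter are assumed names, and the in-memory map stands in for the database table both WARs can reach (an in-process map would not be visible from the other web application).

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/** Hypothetical shared ticket store; the map stands in for the database table both WARs can reach. */
class SsoTicketStore {
    private static final long TTL_MILLIS = 30_000;                      // a ticket lives 30 seconds
    private final Map<String, Object[]> tickets = new ConcurrentHashMap<>(); // ticket -> {user, expiry}
    private final SecureRandom random = new SecureRandom();
    /** oldApp calls this when rendering the link to newApp and appends the ticket to the URL. */
    String issue(String username) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);                                           // 256 random bits, not guessable
        String ticket = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tickets.put(ticket, new Object[] {username, System.currentTimeMillis() + TTL_MILLIS});
        return ticket;
    }
    /** newApp calls this; remove() makes the ticket single-use, so a copy that leaked via a log
     *  or Referer header is useless once redeemed, and an expired ticket is rejected. */
    String consume(String ticket) {
        Object[] entry = tickets.remove(ticket);
        if (entry == null || (Long) entry[1] < System.currentTimeMillis()) {
            return null;
        }
        return (String) entry[0];
    }
}

/** Pre-authenticated filter for newApp: a valid ticket replaces the password prompt. */
class SharedTicketPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
    private final SsoTicketStore store;
    SharedTicketPreAuthFilter(SsoTicketStore store) {
        this.store = store;
    }

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String ticket = request.getParameter("sso_ticket");
        // null means "nothing to pre-authenticate": Spring Security then falls back to the normal login
        return ticket == null ? null : store.consume(ticket);
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A";                                                    // the ticket was the credential
    }
}
```

The filter still needs an AuthenticationManager holding a PreAuthenticatedAuthenticationProvider whose AuthenticationUserDetailsService loads the user's roles from the shared user table; on success Spring Security keeps the authentication in newApp's own session, so later requests never present the ticket again.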


You can implement SSO in many different ways:

  1. OAuth 2 - http://oauth.net/2/
  2. SAML 2 - https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

SAML 2.0 has many implementations for Identity/Service provider roles.

For an IDP implementations list I can point you to this Stack Overflow post: https://stackoverflow.com/a/761774/126414

If you are planning to implement a service provider there is a nice spring extension: http://static.springsource.org/spring-security/site/extensions/saml/index.html

svlada Avatar answered Sep 22 '22 20:09
