4

I'd like to implement JAAS across the whole of my EAR file containing multiple wars.

I have successfully set it up on each war, but that means when the user is switching between wars (via hyperlinks between) they have to log-in again for each, even though each war is configured to use the same realm.

How can I create a single sign-on process for the whole of the EAR?

Thanks.

Mark W

2 Answers

2

This is usually container-specific. For JBoss, you can use yourapp.ear/META-INF/jboss-app.xml for this purpose. Here, you define a security-domain element that points to the respective login-policy. Excerpt from the DTD:

<!-- The security-domain element specifies the JNDI name of the security manager that implements the EJBSecurityManager and RealmMapping for the domain. When specified at the jboss level it specifies the security domain for all j2ee components in the deployment unit.
One can override the global security-domain at the container
level using the security-domain element at the container-configuration level.

Used in: jboss-app -->

<!ELEMENT security-domain (#PCDATA)>

Heiko Rupp
  • Hi, thanks for the help. Yes, I have done this with Geronimo (v2.1), but it's still requesting a log-in on each module. I'm guessing that's because it's a new session each time? I have all configuration set up in the geronimo-application.xml except the security constraints, which are in the appropriate web.xml – Mark W Feb 28 '11 at 14:10
  • Sorry, I have no idea about Geronimo. – Heiko Rupp Feb 28 '11 at 14:18
2

I have found the answer! - single sign on across all apps in the same servlet context and for the same security realm. It's available with Tomcat. I simply updated the config.xml as advised on the below URL and it now only asks to sign in once.

http://publib.boulder.ibm.com/wasce/V2.1.0/en/valves.html#Valves-AddingtheSingleSignonValvetotheinitialvalvechain

Mark W
  • http://tomcat.apache.org/tomcat-5.5-doc/config/host.html#Single_Sign_On might be of use too. – Mark W Mar 02 '11 at 18:49
  • 1
    Just to make it clear for others who may later visit this question: this valve is great for web-only applications (web, soap, rest), but not enough when you also have clients that want to talk to the application over rmi (or its vendor equivalent). – Heiko Rupp Mar 02 '11 at 19:41
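
Added example, not part of the original posts: a small audit of a Tomcat configuration for the two conditions the Single Sign On valve depends on, namely that the valve is present on the Host and that the web applications share one Realm defined on the Host or Engine rather than inside a Context. It assumes a plain Tomcat `server.xml` layout (Geronimo's `config.xml` is structured differently), and the sample configuration and the `audit_sso` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SSO_VALVE = "org.apache.catalina.authenticator.SingleSignOn"

# Constructed sample (not from the page): a.example is set up for SSO;
# b.example lacks the valve and one of its contexts overrides the realm.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="a.example">
      <Realm className="org.apache.catalina.realm.JAASRealm" appName="shared"/>
      <Host name="a.example" appBase="webapps">
        <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
        <Context path="/shop"/>
        <Context path="/admin"/>
      </Host>
      <Host name="b.example" appBase="webapps-b">
        <Context path="/shop"/>
        <Context path="/admin">
          <Realm className="org.apache.catalina.realm.JAASRealm" appName="other"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
"""

def audit_sso(server_xml):
    """Return {host name: [findings]}; an empty list means SSO can work."""
    root = ET.fromstring(server_xml)
    report = {}
    for engine in root.iter("Engine"):
        engine_realm = engine.find("Realm") is not None
        for host in engine.findall("Host"):
            findings = []
            valves = [v.get("className") for v in host.findall("Valve")]
            if SSO_VALVE not in valves:
                findings.append("missing SingleSignOn valve")
            if not engine_realm and host.find("Realm") is None:
                findings.append("no shared Realm on Host or Engine")
            for ctx in host.findall("Context"):
                if ctx.find("Realm") is not None:
                    findings.append("context %s overrides the Realm" % ctx.get("path"))
            report[host.get("name")] = findings
    return report

if __name__ == "__main__":
    print(audit_sso(SAMPLE_SERVER_XML))
```
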