
I have a service on Tomcat available at the following domains:

sub1.domain1.com
sub2.domain1.com

sub1.domain2.com
sub2.domain2.com

Now I need transparent authorization (Spring Security) for domain1. If a user logs in to sub1.domain1.com, he is authorized on sub2.domain1.com too.

This can be done with Tomcat's setting

sessionCookieDomain=".domain1.com"

But now authorization on sub1.domain2.com doesn't work at all because the JSESSIONID cookie domain is always set to ".domain1.com".

How could I make Tomcat use only the second level of the current domain for the cookies?

Andrey Minogin
  • possible duplicate of [Single Sign On across multiple domains](http://stackoverflow.com/questions/44509/single-sign-on-across-multiple-domains) - The answers to this question describe the (rather complicated) mechanisms that need to be used, and list some existing SSO technologies that will do the job. – Stephen C May 26 '11 at 12:01

1 Answer

The simple answer is that there is no simple answer. Essentially you need a primary login site, and a scheme whereby secondary sites get to set cookies for their domain that clone the primary site's session token. Implementing this is complicated.

Two possible SSO technologies are Shibboleth and JASIG CAS.

For more details, refer to the answers to Single Sign On across multiple domains.

What if I somehow overload cookie creation and set .domain1.com and .domain2.com where required?

If foo.domain1.com tries to set a cookie with path .domain2.com or anything.domain2.com, the browser will ignore it for security reasons. You have to go through a complex dance of redirections to set the cookies on both domains. Read the question / answers I linked to (above) for more details.

Stephen C
  • What if I somehow overload cookie creation and set .domain1.com and .domain2.com where required? – Andrey Minogin May 26 '11 at 16:20
  • I don't need transparent authorization for all the domains. Users from domain1 cannot go to domain2. But I need SSO across all the domain1 subdomains and all the domain2 subdomains separately. – Andrey Minogin May 28 '11 at 20:00
  • @Andrey - it sounds like you just need to set the `sessionCookieDomain` attribute differently in each webapp's context.xml. – Stephen C May 29 '11 at 03:03
  • The problem is that there is only one webapp but it uses different domains. It's a kind of multi-tenant (SAAS) application. – Andrey Minogin May 29 '11 at 08:10
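As an added example (not code from the question or the answer), here is the Host-to-cookie-Domain mapping that a per-tenant session filter for the single multi-tenant webapp described in the last comment would need, since the thread establishes that Tomcat's `sessionCookieDomain` is fixed per context rather than per request. It is written in Python for brevity and assumes a fixed tenant registry (constructed here as domain1.com and domain2.com); any Host value outside that registry, including lookalikes, maps to no Domain attribute at all, so a forged Host header cannot widen the cookie's scope.

```python
import re

# Constructed tenant registry for the scenario in the question: the base domains
# the single webapp serves. Only these can ever become a cookie Domain.
TENANT_DOMAINS = frozenset({"domain1.com", "domain2.com"})

# Plain DNS hostname: letters, digits and hyphens, labels separated by dots.
_HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


def cookie_domain_for(host_header: str, tenants=TENANT_DOMAINS):
    """Map a request's Host header to the tenant cookie Domain, or None.

    Returns ".domain1.com" style values (the form the question's
    sessionCookieDomain setting uses) only when the host is a tenant domain
    or a subdomain of one. Lookalikes such as "domain1.com.evil.example" or
    "xdomain1.com", IP literals and unknown hosts yield None so the caller
    falls back to a host-only cookie instead of guessing a scope.
    """
    host = host_header.strip().lower().rstrip(".")
    if host.startswith("["):          # IPv6 literal can never be a tenant domain
        return None
    host = host.split(":", 1)[0]      # drop an explicit port
    if not _HOST_RE.match(host):
        return None
    for tenant in tenants:
        # The "." prefix is what rejects "xdomain1.com" while accepting "sub1.domain1.com".
        if host == tenant or host.endswith("." + tenant):
            return "." + tenant
    return None


def session_cookie_header(session_id: str, host_header: str) -> str:
    """Build the Set-Cookie value such a per-tenant filter would emit for JSESSIONID."""
    attrs = [f"JSESSIONID={session_id}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    domain = cookie_domain_for(host_header)
    if domain is not None:
        attrs.insert(1, f"Domain={domain}")
    return "; ".join(attrs)
```

Whatever component ends up issuing the cookie (a filter, a valve, or the login controller), it should look up the tenant from a registry like this rather than trusting the Host header's own second-level label.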