I have set up my two applications in a single Tomcat instance using the procedure described in Can I SSO between multiple Wars in the same servlet with Stormpath and Apache Shiro?
Both of the WARs run fine individually with the users registered in the Stormpath directory. But when I link the two applications and log in successfully to WAR A, I am still redirected to the login page of WAR B and I need to log in again. I also see that the JSESSIONID is different on the login page of WAR A and WAR B. So somehow the two applications are not getting linked.
Shiro has a session mechanism which allows clustering. See http://shiro.apache.org/session-management.html#SessionManagement-SessionClustering
Shiro also has an extension, buji-pac4j (https://github.com/bujiio/buji-pac4j), whose new version (1.4.0) has support for Stormpath.
So using both will help you achieve SSO with Stormpath.
We use Apache Shiro to provide security for 4 applications running within one Tomcat instance. They are deployed as 4 WARs, with all the Shiro config and security in a 5th WAR.
In order to provide SSO across these applications, we've configured ehCache to share sessions between all 5 web apps (the original intention was to use multiple containers, but this never happened).
The problem we are facing is that in sharing the sessions across the apps, we are also sharing all object data placed into the session. This is a problem because the apps have different dependencies and hence different classpaths, leading to ClassNotFoundExceptions. I think I'm right in saying that by default in a Tomcat container each WAR would have a separate session and so this would not be a problem, but then we would not be able to share the Shiro user data!
So my question is this: Is it possible to have separate Shiro and Container sessions? This would allow the desired outcome i.e. any login data that Shiro uses would be placed into the 'Shiro' session and shared across the multiple apps, while the Container sessions would be separate for each app and therefore no data would be shared between them.
Shiro needs to run in each container. Then those containers need to share the Shiro session. https://shiro.apache.org/session-management.html#session-storage
You could do this using the container's session sharing capabilities or with Shiro's.
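Both of the Shiro answers above (the clustering pointer for the two Stormpath WARs and the session-storage pointer for the four-WAR setup) come down to the same wiring: every WAR must resolve the same session cookie against the same session store. The following is an added example, not code from either answer or from the Shiro project. It builds a Shiro `WebSecurityManager` programmatically; the cookie name, the cache name, the EhCache configuration file and the `Realm` passed in are assumptions, and each WAR is assumed to install the returned manager through its own Shiro `WebEnvironment` (not shown).

```java
// Added example: a factory for a Shiro WebSecurityManager that every WAR in
// one Tomcat instance can use so that they share native Shiro sessions.
import org.apache.shiro.cache.ehcache.EhCacheManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

public final class SharedShiroSessions {

    // Every WAR must use the same cookie name and the same cache name;
    // otherwise WAR B never looks up the session WAR A created. Both assumed.
    static final String COOKIE_NAME = "SSOSESSIONID";
    static final String SESSION_CACHE_NAME = "shiro-sso-activeSessions";
    // Assumed EhCache config; it has to be the same file (or an equivalently
    // replicated cache) in every WAR, otherwise each WAR gets a private store.
    static final String EHCACHE_CONFIG = "classpath:shiro-sso-ehcache.xml";

    private SharedShiroSessions() {
    }

    /** Builds the security manager; the realm (Stormpath, JDBC, ...) is supplied by the caller. */
    public static DefaultWebSecurityManager buildSecurityManager(Realm realm) {
        // Cookie path "/" instead of Shiro's default, which is the WAR's own
        // context path. With a per-context path the browser never sends WAR A's
        // cookie to WAR B, which is exactly the "different id on each login
        // page" symptom.
        SimpleCookie cookie = new SimpleCookie(COOKIE_NAME);
        cookie.setPath("/");
        cookie.setHttpOnly(true);
        cookie.setSecure(true); // assumes both WARs are served over HTTPS

        // Native Shiro sessions (independent of the container's HttpSession),
        // persisted through the cache-backed DAO.
        EnterpriseCacheSessionDAO sessionDAO = new EnterpriseCacheSessionDAO();
        sessionDAO.setActiveSessionsCacheName(SESSION_CACHE_NAME);

        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        sessionManager.setSessionIdCookie(cookie);
        sessionManager.setSessionIdUrlRewritingEnabled(false); // keep ids out of URLs
        sessionManager.setSessionDAO(sessionDAO);
        sessionManager.setGlobalSessionTimeout(30L * 60L * 1000L); // 30 minutes

        EhCacheManager cacheManager = new EhCacheManager();
        cacheManager.setCacheManagerConfigFile(EHCACHE_CONFIG);

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setSessionManager(sessionManager);
        // Shiro pushes the cache manager down to the session DAO for us.
        securityManager.setCacheManager(cacheManager);
        securityManager.setRealm(realm);
        return securityManager;
    }
}
```

Two things to check when deploying this. First, inside a request handled by Shiro's filter, `HttpServletRequest.getSession()` is wrapped and returns the Shiro session, so anything the applications put into the "container" session also ends up in the shared store; that is the source of the ClassNotFoundExceptions described above, and the practical rule is that only serializable classes visible to every WAR (for example from Tomcat's shared `lib`) may be stored there. Second, a shared session store means that a logout in one WAR must invalidate the Shiro session, not merely clear a local cookie, or the other WARs keep treating the user as authenticated.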
We want to realize an SSO infrastructure with some IBM Domino / WebSphere products and one custom web application. All IBM products are configured for SSO. Therefore, the WebSphere Application Server 8 generates an LTPAToken2 after successful login in one of the IBM products. We want to achieve the same behaviour for our own custom web application. After login into this web app, an LTPAToken2 should be generated.
Therefore my question: Is it possible to generate a valid LTPAToken2 in our custom web application? Or maybe, is it possible to use the WebSphere Application Server APIs for this generation? Which steps would be necessary to achieve this? At the moment, our custom web application is not hosted in a WAS, but on a Tomcat.
Thanks and best regards
Ben
As long as you have your application hosted on a Tomcat server that is not possible. There is no open API from IBM for creating LTPA tokens.
If you had the same user directory and used standard Java security mechanisms, you could move your application to WAS, where SSO is configured. Not only would it be possible, your LTPA tokens would be created on login to your web application without any further configuration.
As it seems you have a solution with two different user directories, sharing the same user id but not the password, you need to take other measures to achieve SSO.
One is to have access manager software which handles login for all your applications.
A second solution is to write some custom code. Login to the Tomcat server could generate a custom cookie. You need to write code to generate this cookie. Then you can write a TAI to intercept it on the WebSphere server, thus accepting the login. The TAI would be configured in the container rather than in a separate application itself. (example)
I also assume you could solve this by writing servlet filters to handle the login, rather than a TAI.
If your Tomcat app is on the same domain as (one of) the WebSphere servers, and the Tomcat server has network access to the WebSphere instance, you could have a servlet in your Tomcat app accept credentials on its request and pass them in an outbound http request to something like /<secured app>/j_security_check on the WAS instance, record the LtpaToken2 if successful and then add a cookie with its value in the servlet response on Tomcat.
As long as the two servers are on the same domain the browser will send the cookie back if the Tomcat app links/redirects the user to a secured URI on the WAS app, and you have SSO.
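The bridge described in this answer, as an added example rather than code from the answer or from IBM: a servlet on Tomcat that takes the user's credentials, posts them to WAS form login, and copies the resulting `LtpaToken2` cookie into its own response. The WAS URL, the shared parent domain, the landing page and the cookie name used by WAS are assumptions; the servlet must itself be served over TLS, since it handles passwords and issues a bearer cookie.

```java
// Added example: Tomcat servlet that obtains an LtpaToken2 from WAS form login
// on the user's behalf and hands it to the browser for the shared domain.
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LtpaBridgeServlet extends HttpServlet {

    // Assumed: a form-login secured app on the WAS instance, and the parent
    // domain both servers share (outside it the browser never sends the cookie).
    static final String WAS_LOGIN_URL = "https://was.example.com/securedapp/j_security_check";
    static final String SHARED_DOMAIN = ".example.com";
    static final String LTPA_COOKIE = "LtpaToken2";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("j_username");
        String pass = req.getParameter("j_password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        String token = loginToWas(user, pass);
        if (token == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Cookie ltpa = new Cookie(LTPA_COOKIE, token);
        ltpa.setDomain(SHARED_DOMAIN);
        ltpa.setPath("/");
        ltpa.setSecure(true);   // the token is a bearer credential: HTTPS only
        ltpa.setHttpOnly(true);
        resp.addCookie(ltpa);
        resp.sendRedirect(req.getContextPath() + "/home"); // assumed landing page
    }

    /** Posts the credentials to WAS form login; returns the LtpaToken2 value or null. */
    static String loginToWas(String user, String pass) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(WAS_LOGIN_URL).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(10000);
        // j_security_check answers with a redirect whether login succeeded or
        // failed; the difference is the Set-Cookie header, so do not follow it.
        conn.setInstanceFollowRedirects(false);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String body = "j_username=" + URLEncoder.encode(user, "UTF-8")
                + "&j_password=" + URLEncoder.encode(pass, "UTF-8");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        conn.getResponseCode(); // forces the exchange so the headers are available
        return extractCookie(conn.getHeaderFields(), LTPA_COOKIE);
    }

    /** Finds one cookie's value among the Set-Cookie headers of a response. */
    static String extractCookie(Map<String, List<String>> headers, String name) {
        String prefix = name + "=";
        for (Map.Entry<String, List<String>> h : headers.entrySet()) {
            if (h.getKey() == null || !h.getKey().equalsIgnoreCase("Set-Cookie")) {
                continue;
            }
            for (String setCookie : h.getValue()) {
                if (setCookie.startsWith(prefix)) {
                    int end = setCookie.indexOf(';');
                    return end < 0 ? setCookie.substring(prefix.length())
                            : setCookie.substring(prefix.length(), end);
                }
            }
        }
        return null;
    }
}
```

The token value is base64 and can contain `=`; older Tomcat versions quote cookie values containing such characters, so compare the cookie the browser actually receives with the one WAS set before trusting the redirect into the WAS application. Note also that the bridge makes Tomcat a place where WAS passwords are handled in clear, so it deserves the same logging and rate-limiting care as the WAS login page itself.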
I have the following scenario in my environment:
Tomcat is running as a service on a Windows server.
The service is configured with a domain account, i.e. an Active Directory account.
Now in a Spring controller I need to access a site, and this site is configured with Integrated Security.
So what I want is to access this site using the same credentials as the account running Tomcat. So I believe that I need to access these credentials and pass them to an HTTP client.
Thanks.
There's a number of ways you can integrate a Java application into an Active Directory / Windows Authentication system:
I would start by understanding the Kerberos and NTLM authentication systems (and which apply to your environment) and reading up on the documentation: http://docs.oracle.com/javase/6/docs/technotes/guides/net/http-auth.html
Given you are using Spring already, I would strongly consider using Spring Security, which has NTLM support: http://blog.mediasoft.be/ntlm-with-spring-security-20/
Let's say we deployed two web applications, web application A and web application B, in a Tomcat application server. How do I programmatically sync the session from web application A to web application B? In other words, as soon as the user logs in to web application A, he is already logged in to web application B, and likewise when he logs out.
You may check Sharing session data between contexts HOW-TO to see if it solves your problem.
Is this about authenticating user only once with same username and password for multiple sites?
If so google Single Sign On. There are a number of frameworks out there for doing just that.
Use the single sign on valve.
I have a self-built JSP webapp and at the moment I'm using Tomcat's built-in admin panel to manage user accounts (which are stored in Tomcat's config XML files), but this is limited because I cannot create new accounts from within the web app (e.g. I cannot have a sign-up page) and need to create the accounts manually.
What is the most straight forward way of implementing accounts in a tomcat environment?
dennis
Set up a database realm in Tomcat, either a simple JDBC realm or a DataSource realm that will allow for connection pooling. Then adding users is a very simple CRUD web application, possibly combined with some confirmation emails.
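The "adding users is a simple CRUD web application" part, as an added example that is not from the answer or from the Tomcat project. It assumes a `DataSourceRealm` configured in the webapp's `context.xml` against the JNDI source `jdbc/UserDB` with Tomcat's usual `users(user_name, user_pass)` / `user_roles(user_name, role_name)` tables and a nested `MessageDigestCredentialHandler` (SHA-256, 10000 iterations, 16-byte salt). The sign-up servlet hashes the new password with an identically configured handler, so the realm can verify it later, and inserts user and role in one transaction. It compiles against `catalina.jar` (provided scope), which Tomcat's common class loader makes visible to webapps.

```java
// Added example: self-service sign-up for a Tomcat DataSourceRealm.
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.regex.Pattern;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;
import org.apache.catalina.CredentialHandler;
import org.apache.catalina.realm.MessageDigestCredentialHandler;

public class SignUpServlet extends HttpServlet {

    static final String DATASOURCE_JNDI = "java:comp/env/jdbc/UserDB"; // assumed
    static final String DEFAULT_ROLE = "member";                       // assumed
    static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_.-]{3,32}");

    private DataSource dataSource;
    private CredentialHandler credentialHandler;

    @Override
    public void init() throws ServletException {
        try {
            dataSource = (DataSource) new InitialContext().lookup(DATASOURCE_JNDI);
            credentialHandler = newCredentialHandler();
        } catch (NamingException | NoSuchAlgorithmException e) {
            throw new ServletException(e);
        }
    }

    /** Must match the CredentialHandler settings of the realm, or logins will fail. */
    static MessageDigestCredentialHandler newCredentialHandler() throws NoSuchAlgorithmException {
        MessageDigestCredentialHandler handler = new MessageDigestCredentialHandler();
        handler.setAlgorithm("SHA-256");
        handler.setIterations(10000);
        handler.setSaltLength(16);
        return handler;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || !USERNAME.matcher(user).matches() || pass.length() < 12) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid username or password");
            return;
        }
        try {
            createUser(dataSource, credentialHandler, user, pass, DEFAULT_ROLE);
        } catch (SQLException e) {
            // Duplicate user names surface here through the primary key on user_name.
            resp.sendError(HttpServletResponse.SC_CONFLICT, "could not create account");
            return;
        }
        resp.sendRedirect(req.getContextPath() + "/login.jsp"); // assumed login page
    }

    /** Stores the salted, iterated hash (never the password) and the role atomically. */
    static void createUser(DataSource ds, CredentialHandler handler,
                           String user, String password, String role) throws SQLException {
        String stored = handler.mutate(password); // the form the realm's matches() expects
        try (Connection c = ds.getConnection()) {
            c.setAutoCommit(false);
            try (PreparedStatement u = c.prepareStatement(
                         "INSERT INTO users (user_name, user_pass) VALUES (?, ?)");
                 PreparedStatement r = c.prepareStatement(
                         "INSERT INTO user_roles (user_name, role_name) VALUES (?, ?)")) {
                u.setString(1, user);
                u.setString(2, stored);
                u.executeUpdate();
                r.setString(1, user);
                r.setString(2, role);
                r.executeUpdate();
                c.commit();
            } catch (SQLException e) {
                c.rollback();
                throw e;
            }
        }
    }
}
```

Reusing Tomcat's own `CredentialHandler` rather than reimplementing the hash format keeps the stored value and the realm's verification in lock-step; if the handler settings in `context.xml` change, change `newCredentialHandler()` with them. The prepared statements also keep user-supplied names out of the SQL text, which matters more here than in an internal admin tool because this form is reachable before authentication.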
If you are on Windows (not specified in the question) and want to use a Windows logon to authenticate, you might want to check out JCIFS. JCIFS allows you to obtain the user name of an authenticated Windows logon in Java. It is easy to install and relatively foolproof.
Not for every situation but in windows only environments it can get you up and running quickly.