Single Sign on with Tomcat

I’ve been asked by a client to take a look at integrating two of their applications to use single sign-on. They currently have a “members” area which contains secure web pages for individual clients to see. Typically, each client has their own secure area that no one else can access. This is implemented using BasicAuth in an .htaccess file.
The web application is a Java based (Struts) content management system which uses tomcat’s j_security_check for authentication.
The way that I’ve tried to integrate these two is to convert the Apache security over to Tomcat. This was easy to do. I basically created a new context and moved the content into the appropriate directory. The only thing I needed to do was create the WEB-INF/web.xml directory/file. I needed to tweak the web.xml to restrict files the way I wanted it to. Basically, if someone goes to http://www.example.com/members/ they are forced to log in (Basic authentication for now). There’s an index.jsp file that checks the user name and redirects the client to http://www.example.com/members/”username”/.
Integrating the two webapps was also fairly easy. I needed to move the realm out of each of the contexts and into the host portion of the server.xml file. Basically, this forces all of the contexts in the host to use the same authentication module and thus they can share sessions. The only other thing was to add this…
<Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="0"/>
…inside of the host portion as well.
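As an added illustration (not the configuration from the original post), this is the shape of the Host-level server.xml and the members-area web.xml described above. The realm type, context paths, hostname and role name are assumptions.

```xml
<!-- server.xml: both contexts sit under one Host, so they share one Realm
     and the SingleSignOn valve (realm type and paths are assumed) -->
<Host name="www.example.com" appBase="webapps">

  <!-- Realm moved out of the individual <Context> elements to Host level.
       UserDatabaseRealm reads conf/tomcat-users.xml; any Realm type works,
       but it must be the same one for every context that should share SSO. -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>

  <!-- SSO valve: one successful login covers every context under this Host -->
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="0"/>

  <Context path="/members" docBase="members"/>
  <Context path="/cms" docBase="cms"/>
</Host>

<!-- members/WEB-INF/web.xml: force login for everything under /members/ -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>   <!-- assumed role name -->
    </auth-constraint>
    <user-data-constraint>
      <!-- Basic auth only base64-encodes the password, so require HTTPS -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Members</realm-name>
  </login-config>
  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>
```

The index.jsp redirect can read the authenticated name from request.getRemoteUser(). Note that a single shared role does not by itself stop one member from browsing another member’s directory; that per-client restriction needs its own rules.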
There’s a whole lot more that can be done, but this is great for a start since it only took a few hours to figure out and fix any problems I encountered.