Hi Leo and Subrahmanyam,
> Hi,
>
> > We are using the WebApp model to develop multiple webapps and deploy
> > them in a servlet2.2 container.
> > We would like a single sign-on solution, so that if a user has been
> > authenticated into one webapp, he/she can
> > access the other webapps (all webapps are protected using Form based
> > login) without having to
> > reauthenticate.
>
> - This authentication is valid for a single session.
>
> - Multiple applications deployed on a single web container will have
> multiple sessions established for the same client.
>
> - So, the authentication is valid for a single session of a single
> application.
>
> > My reading of the 2.2 spec indicates that the above is doable. Could
> > someone please confirm ? Also, any
>
> Given the above, this is not automatic.
>
> Any comments?

The specification explicitly states that if the user has authenticated
against one web app, he should not have to authenticate against another
web app deployed in the same web container. A reasonable interpretation
of this (and actually the one that Tomcat takes) is that the previous
statement should hold true while the user has an active HTTP session.
When his last session times out, his next call in should force him to
re-authenticate.

Hope this helps,
- Danny
Danny Coward
Servlet Specification & Web Java
Java Software Group, Sun Microsystems
[EMAIL PROTECTED]
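
The interpretation described in the reply above, as an added example that is not part of the original message and is not Tomcat's code: a simplified model in which one sign-on entry is shared by every web app and is dropped when the last HTTP session tied to it times out. The class, method names, and sample ids are hypothetical and constructed for illustration.

```java
import java.util.*;

// Hypothetical model, not container code: one sign-on entry per user,
// kept alive by the HTTP sessions of every web app that relies on it.
public class SsoRegistryDemo {
    static class Entry {
        final String principal;
        final Set<String> sessions = new HashSet<>();
        Entry(String p) { principal = p; }
    }

    private final Map<String, Entry> bySsoId = new HashMap<>();
    private int counter = 0; // constructed ids; a real container needs unpredictable ones

    // Called once, after a successful form login in any web app.
    String register(String principal, String sessionKey) {
        String ssoId = "sso-" + (++counter);
        Entry e = new Entry(principal);
        e.sessions.add(sessionKey);
        bySsoId.put(ssoId, e);
        return ssoId;
    }

    // Called when a request reaches another web app carrying the sign-on id.
    // Returns the principal, or null when the caller must log in again.
    String reuse(String ssoId, String sessionKey) {
        Entry e = bySsoId.get(ssoId);
        if (e == null) return null;
        e.sessions.add(sessionKey);
        return e.principal;
    }

    // Called when a session times out in any web app.
    void sessionEnded(String ssoId, String sessionKey) {
        Entry e = bySsoId.get(ssoId);
        if (e == null) return;
        e.sessions.remove(sessionKey);
        if (e.sessions.isEmpty()) bySsoId.remove(ssoId); // last session gone
    }

    public static void main(String[] args) {
        SsoRegistryDemo reg = new SsoRegistryDemo();
        String id = reg.register("alice", "/app1:S1");   // form login in /app1
        System.out.println(reg.reuse(id, "/app2:S2"));   // second web app, no new login
        reg.sessionEnded(id, "/app1:S1");                // one session times out
        System.out.println(reg.reuse(id, "/app3:S3"));   // other sessions keep the entry alive
        reg.sessionEnded(id, "/app2:S2");
        reg.sessionEnded(id, "/app3:S3");                // last session times out
        System.out.println(reg.reuse(id, "/app1:S4"));   // entry is gone: re-authenticate
    }
}
```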