-----Original Message-----
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 22, 2001 10:35 AM
To: [EMAIL PROTECTED]
Subject: RE: single login form for single sign on

On Thu, 22 Mar 2001 [EMAIL PROTECTED] wrote:

> > > So in essence the question is: Is there a way to specify a "global" login
> > > and error page that will be used by all webapps?
> > >
> >
> > No. Each web application is still a stand-alone entity.
> >
> > What single sign on support does for you is remember that you've signed on
> > already. You are still using whatever login mechanism is defined for each
> > individual web app. They don't even have to all use the same approach
> > (some could be BASIC, some could be FORM, for example).
> >
>
> What's the thinking behind this? Single sign on would imply having, at least,
> the option of having a single login page, even if an individual web
> application could override the default and provide its own (for instance I
> guess webdav can't use FORM, so would have to override a FORM default to use
> BASIC/DIGEST).
>

The primary thinking behind this is to obey the servlet specification's
requirements :-).

The typical use case is a "portal" site (say, like Yahoo) where there are a
variety of applications that require you to log on before use, mixed in with a
ton of stuff that is available to everyone. Each of the applications has its
own individual look-and-feel (within the broad UI of the entire site), and
doesn't necessarily *want* to have to share a page.

Now, I can go browse around Yahoo to my heart's content. As soon as I access
an app that needs a login, I'm asked to do so (within the context of that
app). To avoid making me unhappy, the site remembers who I am so that when I
switch to a different application that needs login, I go straight to what I
asked for without having to identify myself again.

> Having to define login for each web application:
> 1. provides a maintenance problem if you do want a common login page across
> all webapps

Seems like a simple problem to solve in your build scripts. Copying commonly
used components from a single source repository is quite straightforward.

> 2. begins to enter into "using my password for something I haven't approved
> it to be used for" territory, i.e. the login page says you are logging into
> webapp1, but in fact your login will be used for webapp2. A single login
> page would tell you you are logging into both.
>

So, all you have to do is say so on the login page, and this confusion cannot
happen, right? If you follow the suggestion above and copy the common login
page to each app, you will have certainly done this.

> Hence my initial question - is this just the way it has been done, or does
> the Spec say it must be done that way etc.?
>

http://java.sun.com/products/servlet/download.html

See the "Security" chapter in the Servlet 2.2 spec. You will also want to
review the requirements on servlet contexts (i.e. web applications) and
sessions (scoped to a single web app) that affect application design for
environments like the one discussed above.

> Many thanks
>
> Tim

Craig McClanahan
