Take a look at
http://tp.its.yale.edu/tiki/tiki-index.php?page=CentralAuthenticationService
Tim Funk wrote:
One way to do SSO is to utilize a cookie (let's call it SSO, and to be
really secure - it should only be transferred over https). The
existence of a cookie says the person might be logged in. The value of
the cookie needs to be checked. The value of the cookie should NOT be
the user id. It can be an encrypted form of the user id, or it can be
a token which the web server would use in a hash lookup to get the
real user id. In the case of the hash - you'd need a "service" to
be able to handle maintenance of getting userids/tokens into the hash.
Luckily for you, there are some projects out there that do this.
Google is your friend here.
-Tim
Ben Bookey wrote:
Dear List,
We are using Tomcat 4.1.xx. We are NOT using the built-in security
framework which comes with TC. In the login.jsp page the
user/password is validated by an external organisation-wide process,
which returns simply true or false. If the user is valid, the user is
forwarded to the application JSP pages. The user cannot access the
application pages at will, because the pages check to see if a
particular session flag is checked.
Now my problem. I have been asked to assess if single sign-on (SSO)
could be used to create a URL link to another similar webapp's JSP
page (TC with no security framework), where the user doesn't need to
login for a second time. There is not so much info. about SSO around,
but from what I gather it persists login info. inside a session which
is passed between web applications. My first problem is that "my
application" never knows what the password is. Can anyone see a
possibility of using SSO for me, allowing direct access to another
webapp's JSP page without re-login?
Would really appreciate any help on this. Especially ones with info.
more than simply "No" ;-)
kind regards,
Ben
p.s. might be that the 2nd app has to create a web-service or
something to provide the information for us!!
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]