I have turned on SingleSignOn on my Tomcat 6.0.18 web server. I have two applications running on the server and I would like the user to only have to log in once to have access to either application. I am not sure I fully understand how SingleSignOn should be used. From a user perspective, I would like it so that if a user logs in to the first application, he/she can access the second application without requiring authentication.

I have been able to verify single sign-on. However, my main issue right now is that if a user logs in to the first application, but solely uses the second application, the session that was created while logging in to the first application will eventually expire, and if the user tries to access the first application, he/she will be booted out, even if he/she recently accessed the second application.

I have tried to find a workaround, for instance, forwarding to the second application every time a page from the first application is accessed. Here is a blurb of the code I have added to one of the JSP pages in the second application:

    // Look up the other web application's context; Tomcat returns null here
    // unless this application's <Context> is configured with crossContext="true".
    ServletContext ctx = application.getContext("/app1");
    // Forward the current request to a page inside /app1.
    RequestDispatcher dispatcher = ctx.getRequestDispatcher("/page");
    dispatcher.forward(request, response);

I thought this would prevent the session of the first application from timing out. However, Tomcat does not reuse the session created upon login when forwarding. Instead, it creates another session. This is why eventually the session for the first application will time out. If the user accesses the first application after the session becomes inactive, Tomcat returns a 403 error.

I am wondering if there is anything I could do to ensure that neither of the application sessions would expire if a user accesses either of the applications.

Martin