A customer of mine asked for advice on enabling single sign-on (SSO) across his J2EE applications. Currently they have multiple applications, each running in its own Tomcat server. As usual there is no one-size-fits-all answer.
Solution 0: Do It Yourself
Security is dangerous and only done right by good people. Just kidding...
You SHOULD NOT DO THIS ;-) You will not keep up with new authentication schemes, bug fixes, ...
Solution 1: Non-Clustered SSO:
Deploy all applications within the same Tomcat instance and virtual host.
Pro: You can use Tomcat's built-in SingleSignOn valve, which provides SSO for all applications within its container (they must share the Realm configured on that Host).
Cons: This will not work if the applications are served under different host names, e.g. http://www.one.com and a second domain, because the SSO cookie Tomcat issues is scoped to the host that set it and the browser will not send it to the other one.
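As an added example (not part of the original post), here is a minimal server.xml for this solution with the SingleSignOn valve placed on the virtual host. The host name www.one.com is taken from the text; the realm, ports and application names are assumptions.

```xml
<!-- Added example, not from the original post: container-level SSO for every
     web application deployed under one Host. Ports, the realm and the
     application names (app1.war, app2.war in webapps/) are assumptions. -->
<Server port="8005" shutdown="SHUTDOWN">
  <!-- Initialises the UserDatabase resource below (Tomcat's default realm backing) -->
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Engine name="Catalina" defaultHost="www.one.com">
      <Host name="www.one.com" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <!-- All applications on this Host must share one Realm: the SSO valve
             reuses the Principal from the first successful login, so the user
             has to exist here, not in a per-application realm. -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" />
        <!-- After /app1 authenticates the user, Tomcat sets a JSESSIONIDSSO
             cookie and /app2 receives the same Principal without prompting
             again. The cookie is bound to www.one.com, so an application on a
             second host name, or on a second Tomcat, is not covered. -->
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
      </Host>
    </Engine>
  </Service>
</Server>
```

Each application still declares its own security-constraint and login-config in its web.xml; the valve only means that a user already authenticated by one application is not prompted again by the next. Two consequences worth knowing: the user must exist in the Realm shared by all applications on the Host, and logging out of (invalidating the session of) one application logs the user out of all of them.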
Solution 2: Clustered SSO:
This would allow SSO across several Tomcat instances or virtual hosts, for example a cluster of nodes behind one load balancer. Tomcat itself did not implement it, but JBoss extended Tomcat's SingleSignOn valve into a clustered version that keeps the SSO state in its TreeCache, so a login on one node is recognised by the others:
    <Valve className="org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn"
           treeCacheName="jboss.cache:service=TomcatClusteringCache" debug="0" />
Note that the browser still has to present the same SSO cookie to every node, so the nodes must be reachable under the same host name (or the cookie must be issued for a domain they all share); replicating the SSO state does not by itself bridge unrelated DNS domains.
Related: you might also want to look at session replication, or at how to direct traffic to the correct server (sticky sessions on the load balancer).
Pro: Adds redundancy; a node can fail without forcing users to log in again.
Cons: complex; not really supported by Tomcat itself; not well documented; and clustering is not easy for Tomcats in different locations or at different ISPs, since the cache replication needs a reliable, low-latency link between the nodes.
Solution 3: Tomcat behind a web proxy
In this case a web proxy (for instance Apache httpd) handles the authentication and passes the authenticated user name on to Tomcat as REMOTE_USER, so that the servlet only has to read it (request.getRemoteUser()) instead of authenticating the user itself.
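As an added example (not part of the original post), here is the Tomcat side of this setup, with the weak configuration beside the hardened one. The Apache front end protects the application with AuthType, AuthUserFile and Require valid-user and forwards it over AJP with mod_proxy_ajp (ProxyPass /app ajp://127.0.0.1:8009/app), which carries REMOTE_USER to Tomcat. Ports, the proxy address and the application name /app are assumptions.

```xml
<!-- Added example, not from the original post. Two alternative <Service>
     fragments for server.xml; use one or the other, not both. Ports and the
     loopback proxy address are assumptions for illustration. -->

<!-- WEAK: Tomcat trusts the user name from any AJP client, the AJP port is
     reachable from every interface, and the plain HTTP connector is still
     open. Anyone who can reach 8009 can speak AJP and supply an arbitrary
     REMOTE_USER, and anyone who can reach 8080 skips the proxy's login
     altogether. -->
<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" />
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>

<!-- HARDENED: only the AJP connector remains and it is bound to the loopback
     address, so only the proxy on the same machine can talk to it.
     tomcatAuthentication="false" is still required: with the default (true)
     Tomcat ignores the proxy's user name and request.getRemoteUser() is null. -->
<Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             tomcatAuthentication="false" />
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
```

If the proxy runs on another machine, bind the connector to the internal interface and firewall port 8009 to the proxy's address; on Tomcat 7 and later the AJP connector also accepts a shared secret (requiredSecret, later renamed secret) that the proxy must present. Inside the application, treat a null remote user as unauthenticated and reject the request rather than assuming the proxy was in the path.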
Pro: Removes the need for clustering and for doing your own authentication; every application behind the proxy sees the same user name.
Cons: users are managed outside the applications; the proxy becomes a new critical component (if it is down, no site is available); and routing traffic over the internet is not advised, since the proxy sits at one location and has to fetch content from applications hosted elsewhere. Tomcat must also be configured to trust the user name the proxy sends, and the connector it listens on must be reachable from the proxy only, otherwise anyone can bypass the proxy and present a forged user name to Tomcat directly.
Solution 4: Tomcat with agents of a dedicated SSO solution
Every large vendor has started to create its own SSO solution. In essence it usually consists of a dedicated authentication application with plugins for multiple authentication schemes, which creates and tracks sessions and has a slick UI for managing rules and users; each protected application runs a small agent that defers to it.
Pro: if you are familiar with servlet filters and deploying WAR files, most things should work out of the box, since the agent is typically a filter or valve you drop into each application.
Cons: vendor lock-in; well, not quite, but you are installing agents in every application and become dependent on the API the vendor provides. So choose wisely.