Just Enough Developed Infrastructure

Single Sign On (SSO) for Tomcat

Are customer of mine asked advice to enable single-sign-on in his J2EE application. Currently they have multiple applications running in their own tomcat server. As usual there is no one size fits all.


Solution 0: Do It Yourself

Security is dangers and only done right by good people . Just kidding....
You SHOULD NOT DO THIS ;-) You will not keep up with new authentication schemes, bugs ...

Solution 1: Non-Clustered SSO:
 Deploy all applications within the same Tomcat/ Virtual host

  • Tomcat 4.x:
  • Tomcat 5.x
(cfr. http://wiki.jboss.org/wiki/SingleSignOn)

Pro: You can use the Tomcat internal mechanism that allows SSO for all applications within it's container

Cons: This might not work if these applications share different domains (http://www.one.com, http://www.two.com)



Solution 2: Clustered SSO:

This would allow you to do clustering over different domains or different Tomcats. But it seems that Tomcat itself did not implement it, but Jboss extended it .
<Valve className="org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn"<br />              treeCacheName="jboss.cache:service=TomcatClusteringCache" debug="0 >
Related you might want to have a look at session replication, or how to direct the traffic to the correct server:
Pro: Add additional redundancy
Cons: complex not really supported in Tomcat itself,not well documented, Clustering is not easy for tomcats in different locations/ISP's.

Solution 3: Tomcat behind a webproxy
In this case a web proxy  f.i. apache) will handle the authentication and passes remote_user environment variable to the servlet so that it can check the username once authenticated.

Pro: Removes the need for clustering of doing your own authentication
Cons: users are managed elsewhere, a new critical component (if proxy is down, no site is available), routing traffic over the internet is not adviced: A proxy will be at one location and needs to fetch data from another application

Solution 4: Tomcat with agents of a dedicated SSO solution
Every large vendor has started to create it's own SSO solution. In essence it often consists of a dedicated application for authentication which has multiple plugins for authentication schemas and allows you to create sessions and has a slick UI for managing rules and users.

Pro: if you are familiar with filters and deploying war files most things should come out of the box.
Cons: vendor lock in; well not really but you are installing agents and become dependent on the API provide. So choose wise.