Single Sign On (SSO) for Tomcat
Solution 0: Do It Yourself
Security is dangers and only done right by good people . Just kidding....
You SHOULD NOT DO THIS ;-) You will not keep up with new authentication schemes, bugs ...
Solution 1: Non-Clustered SSO:
Deploy all applications within the same Tomcat/ Virtual host
- Tomcat 4.x:
- Tomcat 5.x
Pro: You can use the Tomcat internal mechanism that allows SSO for all applications within it's container
Cons: This might not work if these applications share different domains (http://www.one.com, http://www.two.com)
Solution 2: Clustered SSO:
This would allow you to do clustering over different domains or different Tomcats. But it seems that Tomcat itself did not implement it, but Jboss extended it .
<Valve className="org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn"<br /> treeCacheName="jboss.cache:service=TomcatClusteringCache" debug="0 >Related you might want to have a look at session replication, or how to direct the traffic to the correct server:
- Tomcat 6: http://tomcat.apache.org/tomcat-6.0-doc/cluster-howto.html
- Tomcat 5: http://www.onjava.com/pub/a/onjava/2004/12/15/replication2.html
- http://tomcat.apache.org/connectors-doc/ -> mod_jk -> Sticky Ness ( session replication)
It seems work is still going on: "org.apache.catalina.ha.authenticator.ClusterSingleSignOn"
- google of summer code (2006): http://fabien.carrion.free.fr/TomcatCluster.html
Cons: complex not really supported in Tomcat itself,not well documented, Clustering is not easy for tomcats in different locations/ISP's.
Solution 3: Tomcat behind a webproxy
In this case a web proxy f.i. apache) will handle the authentication and passes remote_user environment variable to the servlet so that it can check the username once authenticated.
Pro: Removes the need for clustering of doing your own authentication
Cons: users are managed elsewhere, a new critical component (if proxy is down, no site is available), routing traffic over the internet is not adviced: A proxy will be at one location and needs to fetch data from another application
Solution 4: Tomcat with agents of a dedicated SSO solution
Every large vendor has started to create it's own SSO solution. In essence it often consists of a dedicated application for authentication which has multiple plugins for authentication schemas and allows you to create sessions and has a slick UI for managing rules and users.
Pro: if you are familiar with filters and deploying war files most things should come out of the box.
Cons: vendor lock in; well not really but you are installing agents and become dependent on the API provide. So choose wise.
- Josso: http://www.josso.org/confluence/display/JOSSO1/JOSSO+-+Java+Open+Single+Sign-On+Project+Home
- Open SSO: http://blogs.sun.com/superpat/entry/opensso_on_tomcat_in_ubuntu
- Novel, JBoss, Oracle, Atlassia, ...