Configuring Tomcat for Single Sign On Support


In many large web sites, it is desireable to recognize an authenticated user the first time that he or she tries to access a protected area in any web application, and then recognize that authenticated user across other web applications in the same environment without requiring the user to log in again. Tomcat supports that capability if it is configured as described in this document.

Configuration Requirements

To successfully configure Tomcat for "single sign on" support, the following requirements must be taken into account:

  • All clients that intend to utilize "single sign on" support must provide support for cookies, which are used to maintain the user identity across web applications.
  • As implemented in Tomcat, the scope of "single sign on" support is the entire set of web applications registered with a single virtual host.
The system administrator must configure the $CATALINA_HOME/conf/server.xml file as follows to enable "single sign on" support:
  • At the or level, configure a element that defines the database of valid users and their corresponding roles. In the default configuration shipped with Tomcat, this is done at the Engine level.
  • You MUST NOT configure a element inside one of the elements describing the web applications associated with this virtual host.
  • Nested inside the element, you must include the following element:
  • Each web application that wishes to operate under the "single signon support" environment should define appropriate and elements. The former elements are used to identify portions of the application's URI space that are to require user authentication, and the latter element is used if this application is the first one accessed by the user that requires the user to log in.
  • There are no restrictions on different web applications utilizing different authentication methods.

Security Considerations

Because the "single signon support" implementation utilizes cookies to maintain use identity across applications, the same risks of information exposure apply here as when cookies are used to maintain session identity within a single web application. If you are concerned that attackers may try to impersonate an ongoing session, you should run across a secure network connection (such as an SSL connection using the https protocol).

More Here