Discussion:
Does SingleSignOn valve work for web apps deployed inside an .ear file?
Luis Rodríguez Fernández
2018-10-03 16:37:21 UTC
Hello there,

OS Version: CentOS Linux release 7.5.1804 (Core) 3.10.0-862.11.6.el7.x86_64
Server version: Apache Tomcat/8.5.32 (TomEE 7.0.5)

I am deploying a (huge, sigh...) .ear file with multiple .war applications
on it. I was wondering if the good and old
"org.apache.catalina.authenticator.SingleSignOn" valve would work with them.

For the deployment I am copying the .ear file in an "apps" folder inside my
$CATALINA_BASE. My conf/tomee.xml looks like:

<tomee>
<!-- activate next line to be able to deploy applications in apps -->
<Deployments dir="apps" autoDeploy="true"/>
</tomee>

Any thoughts on this?

Thanks in advance,

Luis
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
Romain Manni-Bucau
2018-10-03 16:38:43 UTC
Hi Luis,

yes, it relies on "local" storage across webapps so it works.

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>
Luis Rodríguez Fernández
2018-10-03 16:55:35 UTC
Hi Romain,

Wow, that was fast, thanks!

Well, probably I am taking it too far away. I am testing it together with
another SSO valve, org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve
[1]. My idea would be that once the user is authenticated by our SSO and
his/her java.security.Principal object is created, the next requests for
protected resources will not trigger the SSO authentication.

Just for the record: that keycloak valve works, but my problem is that one
of the modules declares <context-root>/</context-root> and has some
resources (/res, /Info, /search, etc.) that are shared with the rest of
the modules. Short-long-story: a good mess :)

Thanks for your prompt reaction!

Cheers,

Luis

[1]
https://www.keycloak.org/docs/latest/securing_apps/index.html#_saml-tomcat-adapter
Luis Rodríguez Fernández
2018-10-09 13:29:32 UTC
Hi Romain,

Just for the completeness of the exercise I did test the SSO valve with two
web modules in an .ear file using <auth-method>FORM</auth-method> and it
works, great!

Thanks again.

Cheers,

Luis
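
An added configuration sketch of the setup confirmed in this thread (it is not taken from the posts): the SingleSignOn valve nested in the Host of conf/server.xml, and the FORM login that each .war module in the .ear declares. The realm, host name, URL pattern, role name and login page names are assumptions chosen for illustration.

```xml
<!-- conf/server.xml (fragment). The valve is nested in the Host, so all web
     applications of that virtual host share one SSO session. -->
<Engine name="Catalina" defaultHost="localhost">
  <!-- Every application behind the valve must authenticate against the same
       Realm, so it is declared on the Engine (or Host), not inside a Context.
       UserDatabaseRealm is an assumed choice. -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
  <Host name="localhost" appBase="webapps">
    <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
  </Host>
</Engine>

<!-- WEB-INF/web.xml of each .war module in the .ear (fragment).
     /secure/*, the "user" role and the page names are constructed values. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>user</role-name>
</security-role>
```

The valve tracks the shared login with a cookie, so clients must accept cookies, and invalidating the session in one module logs the user out of every module behind the valve.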






