NonStop Servlets for JavaServer Pages (NSJSP) 6.0 System Administrator's Guide
Configuring NSJSP
NonStop Servlets for JavaServer Pages (NSJSP) 6.0 System Administrator’s Guide—544548-004
3-41
Configuring Single Sign-On Support
3. For each web application you operate under the single sign-on support environment, define the appropriate <security-constraint> and <login-config> elements in the web.xml of the web application. The <security-constraint> elements identify the portions of the application's URI space that require user authentication, and the <login-config> element is used if this application is the first one accessed by the user that requires the user to log in. There are no restrictions on different web applications using different authentication methods.
The single sign-on facility operates according to these rules:
- All web applications configured for this virtual host must share the same Realm. You can nest the <Realm> element inside this <Host> element (or the surrounding <Engine> element), but not within a <Context> element for one of the involved web applications.
- As long as you access unprotected resources in any of the web applications on this virtual host, you will not be challenged to authenticate yourself.
- As soon as you access a protected resource in any web application associated with this virtual host, you will be challenged to authenticate yourself, using the login method defined for the web application currently being accessed.
- Once authenticated, the roles associated with you will be used for access control decisions across all the associated web applications, without challenging you to authenticate yourself to each application individually.
- As soon as you log out of one web application (for example, by invalidating or timing out the corresponding session if FORM-based login is used), your sessions in all web applications are invalidated. Any subsequent attempt to access a protected resource in any application requires you to authenticate yourself again.
- The single sign-on feature uses HTTP cookies to transmit a token that associates each request with the saved user identity, so it can only be used in client environments that support cookies.
- The single sign-on feature uses HTTP sessions and depends on the session timeout value (the default duration is 30 minutes).
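The first rule above (one shared Realm, placed in <Host> or <Engine> rather than in a <Context>) is easiest to see in a server.xml fragment. The following is an added example, not a configuration taken from the guide or shipped with NSJSP: the host name, application paths and the UserDatabaseRealm are placeholders, and the SingleSignOn valve class name is the standard Tomcat one, assumed here to be the valve the earlier single sign-on setup steps enable.

```xml
<!-- Added example (not from the NSJSP guide). Host name, application
     paths and Realm type are placeholders; the valve and Realm class
     names are the standard Tomcat ones and are assumed to apply. -->
<Engine name="Catalina" defaultHost="www.example.com">
  <Host name="www.example.com" appBase="webapps">

    <!-- The shared Realm for every web application on this host.
         It belongs here (or one level up, in <Engine>); placing it
         inside one application's <Context> breaks the rule that all
         participating applications share the same Realm. -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>

    <!-- Single sign-on valve: issues the cookie-borne token that links
         each request to the saved user identity across contexts. -->
    <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>

    <!-- Participating applications: no <Realm> element inside either. -->
    <Context path="/orders"  docBase="orders"/>
    <Context path="/reports" docBase="reports"/>
  </Host>
</Engine>
```

A quick check after editing: if either <Context> still carries its own <Realm>, users authenticated through one application are not recognised by the other, which shows up as a second login challenge rather than as an error in the logs.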
Security Considerations
Because the single sign-on support implementation uses cookies to maintain user identity across applications, the same risks of information exposure apply here as when cookies are used to maintain session identity within a single web application. If you are concerned that attackers may try to impersonate an ongoing session, you must run your applications across a secure network connection (such as an SSL connection using the HTTPS protocol).
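The web.xml elements that step 3 calls for, together with the transport requirement from Security Considerations, are shown below as one added example; it is not taken from the guide or from NSJSP. The role name, URL patterns and login page names are placeholders, and the application uses FORM login while another application on the same host could equally use BASIC.

```xml
<!-- Added example (not from the NSJSP guide). Role name, URL patterns
     and page names are placeholders. -->
<web-app>

  <!-- Only /secure/* requires authentication; every other URI in this
       application is served without a login challenge. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL forces HTTPS for the protected resources, so the
         session and single sign-on cookies are not sent in clear text
         on these requests. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Consulted only when this is the first application on the host
       that challenges the user; afterwards the single sign-on token
       satisfies the other applications' constraints. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>manager</role-name>
  </security-role>

</web-app>
```

One caveat when relying on <transport-guarantee>: it applies only to the URL patterns inside that <security-constraint>, while the single sign-on cookie is presented on every request to the virtual host, including unprotected ones. To meet the guide's recommendation that sessions cannot be impersonated on the wire, serve the whole host over HTTPS rather than only the protected paths.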