NonStop Servlets for JavaServer Pages (NSJSP) 5.0 System Administrator's Guide
Configuring NSJSP
NonStop Servlets for JavaServer Pages (NSJSP) System Administrator’s Guide—525644-003
Configuring Single Sign-On Support
3. For each web application that you need to operate under the single sign-on
support environment, define appropriate <security-constraint> and
<login-config> elements in the web application’s web.xml. The
<security-constraint> elements identify the portions of the application's URI
space that require user authentication, and the <login-config> element is used
if this application is the first one the user accesses that requires a login.
Different web applications may use different authentication methods.
The single sign-on facility operates according to these rules:
• All web applications configured for this virtual host must share the same Realm. In
  practice, that means you can nest the <Realm> element inside this <Host>
  element (or the surrounding <Engine> element), but not inside a <Context>
  element for one of the involved web applications.
• As long as you access only unprotected resources in any of the web applications
  on this virtual host, you will not be challenged to authenticate yourself.
• As soon as you access a protected resource in any web application associated
  with this virtual host, you will be challenged to authenticate yourself, using the login
  method defined for the web application currently being accessed.
• Once authenticated, the roles associated with you will be used for access control
  decisions across all of the associated web applications, without challenging you to
  authenticate yourself to each application individually.
• As soon as you log out of one web application (for example, by invalidating or
  timing out the corresponding session if FORM-based login is used), your sessions
  in all web applications are invalidated. Any subsequent attempt to access a
  protected resource in any application requires you to authenticate yourself again.
• The single sign-on feature uses HTTP cookies to transmit a token that associates
  each request with the saved user identity, so it can only be utilized in client
  environments that support cookies.
• The single sign-on feature uses HTTP sessions so it also depends on the session
  timeout value (default is 30 minutes).
Example 3-31. Configuring Single Sign-On Support
<Host name="localhost" ...>
  ...
  <Valve className="org.apache.catalina.authenticator.SingleSignOn"
         debug="0"/>
  ...
</Host>










