NonStop Servlets for JavaServer Pages (5.0) System Administrator's Guide

Configuring NSJSP
NonStop Servlets for JavaServer Pages (NSJSP) System Administrator’s Guide525644-002
3-48
Configuring Single Sign-On Support
The single sign-on facility operates according to the following rules:
• All web applications configured for this virtual host must share the same Realm. In practice, that means you can nest the <Realm> element inside this <Host> element (or the surrounding <Engine> element), but not inside a <Context> element for one of the involved web applications.
• As long as you access only unprotected resources in any of the web applications on this virtual host, you will not be challenged to authenticate yourself.
• As soon as you access a protected resource in any web application associated with this virtual host, you will be challenged to authenticate yourself, using the login method defined for the web application currently being accessed.
• Once authenticated, the roles associated with you will be used for access control decisions across all of the associated web applications, without challenging you to authenticate yourself to each application individually.
• As soon as you log out of one web application (for example, by invalidating or timing out the corresponding session if FORM-based login is used), your sessions in all web applications are invalidated. Any subsequent attempt to access a protected resource in any application requires you to authenticate yourself again.
• The single sign-on feature uses HTTP cookies to transmit a token that associates each request with the saved user identity, so it can only be utilized in client environments that support cookies.
• The single sign-on feature uses HTTP sessions, so it also depends on the session timeout value (default is 30 minutes).
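The following server.xml fragment is an added example, not text from the NSJSP manual. It shows the first rule above in configuration form: the <Realm> sits at <Host> level so that both contexts share it, and the single sign-on valve is enabled for the host. The valve and realm class names are the standard Tomcat ones (org.apache.catalina.authenticator.SingleSignOn and org.apache.catalina.realm.MemoryRealm); that NSJSP accepts them unchanged, and the host name, application paths and user file path, are assumptions for illustration.

```xml
<!-- Added example (not from the NSJSP manual). Class names are Tomcat's; host and paths are placeholders. -->
<Engine name="Catalina" defaultHost="localhost">

  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">

    <!-- Enables single sign-on for every web application deployed on this host.
         In Tomcat this valve issues the JSESSIONIDSSO cookie that carries the SSO token. -->
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />

    <!-- One Realm for the whole host. Placing it here (or in <Engine>) satisfies the
         "same Realm" rule; placing it inside either <Context> below would break SSO. -->
    <Realm className="org.apache.catalina.realm.MemoryRealm"
           pathname="conf/tomcat-users.xml" />

    <!-- Two applications that will share the authenticated identity. Each may still
         declare its own login method (BASIC, FORM, ...) in its web.xml; the method of the
         application first accessed is the one the user is challenged with. -->
    <Context path="/orders"   docBase="orders"   reloadable="false" />
    <Context path="/reports"  docBase="reports"  reloadable="false" />

  </Host>
</Engine>
```

Because the Realm is resolved once per host, the role names used in the <security-constraint> elements of both applications must come from that single user store; an application-private Realm inside a <Context> would cause the sign-on valve to be unable to reuse the saved principal.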
Security Considerations
Because the single sign-on support implementation uses cookies to maintain user
identity across applications, the same risks of information exposure apply here as
when cookies are used to maintain session identity within a single web application. If
you are concerned that attackers may try to impersonate an ongoing session, you
should run your applications across a secure network connection (such as an SSL
connection using the HTTPS protocol).
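As an added example (not from the NSJSP manual), the web.xml fragment below applies the advice in this section from the application side: a <transport-guarantee> of CONFIDENTIAL makes the container refuse plain-HTTP access to the protected resources and redirect to the HTTPS connector, so the session and single sign-on cookies are only exchanged over the encrypted connection. It also makes the 30-minute session timeout explicit, since the SSO token lives no longer than the session. The elements are standard Servlet 2.3/2.4 deployment-descriptor elements; the URL patterns, role name and login pages are placeholders.

```xml
<!-- Added example (not from the NSJSP manual). URL patterns, role and page names are placeholders. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Protected area: only users holding the "customer" role may reach /secure/*,
       and only over a confidential (HTTPS) transport. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL: the container redirects HTTP requests to the HTTPS connector
           before the session/SSO cookie is ever sent in the clear. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM-based login; invalidating this session (logout) ends the SSO session
       for every application on the host, as the rules above describe. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Shared host realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>customer</role-name>
  </security-role>

  <!-- Value is in minutes; 30 matches the default the text mentions. Shorter values
       shorten the window in which a captured cookie remains usable. -->
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>

</web-app>
```

The <user-data-constraint> only takes effect if an HTTPS <Connector> is actually configured in server.xml; without one, requests matching the constraint cannot be redirected anywhere and are refused.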