In many large web sites, it is desirable to recognize an authenticated user the first time that he or she tries to access a protected area in any web application, and then recognize that authenticated user across other web applications in the same environment without requiring the user to log in again. Tomcat supports that capability if it is configured as described in this document.
To successfully configure Tomcat for "single sign on" support, the following requirements must be taken into account:

- The system administrator must configure the $CATALINA_HOME/conf/server.xml file as follows to enable "single sign on" support:

  - At either the <Engine> or <Host> level, configure a <Realm> element that defines the database of valid users and their corresponding roles. In the default configuration shipped with Tomcat, this is done at the Engine level.

  - You must NOT configure a <Realm> element inside one of the <Context> elements describing the web applications associated with this virtual host. All applications that share the sign-on must authenticate against the same Realm, otherwise a user identity established by one application is not meaningful to the others.

  - Within the <Host> element, you must include the following element:

    <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>

- Each web application that requires user authentication must be configured with appropriate <security-constraint> and <login-config> elements. The former elements identify the portions of the application's URI space that require user authentication; the latter element is used if this application is the first one accessed by the user that requires the user to log in.

- Because the "single sign on" implementation uses cookies to maintain user identity across applications, the same risks of information exposure apply here as when cookies are used to maintain session identity within a single web application. If you are concerned that attackers may try to impersonate an ongoing session, you should run across a secure network connection (such as an SSL connection using the https protocol).
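The complete configuration that the requirements above describe, as an added example that is not taken from the Tomcat documentation or from the shipped conf/server.xml: an Engine-level Realm, the SingleSignOn valve inside the Host, and the web.xml of one participating application with a <security-constraint> and <login-config>. The application names app1 and app2, the keystore path and password, the "manager" role and the login page names are assumptions for illustration; the UserDatabase resource and UserDatabaseRealm are the ones Tomcat ships by default.

```xml
<!-- $CATALINA_HOME/conf/server.xml (excerpt, hypothetical example) -->
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <!-- Default user database read by UserDatabaseRealm -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml"/>
  </GlobalNamingResources>

  <Service name="Catalina">
    <!-- Plain HTTP connector; redirectPort is where CONFIDENTIAL constraints send the user -->
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>

    <!-- HTTPS connector so that the SSO and session cookies are never sent in clear
         (keystore path and password are assumptions for this example) -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/localhost-rsa.jks" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"/>

    <Engine name="Catalina" defaultHost="localhost">
      <!-- Requirement 1: one Realm at the Engine (or Host) level, shared by every application -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <!-- Requirement 3: the SSO valve lives inside the Host -->
        <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
        <!-- Requirement 2: no <Realm> in the <Context> of app1, app2 or any other
             application deployed under this Host -->
      </Host>
    </Engine>
  </Service>
</Server>

<!-- webapps/app1/WEB-INF/web.xml (excerpt); app2 carries the same two elements -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Forces HTTPS for the protected URIs, which is the per-application way to
           apply the "run across a secure network connection" advice above -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example SSO</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
```

A few checks worth knowing when verifying such a setup: the valve issues a cookie named JSESSIONIDSSO with path "/", which is why the sign-on is scoped to a single <Host> and does not carry over to other virtual hosts; Tomcat marks that cookie Secure only when the request that established it arrived over HTTPS, so the first login itself must happen on the HTTPS connector for the flag to be set; and because the SSO entry is tied to the participating sessions, invalidating the session in one application (for example on logout) ends the sign-on for all of them.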