Bug 49670

Summary: org.apache.catalina.authenticator.SingleSignOn valve does not function
Product: Tomcat 7 Reporter: chornsey
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Severity: regression    
Priority: P2    
Version: 7.0.0   
Target Milestone: ---   
Hardware: PC   
OS: All   
Attachments: First participating war file.
Second participating web appliaction.
The tomcat jaas configuration file used on the test server.
server.xml with sso valve enabled.
eclipse jaas implementation project zipped.

Description chornsey 2010-07-29 10:43:35 UTC
I have two web applications; neither declare a realm in the context.xml and both are configured for authentication in the web.xml using standard tomcat authentication methods.  I have enabled the tomcat valve in the host and have added a realm to the host as well.

      <Host name="localhost"  appBase="webapps" unpackWARs="true" autoDeploy="true">
      	<Realm className="org.apache.catalina.realm.JAASRealm" appName="SSO" userClassNames="a.b.c" roleClassNames="a.b.c" useContextClassLoader="false"/>
        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"  
               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>

I have added a jaas configuration for the SSO app in the jaas.conf file for the server.  I am certain that the realm, jaas.conf are all configured properly as the web applications do require a user to authenticate before accessing the application, but if I have authenticated to one application I still am required to authenticate before accessing the other application.

I have this exact same configuration working on a tomcat 6 environment, but an identical configuration will not operate on a tomcat 7 server.
Comment 1 Pid 2010-08-03 05:47:07 UTC
Can you provide a simple test case which demonstrates the problem?
Comment 2 chornsey 2010-08-11 23:14:16 UTC
Created attachment 25879 [details]
First participating war file.

Please add the jaas.jar file from this project o you tomcat/lib folder as i contains the jaas principal and login module implementation.
Comment 3 chornsey 2010-08-11 23:14:56 UTC
Created attachment 25880 [details]
Second participating web appliaction.
Comment 4 chornsey 2010-08-11 23:16:18 UTC
Created attachment 25881 [details]
The tomcat jaas configuration file used on the test server.
Comment 5 chornsey 2010-08-11 23:17:43 UTC
Created attachment 25882 [details]
server.xml with sso valve enabled.
Comment 6 chornsey 2010-08-11 23:21:31 UTC
Created attachment 25883 [details]
eclipse jaas implementation project zipped.

This is the zipped eclipse project for all of the jaas files.  Includes the source for the login module and principals.
Comment 7 chornsey 2010-08-11 23:23:54 UTC
I have added two war files, he server configuration, jaas configuration and the source code for the jaas implementation I used in this test case.

Accessing the first web app requires a log in.  Accessing the second app does not require a login.  Using this test case in 6.x requires a login when accessing app 1, but not on the subsequent request for app2.
Comment 8 Mark Thomas 2010-08-23 16:16:42 UTC
Sorry about that. I broke SSO when I did the Lifecycle refactoring for 7.0.x

I have fixed this in trunk and it will be included in 7.0.3 onwards.