Bug 34724 - Domain for single sign-on cookie
Summary: Domain for single sign-on cookie
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 5.5.9
Hardware: Other, OS: other
Importance: P2 enhancement with 2 votes
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2005-05-03 13:39 UTC by Oliver Rossmueller
Modified: 2005-10-16 16:21 UTC (History)

Attachments:
SSO cookie domain patch (941 bytes, patch) - 2005-05-03 13:40 UTC, Oliver Rossmueller
AuthenticatorBase.java patch (1.05 KB, patch) - 2005-05-09 16:19 UTC, Oliver Rossmueller
SingleSignOn.java patch (1.34 KB, patch) - 2005-05-09 16:19 UTC, Oliver Rossmueller
mbeans-descriptors.xml patch (784 bytes, patch) - 2005-05-09 16:20 UTC, Oliver Rossmueller

Description Oliver Rossmueller 2005-05-03 13:39:17 UTC
I have the following setup:

- Apache webserver in front of Tomcat 5.5.9
- three 3rd-level domains www.mydomain.xa, search.mydomain.xa, my.mydomain.xa
- Single Sign-On valve in Tomcat is activated
- Login is handled by my.mydomain.xa and its corresponding webapp under context /My

The problem with the SSO cookie created by Tomcat after successful login is that
the domain name stored with the cookie is my.mydomain.xa. Therefore the SSO
cookie is not sent by the user agent if a request goes to www.mydomain.xa or
search.mydomain.xa, and single sign-on is not working for these subdomains.

So I need a way to tell Tomcat to set '.mydomain.xa' as the domain of the SSO
cookie so it will be sent by the user agent for all subdomains. Therefore I
introduced the system property 'tomcat.sso.cookie.domain' and added a few lines
to AuthenticatorBase.java where the value of named system property is used - if
available - to set the SSO cookie's domain (see attached patch). The system
property can be set in the startup script for example.
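To make the cookie behaviour in the report concrete, the following added example (not Tomcat code and not from the bug report or its patches) simulates a user agent's cookie domain matching as defined in RFC 6265. It models a host-only cookie, which is what a browser stores when Set-Cookie carries no Domain attribute, against a cookie with Domain=.mydomain.xa, and lists which of the report's hosts receive it in each case. The hostnames are the ones from the report; the two look-alike hosts are constructed, and the public suffix list (which would make a real browser refuse Domain=xa) is not modelled.

```python
"""
Added example: simulate RFC 6265 cookie domain matching to show why a
Single Sign-On cookie scoped to my.mydomain.xa is not sent to
www.mydomain.xa, and which hosts receive it once the Domain attribute is
set to .mydomain.xa. Constructed for illustration; not Tomcat's cookie code.
"""
from dataclasses import dataclass
from typing import List, Optional


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: a host domain-matches a domain if they are
    identical, or if the host ends with '.' + domain. The dot is what keeps
    evilmydomain.xa from matching mydomain.xa."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")  # a leading dot is ignored
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


@dataclass(frozen=True)
class StoredCookie:
    name: str
    domain: str      # effective domain kept by the user agent
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def ua_accepts(set_by_host: str, domain_attr: str) -> bool:
    """Whether a user agent would accept Domain=domain_attr from set_by_host:
    the responding host must itself domain-match the requested domain."""
    return domain_matches(set_by_host, domain_attr.lstrip("."))


def store(set_by_host: str, name: str, domain_attr: Optional[str]) -> StoredCookie:
    """Model what a user agent stores for a Set-Cookie sent by set_by_host.
    Without a Domain attribute the cookie is host-only (the situation in the
    report). With one, a domain the host does not belong to is refused."""
    if domain_attr is None:
        return StoredCookie(name, set_by_host.lower(), host_only=True)
    if not ua_accepts(set_by_host, domain_attr):
        raise ValueError(f"{set_by_host} may not set a cookie for Domain={domain_attr}")
    return StoredCookie(name, domain_attr.lower().lstrip("."), host_only=False)


def is_sent(cookie: StoredCookie, request_host: str) -> bool:
    """RFC 6265 section 5.4: a host-only cookie requires exact host equality;
    otherwise the request host must domain-match the cookie's domain."""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)


def hosts_receiving(cookie: StoredCookie, hosts: List[str]) -> List[str]:
    return [h for h in hosts if is_sent(cookie, h)]


# Constructed request hosts: the three from the report, the apex, and two
# look-alikes that must never receive the SSO cookie.
HOSTS = [
    "www.mydomain.xa",
    "search.mydomain.xa",
    "my.mydomain.xa",
    "mydomain.xa",
    "evilmydomain.xa",
    "mydomain.xa.attacker.xa",
]

SSO_COOKIE = "JSESSIONIDSSO"  # Tomcat's single sign-on cookie name


def before_patch() -> List[str]:
    """Login on my.mydomain.xa with no Domain attribute: host-only cookie."""
    return hosts_receiving(store("my.mydomain.xa", SSO_COOKIE, None), HOSTS)


def after_patch() -> List[str]:
    """Same login, with the valve adding Domain=.mydomain.xa to the cookie."""
    return hosts_receiving(store("my.mydomain.xa", SSO_COOKIE, ".mydomain.xa"), HOSTS)


if __name__ == "__main__":
    print("without Domain attribute:", before_patch())
    print("with Domain=.mydomain.xa:", after_patch())
```

Two things worth noting from the result. First, widening the Domain attribute is the correct fix for the reported setup, but it is also a widening of trust: every host under mydomain.xa, present or future, now receives the SSO cookie, so a cross-site scripting flaw or a compromised server on any of those subdomains exposes the whole single sign-on session. That is a per-deployment decision, which is one reason a per-valve attribute in server.xml fits better than a JVM-wide system property. Second, the dot-prefixed suffix check is what prevents a cookie for mydomain.xa from reaching evilmydomain.xa; a naive endswith("mydomain.xa") comparison would not.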
Comment 1 Oliver Rossmueller 2005-05-03 13:40:28 UTC
Created attachment 14918 [details]
SSO cookie domain patch
Comment 2 Remy Maucherat 2005-05-03 14:12:08 UTC
It's a good use case, but it's not the right way to do it. You should add an
optional attribute on the SSO valve instead.
Comment 3 Oliver Rossmueller 2005-05-09 16:19:31 UTC
Created attachment 14971 [details]
AuthenticatorBase.java patch
Comment 4 Oliver Rossmueller 2005-05-09 16:19:56 UTC
Created attachment 14972 [details]
SingleSignOn.java patch
Comment 5 Oliver Rossmueller 2005-05-09 16:20:28 UTC
Created attachment 14973 [details]
mbeans-descriptors.xml patch
Comment 6 Oliver Rossmueller 2005-05-09 16:24:16 UTC
I agree that an optional attribute on the SingleSignOn valve is the more
elegant way to specify a domain name for the SSO cookie. I modified the
implementation in the suggested way (see the three new patches attached) so the
cookie domain can be set on the valve like

<Valve className="org.apache.catalina.authenticator.SingleSignOn"
Comment 7 Yoav Shapira 2005-10-17 00:21:28 UTC
I've committed the patch into HEAD, it'll be in 5.5.13.  Thank you for
contributing it!