[jboss-jira] [JBoss JIRA] Commented: (JBAS-4424) WebAuthentication:Generate a SSOID

Stefan Guilhen (JIRA) jira-events at lists.jboss.org
Wed Oct 31 15:50:45 EDT 2007


    [ http://jira.jboss.com/jira/browse/JBAS-4424?page=comments#action_12385404 ] 
            
Stefan Guilhen commented on JBAS-4424:
--------------------------------------

The SSO cookie is now generated by the WebAuthentication class as part of the login process when an SSO valve has been set in the jboss-web.deployer/server.xml. On Branch_4_2, the org.jboss.web.tomcat.security.ExtendedSingleSignOn valve has to be used instead of the standard SingleSignOn valve, because the ExtendedSSO valve exposes some of the SSO methods as public, allowing the WebAuthentication to delegate sso behaviour to the proper valve. As no upgrade of the jbossweb is planned for Branch_4_2, we had to come up with this workaround. The SSO behaviour of the WebAuthentication has been tested on Branch_4_2, and the code has already been committed.

This new valve is not necessary on Trunk, as Remy is setting the necessary methods to public on SingleSignOn valve. Version 2.1.0.CR7 of jbossweb already sets some of the methods to public but one of them (update) still needs to be changed. As soon as we have the changes we need, I'll test this implementation on Trunk using the standard SSO valve, commit, and resolve the issue.

> WebAuthentication:Generate a SSOID
> ----------------------------------
>
>                 Key: JBAS-4424
>                 URL: http://jira.jboss.com/jira/browse/JBAS-4424
>             Project: JBoss Application Server
>          Issue Type: Task
>      Security Level: Public(Everyone can see) 
>          Components: Web (Tomcat) service, Security
>    Affects Versions: JBossAS-4.2.0.GA
>            Reporter: Anil Saldhana
>         Assigned To: Stefan Guilhen
>
> http://wiki.jboss.org/wiki/Wiki.jsp?page=WebAuthentication
> The feature needs to implement the sso stuff if it is desired by the user.  At the least, ssoid needs to be generated and set on the session.
> The ssoid generation logic exists in AuthenticatorBase.
