[jboss-user] [Security & JAAS/JBoss] - Re: federated SSO framework and http cookies

"sohil.shah(a)jboss.com" wrote : I have gotten community feedback that besides the username, and password parameters, there needs to be provision for sending in more information as criteria to perform a successful login. This will be addressed so that the LoginProvider interface can be made more generic | Thanks for the reply, Sohil. As part of the LoginProvider framework, if we could have some generic interface that lets us tuck away name/value bits of info, I think it'd be useful (we can then save off info like Windows Domains, securID tokens, etc.). It'd also be useful if we could get/set http cookies via that interface (e.g., "set cookie for your SSO domain"). The use case for the latter case would be: multiple web server types in same domain. You login to one web server, which injects a cookie into your web browser. You then hit another web server in your domain, and that web server can use that cookie for validation. It's a somewhat crude way to do an SSO-like or remember-me-like login. If I understand correctly, the SAML token does this in a similar way, but I don't know if you can map from a SAML token to valid authentication information on each web server easily so that your web app on the second server is logged in properly (your LoginProvider seems to depend on a username/password). I guess it'd really help if there's an example that shows how SSO works in a "remember me" type of application... View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3985038#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...