Single Sign on implementation in Tomcat

最后都变了 - Submitted on 2021-01-28 12:00:38

Question


I have three JSF web applications deployed on a Tomcat web server with SSL/TLS enabled. Now I want to build some kind of SSO authentication with particular roles. In Tomcat's conf/server.xml there is this line:

<Valve className="org.apache.catalina.authenticator.SingleSignOn" />

so I got the idea that Tomcat may have its own SSO implementation. Does anyone know where to find more information about this or some code examples?

Thanks in advance


Answer 1:


After many hours of research I found a solution, so I will post it here in case someone needs SSO authentication in Tomcat. First of all, open the conf/server.xml file in the Tomcat installation directory and add the following lines:

<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
</Host>

By doing this, you have opened the SSO valve. Next, you need to set up roles in Tomcat. That is done by editing conf/tomcat-users.xml. Scroll to the bottom and add roles, something like this:

<role rolename="CUSTOMER"/>
<role rolename="ADMIN"/>

Now, if you want plain text authentication, you can also add users by adding:

<user username="admin" password="admin" roles="ADMIN"/>
<user username="customer" password="customer" roles="CUSTOMER"/>

or, if you have a database, you can set up a connection to the database server in conf/server.xml. I'm using MySQL:

<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.mysql.cj.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost:3306/databaseName?user=serverUsername&amp;password=serverPassword"
       userTable="usersTable" userNameCol="usernameColumnName" userCredCol="passwordColumnName"
       userRoleTable="roleTable" roleNameCol="roleColumnName"/>

Note: You need to provide the connection driver in the Tomcat lib directory. More info at: https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JDBCRealm

Finally, in your web app or apps, find web.xml and add security constraints:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

    <auth-constraint>
        <role-name>ADMIN</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>this is ignored currently</realm-name>
</login-config>

<security-role>
    <role-name>ADMIN</role-name>
</security-role>

Note: if you have a custom login page, you can edit the <login-config> tag and change it to the following:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>

Cheers.
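Since the SSO valve shares one login across all three applications, every web.xml has to carry a consistent set of constraints: a missing CONFIDENTIAL guarantee on any one of them exposes the BASIC credentials and the shared SSO cookie, and a missing auth-constraint leaves a path open without login. This added example (not code from the answer above) lints a web.xml for exactly those points; the sample document is constructed to mirror the answer's constraint plus a deliberately faulty second one.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml: the answer's constraint, plus a second one that omits HTTPS and names an undeclared role.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    <auth-constraint><role-name>ADMIN</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>AUDITOR</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>ADMIN</role-name></security-role>
</web-app>"""


def lint_web_xml(xml_text):
    """Return one finding string per problem; an empty list means the constraints are consistent."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop the default namespace so plain tag names work in lookups
        el.tag = el.tag.rsplit("}", 1)[-1]
    declared = {rn.text.strip() for sr in root.findall("security-role")
                for rn in sr.findall("role-name")}
    findings = []
    for sc in root.findall("security-constraint"):
        name = sc.findtext("web-resource-collection/web-resource-name", "?").strip()
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "").strip()
        if guarantee != "CONFIDENTIAL":
            findings.append(f"{name}: no CONFIDENTIAL transport-guarantee, so BASIC "
                            "credentials and the SSO cookie could travel over plain HTTP")
        auth = sc.find("auth-constraint")
        if auth is None:  # no <auth-constraint> at all means the resource needs no login
            findings.append(f"{name}: no auth-constraint, reachable unauthenticated")
        for rn in ([] if auth is None else auth.findall("role-name")):
            role = rn.text.strip()
            if role != "*" and role not in declared:
                findings.append(f"{name}: role {role} is not declared in <security-role>")
    return findings


if __name__ == "__main__":
    print(*(lint_web_xml(SAMPLE_WEB_XML) or ["no findings"]), sep="\n")
```

Run it against each application's web.xml in turn; the first constraint yields nothing, while the constructed Reports constraint produces two findings.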




Answer 2:


Apache 9 Single Sign On Valve documentation is here: https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html.

Since you mentioned JSF (I'm not sure if you are using PrimeFaces & OmniFaces), maybe you are also struggling with log out/session time out. Especially if the end user has multiple windows/tabs open and multiple applications (you mentioned you have three JSF apps), then

  • OmniFaces FacesExceptionFilter and
  • OmniFaces FullAjaxExceptionHandler

would be helpful for you. I can also recommend the best JSF book I've ever read

  • The Definitive Guide to JSF in Java EE 8 written by BalusC (JSF expert, author of OmniFaces, etc.).


Source: https://stackoverflow.com/questions/60873769/single-sign-on-implementation-in-tomcat
