I have an existing j2ee application running on Oracle App Server. It is targeted towards paying customers so the content is secured and an SSO module properly intercepts all requests for secured content.

Now the company is adding an unbranded public-facing module with a number of unsecured pages. At one point the user is expected to register for a free account and log in to proceed further. Think doctors adding a public-facing site with information for potential patients, or lawyers adding a public-facing site with information for potential clients. There's some information on the session and the usual approach would be to authenticate the user, persist the session information using the now-known user id, invalidate the existing session (to prevent certain types of attacks), then reload the session information before returning to the user. I can't just persist it under the session id since that's about to change.

The glitch is that the existing application already has an SSO module and I get a 404 error every time I try to direct to j_security_check. I've tried that, /sso/j_security_check, even http://localhost/sso/j_security_check, all without success.

I noticed that an earlier question said that Tomcat requires access to a secured page before j_security_check is even visible. I don't know if that's the case with Oracle AS.

Ideas? Or is the best approach to continue arguing that we have a different user base so it would be better to handle authentication in our own module anyway?

A: 

I had a bit of a brain freeze when asking the question - the app doesn't call the SSO, the SSO intercepts calls to secured pages. There's no way to trigger it manually other than calling a secured page. I found myself in the weeds since we've been discussing the flow between web pages as though there was an explicit call to a login page as we transition from public to secured pages.

That said it looks like the answer involves setting up a non-default realm in j2ee/home/config/system-jazn-data and my per-application orion-application.xml jazn stanza. I still haven't found a way to get a different jsp login page though.

bgiles
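
The session hand-off described in the question (authenticate, keep the pre-login session data, invalidate the old session, reload into a new one), as an added example that is not part of the original post. It applies when the module performs authentication itself rather than through the intercepting SSO. As assumptions, it holds the data in memory for the duration of the call instead of persisting it under the user id, and the class, method and attribute names are hypothetical.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: rotate the session id at login without losing pre-login state. */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Call only after the credentials have been verified.
     *
     * @param carryOver names of the attributes allowed to survive the login.
     *                  Everything else was written while the visitor was
     *                  unauthenticated and is dropped with the old session.
     */
    public static HttpSession rotate(HttpServletRequest request,
                                     String userId,
                                     Set<String> carryOver) {
        Map<String, Object> saved = new HashMap<String, Object>();

        HttpSession old = request.getSession(false);    // do not create one here
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                if (carryOver.contains(name)) {
                    saved.put(name, old.getAttribute(name));
                }
            }
            // The pre-login session id stops being valid at this point, so an
            // id that was known before login cannot be used after it.
            old.invalidate();
        }

        HttpSession fresh = request.getSession(true);   // container issues a new id
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("userId", userId);           // hypothetical attribute name
        return fresh;
    }
}
```

Attributes that implement HttpSessionBindingListener receive valueUnbound when the old session is invalidated and valueBound again when they are set on the new one.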