We have a Grails app that uses two domain names, and Tomcat was configured to use virtual hosts and aliases. Here's the server.xml snippet:
<Host name="domain1.com" appBase="myApp"
      unpackWARs="true" autoDeploy="true"
      xmlValidation="false" xmlNamespaceAware="false">
    <Alias>domain2.com</Alias>
</Host>
We also wanted to restrict access to the web app (separately from the logins used on the site itself), so we made use of Tomcat security.
Here's the security constraint snippet from the app's web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTMLManager and Manager command</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- NOTE: This role is not present in the default users file -->
        <role-name>manager</role-name>
    </auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>My Realm</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
    <description>
        The role that is required to log in to the Manager Application
    </description>
    <role-name>manager</role-name>
</security-role>
<error-page>
    <error-code>401</error-code>
    <location>/401.jsp</location>
</error-page>
So here's the scenario: when a user browses to domain1.com, the basic authentication popup is displayed. The user then enters the username and password combination to enter the site. The user then wishes to sign in to the web app (to be able to use more features). The login mechanism (using Acegi) also needs to log in to domain2.com. Now, before the user can be logged in to domain2.com, he/she needs to enter the same credentials in the basic auth popup again. So basically, the user needs to go through Tomcat web security twice, which we need to avoid.
The question also is: since it's the same web app, why does it need the user to log in twice? Is it because Tomcat web security is domain based? Even if the other domain is just an alias of the original domain?
Thanks!
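Added example, not part of the original post: a small Python model of the RFC 7617 "protection space" rule (scheme + authority + realm) that a browser's Basic-auth credential cache follows, applied to the two hosts and the realm from the web.xml above. The user `alice`, password `s3cret`, and all function names are constructed for this illustration.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample credentials for the example; not from the original post.
USERS = {"alice": "s3cret"}
REALM = "My Realm"  # the <realm-name> in the web.xml above

def server(authorization=None):
    """Server side of BASIC auth as Tomcat's login-config behaves:
    missing or invalid credentials -> 401 plus challenge; valid -> 200."""
    if authorization and authorization.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(authorization[6:]).decode().partition(":")
        except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
            user, pw = None, None
        if user in USERS and USERS[user] == pw:
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}

def protection_space(url, realm):
    """RFC 7617 section 2.2: credentials are reusable only for the same
    scheme + authority (host[:port]) + realm, so an alias host is a new space."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), realm)

def parse_realm(challenge):
    return challenge.split('realm="', 1)[1].split('"', 1)[0]

class BrowserModel:
    """Minimal model of a browser's Basic credential cache, keyed by protection space."""
    def __init__(self, user, pw):
        self.cache = {}
        self.prompts = 0
        self.creds = "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

    def fetch(self, url):
        status, hdrs = server()            # first attempt carries no credentials
        if status != 401:
            return status
        space = protection_space(url, parse_realm(hdrs["WWW-Authenticate"]))
        if space not in self.cache:
            self.prompts += 1              # the popup the question describes
            self.cache[space] = self.creds
        status, _ = server(self.cache[space])
        return status

def prompts_for(urls, user="alice", pw="s3cret"):
    """How many Basic-auth popups a browser shows when visiting urls in order."""
    browser = BrowserModel(user, pw)
    for url in urls:
        browser.fetch(url)
    return browser.prompts
```

Visiting domain1.com twice costs one prompt, while domain1.com followed by domain2.com costs two, because the second host is a different authority even though Tomcat serves both from the same Host entry.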