I am trying to implement single sign-on between 2 J2EE applications. Both of these applications share the same registry (LDAP). I would like to navigate from one application to another with only one authentication.

I use WAS 6/RAD 7 and I have configured my server to enable SSO. What changes do I have to make in my application(s)? How do I test whether this works?

+1  A: 

How do your applications make use of the LDAP? Do you have an application-specific authentication mechanism implemented?

If you make use of the authentication mechanism of your J2EE appserver (the WAS), you do not need to have SSO enabled on your WAS for your users to be able to sign on to both applications at the same time.

In your WAR/EAR descriptors, define J2EE roles and authentication methods, restrict access to your applications to members of these roles, configure your WAS to authenticate against your LDAP, and during deployment of your applications bind the roles defined in your apps to LDAP users / groups (e.g. all users that authenticate against the LDAP, or some more specific group).

Changes to WAR/EAR descriptors and deployment options can all be specified in RAD 7 using the WAR/EAR editors; the LDAP setup has to be done using the WAS administration console.

EDIT:

OK, long time, no see (such config in WAS). I had to try it myself, and it seems the SSO has to be turned on.

Here's my setup: I had two simple apps, one with form-based auth, the other with HTTP authentication; each defined a security role and a security constraint for its web resources. Both roles were bound in the EAR application.xml editor to "All authenticated users" (WAS-specific deployment info, stored in ibm-application-bnd.xmi). With SSO turned off, I observed the same behaviour as you did.

However, after turning SSO on, it, well, started to work...

How I turned SSO on: there are for sure multiple options; this is how to enable LTPA-based SSO with basic settings (WAS 6). Go to admin console -> Security -> Global Security -> select LTPA as authentication mechanism -> Apply, then Security -> Global Security -> Authentication mechanisms -> LTPA -> Single sign on -> Enabled -> Apply, then Save all and restart.

Further settings... likely there is a need to regenerate the LTPA keys for a production deployment. To have other WAS servers join the SSO, synchronize the LTPA keys.

Sorry for the confusion in my initial response.

david a.
+1  A: 

Appreciate your response.

To answer your question - YES, currently we have application-specific authentication: each app contacts LDAP and authenticates the users.

Your statement "If you make use of authentication mechanism of your J2EE appserver (the WAS)" - does it mean that I should get rid of the authentication code within the application and use WAS authentication instead? Please correct me if otherwise.

The question I have is this - when I configure/define J2EE roles and authentication methods (using the element in web.xml with FORM-based authentication), how does authenticated entry into one application ensure that I would access the secured resources of the other application as well? I tried to simulate this; however, when I tried navigating from a secure page of one application to the secure page of another application, I am presented with the FORM-based authentication page again. I thought SSO would ensure that I get direct access to a protected resource in the second application as well.

Hi - shame on me... see the edit to my response...
david a.
A: 

Thanks a lot David. I was able to implement this in RAD 7. I tried replicating the same in WAS, and the two applications worked fine as you said. The two applications in this case were in the same JVM.

I am just trying to take this across JVMs (in the same cell) - I guess it must be some configuration change that I need to make on WAS.

Once again, thanks for your response.

A: 

I have been able to navigate across applications in WebSphere. However, for each navigation a new session is being created; is that correct?

I have the following question:

In an SSO application, 1) does he carry the same session? 2) is it one session per application? 3) is a new session created during each navigation? (This is what I currently experience in my implementation in RAD 7 and WAS.)

+1  A: 

An implementation of CAS will work for you; it is well documented, and the changes needed to "CASify" your app are very easy.

victor hugo