Installation guide
applications will be invalidated.
A session timeout does not invalidate the SSO if other sessions are still valid.
19.3. Limitations
There are a number of known limitations to this Tomcat valve-based SSO implementation:
- Only useful within a cluster of JBoss servers; SSO does not propagate to other resources.
- Requires use of container managed authentication (via login-config element in web.xml).
- Requires cookies. SSO is maintained via a cookie and URL rewriting is not supported.
- Unless requireReauthentication is set to true, all web applications configured for the same SSO valve must share the same JBoss Web Realm and JBoss Security security-domain. This means:
  - In server.xml you can nest the Realm element inside the Host element (or the surrounding Engine element), but not inside a context.xml packaged with one of the involved web applications.
  - The security-domain configured in jboss-web.xml or jboss-app.xml must be consistent for all of the web applications.
- Even if you set requireReauthentication to true and use a different security-domain (or, less likely, a different Realm) for different webapps, the varying security integrations must all accept the same credentials (for example, username and password).
19.4. Configuring the cookie domain
The SSO valve supports a cookieDomain configuration attribute. This attribute allows configuration of
the SSO cookie's domain (the set of hosts to which the browser will present the cookie). By default the
domain is "/", meaning the browser will only present the cookie to the host that issued it. The
cookieDomain attribute allows the cookie to be scoped to a wider domain.
For example, suppose two apps, with URLs http://app1.xyz.com and
http://app2.xyz.com, wish to share an SSO context. These apps could be running on different
servers in a cluster or the virtual host with which they are associated could have multiple aliases. This
can be supported with the following configuration:
<Valve className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn"
       cookieDomain="xyz.com" />
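The following Python script is an added example, not part of the original guide. It reads SSO valves from a server.xml fragment and reports which hosts a browser would present each SSO cookie to, showing that cookieDomain="xyz.com" reaches every host under xyz.com, not only app1 and app2. The fragment, the hosts blog.xyz.com and intranet.example.org, and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (host names and aliases are sample values).
SERVER_XML = """
<Engine name="jboss.web" defaultHost="app1.xyz.com">
  <Host name="app1.xyz.com">
    <Alias>app2.xyz.com</Alias>
    <Valve className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn"
           cookieDomain="xyz.com" />
  </Host>
  <Host name="intranet.example.org">
    <Valve className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn" />
  </Host>
</Engine>
"""

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match (IP-address hosts are not handled)."""
    host, dom = host.lower().rstrip("."), cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)

def sso_cookie_scopes(server_xml):
    """Return {Host name: cookieDomain or None} for each Host with an SSO valve."""
    scopes = {}
    for host in ET.fromstring(server_xml).iter("Host"):
        for valve in host.findall("Valve"):
            if valve.get("className", "").endswith("SingleSignOn"):
                scopes[host.get("name")] = valve.get("cookieDomain")
    return scopes

def receives_cookie(issuing_host, cookie_domain, request_host):
    """Would a browser present the SSO cookie set by issuing_host to request_host?"""
    if not cookie_domain:  # no cookieDomain: cookie goes only to the issuing host
        return request_host.lower() == issuing_host.lower()
    return domain_match(request_host, cookie_domain)

def audit(server_xml, candidates):
    """Map each SSO-enabled Host to the candidate hosts that would get its cookie."""
    return {name: [h for h in candidates if receives_cookie(name, dom, h)]
            for name, dom in sso_cookie_scopes(server_xml).items()}

if __name__ == "__main__":
    hosts = ["app1.xyz.com", "app2.xyz.com", "blog.xyz.com",
             "notxyz.com", "xyz.com.example.net", "intranet.example.org"]
    for name, reached in audit(SERVER_XML, hosts).items():
        print(name, "->", reached)
```

Run it against the host names actually served under the configured domain to see which of them would receive the SSO cookie before widening cookieDomain.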
JBoss Enterprise Application Platform 5 HTTP Connectors Load Balancing Guide 77