https://issues.apache.org/bugzilla/show_bug.cgi?id=53633
Priority: P2
Bug ID: 53633
Assignee: [email protected]
Summary: Scope of Realm expanded when using SSO
Severity: normal
Classification: Unclassified
OS: Linux
Reporter: [email protected]
Hardware: PC
Status: NEW
Version: 6.0.33
Component: Catalina
Product: Tomcat 6
A Realm defined within a Host should be shared with all webapps within that
Host when using SSO, EXCEPT for webapps that define their own Realm. This kinda
works, but the specific Realm defined within a nested Context seems to be
shared also. (No new challenge for authentication is presented.)
Example (server.xml):

<Host>
  <Realm className="...JDBCRealm" />
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
  <Context path="/manager" privileged="true">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Context>
</Host>
In this scenario the webapps that use the shared JDBCRealm use
FormAuthentication. The manager webapp uses BasicAuthentication of course. Now
once a user has logged in with the manager webapp the user is also
authenticated for all other webapps. The reverse scenario does seem to work
somewhat better. Once a user has logged in with any other webapp than manager,
accessing the manager webapp yields an HTTP 403 status, as if there was no user
database defined for the manager app. Are Principals cached in a central
location perhaps?
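A configuration check for the Host/Context layout described in the report, as an added example (not part of the bug report or of Tomcat itself): it parses a server.xml and reports every Context that declares its own Realm inside a Host that runs the SingleSignOn valve over a shared Realm, which is exactly the combination whose authentication scope the report questions. The sample server.xml, host names and paths are constructed; the full JDBCRealm class name is used where the report abbreviates it.

```python
import xml.etree.ElementTree as ET

SSO_VALVE = "org.apache.catalina.authenticator.SingleSignOn"

# Constructed server.xml modelled on the report: "localhost" runs the SSO valve
# and nests its own Realm under /manager; "intranet" has no SSO and no shared Realm.
SAMPLE_SERVER_XML = """<Server>
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps">
      <Realm className="org.apache.catalina.realm.JDBCRealm"/>
      <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
      <Context path="/manager" privileged="true">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Context>
      <Context path="/shop"/>
    </Host>
    <Host name="intranet" appBase="intranet">
      <Context path="/admin">
        <Realm className="org.apache.catalina.realm.MemoryRealm"/>
      </Context>
    </Host>
  </Engine>
</Server>"""


def find_sso_realm_overlaps(server_xml):
    """One finding per Context with its own Realm inside a Host that runs the
    SSO valve on top of a shared (Host- or Engine-level) Realm."""
    root = ET.fromstring(server_xml)
    findings = []
    for engine in root.iter("Engine"):
        engine_realm = engine.find("Realm")
        for host in engine.findall("Host"):
            shared = host.find("Realm")  # a Host Realm overrides the Engine one
            if shared is None:
                shared = engine_realm
            has_sso = any(v.get("className") == SSO_VALVE
                          for v in host.findall("Valve"))
            if shared is None or not has_sso:
                continue
            for ctx in host.findall("Context"):
                own = ctx.find("Realm")
                if own is None:
                    continue
                findings.append({
                    "host": host.get("name", "?"), "context": ctx.get("path", ""),
                    "shared_realm": shared.get("className"),
                    "context_realm": own.get("className")})
    return findings
```

Each finding names a Context whose own Realm is worth checking against the SSO behaviour described in the report; the "intranet" Host produces none because it runs no SSO valve.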