JBoss/Tomcat Single Sign-On: glory and goofs

Dabbling in the unknown can be an interesting excursion into highs and lows, and my experiments with JBoss/Tomcat’s Single Sign-On facility have been no exception. Hopefully, these quick tips can help.

Configuration of SSO under JBoss 3.2.2 (Tomcat 4.1.27) was fairly simple – just add the following line to your server/<instance>/deploy/jbossweb-tomcat41.sar/META-INF/jboss-service.xml inside the <Host> element:

<Valve className=”org.apache.catalina.authenticator.SingleSignOn”/>

Then, I made sure each webapp I wanted under SSO had a jboss-web.xml configured for the same security realm (defined in login-config.xml). The jboss-web entry looks something like this:


I also have the realm-name of the login-config in the web.xml set to be the same for all apps. Not sure if it’s all necessary, but it works, so I won’t question it.

The interesting glitch in this version is that while it supports single sign-ON, it does not support single sign-OFF. So you can use SSO to log into one app, link happily to another webapp running on the same JBoss instance, and when you invalidate your session for one app, the other sessions are still alive. Since this isn’t really acceptable behavior, I thought that perhaps a newer version of JBoss/Tomcat might do the trick, so I grabbed JBoss 3.2.3 (Tomcat 4.1.29). And all SSO capabilities completely disappeared, even after modifying the jboss-service.xml.

I found the answer to this problem buried in the JBoss 3.2.3 release notes. Those notes say “The tomcat4.1.x single sign-on behavior has been updated to allow for propagation of the web app security context to the ejb container and other secured resources.
* Configuration: In the jbossweb-tomcat41.sar/META-INF/jboss-service.xml file, inside the element of any virtual hosts for which you want single sign-on support, add a element: <blank space>”

Viewing the source of this page tells me that I’m actually supposed to add:

<Valve className=”org.jboss.web.tomcat.tc4.authenticator.SingleSignOn” debug=”0″/>

A google search on “org.jboss.web.tomcat.tc4.authenticator.SingleSignOn” yields exactly one result – that page of release notes. Well, I’m letting the cat out of the bag (no pun intended) – here’s result #2. Restarting JBoss/Tomcat with this configuration yielded the desired results – Single Sign-On across multiple webapps using only J2EE Container Managed Security and JBoss/Tomcat, with single sign-off as well – one session.invalidate() now kills the session for all apps.

Since I see this as a REALLY cool feature – minimal intrusion on applications and high standards compliance (CMS), I hope this little ditty can help you get it running as well.


4 thoughts on “JBoss/Tomcat Single Sign-On: glory and goofs

  1. “..inside the element of any virtual hosts for which you want single sign-on support, add a element:

    Viewing the source of this page tells me that I’m actually supposed to add: …”

    Funny things happen when tags are pasted into html document. Actually, the same problem happened in your post:

    ” just add the following line to your ..jboss-service.xml inside the element:

    Again, view source did the trick! 😉

  2. Could anyone tell me how to do SSO across multiple virtual hosts ?
    This is all cool and I implemented it that way as well.
    Now I have a project were we need to put each app on a virtual host and SSO still needs to work !!

    Thnx in advance

Comments are closed.