Securing multiple war files

[arunvijay]

Hi,

I am trying to use Acegi framework to secure a number of web applications (war files).
Basically, I would have a localhost configuraiton on Tomcat, which would contain a login page and WEB-INF with all the
acegi configurations. Inside this localhost folder, I would have the various war files.

Assume I have applications AppA and AppB.
If I try to access AppA, without authenticating into the main localhost, I shouldn't be able to do it.
But, as of now it allows me to do it.
Could you please help me out with this.

Thanks
Arun

[Ben Alex]

I am a little confused by your question.

Generally if you have more than one WAR involved, and you want automatic login between different WARs, your options are:

* Forget Acegi Security and use container single sign on support
* Use Acegi Security with Basic authentication (same realm names across all WARs)
* Use Acegi Security with CAS (definitely the recommended approach)

[arunvijay]

Thanks.

Your second suggestion is to use Acegi with Basic Authentication, so does that mean that I cannot have form authentication? The reference doc says that form authentication is fully contained within a web application

(I apologize if I am asking dumb questions. I am completely new to the world of security as such).

[Ben Alex]

Yes, BASIC authentication is implemented by the user agent (generally a browser like Internet Explorer will present its own dialogue box).

If you need a scalable, form-based single sign on solution, CAS is your best bet. Also, JOSSO is another choice in the open source SSO space, although Acegi Security doesn't have an integration option at present. You can easily write one, though, basing it on our CAS integration. If you just want something that works today, CAS is your best bet.