Using JAAS for SSO on a Tomcat server sans Apache. The SSO controls access to several related applications and works great. Recently I started migrating from Ant to Maven, and in order to use the Tomcat plugin for Maven I needed to set up the Tomcat Manager application, which I had no need for previously. I was able to get it up and running with either BASIC authentication or CLIENT-CERT authentication, alongside the other webapps on the server.
The problem I am having is that when the user authenticates in Manager, the session gets dropped for the other webapps, i.e. log in to a webapp, log in to Manager, refresh the webapp, get redirected to the login page.
I was able to mitigate this overlap by defining the SSO valve at the context level and the realm at the host level. This still allows the SSO to work when navigating between the webapps via the browser. However, cross-context AJAX requests and whatnot return a "User Not Logged In" error until I access the other webapp in question. Using this approach, authentication for Manager was effectively isolated from the other webapps.
In short, I'm looking for the best way to have SSO via SSL/database authentication available for my webapps using a JAAS authentication module, but force Tomcat to exclude Manager from the SSO, i.e. SSO via SSL for Webapps 1, 2 and 3, but UN/PW authentication for Manager, with authentication independent between the two.
Is there a way to do this?
Current config:
<Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="false"
        xmlValidation="false" xmlNamespaceAware="false">
    <Realm className="org.apache.catalina.realm.JAASRealm" appName="CustomLogin"
           userClassNames="com.foo.bar.User" roleClassNames="com.foo.bar.Role"
           useContextClassLoader="true" debug="false"/>
    <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
    <Context path="/Webapp1" docBase="webapp1">
      <ResourceLink name="jdbc/WEBAPP" global="jdbc/WEBAPP" type="java.sql.DataSource"/>
    </Context>
    <Context path="/Webapp2" docBase="webapp2">
      <ResourceLink name="jdbc/WEBAPP" global="jdbc/WEBAPP" type="java.sql.DataSource"/>
    </Context>
    <Context path="/Webapp3" docBase="Webapp3">
      <ResourceLink name="jdbc/WEBAPP" global="jdbc/WEBAPP" type="java.sql.DataSource"/>
    </Context>
    <Context path="/manager" docBase="manager" antiJARLocking="false" antiResourceLocking="false" privileged="true" reloadable="false">
      <Realm className="org.apache.catalina.realm.MemoryRealm"/>
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="manager_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
    </Context>
  </Host>
</Engine>
Using this config, all webapps and the Manager fall under the control of the SSO and the overlap outlined above occurs, i.e. log in to webapp1 via SSL, then Manager via UN/PW, then refresh webapp1, get redirected to the login page.
Moving the SSO valve to the contexts for the webapps resolves this issue but causes the "User not logged in" response for cross-context AJAX requests.
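The SingleSignOn valve is scoped to the Host it is nested in, so one layout that keeps Manager outside the SSO entirely is a second Host with its own realm and no SSO valve. The fragment below is an added illustration of that layout, not part of the original question. The host name manager.localhost, the appBase manager-webapps and the absolute docBase for the manager webapp are assumptions (the name needs a hosts-file or DNS entry pointing at the server); the JAASRealm, DataSource and access-log settings are taken from the config above.

```xml
<Engine name="Catalina" defaultHost="localhost">

  <!-- Host 1: the SSO-protected webapps. JAASRealm and SingleSignOn are both
       defined here, so every Context in this Host shares one SSO session. -->
  <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="false">
    <Realm className="org.apache.catalina.realm.JAASRealm" appName="CustomLogin"
           userClassNames="com.foo.bar.User" roleClassNames="com.foo.bar.Role"
           useContextClassLoader="true"/>
    <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>

    <Context path="/Webapp1" docBase="webapp1">
      <ResourceLink name="jdbc/WEBAPP" global="jdbc/WEBAPP" type="java.sql.DataSource"/>
    </Context>
    <Context path="/Webapp2" docBase="webapp2">
      <ResourceLink name="jdbc/WEBAPP" global="jdbc/WEBAPP" type="java.sql.DataSource"/>
    </Context>
    <Context path="/Webapp3" docBase="Webapp3">
      <ResourceLink name="jdbc/WEBAPP" global="jdbc/WEBAPP" type="java.sql.DataSource"/>
    </Context>
  </Host>

  <!-- Host 2 (assumed name): Manager only. No SingleSignOn valve and its own
       realm, so a Manager login never touches the SSO session of Host 1.
       appBase is a separate, otherwise empty directory (assumed name) so the
       three webapps are not auto-deployed a second time under this host. -->
  <Host name="manager.localhost" appBase="manager-webapps"
        unpackWARs="true" autoDeploy="false">
    <!-- MemoryRealm reads conf/tomcat-users.xml by default -->
    <Realm className="org.apache.catalina.realm.MemoryRealm"/>
    <!-- docBase points at the stock manager webapp; the path is an assumption -->
    <Context path="/manager" docBase="${catalina.home}/webapps/manager"
             privileged="true" antiResourceLocking="false" reloadable="false">
      <!-- Restrict Manager to the loopback address; widen the pattern only if
           the Maven build runs on another machine. -->
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="127\.0\.0\.1|::1|0:0:0:0:0:0:0:1"/>
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="manager_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
    </Context>
  </Host>

</Engine>
```

With this layout the Maven Tomcat plugin's manager URL points at the second host name (for example http://manager.localhost:8080/manager), and because the browser scopes the JSESSIONID and JSESSIONIDSSO cookies to the host name that set them, the Manager login and the SSO session of the three webapps cannot overwrite each other. The webapps keep their single shared SSO session within Host 1, so cross-context requests between them behave as they did with the valve at the Host level.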