
Single Sign-on for Web Applications

The AS Java’s Web Container provides options for cross-application login for Web application users. That is, once a user has successfully authenticated to a Web application, he or she can access other Web applications without reauthentication.

The Web Container’s Single Sign-On implementation leverages the strengths of the JAAS authentication model and the JSESSIONID mechanism. Namely, the Web application deployer defines a security policy domain and deploys the application within its boundaries. It is possible that several applications share such a domain. This means that Single Sign-On can be used across those applications. If the user crosses the security policy domain boundary (for example, by requesting a Web application that is deployed in a different domain), he or she is forced to reauthenticate.

Note

In the context of Web applications and Single Sign-On on the AS Java, a security policy domain must be considered different from a security technology domain and a realm name domain. This enables applications that use different security technologies to share a single security policy domain, and therefore to enable Single Sign-On for their users.

Mechanisms Supporting Single Sign-On

By default, the standard JSESSIONID mechanism is used to exchange the information about the user’s identity between the Web applications when performing Single Sign-On. It is based on the associations between the HTTP sessions of the user established for the different applications, and the JSESSIONID that is established after the user logs on to an application. This information is sent with the HTTP request using a session cookie (or URL rewriting, if cookies are disabled).

For more information about the Single Sign-On mechanisms that AS Java applications can use, see Integration in Single Sign-On Environments.

Configuring Your Web Application for Single Sign-On

You configure your Web application for Single Sign-On using its web-j2ee-engine.xml deployment descriptor. All you have to do is specify the security policy domain within which you want to deploy the application. For a detailed description of the procedure for setting the security policy domain, see Configuring Authentication.

The string that you specify in the security policy domain field of the application’s web-j2ee-engine.xml in the SAP NetWeaver Developer Studio serves as the definition of the security policy domain (that is, you do not need to configure anything in advance in the Security Provider Service on the AS Java).
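Because the domain is defined by nothing more than a string in each descriptor, it is worth reviewing which applications end up sharing one. The following script is an added example, not SAP code: it groups applications by the domain string found in their web-j2ee-engine.xml. The element name `security-policy-domain`, the application names and the descriptor contents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumed element name for the security policy domain field; verify it
# against the web-j2ee-engine.xml schema of your AS Java release.
DOMAIN_TAG = "security-policy-domain"

# Constructed sample descriptors: application name -> web-j2ee-engine.xml text.
SAMPLE = {
    "hr-portal": "<web-j2ee-engine><security-policy-domain>/Intranet"
                 "</security-policy-domain></web-j2ee-engine>",
    "expenses": "<web-j2ee-engine><security-policy-domain>/Intranet"
                "</security-policy-domain></web-j2ee-engine>",
    "partner-shop": "<web-j2ee-engine><security-policy-domain>/Partners"
                    "</security-policy-domain></web-j2ee-engine>",
    "legacy-tool": "<web-j2ee-engine/>",  # declares no domain
}

def policy_domain(descriptor_xml, tag=DOMAIN_TAG):
    """Return the declared domain string, or None if the descriptor has none."""
    for el in ET.fromstring(descriptor_xml).iter():
        # Compare on the local name so a namespaced descriptor still matches.
        # Surrounding whitespace is trimmed (a choice made by this script).
        if el.tag.rsplit("}", 1)[-1] == tag and (el.text or "").strip():
            return el.text.strip()
    return None

def group_by_domain(descriptors):
    """Map each domain (None = undeclared) to the sorted apps deployed in it."""
    groups = defaultdict(list)
    for app in sorted(descriptors):
        groups[policy_domain(descriptors[app])].append(app)
    return dict(groups)

def sso_groups(descriptors):
    """Domains shared by two or more apps, where one login covers several."""
    return {d: apps for d, apps in group_by_domain(descriptors).items()
            if d is not None and len(apps) > 1}

def crosses_boundary(descriptors, from_app, to_app):
    """True if moving between the two apps leaves the security policy domain."""
    a, b = (policy_domain(descriptors[x]) for x in (from_app, to_app))
    if a is None or b is None:
        raise ValueError("an application declares no security policy domain")
    return a != b

if __name__ == "__main__":
    for domain, apps in group_by_domain(SAMPLE).items():
        print(domain or "(undeclared)", "->", ", ".join(apps))
```

Applications without a declared domain are reported separately and not classified, since the page does not describe how they are treated.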

 
