users@glassfish.java.net

Cross Domain SSO issue with OpenSSO

From: <glassfish_at_javadesktop.org>
Date: Mon, 08 Jun 2009 11:51:43 PDT

Hi,
    I have the following setup where OpenSSO is working but Cross domain SSO is failing.

Entire setup below is done on single PC.

1. Opensso server (opensso.war) installed on Websphere 6.1 server. The URL used to access this application is
                  http://tel02260.tsys.tss.net:9087/opensso
I am able to use the console to configure agents etc.

2. J2EE Agent is installed on Tomcat 6.0.18. Url used for agent application is
                  http://tel02260.tsys.tss.net:8080/agentapp
   I deployed my to-be-protected application also on this container. The URL for that is
                  http://tel02260.tsys.tss.net:8080/MyTestWeb/StartupServlet

3. I have installed an apache web server to listen on port 80 and redirect to Tomcat so that I can access my application without specifying port number
                  http://tel02260.tsys.tss.net/MyTestWeb/StartupServlet

I did not install any OpenSSO related components on the web server. I do not really know if I have to..?

4. Everything is working fine if I did not enable CDSSO on the opensso console.

5. I have enabled CDSSO and accessed the application "via the web server" using the following URL
              http://tel02260.tsys.tss.net/MyTestWeb/StartupServlet
the Opensso Login page shows up. I enter credentials. But it takes me to a page where "Access to resouce is denied" message shows up.

6. If I tried accessing my application without the web server involvement using the following URL
              http://tel02260.tsys.tss.net:8080/MyTestWeb/StartupServlet
The application can be accessed as expected.

7. I tracked the difference between the redirects and cookies and headers in the scenarios 6 and 7.

8. Only difference I could see is, in the successful case the cookie named "amFilterCDSSORequest" is getting created while the request is being redirected to the
"/opensso/cdcservlet" URI on the server.

9. In the failure scenario the cookie is not getting created.

10. I am attaching two files containing header information in success case and failure case.

11. Is there anything wrong in my setup? Why is the cookie not getting set when I use the application through Web server?

Any help on this would be greatly appreciated.

Thanks in advance
Madhavi
[Message sent by forum member 'madhavip' (madhavip)]

http://forums.java.net/jive/thread.jspa?messageID=349829