When a user needs to access multiple applications in your environment, you should not require authentication for each application. If the user has already been authenticated for one of the applications, he or she should should not be asked for credentials when he accesses one of the other applications during the same browser session. This concept is called Single Sign-on where the authentication credentials are ‘shared’ in the environment and can be used by any application in that environment.
The Single Sign-on principle became more important in the last few years as the idea of microservices is also applied to the front end – and thus your big application is now a set of smaller, connected apps. When you are using Micro Frontends or Self-Contained Systems, you should consider implementing a Single Sign-on strategy.
In this blog, I describe how you can implement a single sign-on strategy based on the Payara Realm concept which is useful when all the applications are running on the same Payara Server Domain. It doesn’t need a third-party product to handle the Single Sign-on data.
What is a realm? The term is confusing since it is used in different ways by different products. A realm determines the Authentication and Authorization info for the users of the applications deployed on the Payara Server. When accessing a protected resource, the realm asks for the credentials of the user, (through a Form entry for example), and compares it to the stored data. If successfully authenticated, the system can determine if the user is allowed to see the page or execute the action based on the roles it is assigned.
Within Payara Server, there are many realms available by default, including a File-based realm, LDAP-based, PAM and Solaris integrated. There are also custom realms that can be created and used by Payara Server.
In this blog, I use the File Realm in the single sign-on example, but any realm can be used. The following Asadmin CLI commands create a specific Group and a user. The password for the user is requested interactively.
./asadmin set configs.config.server-config.security-service.auth-realm.file.property.assign-groups=Users ./asadmin create-file-user --groups=Users --target=server-config --authrealmname=file rudy
The bulk of the application configuration is done within the web.xml file. There we define a security constraint for a web resource, and how the credentials are retrieved and validated.
This is the snippet required for our demo application:
The <security-constraint> defines that all pages in the /secured path need an authenticated user that has the role User.
The <login-config> determines how the credentials are retrieved. In our application, we use a Form-based mechanism using the HTML page loginform.html and the submitted credentials are matched using the file realm.
And the last tag defines that our application uses a role called User.
This is an example of a loginform page in HTML. The main aspects are the j_security_check action and the names for the input fields (j_username and j_password):
<formaction="j_security_check"method=post> <p><strong>Please Enter Your User Name: </strong> <inputtype="text"name="j_username"size="25"> <p><p><strong>Please Enter Your Password: </strong> <inputtype="password"size="15"name="j_password"> <p><p> <inputtype="submit"value="Submit"> <inputtype="reset"value="Reset"></form>
The second bit of the configuration is done through the payara-web.xml file, also located in the WEB-INF folder. Here we define the mapping of the user Groups defined in the realm and the roles used in the application. You can also opt for an automatic one-to-one mapping but in that case, the roles used in the application must match the assigned Groups to the user.
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE payara-web-app PUBLIC "-//Payara.fish//DTD Payara Server 4 Servlet 3.0//EN" "https://raw.githubusercontent.com/payara/Payara-Server-Documentation/master/schemas/payara-web-app_4.dtd"><payara-web-app> <security-role-mapping> <role-name>User</role-name> <group-name>Users</group-name> </security-role-mapping></payara-web-app>
Payara Server will now redirect to the loginform.html page when the user tries to access a secured page and authentication is not yet performed for the application. When the credentials match and the user has the correct role (mapped from the group) the requested page is returned to the user.
However, when deploying another application, using the same file realm, Payara Server still requests the authentication even if the user is already authenticated in the first application.
Single Sign-on
To set up the Single Sign-on, we need to configure the Server. This can be done very easily using the following Asadmin CLI command.
./asadmin set configs.config.server-config.http-service.sso-enabled=true
This activates the Single Sign-on for the entire Server, for all applications running on it. If that is not desired, it is possible to activate the Single Sign-on option for a newly created Virtual Server and assign the applications that participate in the Single Sign-on to that Virtual Server.
The feature works by putting the required information in a cookie so that it can be retrieved and inspected by other applications. No sensitive information, like the password, is stored in the cookie. The cookie stores a reference to the internal data so that a user can be authenticated automatically in the other applications.
When you logout in one application, the information is removed so that a logout is also performed in the other applications. This functionality is called Single Logout and is always active using this option.
Conclusion
When you require a Single Sign-on solution for applications deployed on a single Payara Domain, a simple setting can be activated to achieve this. This works will all Realms available on Payara Server, including the custom-defined ones.
your blog came in very handy. I am currently testing the possibilities of using SSO on Payara for my applications. While trying this, I came across the following behavior:
I have 2 web applications
I have SSO enabled on the Payara server
I launch the first application, the login form is displayed, I enter the login details and log in
I run the second application, I’m automatically logged in, that’s fine
I log out from second application but I’m still logged in
Until the second log out the session is valid
If I log out from the first application first, session is invalidate immediately for all my applications.
Is there an explanation for this or did I make a mistake somewhere?
I cannot reproduce the issue you describe, these are the steps I took
– Access secure page from application1
– login form requests credentials
– I can access all secure pages of application1
– Access secure page from application2
– I can access all secure pages of application2 without the login form.
– Logout on application2 (HttpServletRequest.getSession().invalidate();)
– I get the login form when I want to access a secured page of application1.
Hi Rudy,
I cloned your demo and found testcase where previosly described SSO issue is presented.
Please try perform exactly all steps an give mi feedback :
* if the testcase was successfully repreduced
* if this behaviour is OK.
Start TestCase:
1. open an internet browser and write a link to launch the “form-secured” application in the search bar in the first TAB
– the login page is displayed.
!!! NOT enter your credentials now !!!
2. write a link to launch the “application2” in the search bar on the second TAB
– the login page is displayed.
!!! NOT enter your credentials now !!!
3. switch back to first browser TAB , enter your credentials and click submit
– the secured page of application “form-secured” is displayed
4. click on the second browser TAB and refresh page
– you are automatically logged in to the secure part of “application2”
5. click on Logout link in “application2”
– page with message “Application 2 – Logout performed” is displayed
6. switch to the first browser TAB and click on link “Other servlet”
– the secure page “Other servlet” is displayed .
!!! I expect to be logged out but I am not !!!
7. click on the second browser TAB and write link to launch the “application2”
– the secured page of application “application2” is displayed
!!! I expect to be logged out but I am not !!!
Hi Rudy- We are having this issue in a more serious and problematic way. We see Peter’s behavior in a “normal” use case where the user properly logs in and uses two apps. Please see issue #5551: https://github.com/payara/Payara/issues/5551. Because of this bug, SSO seems effectively unusable.
Jim
5 minutes
Hi Rudy,
your blog came in very handy. I am currently testing the possibilities of using SSO on Payara for my applications. While trying this, I came across the following behavior:
I have 2 web applications
I have SSO enabled on the Payara server
I launch the first application, the login form is displayed, I enter the login details and log in
I run the second application, I’m automatically logged in, that’s fine
I log out from second application but I’m still logged in
Until the second log out the session is valid
If I log out from the first application first, session is invalidate immediately for all my applications.
Is there an explanation for this or did I make a mistake somewhere?
Thanks
Peter
Hi Peter,
I cannot reproduce the issue you describe, these are the steps I took
– Access secure page from application1
– login form requests credentials
– I can access all secure pages of application1
– Access secure page from application2
– I can access all secure pages of application2 without the login form.
– Logout on application2 (HttpServletRequest.getSession().invalidate();)
– I get the login form when I want to access a secured page of application1.
Hi Rudy,
Thanks for the reply.
Can you send me your demo application for testing and comparison?
Peter
Hi Peter,
I have placed the demo code on Github; https://github.com/rdebusscher/payara-sso
Best Regards
Rudy
Hi Rudy,
I cloned your demo and found testcase where previosly described SSO issue is presented.
Please try perform exactly all steps an give mi feedback :
* if the testcase was successfully repreduced
* if this behaviour is OK.
Start TestCase:
1. open an internet browser and write a link to launch the “form-secured” application in the search bar in the first TAB
– the login page is displayed.
!!! NOT enter your credentials now !!!
2. write a link to launch the “application2” in the search bar on the second TAB
– the login page is displayed.
!!! NOT enter your credentials now !!!
3. switch back to first browser TAB , enter your credentials and click submit
– the secured page of application “form-secured” is displayed
4. click on the second browser TAB and refresh page
– you are automatically logged in to the secure part of “application2”
5. click on Logout link in “application2”
– page with message “Application 2 – Logout performed” is displayed
6. switch to the first browser TAB and click on link “Other servlet”
– the secure page “Other servlet” is displayed .
!!! I expect to be logged out but I am not !!!
7. click on the second browser TAB and write link to launch the “application2”
– the secured page of application “application2” is displayed
!!! I expect to be logged out but I am not !!!
Best Regards
Peter
Hi Peter,
You describe an unusual use case (opening the login form but not using it immediately) but you can you open a GitHub issue for this bug request.
Thanks
Rudy
Hi Rudy- We are having this issue in a more serious and problematic way. We see Peter’s behavior in a “normal” use case where the user properly logs in and uses two apps. Please see issue #5551: https://github.com/payara/Payara/issues/5551. Because of this bug, SSO seems effectively unusable.
Jim