Tomcat SSO with Domino

 
Ranch Hand
Posts: 192
Hello. Kind of exploring potential SSO stuff between a Domino app and a Tomcat app. The Notes app is the UI, and the Notes app makes (https) calls to the Tomcat servlet. Both Domino and Tomcat instances are on the same machine.

I was reading about Tomcat Realms which, among the options, looks like it can either connect to a relational db or ldap directory.  I started down that road as I think the Domino Directory has an LDAP/LDAPS interface, but I think 389/638 ports on the server vm are being used by Windows LDAP services. So then started looking at token/SAML type thing. Was thinking the Domino Directory could serve as a SAML IdP but it's not configured for that.

Domino achieves SSO among its own servers via the Ltpa token, but I think that's a proprietary token.

Are there any potential alternatives? I'm thinking of looking into OpenID Connect, it's open source, but I have to see if either side can use it, uh, and its JWT tokens efficiently. I also think it runs into the same problem as SAML: Domino can't serve as the IdP. Ty so much.
 
Saloon Keeper
Posts: 27868
196
Tomcat's Realms are simple plug-in components and if you can't find a plug-in you like, you can always create your own.

Normally, I think the CAS SSO is the popular solution for Tomcat, but have you looked at this?
https://openntf.org/main.nsf/project.xsp?r=project/DominoTomcatSSO
 
Thomas Griffith
Ranch Hand
Posts: 192
Hello, Tim. Yeah, I looked at that Domino/Tomcat SSO thing and was able to get it to display the Domino login, but for any app pages which typically return xml, stream? it keeps displaying the login after submitting good credentials. Nothing in the Tomcat err logs. I also think it requires some cumbersome settings in Domino which would be buried. The quick guide doesn't have these but the detailed guide does. I kinda don't want to go down that road. I'll mess with it more.
 
Thomas Griffith
Ranch Hand
Posts: 192
Tim, regarding SAML, it's too big for this, but does Tomcat as an SP support it? I can't find that it does. Is this something which could be realized maybe via a third-party (IdP) jar and config settings for the container, or would servlet code have to be written/modified to deal with it (requesting, accepting the token)? Thank you.
 
Tim Holloway
Saloon Keeper
Posts: 27868
196
I'm pretty rusty on what I know of SAML, but as I recall, SAML isn't so much a mechanism as it is a protocol. I'd be less worried about Tomcat supporting it and more concerned about what your Tomcat clients would be able to do with it.

Tomcat itself supports JEE standard security via 4 primary components: First, you have the Realm itself, which deals with authentication and authorization. Then you have the UserPrincipal, which hangs off the HttpServletRequest object. Then you have the HttpSession, which anchors the security components between request/response cycles. And finally, you have the jsessionid, which is the key into Tomcat's HttpSession map used to find which HttpSession corresponds to which client. The jsessionid is simply a short hash code, with no inherent meaning, and in fact, it cannot be cached on the client, because it can be and is changed by the JEE server on any given request - the HttpSession is simply assigned a new key in the server's session map.

So in the non-SSO security environment, every Http(s) request that comes into Tomcat is mapped to an application, and that application's web.xml generates a security pattern map (when annotations are used, they just get added to the actual web.xml in-memory component).

When a URL matches a security pattern, Tomcat checks to see if there was an accompanying jsessionid, either as an appendage to the URL itself (";jsessionid=xxxx") or in a cookie named jsessionid. If so, that jsessionid is used to find the user's HttpSession, which in turn finds the security context, allowing the user's assigned security roles to be checked to see if they allow access to that URL.

If there is no jsessionid, the user isn't yet signed on and Tomcat will "park" the request and send back a login screen (FORM-based login) or signal the need for a client login dialog popup (BASIC login). The user provides credentials and they are passed as arguments to the Realm's "authenticate()" method. It returns a go/no-go response. For "no go", you get the loginfail action until the user provides valid credentials or gives up. For a "go", the authentication mechanism ensures that an object implementing the UserPrincipal interface is constructed and supplied to Tomcat, which will then create an HttpSession if one did not already exist and attach the UserPrincipal to the HttpSession.

Once authenticated, Tomcat can "un-park" the original URL request and vet it against the Realm authentication. It does this by looking up the role(s) mapped to the URL in the webapp's web.xml security elements and invoking the Realm's "isUserInRole()" method, which again returns a go/no-go response. Note that good security never volunteers information. You can't "fish" for roles, only determine if a role fits.

Now we know if we've passed the tests. If not, Tomcat will invoke the "403 - Forbidden" response for the webapp. Otherwise the URL gets parsed and passed to the servlet or JSP that web.xml/Tomcat has mapped to that URL. Tomcat has a default web.xml built into it for things like JSPs, page indexes and static content that it uses for stuff that the webapp's own web.xml doesn't handle. Normally you'll never touch this.

The net effect is that login/authentication is completely transparent, functionally. The webapp cannot tell whether the user just logged in or not — there is no "login/logout" event to listen to. The only difference to a servlet/JSP between a logged-in user and a logged-out user is whether the getUserPrincipal() and getRemoteUser() methods return data or null.

So what about SSO? This is one of the reasons that Tomcat has no login events. With SSO, you could have logged into the SSO system from some other app on some other server, a half-hour ago. In this case, Tomcat needs a Realm that can check with the SSO security server and construct its internal security objects accordingly. To be fully transparent, the Realm you use should itself be able to log in to the SSO security server in case SSO had not been done elsewhere.

For something that does SSO based on your Windows LAN signon, the Kerberos ticket that Windows creates when you log into Windows can be used to avoid a login prompt, as the Realm will use that. For other systems, you just need to have some sort of extra-Tomcat security environment that can be tapped into. In your case, that would be whatever Domino uses, and if memory serves, Domino uses web clients these days, unlike when I had to have a separate Lotus Notes desktop application. So see what it's using.

As a final note, another SSO option is OAUTH2, which Tomcat also supports. OAUTH2 can be a pain, since it's hard to automate something that really wants manual participation, but it's well-supported.
 
Tim Holloway
Saloon Keeper
Posts: 27868
196
Also, I highly recommend reading this:

https://www.baeldung.com/apache-tomcat-sso

Unlike my own incoherent ramblings coming from an increasingly demented memory, they've actually checked the details.
 
Thomas Griffith
Ranch Hand
Posts: 192
Thanks, Tim. I started a Udemy course on OAuth as a result and completed the SAML run-through. It is complex.

I did deploy an SSO for Tomcat and Domino which uses DIIOP and the proprietary Domino token. It uses a filter in Tomcat. I tweaked some of it and deployed to two apps (app1 and app2) on two instances, holding off on the primary prod instance for now. One thing I noticed is that for one of the apps (app1), and this happened on both instances, it threw a 404 error in the Tomcat access log every time I tried calling the servlet. This happens just after adding the filter to the app1 web.xml.

Then I take the filter out of web.xml, try again, it works. Then add the filter back into web.xml and it works. So, there is an initial fail when first adding the filter to web.xml...bad 404 error....remove filter...call servlet...good again...re-add filter...call servlet...good.

...and it's been working ever since. I tried to restart Tomcat, redeploy web app1, mess with removing/adding filter in web.xml and I can't recreate the initial 404.

I noticed in the catalina log this entry: "org.apache.catalina.startup.HostConfig.reload Reloading context [/app1]" at around the time I was doing this messing around. Then two minutes later, "...Reloading context [/app1] is completed". Is there some sort of correlation here? I didn't have this happen for app2, or at least I didn't notice it.
 
Tim Holloway
Saloon Keeper
Posts: 27868
196
If you are getting a "404" error, then something may have been chewing on the incoming URL, because that's thrown when Tomcat cannot match a URL to a servlet, JSP, or static resource. One possibility is that the filter has hijacked the original URL and is trying to re-route to something like a "login" URL, but the login URL is incorrect. That's similar to what the Tomcat Realms do except that Realm logins also set up a special login context (which is why you cannot log in using form-based login via a direct URL request to the login form).

Tomcat scans all of its deployed webapps every few seconds. If it detects that an app has been modified (for example, a JSP or image resource was updated), then it will undeploy that app and redeploy it. So those messages are not abnormal; it's simply letting you know that a re-deployment is being/has been done.
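The filter-based SSO described in the thread, and the 404 failure mode Tim describes above, as an added example (not code from the thread, from Tomcat, or from any Domino SSO product). It assumes Tomcat 9 (Servlet 4.0, where Filter.init()/destroy() have defaults); the cookie name, login path and the userFor() hook are assumptions for illustration.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter-based SSO for Tomcat 9 (Servlet 4.0, so init()/destroy()
// have defaults). Cookie name and login path are assumptions, not any product's.
public abstract class ExternalSsoFilter implements Filter {

    static final String COOKIE_NAME = "SsoToken";   // assumed
    static final String LOGIN_PATH  = "/login.jsp"; // assumed, inside this webapp

    // Assumed hook: a concrete subclass asks the external SSO system or directory
    // whether the token is valid and whose it is; null means "not signed on".
    protected abstract String userFor(String token);

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Never guard the login page itself, or no one could ever reach it.
        if (LOGIN_PATH.equals(http.getServletPath())) { chain.doFilter(req, res); return; }

        String token = null;
        Cookie[] cookies = http.getCookies(); // null when the request carries no cookies
        for (int i = 0; cookies != null && i < cookies.length; i++)
            if (COOKIE_NAME.equals(cookies[i].getName())) token = cookies[i].getValue();
        String user = (token == null) ? null : userFor(token);

        if (user == null) {
            // Not signed on: hand the request to the login page instead of the servlet.
            // If LOGIN_PATH does not exist in the webapp, Tomcat's default servlet
            // answers with 404, the symptom to check for when a newly added SSO
            // filter appears to "break" a working servlet.
            http.getRequestDispatcher(LOGIN_PATH).forward(req, res);
            return;
        }
        // Signed on: surface the identity through the standard servlet API, so the
        // servlets behind the filter see exactly what a container login would give.
        Principal principal = () -> user;
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public Principal getUserPrincipal() { return principal; }
            @Override public String getRemoteUser() { return user; }
        }, res);
    }
}
```

A forwarded request does not re-enter the filter chain (filters apply to the REQUEST dispatcher by default), so the forward to LOGIN_PATH cannot loop, but a direct request for the login page would, which is why it is excluded up front.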
 
Thomas Griffith
Ranch Hand
Posts: 192
~Never mind~ thanks. I can't find how to delete my reply.
 