19.3. Limitations

There are a number of known limitations to this Tomcat valve-based SSO implementation:
  • Only useful within a cluster of EAP instances; SSO does not propagate to other resources.
  • Requires use of container-managed authentication (via login-config element in web.xml).
  • Requires cookies. SSO is maintained via a cookie and URL rewriting is not supported.
  • Unless requireReauthentication is set to true, all web applications configured for the same SSO valve must share the same JBoss Web Realm and JBoss Security security-domain. This means:
    • In server.xml you can nest the Realm element inside the Host element (or the surrounding Engine element), but not inside a context.xml packaged with one of the involved web applications.
    • The security-domain configured in jboss-web.xml or jboss-app.xml must be consistent for all of the web applications.
    • Even if you set requireReauthentication to true and use a different security-domain (or, less likely, a different Realm) for different webapps, the varying security integrations must all accept the same credentials (for example,. username and password).