
22.4.3. Limitations

There are a number of known limitations to this Tomcat valve-based SSO implementation:
  • Only useful within a cluster of JBoss servers; SSO does not propagate to other resources.
  • Requires the use of container-managed authentication (via the <login-config> element in web.xml).
  • Requires cookies. SSO is maintained via a cookie, and URL rewriting is not supported.
  • Unless requireReauthentication is set to true, all web applications configured for the same SSO valve must share the same JBoss Web Realm and JBoss Security security-domain. This means:
    • In server.xml you can nest the Realm element inside the Host element (or the surrounding Engine element), but not inside a context.xml packaged with one of the involved web applications.
    • The security-domain configured in jboss-web.xml or jboss-app.xml must be consistent for all of the web applications.
    • Even if you set requireReauthentication to true and use a different security-domain (or, less likely, a different Realm) for different webapps, the varying security integrations must all accept the same credentials (e.g. username and password).
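
A pre-deployment check for two of the limitations above (every application needs a <login-config>, and all applications behind one SSO valve need the same security-domain), given as an added example that is not part of the Red Hat documentation. The function names, application names and domain names are assumptions made for illustration, and only jboss-web.xml is inspected, not jboss-app.xml.

```python
import xml.etree.ElementTree as ET

def first_text(xml_text, name):
    """Text of the first element whose local name matches, ignoring namespaces.
    Returns None when the element is absent, '' when present but empty."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return (el.text or "").strip()
    return None

def check_sso_apps(apps, require_reauthentication=False):
    """apps maps app name -> (web.xml text, jboss-web.xml text). Returns findings."""
    findings, by_domain = [], {}
    for name, (web_xml, jboss_web_xml) in sorted(apps.items()):
        if first_text(web_xml, "login-config") is None:
            findings.append(f"{name}: web.xml has no <login-config>")
        domain = first_text(jboss_web_xml, "security-domain")
        if domain:
            by_domain.setdefault(domain, []).append(name)
        else:
            findings.append(f"{name}: jboss-web.xml has no <security-domain>")
    # Differing domains are tolerated only when requireReauthentication is true;
    # whether they accept the same credentials cannot be verified from the descriptors.
    if len(by_domain) > 1 and not require_reauthentication:
        detail = "; ".join(f"{d} -> {', '.join(a)}" for d, a in sorted(by_domain.items()))
        findings.append(f"security-domain mismatch: {detail}")
    return findings

# Constructed sample descriptors (application and domain names are made up).
WEB_FORM = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""
WEB_NO_AUTH = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"/>"""
JBW = "<jboss-web><security-domain>java:/jaas/{}</security-domain></jboss-web>"

SAMPLE_APPS = {
    "shop.war": (WEB_FORM, JBW.format("portal")),
    "billing.war": (WEB_FORM, JBW.format("portal")),
    "reports.war": (WEB_NO_AUTH, JBW.format("reporting")),
}

if __name__ == "__main__":
    for finding in check_sso_apps(SAMPLE_APPS):
        print(finding)
```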