Anil Saldhana is the Lead Identity Management Architect at JBoss. He blogs at Anil has posted 16 posts at DZone. You can read more from them at their website. View Full User Profile

Choosing SSO for your JBoss Application Server Installation

  • submit to reddit


JBoss Application Server runs Java EE applications which can be web applications, EJB applications, Web Services etc.  Single Sign On (SSO) or seamless security context/identity propagation is a requirement of these applications.  In this article, we will look at some use cases and guidelines to choosing the right type of SSO solution for that use case, when running on JBoss Application Server.

As you know, JBoss Application Server has integrated Apache Tomcat (JBossWeb is the official name, which is a variant of Tomcat) as the web container.


Use Cases


Use Case 1 :    Need Kerberos based Desktop SSO

Suppose your user logs into a Kerberos/SPNego driven desktop, such as the one on Microsoft Windows desktop or Linux desktops, after which they log into web applications hosted on JBoss Application Server.  In this case, you would like to utilize the integrated authentication mechanism in browsers such that the user is logged in, based on the Kerberos principal.

You should look at JBoss Negotiation component, that is part of the JBoss Application Server.



Use Case 2:  Need SSO for web applications running in one instance of JBoss AS  or inside a virtual host (Non-Clustered Scenarios)

 Use the Apache Tomcat Single Sign On Valve.

In JBoss AS7.x and beyond, the valve configuration is done in jboss-web.xml of your web application.  An example is shown in:

In JBoss AS 5/6, the valve configuration is done in WEB-INF/context.xml


Use Case 3:  Need SSO for web applications running in a JBoss AS cluster

You should use the ClusteredSingleSignOnValve as described in

Additional reference is at

Remember, in JBoss AS7.x, the valve configuration is done in WEB-INF/jboss-web.xml  whereas in AS5/6, it is done in WEB-INF/context.xml


Use Case 4: Need SSO for web applications deployed in different servers

In this use case, you have deployed web applications in different servers and you want to authenticate the users centrally and then use the login result in each of your applications.  SAML Web Browser based SSO profile fits your needs.  In this profile, you have a central Identity Provider (IDP) that holds all the authentication logic.  Each of the web applications will redirect user to this central IDP to do the authentication. On successful authentication, the user is logged into the web applications.

Look for project PicketLink that is available from JBoss community ( and part of JBoss Application Server.

This is architecture type 1 described in

 Look for cheatsheets for your version of JBoss AS here:



Use Case 5: Need SSO for EJB applications and Web Services deployed on JBoss Application Servers

In this use case, you want to avail seamless security/identity propagation across ejb/ws applications.  You will need to use the PicketLink Security Token Server (STS).

Cheatsheet for AS 7.1.1 is available at

For additional articles, please refer to  and



Project PicketLink

PicketLink User Forums

PicketLink User Email List is (picketlink  AT  subscribe at:


Published at DZone with permission of its author, Anil Saldhana.

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)