We've got an SSO-Proxy for most of our web applications. I'd like to make use of the SSO-Proxy instead of requiring the user to log in with his Windows credentials.

I've figured out how I can read the HTTP header containing the user-id. Now I'd like to authenticate as this user, but all provided methods require a password. Is there any way I can authenticate a user only by his user-id?

This is what I've got to get the user-id:

package ch.company.ivy.security;

import java.util.Map;

import javax.faces.context.FacesContext;

public class Auth {
    Map<String, String> headers;
    String userId;

    public Auth() {
        headers = FacesContext.getCurrentInstance().getExternalContext().getRequestHeaderMap();
        // The map is already Map<String, String>; the value is null when the header is absent.
        userId = headers.get("UID");
    }

    public String getUserId() {
        return this.userId;
    }
}

asked 25.01.2014 at 15:28

ahatius

edited 27.01.2014 at 11:42

Reto Weiss ♦♦

Xpert.ivy internally uses an embedded Tomcat web server. Maybe your SSO-Proxy delivers support for Tomcat (e.g. a Tomcat valve or realm or filter) so that Tomcat can use the user information from your SSO-Proxy and provide it to the deployed web applications. Xpert.ivy is such a deployed web application and will read the user information provided by Tomcat. If there is an Xpert.ivy user that has the same name as the one provided by Tomcat, it will automatically authenticate the user without any further configuration or logic necessary.

Overview of how this works:

Client -> SSO-Proxy -> Tomcat -> SSO-Proxy-Valve -> Xpert.ivy

SSO-Proxy: Delivers the user name in the UID HTTP parameter

SSO-Proxy-Valve: Reads the UID parameter and sets the user principal on the Tomcat request

Xpert.ivy: Reads the user principal from the Tomcat request and looks up an Xpert.ivy user with the same name. If it finds one, it will be authenticated on the session automatically.

This works similarly to SSO with IIS described in the Server Guide. The main difference is that you have to install and configure the SSO-Proxy specific Tomcat valve, realm or filter. The corresponding Tomcat configuration files are located at:

  • /webapps/ivy/WEB-INF/web.xml
  • /webapps/ivy/META-INF/context.xml

However, there is also an API to do something similar in your process:

import ch.ivyteam.ivy.security.IUser;

String userName = ivy.request.getParameter("UID").toString();
IUser user = ivy.session.getSecurityContext().findUser(userName);
ivy.session.authenticateSessionUser(user, "SSO-Proxy");

answered 27.01.2014 at 11:33

Reto Weiss ♦♦

edited 27.01.2014 at 11:42

I'll check this with our SSO guys, there seems to be a tomcat-sso integration :)

(28.01.2014 at 10:10) ahatius

Hi Reto, after I retrieved the IUser by using:

IUser user = ivy.session.getSecurityContext().findUser(userName);

then set some basic information for this user like


It seems to override the information of the user in the database also. I wonder if there is any API to work with IUser without affecting the database?

(25.04 at 07:06) thienqh

No, there is no such API. IUser is always backed in the database. What is the use case? Setting the fullname from an SSO Proxy seems to be weird?

(26.04 at 02:44) Reto Weiss ♦♦
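
The SSO-Proxy-Valve step from the answer above, written out as an added example (not code from the answer, the SSO-Proxy vendor, or Xpert.ivy). It accepts the UID header only when the request comes from the proxy's own address, since any client that can reach Tomcat directly can send that header itself. The package, class name, `trustedProxyAddr` attribute and default address are hypothetical; it assumes the `javax.servlet` API (Tomcat 9 or earlier) and that Xpert.ivy accepts a plain `Principal`.

```java
package com.example.sso; // hypothetical package

import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Hypothetical valve: trusts the UID header only when the SSO proxy sent the request. */
public class SsoHeaderValve extends ValveBase {
    private static final String UID_HEADER = "UID"; // header name from the question
    private String trustedProxyAddr = "127.0.0.1";  // assumed; set to the proxy's address

    // Tomcat calls this setter for a trustedProxyAddr attribute on the <Valve> element.
    public void setTrustedProxyAddr(String addr) {
        this.trustedProxyAddr = addr;
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String uid = request.getHeader(UID_HEADER);
        boolean fromProxy = trustedProxyAddr.equals(request.getRemoteAddr());

        if (uid != null && !fromProxy) {
            // A client that reaches Tomcat directly can send any UID it likes: reject it.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (uid != null && !uid.trim().isEmpty()) {
            final String name = uid.trim();
            // Set the principal that the deployed web application reads later.
            request.setUserPrincipal(new Principal() {
                @Override
                public String getName() {
                    return name;
                }
            });
        }
        // Requests without a UID header continue unauthenticated.
        getNext().invoke(request, response);
    }
}
```

The same source check applies to the in-process API variant: `authenticateSessionUser` should only be reached for requests that provably passed through the proxy.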
Asked: 25.01.2014 at 15:28

Seen: 2,003 times

Last updated: 26.04 at 06:18