I have the following setup:
- Apache webserver in front of Tomcat 5.5.9
- three 3rd-level domains www.mydomain.xa, search.mydomain.xa, my.mydomain.xa
- Single Sign-On valve in Tomcat is activated
- Login is handled by my.mydomain.xa and its corresponding webapp under context /My

The problem with the SSO cookie created by Tomcat after successful login is that the domain name stored with the cookie is my.mydomain.xa. Therefore the SSO cookie is not sent by the user agent if a request goes to www.mydomain.xa or search.mydomain.xa, and single sign-on is not working for these subdomains. So I need a way to tell Tomcat to set '.mydomain.xa' as the domain of the SSO cookie so it will be sent by the user agent for all subdomains.

Therefore I introduced the system property 'tomcat.sso.cookie.domain' and added a few lines to AuthenticatorBase.java where the value of the named system property is used, if available, to set the SSO cookie's domain (see attached patch). The system property can be set in the startup script, for example.
Created attachment 14918: SSO cookie domain patch
It's a good use case, but it's not the right way to do it. You should add an optional attribute on the SSO valve instead.
Created attachment 14971: AuthenticatorBase.java patch
Created attachment 14972: SingleSignOn.java patch
Created attachment 14973: mbeans-descriptors.xml patch
I agree that an optional attribute on the SingleSignOn valve is the more elegant way to specify a domain name for the SSO cookie. I modified the implementation in the suggested way (see the three new patches attached) so the cookie domain can be set on the valve like <Valve className="org.apache.catalina.authenticator.SingleSignOn" cookieDomain=".mydomain.xa"/>
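To see why the cookieDomain attribute fixes the problem, the following added example (not Tomcat code, not part of the bug thread) simulates the user agent's cookie domain-match rule from RFC 6265 section 5.1.3 for the three hosts named in the report: a host-only SSO cookie issued by my.mydomain.xa is returned only to that host, while one scoped to .mydomain.xa is returned to every subdomain. The host "other.mydomain.xa" is a constructed name used to show that the widened scope also covers subdomains not listed in the report.

```python
# Added example: simulate which request hosts receive the SSO cookie
# under the default (host-only) scope and under cookieDomain=".mydomain.xa".

def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3 domain-match: the host equals the cookie domain, or
    ends with it and the preceding character is a dot. A leading dot on the
    cookie domain (as in cookieDomain=".mydomain.xa") is ignored, as modern
    user agents do."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def cookie_sent(request_host: str, cookie_domain: str, host_only: bool) -> bool:
    """A cookie set without a Domain attribute is host-only: the browser
    returns it only to the exact host that issued it. With a Domain
    attribute the domain-match rule applies instead."""
    if host_only:
        return request_host.lower() == cookie_domain.lower()
    return domain_match(request_host, cookie_domain)


def hosts_receiving_cookie(cookie_domain: str, host_only: bool, hosts):
    """Return the subset of hosts to which the user agent sends the cookie."""
    return [h for h in hosts if cookie_sent(h, cookie_domain, host_only)]


# Hosts from the report plus one constructed extra subdomain.
SSO_HOSTS = ["www.mydomain.xa", "search.mydomain.xa", "my.mydomain.xa"]
EXTRA_HOST = "other.mydomain.xa"  # constructed, not in the report

# Before the patch: SSO cookie issued by my.mydomain.xa without a Domain
# attribute, so it is host-only and never reaches the other subdomains.
before = hosts_receiving_cookie("my.mydomain.xa", True, SSO_HOSTS)

# After the patch: cookieDomain=".mydomain.xa" on the SingleSignOn valve.
after = hosts_receiving_cookie(".mydomain.xa", False, SSO_HOSTS + [EXTRA_HOST])

if __name__ == "__main__":
    print("host-only cookie sent to:", before)
    print(".mydomain.xa cookie sent to:", after)
```

The widened scope means every host under mydomain.xa, including ones not running the SSO valve, receives the session cookie, so each of those hosts must be trusted to the same degree as the login host.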
I've committed the patch into HEAD, it'll be in 5.5.13. Thank you for contributing it!