It's a very vague question because there are so many techniques and so many technologies here, but I can understand what you're asking: I assume you don't want to add a user/password, but instead the user should somehow be magically identified.
As a possible solution, consider using Kerberos. If you're using Active Directory servers in your organisation, you may be interested in this approach. Basically, what you need is to issue some identification information to your server; your Windows machines in the domain also have some information. Now browsers (I understand you have a web-based system) can support this kind of authentication. It works like this:
- The client issues the first request in the session (no user/password whatsoever)
- The server reads this and says 'I don't know who you are, bring me some identification information' (technically it sends some header)
- Once the browser gets such a response, it issues a connection to the AD server (it includes a Kerberos server implementation) and obtains some identification information
- The browser issues a request to your web server with a ticket (identification information in security jargon)
- The web server reads and parses this ticket, talks by itself to the Kerberos server and ensures that the ticket is valid and correct
- The web server allows the client to connect; the username is accessible from the request, and you can store it in the HttpSession if you want
That's the theory. Usually the web-server part is application specific, and as such it is implemented with the help of a Java web filter; some configuration may also be required on the application server side.
Now, although you can implement this stuff by yourself (look here), you'll probably prefer to use some third parties.
Things become complicated when you're using a lot of web servers for your application, trying to set up cross-domain authentication and so forth.
I would recommend you take a look at CAS.
Its basic idea is to delegate the authentication-related stuff (that involves working with Kerberos or whatsoever) to a dedicated server, so instead of talking directly to the Kerberos server your web server redirects the user to the CAS server, and it manages the authentication by itself.
Technically, you drop a couple of jars with the web filter implementation, define your filter, deploy and set up the CAS server with the details of the available Kerberos server, and it should work :)
Of course I've described only one possible solution.
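The bullet list above is the browser-side "Negotiate" handshake (HTTP 401 with `WWW-Authenticate: Negotiate`, then `Authorization: Negotiate <token>`). The following is an added example, not code from the answer above or from any Kerberos library: it models the exchange with a constructed, HMAC-signed stand-in ticket so that it runs offline. Real Kerberos/SPNEGO tokens are GSS-API structures, and the server validates them with its own service key (its keytab); the names `SERVICE_KEY`, `SERVICE_SPN`, `kdc_issue_ticket`, `verify_ticket`, `web_server` and `browser_flow` are all assumptions of this example. The checks a filter must not skip are shown: signature, service principal name (a ticket for another service is rejected) and expiry.

```python
"""
Simulated browser <-> web server "Negotiate" handshake.

Added example, not code from the original answer. The ticket is a
constructed, HMAC-signed stand-in for a Kerberos service ticket.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumption: the KDC and the web service share this key
# (in real Kerberos this is the service's keytab entry).
SERVICE_KEY = b"constructed-service-key-for-demo"
SERVICE_SPN = "HTTP/app.example.com"   # assumed service principal name
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def kdc_issue_ticket(user_principal, spn, key=SERVICE_KEY, lifetime=600, now=None):
    """Stand-in for the KDC step: issue a ticket for user -> service."""
    now = time.time() if now is None else now
    body = json.dumps({"cname": user_principal, "sname": spn,
                       "exp": now + lifetime}, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + mac).decode()


def verify_ticket(token_b64, spn=SERVICE_SPN, key=SERVICE_KEY, now=None):
    """Server-side validation. Returns the client principal, or None."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return None
    if len(raw) <= MAC_LEN:
        return None
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None                          # forged or wrong service key
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    now = time.time() if now is None else now
    if claims.get("sname") != spn:           # ticket issued for another service
        return None
    if claims.get("exp", 0) < now:           # expired ticket
        return None
    return claims.get("cname")


def web_server(headers, session):
    """Filter-style handling of one request. Returns (status, response headers)."""
    if session.get("user"):
        return 200, {}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Negotiate "):
        # bullet 2: challenge the client for a ticket
        return 401, {"WWW-Authenticate": "Negotiate"}
    user = verify_ticket(auth[len("Negotiate "):])
    if user is None:
        return 401, {"WWW-Authenticate": "Negotiate"}
    session["user"] = user                   # bullet 6: username stored on the session
    return 200, {}


def browser_flow(user_principal, spn=SERVICE_SPN):
    """Run the whole exchange; returns (list of statuses seen, session user)."""
    session, statuses = {}, []
    status, resp = web_server({}, session)   # bullet 1: anonymous first request
    statuses.append(status)
    if status == 401 and resp.get("WWW-Authenticate") == "Negotiate":
        ticket = kdc_issue_ticket(user_principal, spn)   # bullets 3-4: ask the KDC
        status, _ = web_server({"Authorization": "Negotiate " + ticket}, session)
        statuses.append(status)
    return statuses, session.get("user")


if __name__ == "__main__":
    print(browser_flow("alice@EXAMPLE.COM"))   # ([401, 200], 'alice@EXAMPLE.COM')
```

The SPN check matters in practice: a ticket the browser obtained for another HTTP service must not be accepted by yours, which is why the service key alone is not enough and the name in the ticket is compared too.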
We are implementing Single Sign On [SSO] across multiple applications, which are hosted on different domains and different servers.
Now, as shown in the picture, we are introducing an Authenticate Server which actually interacts with LDAP and authenticates the users. The applications which will use/talk to the Authenticate Server are hosted across different servers and domains.
For SSO, I can't use session variables, as there are different servers and different applications; with different domains, a domain-level cookie/session variable is not helpful.
I am looking for a better solution which can be used for SSO across them. Does any demonstrated implementation exist? If so, please post it or point me in the right direction.
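The redirect-based scheme the earlier answer sketches for CAS is what addresses the cross-domain problem in this question: no cookie is shared between the applications; only the central server keeps a login cookie on its own domain, and each application gets a short-lived, single-use ticket that it validates over a back channel. The following is an added example that is not code from the question, the answer, or the CAS project. It is modelled loosely on the CAS protocol's `login?service=` redirect and `serviceValidate` back channel, but `AuthServer`, `App`, `sso_walkthrough`, the cookie names and the in-memory LDAP stand-in are all assumptions of this example, and the two applications, the auth server URL and the user record are constructed.

```python
"""
Simulated redirect-based SSO across two applications on different domains.
Added example; not code from the original question, answer or CAS.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_SERVER = "https://sso.example.net"      # assumed central auth server


class AuthServer:
    """Central authentication server (stand-in for CAS in front of LDAP)."""

    def __init__(self, directory, ticket_lifetime=30):
        self.directory = directory           # constructed LDAP stand-in: user -> password
        self.sso_sessions = {}               # SSO cookie value -> username
        self.tickets = {}                    # service ticket -> (service_url, user, expiry)
        self.ticket_lifetime = ticket_lifetime

    def login(self, service_url, cookies, username=None, password=None, now=None):
        """GET /login?service=... ; returns (redirect URL with ticket, new SSO cookie or None)."""
        now = time.time() if now is None else now
        user = self.sso_sessions.get(cookies.get("SSO"))
        set_cookie = None
        if user is None:                     # no SSO cookie: credentials are required
            if username is None or self.directory.get(username) != password:
                return None, None            # caller shows the login form
            user = username
            set_cookie = secrets.token_urlsafe(32)
            self.sso_sessions[set_cookie] = user
        ticket = "ST-" + secrets.token_urlsafe(24)
        self.tickets[ticket] = (service_url, user, now + self.ticket_lifetime)
        sep = "&" if "?" in service_url else "?"
        return service_url + sep + urlencode({"ticket": ticket}), set_cookie

    def validate(self, service_url, ticket, now=None):
        """Back channel: the ticket is single-use, bound to one service and time-limited."""
        now = time.time() if now is None else now
        entry = self.tickets.pop(ticket, None)          # pop => cannot be replayed
        if entry is None:
            return None
        bound_service, user, expiry = entry
        if bound_service != service_url or expiry < now:
            return None
        return user


class App:
    """One application on its own domain with its own session store."""

    def __init__(self, url, auth_server):
        self.url, self.auth, self.sessions = url, auth_server, {}

    def handle(self, request_url, cookies):
        user = self.sessions.get(cookies.get("APPSESSION"))
        if user:
            return "ok", user
        ticket = parse_qs(urlsplit(request_url).query).get("ticket", [None])[0]
        if ticket is None:                   # not logged in here: bounce to the auth server
            return "redirect", AUTH_SERVER + "/login?" + urlencode({"service": self.url})
        user = self.auth.validate(self.url, ticket)
        if user is None:
            return "deny", None
        cookie = secrets.token_urlsafe(32)   # local session, scoped to this app's domain
        self.sessions[cookie] = user
        return "login", (cookie, user)


def sso_walkthrough():
    """Alice logs in once and reaches two apps on different domains."""
    auth = AuthServer({"alice": "correct horse"})            # constructed directory
    app_a = App("https://a.example.com/app", auth)
    app_b = App("https://b.example.org/app", auth)
    jar_sso, jar_a, jar_b = {}, {}, {}       # the browser keeps one cookie jar per domain
    result = {}

    _, login_url = app_a.handle(app_a.url, jar_a)                   # A: no session -> redirect
    service = parse_qs(urlsplit(login_url).query)["service"][0]
    back, sso_cookie = auth.login(service, jar_sso, "alice", "correct horse")
    jar_sso["SSO"] = sso_cookie                                     # only cookie that is "shared"
    _, (cookie, user) = app_a.handle(back, jar_a)                   # A validates the ticket
    jar_a["APPSESSION"] = cookie
    result["app_a_user"] = user

    _, login_url = app_b.handle(app_b.url, jar_b)                   # B: another domain, same dance
    service = parse_qs(urlsplit(login_url).query)["service"][0]
    back, _ = auth.login(service, jar_sso)                          # SSO cookie -> no password
    result["second_login_prompted"] = back is None
    _, (cookie, user) = app_b.handle(back, jar_b)
    jar_b["APPSESSION"] = cookie
    result["app_b_user"] = user
    result["replay"] = app_b.handle(back, {})                       # reused ticket is refused
    return result


if __name__ == "__main__":
    print(sso_walkthrough())
```

Binding the ticket to the service URL is the check that stops a malicious application, or a user who obtained a ticket for one service, from presenting it to another; single use plus a short lifetime limits what a ticket leaked through a referrer header or a proxy log is worth.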
