@kairosci kairosci commented Sep 6, 2025

This pull request introduces a new boolean attribute, allowSsoReauthentication, to provide control over the SSO re-authentication behavior in the SSLAuthenticator.

Description

The changes include:

  • Adding the allowSsoReauthentication attribute to AuthenticatorBase, along with its corresponding getter and setter methods.
  • Updating SSLAuthenticator to use the value of allowSsoReauthentication when checking for a cached authentication, allowing it to proceed with re-authentication if enabled.
  • Exposing the allowSsoReauthentication attribute in the MBean descriptor for AuthenticatorBase and SSLAuthenticator, making it configurable at runtime.

By defaulting to false, the existing secure behavior is maintained, while providing administrators the option to enable it when their security requirements permit.

Motivation

The SSLAuthenticator is designed to enforce a higher level of security by requiring client certificate authentication. As part of this, it currently prevents re-authentication from an existing Single Sign-On (SSO) session that may have been established using a weaker authentication method (e.g., FORM or BASIC).

While this is a secure default, it is not currently configurable. There are use cases where an administrator may want to allow re-authentication from an SSO session, even if the original authentication was weaker, to provide a more seamless user experience. This change introduces the necessary flexibility to support such scenarios.
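As an added illustration, not code from this pull request or from Tomcat itself, this is how the attribute would be set in a web application's context.xml once the change is available, assuming the attribute name from the description above and a Tomcat build that includes it. The default of false keeps the certificate requirement; true means an SSO identity established by FORM or BASIC in another application on the same Host is accepted in place of a certificate, so it should only be enabled where those authenticators are considered equivalent.

```xml
<!-- Constructed example: META-INF/context.xml of a web application whose
     web.xml declares auth-method CLIENT-CERT. Declaring the authenticator
     Valve explicitly is what allows its attributes to be set; the
     SingleSignOn Valve itself is configured on the enclosing Host. -->
<Context>
  <!-- Default (secure): a cached SSO identity created by FORM or BASIC
       elsewhere on this Host is not accepted here; the client must
       present a certificate. -->
  <Valve className="org.apache.catalina.authenticator.SSLAuthenticator"
         allowSsoReauthentication="false" />

  <!-- Opt-in (weaker): the cached SSO identity is reused and no
       certificate is required for that request. Enable only when every
       authenticator feeding the SSO session is trusted to the same level
       as client-certificate authentication. -->
  <!--
  <Valve className="org.apache.catalina.authenticator.SSLAuthenticator"
         allowSsoReauthentication="true" />
  -->
</Context>
```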

@michael-o
Member

How is this expected to work when you can configure client cert auth per virtual host only and not per resource? The flexibility from HTTPd does not exist here...

@kairosci
Author

kairosci commented Sep 6, 2025

Client certificate authentication is currently enforced by Tomcat at the virtual host level rather than per resource.
Because of this restriction, the SSLAuthenticator usually applies consistently to every request made by the host.

Administrators may, however, set up several authenticators (such as FORM and SSLAuthenticator) on various virtual hosts or during transitional stages in certain deployments.
The allowSsoReauthentication flag provides flexibility in such hybrid setups, allowing re-authentication from an existing SSO session when appropriate.

This modification foresees future extensibility or custom implementations where finer control may be introduced, even though the current architecture does not support per-resource granularity.

Additionally, it makes the behavior more transparent and configurable by helping to isolate and clarify the logic surrounding SSO re-authentication.
