Chat now with support
Chat with Support

Single Sign-On for Java 3.3.2 - Administration Guide

About this guide Introducing Single Sign-on for Java Preparing for Single Sign-on for Java Deploying Single Sign-on for Java
Getting started with Single Sign-on for Java Single Sign-on for Java and your web applications Setting up logging Controlling access to resources
Security Issues Maintenance and Troubleshooting Appendix: Configuration Parameters Appendix: Using the JKTools


The auth-constraint element is used to list those roles that are authorized to access resources specified in a security-constraint.

Table 8: Elements: auth-constraint






Description of the roles that are authorized



Roles that can access resources defined in the web-resource-collection of this security-constraint. If the idm.access.groupsAsRoles parameter is enabled, groups can be fully qualified with their realm/domain name. See the group element for more details.



Indicates which HTTP methods (for example, GET or POST) are subject to this security-constraint. If no method is indicated, then all methods are protected.

Security Issues

This section outlines the mechanisms in Single Sign-on for Java used to achieve secure operation, and outlines some areas that may need special attention. It assumes familiarity with basic security concepts, Kerberos, the HTTP protocol and Java EE application configuration.

Basic Recommendations

  • Limit the use of basic fallback where possible (disabled by default).
  • Limit the lifetime of sessions, and ensure that session IDs are “unguessable”.
  • Ensure that the authorization rules limit users to their least privilege.
  • If using basic fallback, configure Active Directory to lock out users after some specified number of failed logins.
  • Do not use basic fallback where there is a high risk of Denial of Service attacks, or provide other countermeasures to prevent them.
  • Enable logging to at least the WARN level.

Deployment risks

This section discusses some of the deployment risks associated with the implementation of a Single Sign-on for Java-based solution. These risks are not inherent to Single Sign-on for Java, but may impact on Single Sign-on for Java’s service availability or result in false positive/negative authentication.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating