tinySSO

SSO with secure cookie protocol

Encryption key is unique for each new user and is unforgeable.

High-level confidentiality.

Provide authentication, integrity, and anti-replay.

Nominate for the 2009 Community Choice Awards

Overview

tinySSO is a light Single Sign-On written in Java.

tinySSO is based on a Secure Cookie Protocol. Many web applications (such as electronic commerce) demand a secure cookie protocol. Such a protocol needs to provide the following four services: authentication, confidentiality, integrity and anti-replay.

Authentication

A typical session between a client and a server consists of two phases: login and subsequent requests. In the login phase, the client sends a username and password, the server authenticates the client and sends a secure cookie (also called an "authentication token") to the client. During the subsequent requests the client sends the secure cookie along with every request to the server; the server verifies whether the cookie is valid and, if it is, services the request.

Confidentiality

The contents of a secure cookie are intended only for the server to read. A secure cookie protocol with high-level confidentiality prevents any party except the server from reading the sensitive information within a cookie that the server does not want to reveal to the client. For example, the cookie's contents may contain client information such as name, surname or email that the server may not want the client to be aware of.

Integrity

The secure cookie protocol allows a server to detect whether a cookie has been modified.

Anti-replay

In the case that an attacker replays a stolen cookie, a secure cookie protocol should be able to detect that the cookie is invalid.

Efficiency & Deployability

tinySSO takes care of the above security requirements, and it is implemented with efficiency and deployability in mind. As for efficiency, tinySSO avoids requiring a server to do database lookups when verifying a cookie, and avoids public key cryptography. As for deployability, tinySSO avoids requiring a client to possess a public key and a private key, which is currently impractical to assume.
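As an added illustration (not tinySSO's own code, whose implementation is not shown on this page), here is one way to build a cookie that provides the four services above and can be verified without a database lookup or public-key cryptography. It keeps the structure of the Secure Cookie Protocol (a per-user key derived by HMAC from a server secret, user name and expiry in the clear, encrypted data, and a tag bound to the TLS session) but uses AES-GCM with associated data in place of a separate cipher and HMAC; the class and method names, the cookie layout and the `session` parameter are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class SecureCookieDemo {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    // Per-user key k = HMAC-SHA256(serverKey, user|expiry): unique per user and unforgeable without serverKey.
    static SecretKeySpec userKey(byte[] serverKey, String user, String expiry) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(serverKey, "HmacSHA256"));
        return new SecretKeySpec(mac.doFinal((user + "|" + expiry).getBytes(StandardCharsets.UTF_8)), "AES");
    }
    // cookie = user|expiry|nonce|AES-256-GCM_k(data, aad = user|expiry|session). '|' is the separator, so user
    // names must not contain it; 'session' (an opaque per-TLS-session id) stands in for the TLS session key.
    static String mint(byte[] serverKey, String user, long expiry, String data, String session) throws Exception {
        String exp = Long.toString(expiry);
        byte[] nonce = new byte[12]; new SecureRandom().nextBytes(nonce); // fresh nonce for every cookie
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, userKey(serverKey, user, exp), new GCMParameterSpec(128, nonce));
        c.updateAAD((user + "|" + exp + "|" + session).getBytes(StandardCharsets.UTF_8)); // integrity + anti-replay
        byte[] ct = c.doFinal(data.getBytes(StandardCharsets.UTF_8));    // confidentiality: only the server reads data
        return String.join("|", user, exp, ENC.encodeToString(nonce), ENC.encodeToString(ct));
    }
    // Returns data, or null if the cookie is expired, forged, modified or presented from another session.
    // Verification needs only serverKey: no database lookup and no public-key operation.
    static String verify(byte[] serverKey, String cookie, String session, long now) throws Exception {
        String[] f = cookie.split("\\|");
        if (f.length != 4 || now > Long.parseLong(f[1])) return null;
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, userKey(serverKey, f[0], f[1]), new GCMParameterSpec(128, DEC.decode(f[2])));
        c.updateAAD((f[0] + "|" + f[1] + "|" + session).getBytes(StandardCharsets.UTF_8));
        try {
            return new String(c.doFinal(DEC.decode(f[3])), StandardCharsets.UTF_8);
        } catch (AEADBadTagException e) { return null; }                // tag mismatch: altered or replayed elsewhere
    }
    public static void main(String[] args) throws Exception {
        byte[] serverKey = new byte[32]; new SecureRandom().nextBytes(serverKey); // constructed demo key
        long now = System.currentTimeMillis() / 1000;
        String cookie = mint(serverKey, "alice", now + 3600, "email=alice@example.invalid", "tls-session-A");
        System.out.println(verify(serverKey, cookie, "tls-session-A", now));
        System.out.println(verify(serverKey, cookie, "tls-session-B", now));
    }
}
```

The second call returns null because the same cookie is presented under a different session binding, which is the replay case described above; a modified user, expiry or ciphertext field fails the same tag check.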

Installation

Before deploying the tinySSO web application, you have to set up the database and a few configuration files.

Database

tinySSO requires only two tables: USER_DATA and USER_ATTRIBUTES.

tinySSO Tables

NOTE: you have to put the appropriate JDBC driver in your classpath (e.g. in $CATALINA_HOME/common/lib).

Configuration

tinySSO has four configuration files: db.properties, sql.properties, log4j.properties, webapp.properties.

db.properties contains the datasource name which is used during the JNDI lookup; you have to use the same name defined in your servlet engine (the res-ref-name tag in Tomcat).

sql.properties contains all the parametrized SQL queries used by the web application.

log4j.properties configures the Log4J logger.

webapp.properties contains the tinySSO setup parameters.

You can put those files anywhere, BUT you must specify their path in the web.xml file:

web.xml

Do you need customizations?

Do you need a J2ME or Android tinySSO client?

Smart ideas for your enterprise business.