Embodiments of the present invention are generally directed to Web single sign-on applications, and more particularly, to methods of managing Web single sign-on applications using a common set of URLs for authentication.
Web single sign-on (SSO) solutions (e.g., Tivoli® Access Manager WebSeal) act as web proxies by receiving HTTP/HTTPS requests from a web browser and delivering content from junctioned back-end web application servers. If a request first enters a Web SSO application, URL pattern-matching is used to determine whether the requested resource is protected or not. If a resource is protected, authentication must occur before the request is dispatched to the Web application server. Unprotected resources are dispatched without authentication. This works well for web applications that have distinct URLS for an authenticated flow versus an unauthenticated flow. However, many web applications (including WebSphere® COMMERCE) actually use the same servlets (and thus the same URLS) in both authenticated and unauthenticated flows depending upon user action, where the user is in a particular flow, or system configuration. The SSO application, serving many different web applications, cannot contain the logic to determine that a particular URL, from a particular web application, should be protected in one scenario but not in another. This makes it impossible to SSO enable web applications using the same set of URLS for authenticated and unauthenticated users.