Authentication Across Multiple Web Applications (Revisited)

Similar Messages

• Sharing portlets across multiple portal applications

  Hello all,
  I have a single enterprise application that consists of several portal web applications. Most of these portal web applications have common portlets within their codebase. Is it possible to share portlet code across multiple web applications?
  Thanks

  No, not possible, in the same way that sharing JSPs and Pageflows wouldn't be possible across multiple webapps. You can, however, have multiple portals within one Portal webapp, and then you could share portlets and portlet resources amongst those portals.
  George

• Authentication across multiple applications

  Hi,
  I'm having trouble with authentication across multiple applications.
  Ideally I would like to log in to one application and have my credentials survive across the session for the other applications when they run.
  What is the best approach to do this?
  Thanks,
  Mark

  Thanks for your reply Frank.
  We've decided to switch to JAVA SSO but I'm having trouble getting to the configuration page in the 11g OC4J.
  I've posted a new thread with these questions:
  Configuring JAVA SSO with 11g OC4J
  Thanks,
  Mark

• Multiple Web Applications WLS 7.0

  Hi,
  I am trying to configure multiple web applications on the same WL 7.0 server and
  am having trouble doing the following.
  I would like to be able to use the following URLS:
  Application #1:
  http://myserver/st/aems - where st/aems maps to the path X:\SimpleTrade2\AEMS\ui\source\htdocs
  Application #2:
  http://myserver/st/acms - where st/aems maps to the path X:\SimpleTrade2\ACMS\ui\source\htdocs
  Root - Default web application - This would be left empty with the idea that our
  company could sell our web applications and we would deploy them on someone elses
  WLS and we would not conflict in any way.
  The problem with the above is that when I look at the DTD and try and configure
  config.xml in the following way:
  <Application Deployed="true" Name="AEMS"
  Path="X:\SimpleTrade2\AEMS\ui\source\htdocs" TwoPhase="true">
  <WebAppComponent DeploymentOrder="2000" Name="aems"
  Targets="simpletradeserver" URI="st/aems"/>
  WLS blows up on startup because it tries to POST-Pend the URI to the path... If
  I change it to:
  <Application Deployed="true" Name="AEMS"
  Path="X:\SimpleTrade2\AEMS\ui\source" TwoPhase="true">
  <WebAppComponent DeploymentOrder="2000" Name="aems"
  Targets="simpletradeserver" URI="htdocs"/>
  This will work but then my URL is not what I want it becomes http://myserver/htdocs
  Is there anyway around this or a way to get what I want?
  Another piece of information, I am developing in Exploded directory format when
  we deploy it will be as an ear.
  Thanks in advance for any ideas!!!
  -Jerry Rodgers

  Thanks for the info Christian.
  I thought I would pass along a bit more inforation for others who might be trying
  to do something similar. In case they run across this message.
  I did determine that if you are using a .WAR file the name attribute of the xml
  node WebAppComponent will allow you to create a different context path than the
  URI. I did not test to see if it allowed you to use a name like "st/aems" I am
  sure "st.aems" would work or any name that may be different than the URI. The
  weird thinhg is that when using the EXPLODED DIRECTORY format the URI is the name
  of the folder under the path and the name property appears to be ignored no matter
  what you change it to you can only get to your web app using the URI.
  Hope this helps someone who comes after me and is looking for the same thing,
  maybe they won't spend 6 hours on it like I did ;>
  -Jerry
  "Christian Plenagl" <[email protected]> wrote:
  >
  Hi,
  this is not possible.
  The URI field contains the directory name of the WebApplication, which
  normally
  is the same name as the directory where you put the webapplication in.
  Christian Plenagl
  Developer Relations Engineer
  BEA Support
  "Jerry Rodgers" <[email protected]> wrote:
  Hi,
  I am trying to configure multiple web applications on the same WL 7.0
  server and
  am having trouble doing the following.
  I would like to be able to use the following URLS:
  Application #1:
  http://myserver/st/aems - where st/aems maps to the path X:\SimpleTrade2\AEMS\ui\source\htdocs
  Application #2:
  http://myserver/st/acms - where st/aems maps to the path X:\SimpleTrade2\ACMS\ui\source\htdocs
  Root - Default web application - This would be left empty with the idea
  that our
  company could sell our web applications and we would deploy them onsomeone
  elses
  WLS and we would not conflict in any way.
  The problem with the above is that when I look at the DTD and try and
  configure
  config.xml in the following way:
  <Application Deployed="true" Name="AEMS"
  Path="X:\SimpleTrade2\AEMS\ui\source\htdocs" TwoPhase="true">
  <WebAppComponent DeploymentOrder="2000" Name="aems"
  Targets="simpletradeserver" URI="st/aems"/>
  WLS blows up on startup because it tries to POST-Pend the URI to the
  path... If
  I change it to:
  <Application Deployed="true" Name="AEMS"
  Path="X:\SimpleTrade2\AEMS\ui\source" TwoPhase="true">
  <WebAppComponent DeploymentOrder="2000" Name="aems"
  Targets="simpletradeserver" URI="htdocs"/>
  This will work but then my URL is not what I want it becomes http://myserver/htdocs
  Is there anyway around this or a way to get what I want?
  Another piece of information, I am developing in Exploded directoryformat
  when
  we deploy it will be as an ear.
  Thanks in advance for any ideas!!!
  -Jerry Rodgers

• Pros & Cons of having multiple web applications under one EAR project

  Could anybody let me know what are the advantages and disadvantages of having multiple web applications under one single EAR project?

  Either this is homework, in which case, do it yourself, or you already think you have some pros for doing this. Share with us

• Session state variables across multiple ApEx applications

  We have a suite of loosely integrate ApEx applications that all share a common authentication scheme. When you first log in we attempt to load a series of session state variables with temporary data to streamline various logging and authentication related activities for the life of the session.
  However, these session variables seem to disappear when you move from one application to another, so they are not truly tied to just the "session" which carries over across all applications, but the application from which the session state is set.
  What is the suggested way, keeping in mind that the data being held may have security related context, to preserve values during a session, but regardless of which ApEx application you are in.
  The method we are using to share the authentication is using a common "Cookie Name" from a common subscribed authentication scheme as suggested elsewhere on this site and seems to work very well outside of this specific issue.
  Thanks in advance,
  Barney

  Apologies for the delay getting back on this.
  My use of the word "disappear" was probably misleading. They were not visible from the second application. When setting "Session State" I was under the impression that it was setting it for the authenticated session, not for the specific application. (I am referring to the: apex_util.set/get_session_state).
  Your solution will work fine, as long as I know which application the user last authenticated against. However, it could be one of over 30 (and growing) different applications which would require me writing a program to go through every "p_flow" to try and find a valid value every time I need to reference the field.
  It would be really beneficial if you could store true Session variables which stay alive for the life of the authenticated session and is available to anything authenticated against that session id. This would streamline alot of cross-application program development.
  The "get/set_session_state" is a misleading as it is not a Session value, but an Application value. The Session exists across multiple applications, while this procedure does not.
  Thanks,
  Barney

• One IDP and multiple web applications

  Continuing to look at the configuration necessary to enable SAML on my 2013 farm, I have two web apps which i would like to have SAML running on, both leveraging the same 3rd party IDP for authentication. As I dug into the various stages of configuration
  there is a part that establishes the SharePoint site realm identifier...researching what this is for, i found an article by Steve Peschka (http://blogs.technet.com/b/speschka/archive/2010/04/27/how-to-create-multiple-claims-auth-web-apps-in-a-single-sharepoint-2010-farm.aspx)
  in it he talks about if you have one IDP but multiple web apps that must use that IDP.
  Am i correct in understanding that when steve mentioned "You can only associate a token-signing certificate from an STS with one SPTrustedIdentityTokenIssuer." That the TS cert I import from my IDP is unique and is only able to be linked to one
  Web Application...unless i create a URI that makes Sharepoint aware of the additional web app?
  Going further...I can't just import another copy of the TS cert and set it to another name unique from the first one?, once this is done i could then create a new unique realm for that additional web app with that other cert. Then when configuring the web
  apps it would list two IDP's for me to choose from and i would assign them individually to on or the other.
  His article covered 2010 not sure how 2013 works with this stuff...new territory for me here so forgive my lack of knowledge on how this all comes together.
  Also, is there some sort of configuration necessary for Office web apps farm to work with SAML or is that handled through S2S communication and is beyond SAML?

  Right, so your IDP will have a single certificate which will be single-instanced on the SharePoint farm. Steve's article is accurate for SharePoint 2013 and I've used this method with ADFS. It should be no different, on the SharePoint side, with other IDPs.
  WAC is beyond SAML. The S2S/JWTs take care of it.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Implementing single sign on across multiple web apps

  Hi
  I was wondering if somebody could help me. I need to implement single sign on
  for multiple web apps deployed in separate WARs in a single EAR file. I need
  to authenticate against an LDAP server and ensure that the user only has to sign
  on once per user session even if the user navigates between web apps. The weblogic
  docs only seem to go so far, i.e. "Single sign on works if each web app uses the
  same cookie" etc. So I see that, apart from buying WebLogic Enterprise Security
  there are only two ways of doing this:
  1. Implement single sign on.
  2. Create my own security realm with my own authenticator implementations.
  So my questions are:
  1. We don't want to effect the normal weblogic user/passwords used to access the
  WLS console but need to have single sign on. Should we implement single sign on
  (option 1,above) or create our own realm?
  2. Can somebody point me to somewhere on the web/in the the WLS documentation
  that shows me how to implement single sign on using session cookies?
  TIA
  Mik

  "Mik Quinlan" <[email protected]> wrote in message
  news:[email protected]..
  >
  Hi
  I was wondering if somebody could help me. I need to implement singlesign on
  for multiple web apps deployed in separate WARs in a single EAR file. Ineed
  to authenticate against an LDAP server and ensure that the user only hasto sign
  on once per user session even if the user navigates between web apps. Theweblogic
  docs only seem to go so far, i.e. "Single sign on works if each web appuses the
  same cookie" etc. So I see that, apart from buying WebLogic EnterpriseSecurity
  there are only two ways of doing this:
  1. Implement single sign on.
  2. Create my own security realm with my own authenticator implementations.
  So my questions are:
  1. We don't want to effect the normal weblogic user/passwords used toaccess the
  WLS console but need to have single sign on. Should we implement singlesign on
  (option 1,above) or create our own realm?
  2. Can somebody point me to somewhere on the web/in the the WLSdocumentation
  that shows me how to implement single sign on using session cookies?
  http://e-docs.bea.com/wls/docs81/security/thin_client.html#1039551
  That also has a pointer to:
  For more information, see session-descriptor in Assembling and Configuring
  Web Applications.

• Storing SessionManager or Server for multiple web applications

  We currently have one enterprise application with 2 web applications installed. These 2 web applications must share the same session cache.
  Toplink is installed as a shared library for both of these web applications.
  What I am wondering is how Server and SessionManager should be utilized.
  In our servlet initialization of web application one we get an instance of the SessionManager and assign the SessionManager to a static instance variable.
  static SessionManager sessionManager;
  sessionManager = SessionManager.getManager();
  Now whenever we want to get a client session from either web application we make the call
  Server serverSession = (Server) sessionManager.getSession("XXX");
  From looking at the code for the sessionManager.getSession("XXX") I see that this
  results in a synchronized method invocation which is in turn bottlenecking our database access code.
  My question is should we not just be storing the Server in a static instance variable to distribute client sessions to both web applications and not the SessionManager.

  Hi,
  One SSA is ok, but you should think about access rights. If the access is clear cut between all the web apps you should be ok with one SSA. Multiple result sources limiting on content source also works, but could easily be bypassed.
  Multiple SSA's will eat up RAM/CPU like a mother :)
  As for popular etc.. it could be due to how those sources are set up, but haven't investigated or tested this much.
  Thanks,
  Mikael
  Search Enthusiast - SharePoint MVP/MCT/MCPD - If you find an answer useful, please up-vote it.
  http://techmikael.blogspot.com/
  Author of Working with FAST Search Server 2010 for SharePoint

• One Search service application for multiple web applications in a single server

    We are planning to host 17 Web applications in a single Server. Do I need to create search service application for each web application or I need to create one  Search service application , create a Content source for each web
  application and create a Result source for filtering. Which is the best approach. And which approach takes more RAM memory.
     In my application I am using Search web part, "Recently Changed Items", "Popular Items" web parts. when I created only one one  Search Service application for all web applications and using Result sources ,
  I am not getting the results. What could be the problem.

  Hi,
  One SSA is ok, but you should think about access rights. If the access is clear cut between all the web apps you should be ok with one SSA. Multiple result sources limiting on content source also works, but could easily be bypassed.
  Multiple SSA's will eat up RAM/CPU like a mother :)
  As for popular etc.. it could be due to how those sources are set up, but haven't investigated or tested this much.
  Thanks,
  Mikael
  Search Enthusiast - SharePoint MVP/MCT/MCPD - If you find an answer useful, please up-vote it.
  http://techmikael.blogspot.com/
  Author of Working with FAST Search Server 2010 for SharePoint

• Problem in synching multiple web applications

  I have a domain called myDomain. In this domain I have 2 enterprise applications
  say
  ent1App with ent1App-project and ent2App with its ent2App-project. Each enterpsrise
  application has one web application
  (webApp1 and webApp2 respectively). I have the same set of webflow files (.wf
  files) in both
  ent1App-project/application-sync/web-apps/webApp1 and ent2App-project/application-sync/web-apps/webApp2
  directories.
  Now suppose I synchronize my webflows (using EBCC) for say ent1App. The synchronization
  is accomplished without any problems
  and this is confirmed when the entries get updated in the Master Data Repository
  where all the webflows for ent1App get
  stored. This is as viewd using the datasyncservlet.
  If I now do a synchronization on the other enterprise application called ent2App,
  the synchronization takes place
  successfully but when viewed in the datasyncservlet, it shows up the entries for
  the webflows of ent2App. i.e. the entries
  for all the weblows of ent1App which were shown in the Master Data repository
  are not shown.
  We looked up the Cloudscape database to ensure that the entries for both the enterprise
  applications are present and it does
  contain the records for both the applications. This however does not show up in
  the datasync servlet. Due to this we get a
  namespace not found error whenever we try to access the application whose entries
  are missing in the master data repository.
  I have separate names for my datasync folder for each of the applications in my
  config.xml as shown below
  ent1App
  <Application Deployed="true" Name="ent1App"
  Path=".\config\myDomain\applications\ent1App" StagedTargets="iden_staging">
       <WebAppComponent DeploymentOrder="1002" Name="datasync" Targets="iden_staging"
  URI="datasync"/>
  ent2App
  <Application Deployed="true" Name="ent2App"
  Path=".\config\myDomain\applications\ent2App" StagedTargets="iden_staging">
  <WebAppComponent DeploymentOrder="1002" Name="datasyncDev"
  Targets="iden_staging" URI="datasyncDev"/>
  I am using WLS6.1 SP4 and WLP 4.0 SP3
  Can someone please tell me what could be the problem?
  Thanks
  Shah Jimmy

  When you peform a data sync you are updating the data_sync_item table
  with the EBCC xml files. For those files that are not present in the
  EBCC project they will be deleted from the table.
  You can not use multiple enterprise applications that contain Portals.
  Try using using multiple domains that contain separate databases for
  datasyncs.
  Here is a snippet I recently sent out in a support case:
  Unfortunately there is not a documented best practice for maintaining
  multiple projects and enterprise applications. In my opinion if you
  plan to create multiple enterprise applications they will need to
  maintain separate application components and web applications. The
  enterprise applications will need to use the same portal resources
  (pools) and therefore same tables. The synchronization modes documented
  at http://e-docs.bea.com/wlp/docs40/deploygd/appdata.htm explain the
  limitations in data sync -- either all files are deleted and updated or
  only modified files are updated. Either mode will delete files from the
  data_sync_item table that do not exist in the current project.
  Therefore one project will need to be used per domain.
  -- Jim
  Jimmy Shah wrote:
  I have a domain called myDomain. In this domain I have 2 enterprise applications
  say
  ent1App with ent1App-project and ent2App with its ent2App-project. Each enterpsrise
  application has one web application
  (webApp1 and webApp2 respectively). I have the same set of webflow files (.wf
  files) in both
  ent1App-project/application-sync/web-apps/webApp1 and ent2App-project/application-sync/web-apps/webApp2
  directories.
  Now suppose I synchronize my webflows (using EBCC) for say ent1App. The synchronization
  is accomplished without any problems
  and this is confirmed when the entries get updated in the Master Data Repository
  where all the webflows for ent1App get
  stored. This is as viewd using the datasyncservlet.
  If I now do a synchronization on the other enterprise application called ent2App,
  the synchronization takes place
  successfully but when viewed in the datasyncservlet, it shows up the entries for
  the webflows of ent2App. i.e. the entries
  for all the weblows of ent1App which were shown in the Master Data repository
  are not shown.
  We looked up the Cloudscape database to ensure that the entries for both the enterprise
  applications are present and it does
  contain the records for both the applications. This however does not show up in
  the datasync servlet. Due to this we get a
  namespace not found error whenever we try to access the application whose entries
  are missing in the master data repository.
  I have separate names for my datasync folder for each of the applications in my
  config.xml as shown below
  ent1App
  <Application Deployed="true" Name="ent1App"
  Path=".\config\myDomain\applications\ent1App" StagedTargets="iden_staging">
       <WebAppComponent DeploymentOrder="1002" Name="datasync" Targets="iden_staging"
  URI="datasync"/>
  ent2App
  <Application Deployed="true" Name="ent2App"
  Path=".\config\myDomain\applications\ent2App" StagedTargets="iden_staging">
  <WebAppComponent DeploymentOrder="1002" Name="datasyncDev"
  Targets="iden_staging" URI="datasyncDev"/>
  I am using WLS6.1 SP4 and WLP 4.0 SP3
  Can someone please tell me what could be the problem?
  Thanks
  Shah Jimmy

• Authentication in clustered web application without sticky session

  I have built JSP/Servlet/Struts application in the past on a cluster of app servers. Each app server has its own JVM running the Servlel Container. All of the HTTP requests come into a hardware load balancer, which directs the requests to one of the app servers in the cluster.
  I have wanted to use the Java HttpSession management without any kind of distributed session provided by the app server. We have used "sticky" sessions. The application writes a cookie to the client on the first request. The load balancer looks for that cookie on subsequent requests and directs the request to the server that originally wrote the cookie. This ensures that all requests within the same session are handled by the same application server. This also means that if I do request.getSession().setAttribute("authenticated",true) on one request, when I do request.getSession().getAttribute(authenticated) on subsequent requests in the same session, I can be sure the value will not be null. This allows me to create a filter that checks for that session attribute on each request, and if it is false or null, redirect the request to some sort of login page. Otherwise I can be sure the user has logged in.
  I want to build a stateless/non-session based application that can still handle authentication. What I mean by that is that I don't want the load balancer to have to send requests for the same session all to the same server. I would like the load balancer to send each request where ever it wants. That means the simple authentication example I explained in the last paragraph would not work. The user could login on server A, but then on a subsequent request during the same "session", the user's request could be handled by server B. In that case, the session attribute would be null, and the app would think that the user has not logged in.
  My application can require that users have cookies enabled, so therefore I can assume the user is accepting cookies (I would have something to check that and redirect the user to an error page saying "turn cookies on" if cookies weren't on). I think one thing that I could do is use encrpytion with a key that is shared between all the servers in the cluster. For example, user logins in on server A, server A writes a cookie with the contents "username,1109272102009". The first part being the username that the user successfully authenticated as and the second part being a timestamp for when the cookie was created. The contents of the actual cookie would be encrypted and I would send the ciphertext as the value of the cookie. When server B gets the cookie, it can decrypt the ciphertext (using the same key as was used to encrypt the data on server A), and check that the username is valid and that the timestamp does not exceed some timeout. The timestamp in the cookie would then have to be updated for the next request.
  So my question is (thanks for sticking with me and reading this really long post), has anyone done anything like this before? Is what I have described totally ridiculous or insecure? Are there any books or articles that describe a pattern similar to this that has been know to work well?

  I have worked on a web site that did exactly that.
  The cookie contained a little bit more information - there was a small amount of user data that were needed on heavily accessed pages.
  You'll have a problem if your web application uses attributes. We solved this by keeping most stuff in hidden inputs (backed up by hidden input cryptographic checksums in places where forgery was a concern.) HttpSession attributes have some problems and gotchas.
  A few possible fine tunings:
  Add a random number to the cookie. Should make known plaintext attacks harder.
  Add some extra stuff to the cookie, so that any random hex string that happens to decode to "xZoiyqw,15" isn't accepted. It's easy to try a million cookies until you get "<something>,<integer>" but getting "<something>,<integer>,HelloHowAreYou" is a lot harder.
  Be paranoid in checking the format of the cookie. If you add a random number, check that it is all digits etc. Belt and suspenders: also check that the time stamp isn't in the future (allow e.g. 15 seconds future time, in case different servers' clocks are a bit off.)
  Don't update the cookie at every hit, only if the time stamp is older than a couple of minutes. Saves encryption CPU power.
  After encrypting, prepend a short version number to the cookie. E.g. if the hex cookie is ABCDEF, make it 1ABCDEF. If you later e.g. change the encryption algorithm, change version to 2 and you can easily skip any obviously non-decipherable cookies. A second version number within the cookie might or might not be useful.
  Even though you can make random load balancing, consider not doing that. E.g. a server might pull the user's name from the database into memory cache. You get less database traffic and smaller caches if the user still goes to the same server. If a server goes down, only then switch him elsewhere. Downside though: if one server is "half alive" (doesn't respond to requests but alive enough so the load balancer doesn't notice the malfunction), all users bound to that server see a 100% failure.
  Benchmark cookie decryption time when selecting the crypto algorithm. How many hits per second you can get and how many you need.
  Guard your crypto keys like the crown jewels. Change them periodically and whenever someone in your company (especially IT department) gets the pink slip.

• User Account Authentication across multiple Solaris servers - Best Practice

  Hi,
  I am new to Solaris admin and would like to know the best practice/setup for authenticating user accounts across multiple solaris servers.
  Currently we have 20 - 30 Solaris 8 & 10 servers which each have their own user accounts setup. I am planning to replace these with a similar number of Solaris 10 servers and would like to centralise the user accounts and their authentication.
  I would be grateful for any suggestions on the best setup and any links to tutorials.
  Thanks
  Jools

  i would suggest LDAP + kerberos, LDAP for name lookups and krb5 for auth. provides secure auth + extensable directory for users and other apps if needed. plus, it provides a decent spring board to add other unix plats into the mix since this will support any unix/linux/bsd plat. you could integrate this design with a windows AD env if you want as well.
  [http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp] sol + ldap+ AD
  [http://docs.lucidinteractive.ca/index.php/Solaris_LDAP_client_with_OpenLDAP_server] sol + ldap (openldap)
  [http://aput.net/~jheiss/krbldap/howto.html] sol + ldap + krb5
  now these links are all using some diff means, however they should give you some ideas as to whats out there. sol 10 comes with suns ldap server and you can use the krb5 server which comes with it as well. many many diff ways to do this. many many more links out there as welll. these are just a few.

• Sharing jar files across multiple web sites

  Dear all,
  We have an applet as part of an embedded device. I wish to share the jar files across multiple devices. i.e. Accessing 192.168.0.1 shouldn't download the jar files again if the same jar files exist in the cache as a result of download from 192.168.0.2. We are having very large applet jar files, hence reducing download times is a top priority. Is there some way to do that ? Will java web start help in this ?
  regards,
  Jay

  generally for avoiding applet downloading again the best solution is to use applet cahing, just add cache_archive in your html code (for full reference please go to the jdk javadoc ). Of course the problem are diffrent ips 192.168.0.1 and 192.168.0.2, applet caching will work ONLY for one ip, when you serv second sever name/diffrent ip client jvm will treat this applet as something new and will download it . The best solution i think is to sever everything on one server page/ip etc, but as you mentioned it is not good solution.
  Well you can make it if you want to serve your big jar file on diffrent ips/severs, How? You should ctreate small certified applet jar , inside it should be code that will download your huge jar file from any location you want and store IT on CLIENT machine, becouse that jar will be certified so applet with file functions will not ask user to accept dialogs etc, so that applet will create locall on client machine little cache were all files that were downloaded will be stored. And again when user will acess your page that small certfied jar file will check if cache folder exist and if inside it is your huge file.
  cheers

• How to use a tag library in multiple web applications?

  Morning all,
  Environment: Tomcat 5 on Apache2 using Mod_JK connector on Windows XP
  I have developed a custom tag library and tested it out and its working great.
  Now, How do I use in my other web applications? Do I need to copy the JAR file to webapps\app1\WEB-INF\lib, webapps\app2\WEB-INF\lib etc directories?
  The problem with this approach is, if I happen to change the tag library code, I will have to make sure that I remember to copy the new JAR file to the above mentioned directories. Ofcourse I can write a simple ant script that would do it for me, but I was wondering if there was an efficient and yet simple way of achieving the same.
  Thanks in advance,
  Joe

  Thanks Vidyut! You've answered my question.
  I placed the jar file in the $CATALINA_HOME/shared/lib directory. But where should I place the taglib TLD file? And how should I reference it in web.xml?
  Currently, my web.xml is as follows and it doesn't work.
  <?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE web-app
  PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
  <web-app>
  <taglib>
  <taglib-uri>http://abc.com</taglib-uri>
  <taglib-location>c:\Tomcat\shared\lib\mytags-taglib.tld</taglib-location>
  </taglib>
  </web-app>
  Thanks again!
  Joe