[gatein-commits] gatein SVN: r1408 - in portal/trunk: component/web/src/main/java/org/exoplatform/web/login and 3 other directories.

do-not-reply at jboss.org do-not-reply at jboss.org
Thu Jan 21 13:40:10 EST 2010


Author: bdaw
Date: 2010-01-21 13:40:09 -0500 (Thu, 21 Jan 2010)
New Revision: 1408

Added:
   portal/trunk/component/web/src/main/java/org/exoplatform/web/login/ClusteredSSOFilter.java
Modified:
   portal/trunk/component/web/pom.xml
   portal/trunk/component/web/src/main/java/org/exoplatform/web/security/Credentials.java
   portal/trunk/component/web/src/main/java/org/exoplatform/web/security/PortalLoginModule.java
   portal/trunk/server/jboss/patch-ear/src/main/jboss/server/default/deploy/gatein.ear/META-INF/gatein-jboss-beans.xml
   portal/trunk/web/portal/src/main/webapp/WEB-INF/web.xml
Log:
- Workaround for identity propagation problems in clustered configuration

Modified: portal/trunk/component/web/pom.xml
===================================================================
--- portal/trunk/component/web/pom.xml	2010-01-21 18:39:28 UTC (rev 1407)
+++ portal/trunk/component/web/pom.xml	2010-01-21 18:40:09 UTC (rev 1408)
@@ -97,5 +97,18 @@
     	<artifactId>json</artifactId>
     	<type>jar</type>
     </dependency>
+
+     <dependency>
+        <groupId>javax.security</groupId>
+        <artifactId>jacc</artifactId>
+        <version>1.0</version>
+     </dependency>
+
+     <dependency>
+        <groupId>org.jboss.jbossas</groupId>
+        <artifactId>jboss-as-tomcat</artifactId>
+        <version>5.1.0.GA</version>
+        <scope>provided</scope>
+     </dependency>
   </dependencies>
 </project>
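Review bot: The new `javax.security:jacc` dependency has no `<scope>`, so it defaults to compile and may end up packaged with the portal, while `jboss-as-tomcat` directly below it is `provided`. On JBoss the JACC API presumably comes from the server, so `<scope>provided</scope>` would avoid shipping a second copy. If the jar is bundled on purpose (the login module comment in this commit mentions Tomcat lacking a JACC PolicyContext), a one-line XML comment saying so would stop someone from changing it later. `component/web` also now compiles against a JBoss-specific class, which ties `ClusteredSSOFilter` to that server.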

Added: portal/trunk/component/web/src/main/java/org/exoplatform/web/login/ClusteredSSOFilter.java
===================================================================
--- portal/trunk/component/web/src/main/java/org/exoplatform/web/login/ClusteredSSOFilter.java	                        (rev 0)
+++ portal/trunk/component/web/src/main/java/org/exoplatform/web/login/ClusteredSSOFilter.java	2010-01-21 18:40:09 UTC (rev 1408)
@@ -0,0 +1,73 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2010, Red Hat Middleware, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+*/
+
+
+package org.exoplatform.web.login;
+
+import org.exoplatform.container.web.AbstractFilter;
+import org.exoplatform.services.security.IdentityRegistry;
+import org.exoplatform.web.security.Credentials;
+import org.exoplatform.web.security.PortalLoginModule;
+
+import org.jboss.web.tomcat.security.login.WebAuthentication;
+
+import javax.security.auth.login.LoginException;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+public class ClusteredSSOFilter extends AbstractFilter
+{
+
+   public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
+   {
+
+      HttpServletRequest httpRequest = (HttpServletRequest)request;
+
+      Credentials credentials  = (Credentials)httpRequest.getSession().getAttribute(PortalLoginModule.AUTHENTICATED_CREDENTIALS);
+
+      // Make programatic login if authenticated credentials are present in session - they were set in another cluster node
+      if (credentials != null && httpRequest.getRemoteUser() == null)
+      {
+         WebAuthentication pwl = new WebAuthentication();
+         pwl.login(credentials.getUsername(), credentials.getPassword());
+
+      }
+
+      chain.doFilter(request, response);
+
+      // TODO:
+      // This is a workaround... without this code this attr will vanish from session after first request - don't ask...
+      if (credentials != null && httpRequest.getSession(false) != null)
+      {
+         httpRequest.getSession(false).setAttribute(PortalLoginModule.AUTHENTICATED_CREDENTIALS, credentials);
+      }
+   }
+
+   public void destroy()
+   {
+      //To change body of implemented methods use File | Settings | File Templates.
+   }
+}
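Review bot: The result of `pwl.login(...)` in doFilter is discarded, and `httpRequest.getSession()` creates a session for every request the filter sees, so a rejected replay (for example after a password change) is retried on each request with the stored cleartext password, and anonymous traffic gets sessions it does not need. I would read the attribute through `getSession(false)` and drop it when the login fails, as sketched below. The post-chain block also writes the credentials back into whatever session exists after the chain; if a logout inside the chain invalidated the old session and a new one was created, the password would follow the user into it. That looks possible from this code but depends on logout handling outside the file. `destroy()` still carries the IDE template comment, and the `IdentityRegistry` and `LoginException` imports are unused.

```java
HttpServletRequest httpRequest = (HttpServletRequest)request;

// getSession(false): do not create a session just to look for replicated credentials
HttpSession session = httpRequest.getSession(false);
Credentials credentials = session == null ? null
   : (Credentials)session.getAttribute(PortalLoginModule.AUTHENTICATED_CREDENTIALS);

if (credentials != null && httpRequest.getRemoteUser() == null)
{
   WebAuthentication pwl = new WebAuthentication();
   if (!pwl.login(credentials.getUsername(), credentials.getPassword()))
   {
      // rejected credentials: remove them instead of retrying on every request
      session.removeAttribute(PortalLoginModule.AUTHENTICATED_CREDENTIALS);
      credentials = null;
   }
}

// … unchanged: chain.doFilter(request, response) and the post-chain re-set of the attribute …
```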

Modified: portal/trunk/component/web/src/main/java/org/exoplatform/web/security/Credentials.java
===================================================================
--- portal/trunk/component/web/src/main/java/org/exoplatform/web/security/Credentials.java	2010-01-21 18:39:28 UTC (rev 1407)
+++ portal/trunk/component/web/src/main/java/org/exoplatform/web/security/Credentials.java	2010-01-21 18:40:09 UTC (rev 1408)
@@ -19,13 +19,15 @@
 
 package org.exoplatform.web.security;
 
+import java.io.Serializable;
+
 /**
  * An immutable object that contains a username and a password.
  *
  * @author <a href="mailto:julien.viet at exoplatform.com">Julien Viet</a>
  * @version $Revision$
  */
-public class Credentials
+public class Credentials implements Serializable
 {
 
    
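Review bot: `Credentials` becomes `Serializable` without a `serialVersionUID`, so cluster nodes running different builds of the class may fail to deserialize replicated sessions; declare `private static final long serialVersionUID = 1L;`. Because the class holds a password (per its Javadoc), making it serializable also means the password is written wherever sessions are replicated or passivated, which is worth stating in the class Javadoc. The class body lies outside this hunk, so whether the fields are `final` and of serializable types cannot be checked here.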

Modified: portal/trunk/component/web/src/main/java/org/exoplatform/web/security/PortalLoginModule.java
===================================================================
--- portal/trunk/component/web/src/main/java/org/exoplatform/web/security/PortalLoginModule.java	2010-01-21 18:39:28 UTC (rev 1407)
+++ portal/trunk/component/web/src/main/java/org/exoplatform/web/security/PortalLoginModule.java	2010-01-21 18:40:09 UTC (rev 1408)
@@ -23,6 +23,7 @@
 import org.exoplatform.services.log.ExoLogger;
 import org.exoplatform.services.log.Log;
 import org.exoplatform.services.security.jaas.AbstractLoginModule;
+import org.exoplatform.web.login.InitiateLoginServlet;
 import org.exoplatform.web.security.security.CookieTokenService;
 import org.exoplatform.web.security.security.TransientTokenService;
 
@@ -30,6 +31,8 @@
 import javax.security.auth.callback.NameCallback;
 import javax.security.auth.callback.PasswordCallback;
 import javax.security.auth.login.LoginException;
+import javax.security.jacc.PolicyContext;
+import javax.servlet.http.HttpServletRequest;
 
 /**
  * A login module implementation that relies on the token store to check the
@@ -52,6 +55,10 @@
     */
    protected Log log = ExoLogger.getLogger(PortalLoginModule.class);
 
+   public static final String CLUSTERED_SSO = "clusteredSSO";
+
+   public static final String AUTHENTICATED_CREDENTIALS = "authenticatedCredentials";
+
    /**
     * @see javax.security.auth.spi.LoginModule#login()
     */
@@ -77,6 +84,28 @@
                ((CookieTokenService)container.getComponentInstanceOfType(CookieTokenService.class)).validateToken(
                   password, false);
          //
+
+         // For clastered config check credentials stored and propagated in session. This won't work in tomcat because
+         // of lack of JACC PolicyContext so the code must be a bit defensive
+         if (o == null && isClusteredSSO() && password.startsWith(InitiateLoginServlet.COOKIE_NAME))
+         {
+            HttpServletRequest request = null;
+            try
+            {
+               request = (HttpServletRequest)PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
+
+               o = request.getSession().getAttribute(AUTHENTICATED_CREDENTIALS);
+
+            }
+            catch(Throwable e)
+            {
+               log.error(this,e);
+               log.error("LoginModule error. Turn off session credentials checking with proper configuration option of " +
+                  "LoginModule set to false: " + CLUSTERED_SSO);
+            }
+
+         }
+
          if (o instanceof Credentials)
          {
             Credentials wc = (Credentials)o;
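Review bot: The added fallback in login() accepts credentials from the session after token validation has produced nothing, so an expired or revoked token appears to keep authenticating for as long as the replicated session holds `authenticatedCredentials`. If that is intended it deserves a comment; otherwise the fallback should at least check the stored entry against what was presented. `PolicyContext.getContext` can return null when no handler is registered, and the resulting NullPointerException is hidden by `catch(Throwable e)`; guard with `if (request != null && request.getSession(false) != null)` before reading the attribute. If `Throwable` is deliberate so that a missing JACC class on Tomcat is survived, say so in the comment and note that commit() catches only `Exception` for the same call. The enclosing method starts and ends outside this hunk, so what happens to `o` afterwards is only partly visible.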
@@ -100,6 +129,31 @@
     */
    public boolean commit() throws LoginException
    {
+
+      if (isClusteredSSO() &&
+         sharedState.containsKey("javax.security.auth.login.name") &&
+         sharedState.containsKey("javax.security.auth.login.password"))
+      {
+         String uid = (String)sharedState.get("javax.security.auth.login.name");
+         String pass = (String)sharedState.get("javax.security.auth.login.password");
+
+         Credentials wc = new Credentials(uid, pass);
+
+         HttpServletRequest request = null;
+         try
+         {
+            request = (HttpServletRequest)PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
+
+            request.getSession().setAttribute(AUTHENTICATED_CREDENTIALS, wc);
+
+         }
+         catch(Exception e)
+         {
+            log.error(this,e);
+            log.error("LoginModule error. Turn off session credentials checking with proper configuration option of " +
+               "LoginModule set to false: " + CLUSTERED_SSO);
+         }
+      }
       return true;
    }
 
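Review bot: commit() places the user's cleartext password in the HTTP session under `authenticatedCredentials`, and once `<distributable/>` is enabled that session is serialized to the other cluster nodes, so the password leaves the JVM with every replication. Nothing in this hunk removes the attribute again; any cleanup in logout() or abort() would be outside it. At minimum add a comment such as `// SECURITY: cleartext password is kept in the replicated session while clusteredSSO is on; must be cleared on logout`, and consider propagating a server-side token instead of the password. The two `(String)` casts on the shared-state values sit outside the try block, so a non-String credential would surface as a ClassCastException from commit() rather than being logged like the other failures.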
@@ -124,4 +178,18 @@
    {
       return log;
    }
+
+   protected boolean isClusteredSSO()
+   {
+      if (options != null)
+      {
+         String optionValue = (String)options.get(CLUSTERED_SSO);
+         if (optionValue != null && optionValue.length() > 0 && optionValue.equalsIgnoreCase("true"))
+         {
+            return true;
+         }
+      }
+      return false;
+   }
+
 }
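Review bot: isClusteredSSO() can be a single expression: the `length() > 0` test is redundant next to `equalsIgnoreCase("true")`, and putting the literal first removes the null check, e.g. `return options != null && "true".equalsIgnoreCase((String)options.get(CLUSTERED_SSO));`. A short Javadoc saying that the option is read from the login-module configuration and is treated as false when absent would also help, since this flag gates storing credentials in the session.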

Modified: portal/trunk/server/jboss/patch-ear/src/main/jboss/server/default/deploy/gatein.ear/META-INF/gatein-jboss-beans.xml
===================================================================
--- portal/trunk/server/jboss/patch-ear/src/main/jboss/server/default/deploy/gatein.ear/META-INF/gatein-jboss-beans.xml	2010-01-21 18:39:28 UTC (rev 1407)
+++ portal/trunk/server/jboss/patch-ear/src/main/jboss/server/default/deploy/gatein.ear/META-INF/gatein-jboss-beans.xml	2010-01-21 18:40:09 UTC (rev 1408)
@@ -5,6 +5,10 @@
       <login-module code="org.exoplatform.web.security.PortalLoginModule" flag="required">
         <module-option name="portalContainerName">portal</module-option>
         <module-option name="realmName">gatein-domain</module-option>
+        <!--Uncomment in clustered setup-->
+        <!--
+        <module-option name="clusteredSSO">true</module-option>
+        -->
       </login-module>
       <login-module code="org.exoplatform.services.security.jaas.SharedStateLoginModule" flag="required">
         <module-option name="portalContainerName">portal</module-option>
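Review bot: The comment `Uncomment in clustered setup` does not say that the option is meant to be used together with `<distributable/>` and the `ClusteredSSOFilter` entries that are commented out in WEB-INF/web.xml, nor what it turns on. I would expand it to something like `<!-- Clustered setup only: also enable <distributable/> and ClusteredSSOFilter in web.xml. Keeps the user's credentials in the replicated HTTP session. -->`. The same applies to the two `Uncomment for clustered setup` comments in the web.xml hunks.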

Modified: portal/trunk/web/portal/src/main/webapp/WEB-INF/web.xml
===================================================================
--- portal/trunk/web/portal/src/main/webapp/WEB-INF/web.xml	2010-01-21 18:39:28 UTC (rev 1407)
+++ portal/trunk/web/portal/src/main/webapp/WEB-INF/web.xml	2010-01-21 18:40:09 UTC (rev 1408)
@@ -24,8 +24,13 @@
 <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
                  "http://java.sun.com/dtd/web-app_2_3.dtd"> 
 <web-app>
-  <display-name>portal</display-name> 
-  
+  <display-name>portal</display-name>
+
+  <!--Uncomment for clustered setup-->
+  <!--
+  <distributable/>
+  -->
+
   <context-param>
     <param-name>org.exoplatform.frameworks.jcr.command.web.fckeditor.digitalAssetsWorkspace</param-name>
     <param-value>portal</param-value>
@@ -59,6 +64,8 @@
     <filter-name>SetCurrentIdentityFilter</filter-name>
     <filter-class>org.exoplatform.services.security.web.SetCurrentIdentityFilter</filter-class>
   </filter>
+
+
 	
   <filter>                                                                                                                                     
     <filter-name>RestEncodingFilter</filter-name>                                                                                              
@@ -73,6 +80,19 @@
     <filter-name>CacheUserProfileFilter</filter-name>
  	<filter-class>org.exoplatform.web.CacheUserProfileFilter</filter-class>
   </filter>
+
+      <!--Uncomment for clustered setup-->
+   <!--
+   <filter>
+		<filter-name>ClusteredSSOFilter</filter-name>
+		<filter-class>org.exoplatform.web.login.ClusteredSSOFilter</filter-class>
+	</filter>
+
+   <filter-mapping>
+		<filter-name>ClusteredSSOFilter</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+   -->
   
   <filter-mapping>
 		<filter-name>GenericFilter</filter-name>


