[gatein-commits] gatein SVN: r2377 - portal/trunk/docs/reference-guide/en/modules.

do-not-reply at jboss.org
Sun Mar 28 18:07:55 EDT 2010


Author: mstruk
Date: 2010-03-28 18:07:55 -0400 (Sun, 28 Mar 2010)
New Revision: 2377

Modified:
   portal/trunk/docs/reference-guide/en/modules/SSO.xml
Log:
Reference guide edits - Chapter 3 - SSO

Modified: portal/trunk/docs/reference-guide/en/modules/SSO.xml
===================================================================
--- portal/trunk/docs/reference-guide/en/modules/SSO.xml	2010-03-28 16:47:47 UTC (rev 2376)
+++ portal/trunk/docs/reference-guide/en/modules/SSO.xml	2010-03-28 22:07:55 UTC (rev 2377)
@@ -8,7 +8,7 @@
 	<section id="sect-Reference_Guide-Single_Sign_On-Overview">
 		<title>Overview</title>
 		<para>
-			&PRODUCT;, provides some form of Single Sign On (<literal>SSO</literal>) as an integration and aggregation platform. 
+			&PRODUCT; provides some form of Single Sign On (<literal>SSO</literal>) as an integration and aggregation platform.
 		</para>
 		<para>
 			When logging into the portal users gain access to many systems through portlets using a single identity. In many cases, however, the portal infrastructure must be integrated with other SSO enabled systems. There are many different Identity Management solutions available. In most cases each SSO framework provides a unique way to plug into a Java EE application.
@@ -19,7 +19,7 @@
 				In this tutorial, the SSO server is installed in a Tomcat installation. Tomcat can be obtained from <ulink type="http" url="http://tomcat.apache.org">http://tomcat.apache.org</ulink>.
 			</para>
 			<para>
-				All the packages required for setup can be found in a zip file located at: <filename>http://repository.jboss.org/maven2/org/gatein/sso/sso-packaging</filename>. In this document we will call $SSO_HOME the directory where the file is extracted.
+				All the packages required for setup can be found in a zip file located at: <ulink type="http" url="http://repository.jboss.org/maven2/org/gatein/sso/sso-packaging">http://repository.jboss.org/maven2/org/gatein/sso/sso-packaging</ulink>. In this document we will call the directory where the file is extracted $GATEIN_SSO_HOME.
 			</para>
 			<para>
 				Users are advised to not run any portal extensions that could override the data when manipulating the <filename>gatein.ear</filename> file directly.
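Review bot: the variable introduced here is written "$GATEIN_SSO_HOME" with a leading dollar sign, but every later path in this patch spells it "GATEIN_SSO_HOME" inside a <filename> element (for example GATEIN_SSO_HOME/cas/plugin/WEB-INF/deployerConfigContext.xml); settle on the bare form used everywhere else so the reader sees one name throughout the chapter. The sso-packaging zip is also fetched over plain http://repository.jboss.org/maven2/... and the text never asks the reader to verify what was downloaded; the jars inside it are copied into both the SSO server and the portal, so the sentence should tell the reader to check the artifact against the .sha1 or .md5 file a Maven repository publishes next to it before unpacking.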
@@ -57,10 +57,16 @@
 			<section id="sect-Reference_Guide-CAS_server-Modifying_CAS_server">
 				<title>Modifying CAS server</title>
 				<para>
-					To configure the web archive as desired, it is simpler to directly modify the sources.
+					To configure the web archive as desired, the simplest way is to make the necessary changes directly in CAS codebase.
 				</para>
+            <note>
+               <para>
+                  To complete these instructions, and perform the final build step, you will need the Apache Maven 2.
+                  You can get it <ulink type="http" url="http://maven.apache.org/download.html">here</ulink>.
+               </para>
+            </note>
 				<para>
-					To change the authentication handler to use the portal authentication handler:
+					First, we need to change the default authentication handler with the one provided by &PRODUCT;.
 				</para>
 				<para>
 					The CAS Server Plugin makes secure authentication callbacks to a RESTful service installed on the remote GateIn server in order to authenticate a user.
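Review bot: in the added note, "you will need the Apache Maven 2" should drop the article ("you will need Apache Maven 2"), and since the reader is about to rebuild the CAS sources, this section should say which CAS server version the instructions were tested against, as the JOSSO section in this same patch now does with JOSSO-1.8.1. The unchanged last paragraph says the plugin "makes secure authentication callbacks to a RESTful service" on the GateIn server; that callback is the thing that actually authenticates the user, yet nothing here says what makes it secure. Either state whether the REST endpoint must be reached over HTTPS and how the portal restricts which callers may use it, or remove the word "secure" so the reader does not assume a protection the text does not describe.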
@@ -107,7 +113,7 @@
 					</step>
 					<step>
 						<para>
-							With the following (Make sure to set the host, port and context with the values corresponding to your portal). Also available in <filename>GATEIN_SSO/cas/plugin/WEB-INF/deployerConfigContext.xml</filename>.
+							With the following (Make sure to set the host, port and context with the values corresponding to your portal). Also available in <filename>GATEIN_SSO_HOME/cas/plugin/WEB-INF/deployerConfigContext.xml</filename>.
 						</para>
 						<para>
 							
@@ -149,7 +155,7 @@
 					</step>
 					<step>
 						<para>
-							Copy <filename>GATEIN_SSO/cas/plugin/WEB-INF/lib/sso-cas-plugin-&#60;VERSION&#62;.jar</filename> and <filename>GATEIN_SSO/cas/plugin/WEB-INF/lib/commons-httpclient-&#60;VERSION&#62;.jar</filename> into the <filename>CAS_HOME/cas-server-webapp/src/main/webapp/WEB-INF/lib</filename> created directory.
+							Copy <filename>GATEIN_SSO_HOME/cas/plugin/WEB-INF/lib/sso-cas-plugin-&#60;VERSION&#62;.jar</filename> and <filename>GATEIN_SSO_HOME/cas/plugin/WEB-INF/lib/commons-httpclient-&#60;VERSION&#62;.jar</filename> into the <filename>CAS_HOME/cas-server-webapp/src/main/webapp/WEB-INF/lib</filename> created directory.
 						</para>
 					</step>
 					<step>
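Review bot: "into the CAS_HOME/cas-server-webapp/src/main/webapp/WEB-INF/lib created directory" is hard to parse; the GATEIN_SSO_HOME fix in this step is fine, but while touching the line it should read "into the CAS_HOME/cas-server-webapp/src/main/webapp/WEB-INF/lib directory created in the previous step" (or wherever that directory is created).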
@@ -160,7 +166,8 @@
 							Change the default port to avoid a conflict with the default &PRODUCT; (for testing purposes). Edit <filename>TOMCAT_HOME/conf/server.xml</filename> and replace the 8080 port to 8888.
 							<note>
 								<para>
-									If &PRODUCT; is running with Tomcat on the same machine the port 8005 should be changed to something else to avoid port conflicts.
+									If &PRODUCT; is running on the same machine as Tomcat, other ports need to be changed in addition to 8080 in order to avoid port conflicts.
+                           They can be changed to any free port. For example, you can change admin port from 8005 to 8805, and AJP port from 8009 to 8809.
 								</para>
 							</note>
 						</para>
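Review bot: in the added note, 8005 is Tomcat's shutdown port (the port attribute on the <Server port="8005" shutdown="SHUTDOWN"> element in server.xml), not an "admin port"; naming it correctly tells the reader which element to edit. For the AJP connector on 8009, a test SSO server with no AJP proxy in front of it does not need the connector at all, so the note could suggest commenting it out instead of moving it to 8809; that removes a listening port rather than relocating one.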
@@ -195,7 +202,7 @@
 			<procedure>
 				<step>
 					<para>
-						Copy all libraries from <filename>GATEIN_SSO/cas/gatein.ear/lib</filename> into <filename>JBOSS_HOME/server/default/deploy/gatein.ear/lib</filename> (Or in Tomcat, into $<filename>GATEIN_HOME/lib</filename>)
+						Copy all libraries from <filename>GATEIN_SSO_HOME/cas/gatein.ear/lib</filename> into <filename>JBOSS_HOME/server/default/deploy/gatein.ear/lib</filename> (Or in Tomcat, into $<filename>GATEIN_HOME/lib</filename>)
 					</para>
 				</step>
 				<step>
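Review bot: "$<filename>GATEIN_HOME/lib</filename>" leaves the dollar sign outside the <filename> element, and no other path in this step (or in the patch) uses a dollar prefix; drop the "$" so the Tomcat path is marked up like the JBoss one beside it.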
@@ -234,7 +241,7 @@
 					<procedure>
 						<step>
 							<para>
-								Access &PRODUCT; (if the CAS server using Tomcat is still running) by going to <ulink type="http" url="http://localhost:8888/cas">http://localhost:8888/cas</ulink>.
+								Start (or restart) &PRODUCT;, and (assuming the CAS server on Tomcat is running) direct your browser to <ulink type="http" url="http://localhost:8888/cas">http://localhost:8888/cas</ulink>.
 							</para>
 						</step>
 						<step>
@@ -308,10 +315,10 @@
 	<section id="sect-Reference_Guide-Single_Sign_On-JOSSO">
 		<title>JOSSO</title>
 		<para>
-			This Single Sign On plugin enables seamless integration between &PRODUCT; and the JOSSO Single Sign On Framework. Details about OpenSSO can be found <ulink url="http://www.ja-sig.org/products/cas/">here</ulink>.
+			This Single Sign On plugin enables seamless integration between &PRODUCT; and the JOSSO Single Sign On Framework. Details about JOSSO can be found <ulink url="http://www.josso.org">here</ulink>.
 		</para>
 		<para>
-			Setting up this integration happens in two distinct actions. The first part is installing or configuring a JOSSO server and the second involves setting up the portal to use the JOSSO server.
+			Setting up this integration involves two steps. The first step is to install or configure a JOSSO server, and the second is to set up the portal to use the JOSSO server.
 		</para>
 		<section id="sect-Reference_Guide-JOSSO-JOSSO_server">
 			<title>JOSSO server</title>
@@ -324,7 +331,7 @@
 			<section id="sect-Reference_Guide-JOSSO_server-Obtaining_JOSSO">
 				<title>Obtaining JOSSO</title>
 				<para>
-					JOSSO can be downloaded from <ulink type="http" url="http://sourceforge.net/projects/josso/files/">http://sourceforge.net/projects/josso/files/</ulink>. Use the package that embeds Apache Tomcat.
+					JOSSO can be downloaded from <ulink type="http" url="http://sourceforge.net/projects/josso/files/">http://sourceforge.net/projects/josso/files/</ulink>. Use the package that embeds Apache Tomcat. The integration was tested with JOSSO-1.8.1.
 				</para>
 				<para>
 					Once downloaded, extract the package into what will be called <filename>JOSSO_HOME</filename> in this example.
@@ -336,7 +343,7 @@
 				<procedure>
 					<step>
 						<para>
-							Copy the files from <filename>GATEIN_SSO/josso/plugin</filename> into the Tomcat directory (<filename>JOSSO_HOME</filename>).
+							Copy the files from <filename>GATEIN_SSO_HOME/josso/plugin</filename> into the Tomcat directory (<filename>JOSSO_HOME</filename>).
 						</para>
 						<para>
 							This action should replace or add the following files to the <filename>JOSSO_HOME/webapps/josso/WEB-INF/lib</filename> directory:
@@ -370,7 +377,8 @@
 							<note>
 								<title>Port Conflicts</title>
 								<para>
-									If &PRODUCT; is being on a machine with Tomcat, other ports will need to be changed to avoid conflicts.
+                           If &PRODUCT; is running on the same machine as Tomcat, other ports need to be changed in addition to 8080 in order to avoid port conflicts.
+                           They can be changed to any free port. For example, you can change admin port from 8005 to 8805, and AJP port from 8009 to 8809.
 								</para>
 							</note>
 						</para>
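Review bot: these two sentences on ports are now pasted verbatim into the CAS, JOSSO and OpenSSO sections of this file; one shared fragment (a DocBook entity, or an xi:include of a common block) would keep the three copies in step the next time the wording or the example ports change. Whatever form it takes, it should call 8005 Tomcat's shutdown port rather than "admin port", which is what the <Server port="8005" shutdown="SHUTDOWN"> element in server.xml actually is.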
@@ -395,9 +403,14 @@
 			<procedure>
 				<step>
 					<para>
-						Copy the library files from <filename>GATEIN_SS)/josso/gatein.ear/lib</filename> into <filename>gatein.ear/lib</filename> (Or into <filename>GATEIN_HOME/lib</filename> if &PRODUCT; is  running in Tomcat)
+						Copy the library files from <filename>GATEIN_SSO_HOME/josso/gatein.ear/lib</filename> into <filename>gatein.ear/lib</filename> (or into <filename>GATEIN_HOME/lib</filename> if &PRODUCT; is  running in Tomcat)
 					</para>
 				</step>
+            <step>
+               <para>
+                  Copy the file <filename>GATEIN_SSO_HOME/josso/gatein.ear/portal.war/WEB-INF/classes/josso-agent-config.xml</filename> into <filename>gatein.ear/02portal.war/WEB-INF/classes</filename> (or into <filename>GATEIN_HOME/webapps/portal.war/WEB-INF/classes</filename>, or <filename>GATEIN_HOME/conf</filename> if &PRODUCT; is  running in Tomcat)
+               </para>
+            </step>
 				<step>
 					<itemizedlist>
 						<listitem>
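Review bot: the new josso-agent-config.xml step lists three destinations without saying when each applies: gatein.ear/02portal.war/WEB-INF/classes for JBoss, and then both GATEIN_HOME/webapps/portal.war/WEB-INF/classes and GATEIN_HOME/conf for Tomcat. A reader who copies it to both Tomcat locations cannot tell from this text which copy is read; state the lookup order or name a single location. The double space in "is  running" also appears in both steps of this hunk.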
@@ -433,7 +446,7 @@
 					<procedure>
 						<step>
 							<para>
-								Start &PRODUCT; (assuming that the JOSSO server using Tomcat is running) by going to <ulink type="http" url="http://localhost:8888/josso/signon/login.do">http://localhost:8888/josso/signon/login.do</ulink>.
+								Start (or restart) &PRODUCT;, and (assuming the JOSSO server on Tomcat is running) direct your browser to <ulink type="http" url="http://localhost:8888/josso/signon/login.do">http://localhost:8888/josso/signon/login.do</ulink>.
 							</para>
 						</step>
 						<step>
@@ -489,7 +502,7 @@
   &#60;servlet-class&#62;org.gatein.sso.agent.GenericSSOAgent&#60;/servlet-class&#62;
   &#60;init-param&#62;
     &#60;param-name&#62;ssoServerUrl&#60;/param-name&#62;
-    &#60;param-value&#62;http://localhost:8888/cas&#60;/param-value&#62;
+    &#60;param-value&#62;http://localhost:8888/josso/signon/login.do&#60;/param-value&#62;
   &#60;/init-param&#62;    
 &#60;/servlet&#62;
 </programlisting>
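Review bot: changing ssoServerUrl from the CAS URL to http://localhost:8888/josso/signon/login.do fixes a copy-paste error, but the snippet still shows a plain-http address for the page every portal login is redirected to, and nothing nearby says this is a local test value. Add one sentence that outside this localhost setup the value must be the https address of the JOSSO login page, otherwise the credentials entered on that page cross the network in the clear. The init-param closing tag on the line after the changed one also carries trailing whitespace.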
@@ -514,15 +527,15 @@
 			This Single Sign On plugin enables seamless integration between &PRODUCT; and the OpenSSO Single Sign On Framework. Details about OpenSSO can be found <ulink url="https://opensso.dev.java.net/">here</ulink>.
 		</para>
 		<para>
-			Setting up this integration happens in two distinct actions. The first part is installing or configuring an OpenSSO server and the second involves setting up the portal to use the OpenSSO server. 
+			Setting up this integration involves two steps. The first step is to install or configure an OpenSSO server, and the second is to set up the portal to use the OpenSSO server.
 		</para>
 		<section id="sect-Reference_Guide-OpenSSO_The_Open_Web_SSO_project-OpenSSO_server">
 			<title>OpenSSO server</title>
 			<para>
-				 This section details setting up the OpenSSO server to authenticate against the Enterprise Portal Platform login module.
+				 This section details the setting up of OpenSSO server to authenticate against the &PRODUCT; login module.
 			</para>
 			<para>
-				In this example the JOSSO server will be installed on Tomcat. 
+				In this example the OpenSSO server will be installed on Tomcat.
 			</para>
 			<section id="sect-Reference_Guide-OpenSSO_server-Obtaining_OpenSSO">
 				<title>Obtaining OpenSSO</title>
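Review bot: "This section details the setting up of OpenSSO server" is clumsier than the sentence it replaces; keep the original structure and just make the product substitution: "This section details setting up the OpenSSO server to authenticate against the &PRODUCT; login module." The JOSSO-to-OpenSSO fix two lines further down is correct and was a real copy-paste error.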
@@ -559,7 +572,8 @@
 							Change the default port to avoid a conflict with the default &PRODUCT; port (for testing purposes). Do this by editing <filename>TOMCAT_HOME/conf/server.xml</filename> and replacing the 8080 port to 8888.
 							<note>
 								<para>
-									If &PRODUCT; is running on the same machine as Tomcat, the port 8005 will also need to be changed to avoid port conflicts.
+                           If &PRODUCT; is running on the same machine as Tomcat, other ports need to be changed in addition to 8080 in order to avoid port conflicts.
+                           They can be changed to any free port. For example, you can change admin port from 8005 to 8805, and AJP port from 8009 to 8809.
 								</para>
 							</note>
 						</para>
@@ -593,14 +607,15 @@
 					</step>
 					<step>
 						<para>
-							Copy <filename>GATEIN_SSO/opensso/plugin/WEB-INF/lib/sso-opensso-plugin-&#60;VERSION&#62;.jar</filename>, <filename>GATEIN_SSO/opensso/plugin/WEB-INF/lib/commons-httpclient-&#60;VERSION&#62;.jar</filename>, and <filename>GATEIN_SSO/opensso/plugin/WEB-INF/lib/commons-logging-&#60;VERSION&#62;.jar</filename> into the Tomcat directory at <filename>TOMCAT_HOME/webapps/opensso/WEB-INF/lib</filename>.
+							Copy <filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/lib/sso-opensso-plugin-&#60;VERSION&#62;.jar</filename>, <filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/lib/commons-httpclient-&#60;VERSION&#62;.jar</filename>, and <filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/lib/commons-logging-&#60;VERSION&#62;.jar</filename> into the Tomcat directory at <filename>TOMCAT_HOME/webapps/opensso/WEB-INF/lib</filename>.
 						</para>
 					</step>
 					<step>
 						<para>
-							Copy <filename>GATEIN_SSO/opensso/plugin/WEB-INF/classes/gatein.properties</filename> into <filename>TOMCAT_HOME/webapps/opensso/WEB-INF/classes</filename>
+							Copy <filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/classes/gatein.properties</filename> into <filename>TOMCAT_HOME/webapps/opensso/WEB-INF/classes</filename>
 						</para>
 					</step>
+
 					<step>
 						<para>
 							Tomcat should start and be able to access <ulink type="http" url="http://localhost:8888/opensso/UI/Login?realm=gatein">http://localhost:8888/opensso/UI/Login?realm=gatein</ulink>. Login will not be available at this point.
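Review bot: the gatein.properties step copies the file into TOMCAT_HOME/webapps/opensso/WEB-INF/classes without saying whether anything in it must be edited; the CAS section tells the reader to set host, port and context in deployerConfigContext.xml, and the equivalent instruction (or an explicit "no changes needed") is missing here. The unchanged last step, "Tomcat should start and be able to access http://localhost:8888/opensso/UI/Login?realm=gatein", has Tomcat doing the browsing; "Start Tomcat; you should then be able to open ..." is what is meant. The empty "+" line inserted before that step is whitespace only.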
@@ -611,9 +626,54 @@
 							</imageobject>
 						</mediaobject>
 					</step>
-				</procedure>
-			</section>
+            </procedure>
 
+            <para>Configure "gatein" realm:</para>
+            <procedure>
+               <step>
+                     <para>Direct your browser to <ulink type="http" url="http://localhost:8888/opensso">http://localhost:8888/opensso</ulink></para>
+               </step>
+               <step>
+                     <para>Create default configuration</para>
+               </step>
+               <step>
+                     <para>Login as <literal>amadmin</literal> and then go to tab "Configuration" -> tab "Authentication" -> link "Core" ->
+                        add new value and fill in the class name "org.gatein.sso.opensso.plugin.AuthenticationPlugin".
+                        This step is really important. Without it AuthenticationPlugin is not available among other OpenSSO authentication modules.
+                     </para>
+               </step>
+               <step>
+                  <para>Go to tab "Access control" and create new realm called "gatein".</para>
+               </step>
+               <step>
+                  <para>Go to "gatein" realm and click on "Authentication" tab. At the bottom in the section "Authentication chaining" click on "ldapService".
+                     Here change the selection from "Datastore", which is the default module in the authentication chain, to "AuthenticationPlugin".
+                     This enables authentication of "gatein" realm by using GateIn REST service instead of the OpenSSO LDAP server.</para>
+               </step>
+               <step>
+                  <para>
+                     Go to "Advanced properties" and change UserProfile from "Required" to "Dynamic". This step is needed
+                     because &PRODUCT; users are not in OpenSSO Datastore (LDAP server), so their profiles can't be obtained
+                     if "Required" is active. By using "Dynamic" all new users are automatically
+                     created in OpenSSO datastore after successful authentication.
+                  </para>
+               </step>
+               <step>
+                  <para>
+                     Increase the user privileges to allow REST access. Go to "Access control" ->
+                     Top level realm -> "Privileges" tab -> All authenticated users, and check the last two checkboxes:
+                     <itemizedlist>
+                        <listitem><para>Read and write access only for policy properties</para></listitem>
+                        <listitem><para>Read and write access to all realm and policy properties</para></listitem>
+                     </itemizedlist>
+                  </para>
+               </step>
+               <step>
+                  <para>Do the same for "gatein" realm.</para>
+               </step>
+            </procedure>
+            <para>TODO: The above OpenSSO manual configuration could be replaced by configuration files prepared in advance</para>
+         </section>
 		</section>
 		
 		<section id="sect-Reference_Guide-OpenSSO_The_Open_Web_SSO_project-Setup_the_OpenSSO_client">
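Review bot: the "Increase the user privileges to allow REST access" step grants "All authenticated users", first in the top level realm and then again in "gatein", the "Read and write access to all realm and policy properties" privilege. Combined with the UserProfile "Dynamic" step just above it, which creates every portal user in the OpenSSO datastore after a successful login, this means any portal user becomes an authenticated OpenSSO user who can rewrite realm configuration and policies through the console or REST API, which is far broader than what the plugin's REST calls need. Label this as a shortcut for the local test setup, and either say which of the two checkboxes is actually required or direct the reader to scope the grant to a dedicated service identity instead of all authenticated users. Separately, the "<para>TODO: The above OpenSSO manual configuration could be replaced ...</para>" will render into the published guide; put it in a <remark> element or remove it before the chapter ships. The inserted block also indents with spaces where the rest of the file uses tabs.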
@@ -621,7 +681,7 @@
 			<procedure>
 				<step>
 					<para>
-						Copy all libraries from <filename>GATEIN_SSO/opensso/gatein.ear/lib</filename> into <filename>JBOSS_HOME/server/default/deploy/gatein.ear/lib</filename> (Or, in Tomcat, into <filename>GATEIN_HOME/lib</filename>)
+						Copy all libraries from <filename>GATEIN_SSO_HOME/opensso/gatein.ear/lib</filename> into <filename>JBOSS_HOME/server/default/deploy/gatein.ear/lib</filename> (Or, in Tomcat, into <filename>GATEIN_HOME/lib</filename>)
 					</para>
 				</step>
 				<step>


