[gatein-commits] gatein SVN: r8154 - in epp/docs/branches/5.2/Reference_Guide/en-US: modules/AuthenticationAndIdentity and 1 other directory.



Author: smumford
Date: 2011-11-28 18:46:40 -0500 (Mon, 28 Nov 2011)
New Revision: 8154

Modified:
   epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default124.xml
   epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default125.xml
   epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default126.xml
   epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default127.xml
   epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default128.xml
   epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default129.java
   epp/docs/branches/5.2/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
Log:
JBEPP-1406: Corrected SSO issues due to referring to outdated GateIn docs

Modified: epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default124.xml
===================================================================
--- epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default124.xml	2011-11-28 22:40:37 UTC (rev 8153)
+++ epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default124.xml	2011-11-28 23:46:40 UTC (rev 8154)
@@ -1,13 +1,13 @@
 <!-- SPNEGO domain -->
-  <application-policy name="host">
-   <authentication>
-      <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
-         <module-option name="storeKey">true</module-option>
-         <module-option name="useKeyTab">true</module-option>
-         <module-option name="principal">HTTP/server.local.network at LOCAL.NETWORK</module-option>
-         <module-option name="keyTab">/home/user/krb5keytabs/jboss.keytab</module-option>
-         <module-option name="doNotPrompt">true</module-option>
-         <module-option name="debug">true</module-option>
-      </login-module>
-   </authentication>
+<application-policy name="host">
+  <authentication>
+    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
+      <module-option name="storeKey">true</module-option>
+      <module-option name="useKeyTab">true</module-option>
+      <module-option name="principal">HTTP/server.local.network at LOCAL.NETWORK</module-option>
+      <module-option name="keyTab">/etc/krb5.keytab</module-option>
+      <module-option name="doNotPrompt">true</module-option>
+      <module-option name="debug">true</module-option>
+    </login-module>
+  </authentication>
  </application-policy>
\ No newline at end of file
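Review bot: The listing keeps `<module-option name="debug">true</module-option>` in the Krb5LoginModule block, and Krb5LoginModule debug output is written to the server log, so a configuration copied from this page into production logs Kerberos negotiation details on every login; either show `false` or add `<!-- debug: leave true only while setting up SPNEGO; set to false in production -->` above that line. The keytab path is now the host's `/etc/krb5.keytab`, which is typically readable only by root, so the guide should state that the user running JBoss needs read access to it or point to a dedicated service keytab owned by that user. The `at` in the principal value is presumably the mailing-list mangling of `@`; worth confirming the committed file reads `HTTP/server.local.network@LOCAL.NETWORK`.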

Modified: epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default125.xml
===================================================================
--- epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default125.xml	2011-11-28 22:40:37 UTC (rev 8153)
+++ epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default125.xml	2011-11-28 23:46:40 UTC (rev 8154)
@@ -1,30 +1,31 @@
- <property name="authenticators">
-     <map keyClass="java.lang.String" valueClass="java.lang.String">
-        <entry>
-           <key>BASIC</key>
-           <value>org.apache.catalina.authenticator.BasicAuthenticator</value>
-        </entry>
-        <entry>
-           <key>CLIENT-CERT</key>
-           <value>org.apache.catalina.authenticator.SSLAuthenticator</value>
-        </entry>
-        <entry>
-           <key>DIGEST</key>
-           <value>org.apache.catalina.authenticator.DigestAuthenticator</value>
-        </entry>
-        <entry>
-           <key>FORM</key>
-           <value>org.apache.catalina.authenticator.FormAuthenticator</value>
-        </entry>
-        <entry>
-           <key>NONE</key>
-           <value>org.apache.catalina.authenticator.NonLoginAuthenticator</value>
-        </entry>
+<deployment xmlns="urn:jboss:bean-deployer:2.0">
+<property name="authenticators">
+  <map class="java.util.Properties" keyClass="java.lang.String" valueClass="java.lang.String">
+     <entry>
+        <key>BASIC</key>
+        <value>org.apache.catalina.authenticator.BasicAuthenticator</value>
+     </entry>
+     <entry>
+        <key>CLIENT-CERT</key>
+        <value>org.apache.catalina.authenticator.SSLAuthenticator</value>
+     </entry>
+     <entry>
+       <key>DIGEST</key>
+       <value>org.apache.catalina.authenticator.DigestAuthenticator</value>
+     </entry>
+     <entry>
+        <key>FORM</key>
+        <value>org.apache.catalina.authenticator.FormAuthenticator</value>
+     </entry>
+     <entry>
+        <key>NONE</key>
+        <value>org.apache.catalina.authenticator.NonLoginAuthenticator</value>
+     </entry>
 
-    <!-- Add this entry -->
-    <entry>
-      <key>SPNEGO</key>
-      <value>org.jboss.security.negotiation.NegotiationAuthenticator</value>
-    </entry>
-     </map>         
-  </property>
\ No newline at end of file
+     <!-- Add this entry -->
+     <entry>
+        <key>SPNEGO</key>
+        <value>org.gatein.sso.spnego.GateInNegotiationAuthenticator</value>
+     </entry>
+  </map>
+</property>
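Review bot: The new `<deployment xmlns="urn:jboss:bean-deployer:2.0">` opening tag at the top of the listing has no matching `</deployment>`, so the snippet is no longer well-formed on its own and a reader pasting it gets an unbalanced element. Either drop the opening tag, since the rest is a fragment to be merged into an existing bean deployment, or close it after `</property>`. The DIGEST entry's `<key>` and `<value>` lines are also indented one space less than the sibling entries.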

Modified: epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default126.xml
===================================================================
--- epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default126.xml	2011-11-28 22:40:37 UTC (rev 8153)
+++ epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default126.xml	2011-11-28 23:46:40 UTC (rev 8154)
@@ -1,20 +1,54 @@
 <deployment xmlns="urn:jboss:bean-deployer:2.0">
+
+  <application-policy xmlns="urn:jboss:security-beans:1.0" name="gatein-form-auth-domain">
+    <authentication>
+      <login-module code="org.gatein.wci.security.WCILoginModule" flag="optional">
+        <module-option name="portalContainerName">portal</module-option>
+        <module-option name="realmName">gatein-domain</module-option>
+      </login-module>
+      <login-module code="org.exoplatform.services.security.jaas.SharedStateLoginModule" flag="required">
+        <module-option name="portalContainerName">portal</module-option>
+        <module-option name="realmName">gatein-domain</module-option>
+      </login-module>
+
+      <!-- Uncomment this part to check on each login if user is member of "/platform/users" group and if not
+           create such membership -->
+      <!--
+      <login-module code="org.exoplatform.services.organization.idm.CustomMembershipLoginModule" flag="required">
+        <module-option name="portalContainerName">portal</module-option>
+        <module-option name="realmName">gatein-domain</module-option>
+        <module-option name="membershipType">member</module-option>
+        <module-option name="groupId">/platform/users</module-option>
+      </login-module>
+      -->
+
+      <login-module code="org.exoplatform.services.security.j2ee.JbossLoginModule" flag="required">
+        <module-option name="portalContainerName">portal</module-option>
+<!-- logout needs to be performed from 'gatein-domain' as it is used for JaasSecurityManager. -->
+        <module-option name="realmName">gatein-domain</module-option>
+      </login-module>
+    </authentication>
+  </application-policy>
+
+
   <application-policy xmlns="urn:jboss:security-beans:1.0" name="gatein-domain">
-    <!-- Uncomment this for Kerberos based SSO integration -->
     <authentication>
-      <login-module
+     <login-module
          code="org.gatein.sso.spnego.SPNEGOLoginModule"
          flag="requisite">
          <module-option name="password-stacking">useFirstPass</module-option>
          <module-option name="serverSecurityDomain">host</module-option>
-      </login-module>      
+     <module-option name="removeRealmFromPrincipal">true</module-option>
+     <module-option name="usernamePasswordDomain">gatein-form-auth-domain</module-option>
+      </login-module>
       <login-module
          code="org.gatein.sso.agent.login.SPNEGORolesModule"
          flag="required">
       <module-option name="password-stacking">useFirstPass</module-option>
       <module-option name="portalContainerName">portal</module-option>
       <module-option name="realmName">gatein-domain</module-option>
-      </login-module>      
+      </login-module>
    </authentication>
   </application-policy>
+
 </deployment>
\ No newline at end of file
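Review bot: `<module-option name="removeRealmFromPrincipal">true</module-option>` is added to the SPNEGOLoginModule block with no explanation; presumably it strips the `@REALM` part from the authenticated Kerberos principal before it is mapped to a portal user, in which case two principals with the same short name from different realms would map to one portal account under a cross-realm trust. A comment on that line would help: `<!-- drops @REALM from the Kerberos principal; appropriate only when a single realm is trusted -->`. Separately, the comment `<!-- logout needs to be performed from 'gatein-domain' ... -->` inside the JbossLoginModule block sits at column 0 while its siblings are indented, and the two new module-option lines in the SPNEGOLoginModule block (5 spaces) do not line up with the existing ones (9 spaces).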

Modified: epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default127.xml
===================================================================
--- epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default127.xml	2011-11-28 22:40:37 UTC (rev 8153)
+++ epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default127.xml	2011-11-28 23:46:40 UTC (rev 8154)
@@ -1,14 +1,17 @@
- <!--
-    <login-config>
-      <auth-method>FORM</auth-method> 
-      <realm-name>gatein-domain</realm-name> 
+<!--    <login-config>
+      <auth-method>FORM</auth-method>
+      <realm-name>gatein-domain</realm-name>
         <form-login-config>
-          <form-login-page>/initiatelogin</form-login-page> 
+          <form-login-page>/initiatelogin</form-login-page>
             <form-error-page>/errorlogin</form-error-page>
       </form-login-config>
     </login-config>
-    -->
+-->
     <login-config>
       <auth-method>SPNEGO</auth-method>
-      <realm-name>SPNEGO</realm-name>    
+      <realm-name>SPNEGO</realm-name>
+      <form-login-config>
+         <form-login-page>/initiatelogin</form-login-page>
+         <form-error-page>/errorlogin</form-error-page>
+     </form-login-config>
     </login-config>
\ No newline at end of file
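Review bot: The `<form-login-config>` added inside the SPNEGO `<login-config>` is what enables the FORM fallback described in the surrounding prose, but the listing itself does not say so; a one-line comment above it, `<!-- enables fallback to FORM login when no Kerberos ticket is presented -->`, would make the snippet self-explanatory for readers who copy it. The closing `</form-login-config>` is indented 5 spaces against 6 for its opening tag, and the commented-out FORM block now starts on the same line as `<!--`, unlike the other listings in this commit.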

Modified: epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default128.xml
===================================================================
--- epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default128.xml	2011-11-28 22:40:37 UTC (rev 8153)
+++ epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default128.xml	2011-11-28 23:46:40 UTC (rev 8154)
@@ -1,22 +1,24 @@
 <filter>
   <filter-name>LoginRedirectFilter</filter-name>
   <filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
-  <init-param>                                 
-    <!-- This should point to your SSO authentication server -->                                                                                              
-    <param-name>LOGIN_URL</param-name>                                                                                                
-    <param-value>/portal/private/classic</param-value>                                                                                                         
+  <init-param>
+    <!-- This should point to your SSO authentication server -->
+    <param-name>LOGIN_URL</param-name>
+    <param-value>/portal/private/classic</param-value>
   </init-param>
 </filter>
+
 <filter>
-    <filter-name>SPNEGOFilter</filter-name>
-    <filter-class>org.gatein.sso.agent.filter.SPNEGOFilter</filter-class>
+ <filter-name>SPNEGOFilter</filter-name>
+ <filter-class>org.gatein.sso.agent.filter.SPNEGOFilter</filter-class>
 </filter>
 
 <filter-mapping>
   <filter-name>LoginRedirectFilter</filter-name>
-  <url-pattern>/*</url-pattern>             
+  <url-pattern>/*</url-pattern>
 </filter-mapping>
-<filter-mapping>                                           
-    <filter-name>SPNEGOFilter</filter-name>
-    <url-pattern>/*</url-pattern>
+
+<filter-mapping>
+  <filter-name>SPNEGOFilter</filter-name>
+  <url-pattern>/login</url-pattern>
 </filter-mapping>
\ No newline at end of file
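Review bot: The comment `<!-- This should point to your SSO authentication server -->` above `LOGIN_URL` contradicts the value `/portal/private/classic`, which is a portal-internal path rather than an external server; in this SPNEGO setup the redirect apparently targets the portal's own private URL so that the challenge is issued, and the comment should say that, e.g. `<!-- URL the filter redirects unauthenticated requests to; for SPNEGO this is a portal private page -->`. The `SPNEGOFilter` element's children are indented one space while the sibling `LoginRedirectFilter` uses two.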

Modified: epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default129.java
===================================================================
--- epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default129.java	2011-11-28 22:40:37 UTC (rev 8153)
+++ epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default129.java	2011-11-28 23:46:40 UTC (rev 8154)
@@ -1,4 +1,4 @@
 <!--
-<a onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
+<a class="Login" onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
 -->
-<a href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
\ No newline at end of file
+<a class="Login" href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
\ No newline at end of file

Modified: epp/docs/branches/5.2/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
===================================================================
--- epp/docs/branches/5.2/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml	2011-11-28 22:40:37 UTC (rev 8153)
+++ epp/docs/branches/5.2/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml	2011-11-28 23:46:40 UTC (rev 8154)
@@ -1605,6 +1605,36 @@
                     </para>
                      
 <programlisting language="XML" role="XML"><xi:include href="../../extras/Authentication_Identity_SSO/default127.xml" parse="text" xmlns:xi="http://www.w3.org/2001/XInclude" /></programlisting>
+                    <para>
+                        This integrates SPNEGO support into the Portal web archive by switching the authentication mechanism from the default "FORM"-based to "SPNEGO"-based authentication.
+                    </para>
+                    <para>
+                        You can see that the SPNEGO portion also contains the element <code>form-login-config</code>, which is required if you want to enable a fallback to FORM based authentication function.
+                    </para>
+                    <para>
+                        In this case, the portal will attempt to authenticate the user with their Kerberos ticket through SPNEGO. If the user does not have a Kerberos ticket, they will be redirected to FORM authentication and via the login screen.
+                    </para>
+                    <para>
+                        This configuration ensures the first authentication attempt is though SPNEGO and, if this attempt is unsuccessful, another attempt is made using the FORM method. This could occur if the user does not have a valid Kerberos ticket or if the web browser in use does not support SPNEGO authentication with the Kerberos server.
+                    </para>
+                    <para>
+                        If the fallback to FORM function is not required, the <code>form-login-config</code> configuration can be disabled like so: 
+                    </para>
+<programlisting language="XML" role="XML"><![CDATA[<login-config>
+      <auth-method>SPNEGO</auth-method>
+      <realm-name>SPNEGO</realm-name>
+<!--      <form-login-config>
+         <form-login-page>/initiatelogin</form-login-page>
+         <form-error-page>/errorlogin</form-error-page>
+     </form-login-config>
+-->
+    </login-config>
+]]></programlisting>
+                    <para>
+                        In this case the user needs to authenticate through SPNEGO and if that fails, the user will receive an authentication error with HTTP code <literal>401</literal>. The FORM fallback will not be offered. 
+                    </para>
+                </step>
+                 <step>
                      <para>
                         Integrate the request pre-processing needed for SPNEGO via filters by adding the following filters to the <filename><replaceable>&lt;JBOSS_HOME&gt;</replaceable>/server/<replaceable>&lt;PROFILE&gt;</replaceable>/deploy/gatein.ear/02portal.war/WEB-INF/web.xml</filename> at the top of the Filter chain.
                     </para>
@@ -1626,9 +1656,12 @@
                     </para>
                      
 <programlisting language="Java" role="Java"><xi:include href="../../extras/Authentication_Identity_SSO/default130.java" parse="text" xmlns:xi="http://www.w3.org/2001/XInclude" /></programlisting>
-                     <para>
-                        The <replaceable>PROFILE</replaceable> parameter in the above command should be replaced with the server profile modified with the above configuration.
-                    </para>
+                     <note>
+                         <title>Note</title>
+                             <para>
+                                 The <replaceable>PROFILE</replaceable> parameter in the above command should be replaced with the server profile modified with the above configuration.
+                             </para>
+                     </note>
 
                 </step>
                  <step>


