[jboss-user] [Security & JAAS/JBoss] - Re: Jboss SSO Web Application

sohil.shah@jboss.com do-not-reply at jboss.com
Wed Nov 1 19:56:17 EST 2006


anonymous wrote : 
  | 1) What I would like to know is why I have to setup the JAAS module
  | 
  | I have written my own LoginProvider and I am authenticating user, also the roles changes quite frequently. As The Loginprovider getRoles method solves my purpose and i can fetch roles from Database or LDAP. 
  | 

The LoginProvider is more of a data access component to get your authentication data and role information. This has to be integrated with a component that actually uses this data. The JAAS module is provided as a standard integration out-of-the-box. JAAS is the standard way to perform authentication in a J2EE environment so that the logged in Subject is then identified by other systems of the application server like the EJB layer, Web layer, etc. The Tomcat valves provide this JAAS integration.

anonymous wrote : 
  | 2) In the context.xml of my web application
  | When I define the URL of my Logout page, Do I have to do anything specific in that page? 
  | 

This is the URL that performs the logout functionality of your application. This is used by the Federated Single Sign Out function of the framework. You don't have to do anything special on this page except make sure the user is logged out when this URL is called.

anonymous wrote : 
  | 3) In the context.xml when I define
  | assertingParty="{uniqueId to identify this web application in the federation}" 
  | 

Asserting Party identifies your node as a partner in the Federation. It is a free form value and is not processed by the application. It shows up in the SAML token that is propagated within the Federation. It identifies the node that actually authenticated the user and issued the SAML token.


anonymous wrote : 
  | 4) Is there any agent code which I can use in my web application which tells me if user is logged in or not ? I mean how can I find out if this user has already logged on some other web application 
  | 

There are many ways depending on your environment. If you use JAAS based authentication you can tell by the presence of the Principal object.
In this framework, the presence of the SAML token as a cookie on the incoming HTTP request also tells you if the user has been authenticated.

I would really recommend using JAAS as your authentication system.

anonymous wrote : 
  | 5) What exactly is this
  | application-policy name="{your web application identifier}"
  | 

This is part of the JAAS module configuration. It identifies the web application that this module should be applied to. For details on JAAS configuration please look at: http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossSX

Also, for an example of JAAS setup you can refer to the component/jboss_sso_test module for ideas.

Thanks
Sohil

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3982505#3982505
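As an added illustration of the answer to question 4 (not code from the JBoss SSO framework or from Sohil), the servlet filter below checks login status the two ways described in the reply: the JAAS Principal that the Tomcat valve establishes, and the presence of the federation's SAML token cookie. The filter class, the attribute names and the cookie name `SAMLToken` are all assumptions made for this example; substitute the cookie name the framework actually uses in your deployment. Note that the filter never treats the bare cookie as proof of login: only a Principal set by the container counts, and the cookie value is never logged or exposed.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical filter (added example, not part of the JBoss SSO framework).
 * It answers "is this user logged in?" using
 *   1. the JAAS Principal the Tomcat valve placed on the request, and
 *   2. the presence of the federation's SAML token cookie,
 * and exposes the result as request attributes for JSPs and servlets.
 */
public class SsoStatusFilter implements Filter {

    // ASSUMPTION: the cookie name under which the federation sends the SAML token.
    private static final String SAML_COOKIE_NAME = "SAMLToken";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // 1. JAAS view: the container sets the Principal only after the
        //    valve has authenticated the Subject for this web application.
        Principal principal = request.getUserPrincipal();
        boolean jaasAuthenticated = (principal != null);

        // 2. Federation view: the SAML token travels as a cookie.
        boolean samlTokenPresent = hasCookie(request, SAML_COOKIE_NAME);

        if (samlTokenPresent && !jaasAuthenticated) {
            // A token arrived but no Principal was established: the SSO valve
            // is not active for this application or the token was rejected.
            // The user is NOT considered logged in; the normal login applies.
            // Record only the fact, never the cookie value (it is a bearer credential).
            request.setAttribute("sso.tokenWithoutPrincipal", Boolean.TRUE);
        }

        request.setAttribute("sso.loggedIn", Boolean.valueOf(jaasAuthenticated));
        request.setAttribute("sso.user", jaasAuthenticated ? principal.getName() : null);

        chain.doFilter(req, res);
    }

    /** True if a non-empty cookie with the given name is on the request. */
    static boolean hasCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return false;
        }
        for (int i = 0; i < cookies.length; i++) {
            String value = cookies[i].getValue();
            if (name.equals(cookies[i].getName()) && value != null && value.length() > 0) {
                return true;
            }
        }
        return false;
    }

    public void destroy() { }
}
```

Map the filter to the protected URL pattern in web.xml as you would any other filter; downstream pages can then read `sso.loggedIn` and `sso.user` instead of re-implementing the check. The design deliberately follows the recommendation in the reply: the JAAS Principal is the source of truth, and the SAML cookie is only an indicator that the federation has already authenticated the user elsewhere.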
