[jboss-user] [Security & JAAS/JBoss] - Re: Jboss SSO Web Application

sohil.shah@jboss.com do-not-reply at jboss.com
Thu Nov 2 11:03:00 EST 2006


Nipun-

I think there is some confusion with your JAAS configuration. You don't need to write your own LoginModule. You should just be able to integrate the LoginProvider that you created and use the built-in UserNameAndPasswordLoginModule from the IDM component.


Just follow these steps more or less:

In your web application ear file create the following files: jboss-service.xml, jboss-app.xml, and security-config.xml

jboss-service.xml

  | <?xml version="1.0" encoding="UTF-8"?>
  | <server>   
  |    <!-- hooking in a login module for the standalone version of JSF Forums -->
  |     <!-- The custom JAAS login configuration that installs 
  |        a Configuration capable of dynamically updating the
  |        config settings
  |    -->
  |    <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
  |       name="jboss.security.tests:service=LoginConfig">
  |       <attribute name="AuthConfig">META-INF/security-config.xml</attribute>
  |       <depends optional-attribute-name="LoginConfigService">
  |          jboss.security:service=XMLLoginConfig
  |       </depends>
  |       <depends optional-attribute-name="SecurityManagerService">
  |          jboss.security:service=JaasSecurityManager
  |       </depends>
  |    </mbean>
  | </server>
  | 

jboss-app.xml

  | <?xml version="1.0" encoding="UTF-8"?>
  | <jboss-app>   
  |    <module>
  |       <service>jboss-service.xml</service>
  |    </module>
  | </jboss-app>
  | 

security-config.xml

  | <?xml version='1.0'?>
  | <!DOCTYPE policy PUBLIC
  |       "-//JBoss//DTD JBOSS Security Config 3.0//EN"
  |       "http://www.jboss.org/j2ee/dtd/security_config.dtd">
  | 
  | <!-- The JAAS login configuration file for the java:/jaas/jbossweb-form-auth
  | security domain used by the security-spec test case
  | -->
  | <policy>
  |     <application-policy name="mywebapp">       
  |        <authentication>
  |          <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="required">
  |             <module-option name="unauthenticatedIdentity">guest</module-option>                        
  |             <module-option name="password-stacking">useFirstPass</module-option>           
  |             <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>             
  |          </login-module>         
  |       </authentication>
  |     </application-policy>
  | </policy>
  | 

This will set up your JAAS configuration.

Now inside your war file where the web application is:

Look at the following files: context.xml, jboss-web.xml and web.xml

context.xml

  | <?xml version="1.0"?>
  | <Context>
  | 
  |    <!-- 
  |    		logoutURL - URL for performing logout/signout function in your application
  |     -->	   
  |    <Valve className="org.jboss.security.valve.SSOAutoLogout" 
  | 	logoutURL="/test/logout.jsp"/>
  | 	
  |    <!-- 
  |    		assertingParty - this is the partnerId of this application as a part of a federation of multiple partner sites
  |    -->
  |    <Valve className="org.jboss.security.valve.SSOTokenManager" 
  |    assertingParty="jboss_sso_tester"/>
  |    
  |    <!-- 
  | 		tomcat built-in AuthenticationTypes: FORM,BASIC,DIGEST,CLIENT-CERT
  |    -->
  |    <Valve className="org.jboss.security.valve.SSOAutoLogin" 
  |    authType="FORM"/>
  | </Context>
  | 

jboss-web.xml

  | <?xml version="1.0"?>
  | <jboss-web>
  | 	<security-domain>java:jaas/mywebapp</security-domain>
  | </jboss-web>
  | 

Notice the mywebapp specified in jboss-web.xml must be the same as the application-policy name specified in the security-config.xml shown earlier.

Then in your web.xml specify the following security configuration:

  | <!-- setting up the security constraint -->
  |     <security-constraint>
  |       <web-resource-collection>
  |          <web-resource-name>Authenticated</web-resource-name>
  |          <description></description>
  |          <url-pattern>/secure/*</url-pattern>
  |       </web-resource-collection>
  |       <auth-constraint>
  |          <role-name>Authenticated</role-name>
  |       </auth-constraint>
  |     </security-constraint>
  |     
  |     <!-- setup the Authentication method -->    
  |     <login-config>
  |       <auth-method>FORM</auth-method>
  |       <realm-name>My WebApps Login Mechanism</realm-name>
  |       <form-login-config>
  |          <form-login-page>/login.jsp</form-login-page>
  |          <form-error-page>/loginError.jsp</form-error-page>
  |       </form-login-config>
  |     </login-config>
  |    
  |    <security-role>
  |       <role-name>Authenticated</role-name>
  |    </security-role>
  | 

Also, JAAS logins are handled by the tomcat container and should not be called by application level components like Servlets, Filters, EJBs etc. The JAAS login lifecycle is managed by the tomcat container. This is where the SSO token management functionality is integrated.

This is probably why you don't see a request.getUserPrincipal(): tomcat did not update your environment since you called the login module from within your servlet.


Now how will your login screen be displayed? For that use a url like /mywebapp/secure/resource. Any resource preceded by /secure will make tomcat invoke the login use case if you are not logged in.


/secure is from the web.xml configuration...

  | <url-pattern>/secure/*</url-pattern>
  | 
You can call it /auth or whatever else you prefer.


Also one more thing: for your SSO domain cookie to be placed on your browser, you will need to make sure of two things:

1) Login happens properly through the JAAS lifecycle in tomcat

2) When you call your web app, call it with a proper domain url like http://xyz.myapp.com etc. Don't use http://localhost since localhost does not equate to any domain, hence the SSO SAML token is not placed


Hope this helps move it along. It's more configuration related issues at this point. Maybe the Wiki docs need to have these details.

Thanks
Sohil
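The post hinges on three names lining up across files: the security-domain in jboss-web.xml must name an application-policy in security-config.xml, the role in web.xml's auth-constraint must be declared as a security-role, and the login module must actually grant that role through authenticatedRoles. The following script is an added example (not from the post or from JBoss) that checks those links over constructed, trimmed copies of the three files; the `valve_auth_type` parameter is an assumption standing in for the authType given to the SSOAutoLogin valve in context.xml.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring the three files from the post (trimmed).
JBOSS_WEB = """<jboss-web><security-domain>java:jaas/mywebapp</security-domain></jboss-web>"""
SECURITY_CONFIG = """<policy><application-policy name="mywebapp"><authentication>
<login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="required">
<module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
</login-module></authentication></application-policy></policy>"""
WEB_XML = """<web-app>
<security-constraint><web-resource-collection><url-pattern>/secure/*</url-pattern>
</web-resource-collection><auth-constraint><role-name>Authenticated</role-name>
</auth-constraint></security-constraint>
<login-config><auth-method>FORM</auth-method></login-config>
<security-role><role-name>Authenticated</role-name></security-role></web-app>"""


def domain_name(jboss_web):
    """Policy name referenced by <security-domain>, or None if it is not a jaas name."""
    text = (ET.fromstring(jboss_web).findtext("security-domain") or "").strip()
    m = re.fullmatch(r"java:/?jaas/(.+)", text)  # accept java:/jaas/X and java:jaas/X
    return m.group(1) if m else None


def check_wiring(jboss_web, security_config, web_xml, valve_auth_type="FORM"):
    """Return a list of mismatch descriptions; an empty list means the files agree."""
    problems = []
    name = domain_name(jboss_web)
    policy = ET.fromstring(security_config)
    if name not in {p.get("name") for p in policy.iter("application-policy")}:
        problems.append(f"no application-policy named {name!r} in security-config.xml")
    granted = set()  # roles the login module assigns to an authenticated user
    for opt in policy.iter("module-option"):
        if opt.get("name") == "authenticatedRoles":
            granted |= {r.strip() for r in (opt.text or "").split(",") if r.strip()}
    web = ET.fromstring(web_xml)
    declared = {rn.text.strip() for sr in web.iter("security-role") for rn in sr.iter("role-name")}
    for ac in web.iter("auth-constraint"):
        for rn in ac.iter("role-name"):
            role = rn.text.strip()
            if role not in declared:
                problems.append(f"auth-constraint role {role!r} has no <security-role>")
            if role not in granted:
                problems.append(f"login module never grants role {role!r}")
    if web.findtext("login-config/auth-method", "").strip() != valve_auth_type:
        problems.append(f"web.xml auth-method does not match valve authType {valve_auth_type!r}")
    return problems


if __name__ == "__main__":
    print(check_wiring(JBOSS_WEB, SECURITY_CONFIG, WEB_XML) or "configuration is consistent")
```

A non-empty result points at the file to fix; the first check is exactly the mywebapp mismatch the post warns about.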



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3982698#3982698
