[jboss-user] [JBoss Portal] - Re: Single Signon - Where do I start

bmcgovern do-not-reply at jboss.com
Fri Nov 17 09:16:18 EST 2006


Thanvi -- I'm happy to help.  Everything I used came with the portal and is part of the JAAS spec, so you don't need to download anything.
I'm using the JBoss bundled portal and app server: app server v4.0.4GA and portal 2.4.

Before you start you need to figure out how you are going to authenticate.  Your choices are defined in $JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/META-INF/jboss-service.xml
You want to uncomment the following portion to allow each type of auth you are going to use.


  | <attribute name="Authenticators" serialDataType="jbxb">
  |   <java:properties xmlns:java="urn:jboss:java-properties"
  |       xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
  |       xs:schemaLocation="urn:jboss:java-properties resource:java-properties_1_0.xsd">
  |     <java:property>
  |       <java:key>BASIC</java:key>
  |       <java:value>org.apache.catalina.authenticator.BasicAuthenticator</java:value>
  |     </java:property>
  |     <java:property>
  |       <java:key>CLIENT-CERT</java:key>
  |       <java:value>org.apache.catalina.authenticator.SSLAuthenticator</java:value>
  |     </java:property>
  |     <java:property>
  |       <java:key>DIGEST</java:key>
  |       <java:value>org.apache.catalina.authenticator.DigestAuthenticator</java:value>
  |     </java:property>
  |     <java:property>
  |       <java:key>FORM</java:key>
  |       <java:value>org.apache.catalina.authenticator.FormAuthenticator</java:value>
  |     </java:property>
  |     <java:property>
  |       <java:key>NONE</java:key>
  |       <java:value>org.apache.catalina.authenticator.NonLoginAuthenticator</java:value>
  |     </java:property>
  |   </java:properties>
  | </attribute>
  | 

Next you want to set up the webapp to use one of the types of authentication.  I'm using FORM auth, which means I have to set up a JSP myself.

/yourwebapp/WEB-INF/web.xml

  | <login-config>
  |   <!-- use forms auth -->
  |   <auth-method>FORM</auth-method>
  |   <form-login-config>
  |     <!-- These pages are used for good/bad logins -->
  |     <form-login-page>/WEB-INF/app/login.jsp</form-login-page>
  |     <form-error-page>/WEB-INF/app/login.jsp</form-error-page>
  |   </form-login-config>
  |   <!-- This is the name of the login configuration that we'll define in the next portion -->
  |   <realm-name>teenfitauth</realm-name>
  | </login-config>
  | <security-role>
  |   <description>The role required to access restricted content</description>
  |   <!-- The name of the role that is granted access to this webapp.  This role is defined in the data store you use (I'm using a DB).
  |        Note: a double hyphen is not allowed inside an XML comment, so don't write "- -" in here. -->
  |   <role-name>User</role-name>
  | </security-role>
  | <security-constraint>
  |   <web-resource-collection>
  |     <!-- This is the name of the login configuration that we'll define in the next portion -->
  |     <web-resource-name>myauth</web-resource-name>
  |     <url-pattern>/public/*</url-pattern>
  |   </web-resource-collection>
  |   <auth-constraint>
  |     <!-- The name of the role that is granted access to this webapp.  This role is defined in the data store you use (I'm using a DB). -->
  |     <role-name>User</role-name>
  |   </auth-constraint>
  | </security-constraint>
  | 

The login form, /WEB-INF/app/login.jsp.  This is simple.

  | <form action="j_security_check" method="post">
  |   <b>ID Number:</b> <input type="text" name="j_username" value="" size="9" />
  |   <br />
  |   <b>Pass Code:</b> <input type="password" name="j_password" value="" size="25" />
  |   <p><input type="submit" value="Login" /></p>
  | </form>
  | 

Now the webapp knows to map the /public/* URI to my security constraint defined by the realm "myauth" and only allow users who belong to the User role.  The next steps set up the "myauth" realm and point it to the portal's DB for authentication.  Other documentation says this is done by setting up a login-config.xml file in your webapp's WEB-INF dir, but that did not work for me.  I had to put it in the container's login-config.xml.

$JBOSS_HOME/server/default/conf/login-config.xml
I added this.

  | <!-- ADDED BY BJM FOR SSO -->
  | <!-- the name of the policy / realm has to match what you defined above -->
  | <application-policy name="myauth">
  |   <authentication>
  |     <!-- use the db for auth.  there are other choices like UserLoginModule, and some others -->
  |     <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
  |       <module-option name="unauthenticatedIdentity">guest</module-option>
  |       <!-- this is the default data source -->
  |       <module-option name="dsJndiName">java:/PortalDS</module-option>
  |       <!-- this part tripped me up a lot.  I had to look at the actual source of DatabaseServerLoginModule to see what columns it was reading and how it needed the sql to be written.  All the docs I saw had very basic sql that was tied to 2 tables constructed exactly as the jaas spec states.  But that's not a real world example because for instance the portal's db isn't set up EXACTLY that way, so you can use a join to come up with the same structure -->
  |       <module-option name="principalsQuery">SELECT jbp_password FROM jbp_users WHERE jbp_uname=?</module-option>
  |       <module-option name="rolesQuery">SELECT jbp_roles.jbp_name, 'Roles' FROM jbp_role_membership INNER JOIN jbp_roles ON jbp_role_membership.jbp_rid = jbp_roles.jbp_rid INNER JOIN jbp_users ON jbp_role_membership.jbp_uid = jbp_users.jbp_uid WHERE jbp_users.jbp_uname=?</module-option>
  |     </login-module>
  |   </authentication>
  | </application-policy>
  | 

Now set up the servlet container to allow SSO.
$JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/server.xml
Uncomment the following line.

  | <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
  | 

Now create a directory in your webapp called /public, because that's what was defined as the protected URI.  By this point SSO should work for the webapp.  To get it to work for the portal as well, do this.

The portal is protected by default through JAAS.  It uses a realm named "portal".  So I replaced its definition with my realm definition so it uses my database the same way I defined for my webapp.

$JBOSS_HOME/server/default/deploy/jboss-portal.sar/conf/login-config.xml

Replace the current definition with:

  | <application-policy name="portal">
  |   <authentication>
  |     <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
  |       <module-option name="dsJndiName">java:/PortalDS</module-option>
  |       <module-option name="principalsQuery">SELECT jbp_password FROM jbp_users WHERE jbp_uname=?</module-option>
  |       <module-option name="rolesQuery">SELECT jbp_roles.jbp_name, 'Roles' FROM jbp_role_membership INNER JOIN jbp_roles ON jbp_role_membership.jbp_rid = jbp_roles.jbp_rid INNER JOIN jbp_users ON jbp_role_membership.jbp_uid = jbp_users.jbp_uid WHERE jbp_users.jbp_uname=?</module-option>
  |     </login-module>
  |   </authentication>
  | </application-policy>
  | 

Now the portal should use the same SSO, and when you log in to either the portal or the webapp you'll be logged into the other.

Turn on logging by editing $JBOSS_HOME/server/default/conf/log4j.xml:
change the CONSOLE appender Threshold from INFO to DEBUG.


Good luck!

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3986832#3986832

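As an added example (not from the original post or the JBoss project), the two queries from the login-config above are run against a constructed SQLite copy of the three portal tables, checking the row shapes DatabaseServerLoginModule reads: principalsQuery must yield the password in the first column of a single row per username, and rolesQuery must yield (role name, role group) pairs where only the 'Roles' group feeds the roles the auth-constraint checks. The table layout and the sample users are assumptions built only from the column names the queries use.

```python
import sqlite3

# Constructed miniature of the portal tables referenced by the queries
# (assumption: only the columns the two queries touch are modelled).
SCHEMA = """
CREATE TABLE jbp_users (jbp_uid INTEGER PRIMARY KEY, jbp_uname TEXT UNIQUE, jbp_password TEXT);
CREATE TABLE jbp_roles (jbp_rid INTEGER PRIMARY KEY, jbp_name TEXT UNIQUE);
CREATE TABLE jbp_role_membership (jbp_uid INTEGER, jbp_rid INTEGER);
INSERT INTO jbp_users VALUES (1, 'alice', 'pw-alice');   -- constructed sample users
INSERT INTO jbp_users VALUES (2, 'bob',   'pw-bob');
INSERT INTO jbp_roles VALUES (1, 'User');
INSERT INTO jbp_roles VALUES (2, 'Admin');
INSERT INTO jbp_role_membership VALUES (1, 1);           -- alice: User + Admin
INSERT INTO jbp_role_membership VALUES (1, 2);           -- bob: no roles at all
"""

# The exact queries from the login-config.xml above, '?' being the one bind variable.
PRINCIPALS_QUERY = "SELECT jbp_password FROM jbp_users WHERE jbp_uname=?"
ROLES_QUERY = (
    "SELECT jbp_roles.jbp_name, 'Roles' FROM jbp_role_membership "
    "INNER JOIN jbp_roles ON jbp_role_membership.jbp_rid = jbp_roles.jbp_rid "
    "INNER JOIN jbp_users ON jbp_role_membership.jbp_uid = jbp_users.jbp_uid "
    "WHERE jbp_users.jbp_uname=?"
)


def open_sample_db():
    """In-memory database seeded with the constructed schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_password(conn, username):
    """Mirror principalsQuery handling: no row means the user is unknown (login
    fails or falls back to unauthenticatedIdentity); the module reads column 1 of
    the first row, so a query returning several rows per user is a config bug."""
    rows = conn.execute(PRINCIPALS_QUERY, (username,)).fetchall()
    if not rows:
        return None
    if len(rows) != 1 or len(rows[0]) != 1:
        raise ValueError("principalsQuery must return exactly one row with one column")
    return rows[0][0]


def lookup_roles(conn, username):
    """Mirror rolesQuery handling: each row is (role, role group); only rows in the
    'Roles' group become the roles matched against <auth-constraint>."""
    roles = set()
    for name, group in conn.execute(ROLES_QUERY, (username,)):
        if group == "Roles":
            roles.add(name)
    return roles
```

A user with no membership rows (bob here) authenticates but gets an empty role set, so the /public/* constraint still denies him; that is the failure mode to look for when a login "succeeds" yet every protected page returns 403.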