gatein SVN: r8996 - in epp/docs/branches/6.0/Reference_Guide/en-US: modules and 1 other directory.
by do-not-reply@jboss.org
Author: aakanksha_writer
Date: 2012-12-12 09:59:10 -0500 (Wed, 12 Dec 2012)
New Revision: 8996
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml
epp/docs/branches/6.0/Reference_Guide/en-US/modules/WSRP.xml
Log:
bug 856432 resolved
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml
===================================================================
--- epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2012-12-12 06:55:47 UTC (rev 8995)
+++ epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2012-12-12 14:59:10 UTC (rev 8996)
@@ -8,6 +8,21 @@
<simpara>
<revhistory>
<revision>
+ <revnumber>6.0.0-19</revnumber>
+ <date>Mon Dec 12 2012</date>
+ <author>
+ <firstname>Aakanksha</firstname>
+ <surname>Singh</surname>
+ <email/>
+ </author>
+ <revdescription>
+ <simplelist>
+ <member>BZ#856432 - Added WSRP content related to CXF and WS-Security from https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP</member>
+ </simplelist>
+ </revdescription>
+ </revision>
+
+ <revision>
<revnumber>6.0.0-18</revnumber>
<date>Mon Dec 11 2012</date>
<author>
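Review bot: the weekday in the new entry's date element, "Mon Dec 12 2012", is wrong; the commit header above records Wed, 12 Dec 2012, so the entry should read "Wed Dec 12 2012" (the unchanged 6.0.0-18 entry below it has the same problem, since 11 Dec 2012 was a Tuesday). The empty <email/> element renders as a blank author field; either fill it in or omit it.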
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/modules/WSRP.xml
===================================================================
--- epp/docs/branches/6.0/Reference_Guide/en-US/modules/WSRP.xml 2012-12-12 06:55:47 UTC (rev 8995)
+++ epp/docs/branches/6.0/Reference_Guide/en-US/modules/WSRP.xml 2012-12-12 14:59:10 UTC (rev 8996)
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!-- This document was created with Syntext Serna Free. --><!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "../Reference_Guide.ent">
%BOOK_ENTITIES;
]>
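Review bot: the comment "<!-- This document was created with Syntext Serna Free. -->" inserted in front of the DOCTYPE is an editor artifact rather than documentation content and should be dropped from the commit, so the prolog stays as it was: the XML declaration followed directly by the DOCTYPE declaration.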
@@ -159,15 +159,11 @@
<para>
Of course, if you have modified the host name and port on which your server runs, you will
need to
- update the configuration for the consumer used to consume JBoss Portal Platform's 'self' producer. Please refer to
- the
- <xref linkend="consumer_configuration"/>
- to learn how to do so.
- </para>
+ update the configuration for the consumer used to consume JBoss Portal Platform's 'self' producer. </para>
</section>
</section>
<section>
- <title>Securing WSRP</title>
+ <title><remark>BZ#856432</remark>Securing WSRP</title>
<section>
<title>Considerations to use WSRP with SSL</title>
<para>
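Review bot: removing the <xref linkend="consumer_configuration"/> leaves the reader with no pointer to where the 'self' consumer is reconfigured; the sentence now just states that the configuration must be updated and ends with a stray space before </para>. If the consumer_configuration id really has to go (it is deleted further down in this patch), replace the xref with the target section's title in plain text instead of dropping the reference. Also, putting <remark>BZ#856432</remark> inside <title> matches the existing BZ#839355 convention in this file, but check that the publishing build suppresses remarks so the bug number does not appear in the rendered heading.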
@@ -213,36 +209,91 @@
<section id="wss_configuration">
<title><remark>BZ#839355</remark>WS-Security Configuration</title>
<para>
-JBoss Portal Platform uses JBossWS Native to handle ws-security (refer to the <citetitle>Web Services</citetitle> section of the
-<citetitle>JBoss Enterprise Application Platform 5 Administration and Configuration Guide</citetitle>. Note that since the consumer passes its credentials to the producer, the consumer acts as the wss client and the producer acts as the wss server.
+JBoss Portal Platform uses JBossWS CXF instead of the JBossWS Native to handle ws-security. Due to these changes, the configuration for WS-Security with JBoss Portal Platform on JBoss Enterprise Application Platform is changed. </para>
+ <note>
+ <para>We only support one ws-security configuration option for the producer. All consumers accessing the producer will have to conform to this security constraint. This means if the producer requires encryption, all consumers will be required to encrypt their messages when accessing the producer.
+</para>
+ <para>
+We only support one ws-security configuration option to be used by all the consumers. A consumer has the option to enable or disable ws-security, which allows for one or more consumers to use ws-security while the others do not.</para>
+ </note>
+ <para>Note that since the consumer passes its credentials to the producer, the consumer acts as the wss client and the producer acts as the wss server.
</para>
- <para> The following are the JBossWS Native configuration files which need to be configure for WSRP:
- </para>
+ <para>CXF uses interceptors to extend and configure its behaviour. There are two main types of interceptors: inInterceptors and outInterceptors. </para>
+ <para>InInterceptors are invoked for communication coming into the client or server, while outInterceptors are invoked when the client or server sends a message.
+
+So for the WSRP, the communication from the consumer to the producer is governed by the consumer's OutInterceptor and the producer's InIntereceptor. </para>
+ <para>The communication from the producer to the consumer is governed by the producer's OutInterceptor and the consumer's InInterceptor. This means having to configure four Interceptors.</para>
+ <para>Important points to be considered while dealing with WS-Security</para>
<itemizedlist>
<listitem>
- <para>JBossWS
- configuration file for the consumer.
- </para>
- <para>
- <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE/</replaceable>conf/gatein/gatein-wsse-consumer.xml</filename></para>
+ <para>In case of user propagation, only the consumer sends the user credentials to the producer. So Username Tokens only need to be configured for the consumer's OutInterceptor and the producer's InInterceptor.</para>
+ <para>For encryption, you will most likely want to encrypt the message from the consumer to the producer and also the message from the producer to the consumer. This means that encryption properties must be configured for all four interceptors.</para>
</listitem>
- <listitem>
- <para>JBossWS configuration file for the producer.
- </para>
- <para>
- <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/conf/gatein/gatein-wsse-producer.xml </filename></para>
- </listitem>
</itemizedlist>
+ <para>For more details on types of interceptors refer</para>
+ <para><ulink url="http://cxf.apache.org/docs/interceptors.html"/></para>
+ <para>To support ws-security, JBoss Portal Platform uses CXF's WSS4J Interceptors which handle all ws-security related tasks, for more details on CXF documentation refer</para>
+ <para><ulink url="http://cxf.apache.org/docs/ws-security.html"/></para>
</section>
<section>
- <title>WS-Security Producer Configuration</title>
- <para>
- Other than the JBossWS configuration file mention above, no other configuration changes should be necessary
- for the producer.
- </para>
+ <title>WSS4J Interceptors and WSRP</title>
+ <para>The WSS4J Interceptors are configured using using simple property files.
+
+WSRP looks for specific property files to know whether or not in/out interceptors must be added and configured for either consumers or producer. </para>
+ <para>Theses files are located in the standalone/configuration/jpp/wsrp/cxf/ws-security directory of your the JBoss Enterprise Application Server 6 home directory. </para>
+ <para>Consumer-specific files are in the consumer subdirectory while producer-specific files should be located in the producer subdirectory. To add and configure a WSS4J interceptor, you just need to add the proper configuration file in the proper directory. If no configuration file is found for a specific interceptor type, then no such interceptor will be added. </para>
+ <para>"In" interceptors are configured using WSS4JInInterceptor.properties files while "out" interceptors are configured using WSS4JOutInterceptor.properties files.
+</para>
+ <table frame="all">
+ <title>Files needed to configure interceptor for WSRP</title>
+ <tgroup cols="3" align="justify">
+ <colspec colnum="1" colname="c1" colwidth="100"/>
+ <colspec colnum="2" colname="c2" colwidth="150"/>
+ <colspec colnum="3" colname="c3" colwidth="400"/>
+ <thead>
+ <row>
+ <entry>Side</entry>
+ <entry>Interceptor Type</entry>
+ <entry>Configuration File</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>Consumer</entry>
+ <entry>IN</entry>
+ <entry>standalone/configuration/gatein/wsrp/cxf/ws-security/consumer/WSS4JInInterceptor.properties</entry>
+ </row>
+ <row>
+ <entry/>
+ <entry>OUT</entry>
+ <entry>standalone/configuration/gatein/wsrp/cxf/ws-security/consumer/WSS4JOutInterceptor.properties </entry>
+ </row>
+ <row>
+ <entry>Producer</entry>
+ <entry>IN</entry>
+ <entry>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/WSS4JInInterceptor.properties </entry>
+ </row>
+ <row>
+ <entry/>
+ <entry>OUT</entry>
+ <entry>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/WSS4JOutInterceptor.properties </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <para>Please refer to the CXF or WSS4J documentation for instructions and options available for each type of interceptors.</para>
+ <section>
+ <title>User Propagation</title>
+ <para>User propagation can be configured to be used over WSRP with ws-security. What this means is that a user logged into a consumer can have their credentials propagated over to the producer. This allows the producer to authenticate the user and any portlet on the producer (a remote portlet from the consumer's perspective) will view the user as being properly authenticated. This allows for remote portlets to access things like user information.</para>
+ <para><note>
+ <para>This only works if the user's credentials on the producer and consumer are the same. This may require using a common authentication mechanism, such as LDAP.</para>
+ <para>This requires some special options when configuring the producer and server.</para>
+ </note></para>
+ </section>
</section>
<section>
<title><remark>BZ#839355</remark>WS-Security Consumer Configuration</title>
+ <para>To configure ws-security on the consumer side, configure the WSS4JInInterceptor and/or WSS4JOutInterceptor.</para>
<para>In the WSRP Configuration portlet <guilabel>Consumers Configuration</guilabel> options, check the 'Enable WS Security' checkbox if you want credentials to be sent to the producer.
</para>
<note>
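Review bot: the directory given in prose, standalone/configuration/jpp/wsrp/cxf/ws-security, does not match the paths in the table that follows, which all start with standalone/configuration/gatein/wsrp/cxf/ws-security; one of the two is wrong, and an administrator who follows the prose will create property files that the server never reads, silently leaving the interceptors unconfigured. Settle on the correct path and use it everywhere. Further points in this hunk: the two paragraphs of the first note both open "We only support one ws-security configuration option", and the second then says consumers may enable or disable it individually, so it should be reworded to say that the single consumer configuration is shared but each consumer chooses whether to use it. In the User Propagation note, "special options when configuring the producer and server" presumably means "producer and consumer". Typos and wording: "InIntereceptor", "configured using using", "Theses files", "your the JBoss Enterprise Application Server 6 home directory" (the product is JBoss Enterprise Application Platform 6), and the dangling "For more details on types of interceptors refer" and "for more details on CXF documentation refer" sentences, which should read "refer to" with the link placed inline.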
@@ -253,7 +304,465 @@
<imagedata align="center" valign="middle" scalefit="1" fileref="images/WSRP/config_wss_selected.png" format="PNG"/>
</imageobject>
</mediaobject>
+ <section>
+ <title>Special JBoss Portal Platform Configuration Options for User Propagation</title>
+ <para>In order to handle user propagation in GateIn Portal across ws-security, a couple of special configuration options have been created which should be applied to the consumer's WSS4JOutInterceptor.</para>
+ <section>
+ <title>Custom 'user' option</title>
+ <para><informalexample>
+ <programlisting>user=gtn.current.user</programlisting>
+ <para>This option sets the 'user' property to the currently authenticated user on the consumer.</para>
+ </informalexample></para>
+ </section>
+ <section>
+ <title>Custom 'action' option</title>
+ <para><informalexample>
+ <programlisting>action=gtn.UsernameToken.ifCurrentUserAuthenticated</programlisting>
+ <para>If a user is currently authenticated, it will replace the 'gtn.UsernameToken.ifCurrentUserAuthenticated' with 'UsernameToken'. If the current user is an unauthenticated user, 'gtn.UsernameToken.ifCurrentUserAuthenticated' will be removed from the action list. If no other actions are specified, then the WSS4J interceptor will not be added to the consumer. This allows you to only use ws-security when dealing with authenticated users, and not for anonymous users.</para>
+ </informalexample><note>
+ <para>This requires that the user option is set to 'gtn.current.user'</para>
+ </note></para>
+ </section>
+ <section>
+ <title>Custom PasswordCallbackClass</title>
+ <para>To set the password for the username token, we need to specify the password in a callback class. See the cxf ws-security documentation for more details <ulink url="http://cxf.apache.org/docs/ws-security.html"/></para>
+ <para>A special callback class has already been created which handles this for you: CurrentUserPasswordCallback. This class will retrieve the currently authenticated user's password and set this as the password in the callback object.</para>
+ <para><informalexample>
+ <programlisting>passwordCallbackClass=org.gatein.wsrp.wss.cxf.consumer.CurrentUserPasswordCallback</programlisting>
+ </informalexample></para>
+ </section>
+ </section>
</section>
+ <section>
+ <title>WS-Security Producer Configuration</title>
+ <para>
+The configuration of the producer is similar to that of the consumer. It also requires having to configure the WSS4JInInterceptor and/or WSS4JOutInterceptor.
+ </para>
+ <section>
+ <title>Special GateIn Portal Configuration Options for User Propagation</title>
+ <para>
+ To properly propagate user information on the producer-side, you will need to use GTNSubjectCreatingInterceptor instead of a regular WSS4JInInterceptor. This GateIn Portal specific "in" interceptor is an extension of the traditional WSS4JInInterceptor and therefore can be configured similarly and accept the same configuration properties. To specify that you want to use the GTNSubjectCreatingInterceptor, please create a property file at
+ <code>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/GTNSubjectCreatingInterceptor.properties</code>
+ instead of the regular WSS4JInInterceptor.properties file.
+ </para>
+ <para>This Interceptor will handle the ws-security headers and retrieve the users credentials. It will then use these credentials to perform a login on the producer site, thus authenticating the user on the producer and makes the user available to remote portlets.</para>
+ <note>
+ <para>This class also extends org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingInterceptor and can accept the same properties this class normally accepts. See the JBossWS documentation for options and more information.</para>
+ </note>
+ </section>
+ <section>
+ <title>Custom 'action' option</title>
+ <informalexample>
+ <programlisting>action=gtn.UsernameToken.ifAvailable</programlisting>
+ </informalexample>
+ <para>When this option is activated, the interceptor will set the action to 'UsernameToken' when the received SOAP message contains ws-security headers. If no ws-security header is included in the message, then no action is taken and the interceptor is not run. This is useful for dealing with authenticated and unauthentcated users trying to access the producer.</para>
+ </section>
+ </section>
+ <section>
+ <title>Sample Configuration using the UsernameToken and User Propagation</title>
+ <warning>
+ <para>This example configuration does not encrypt the message. This means the username and password will be sent between the producer and consumer in plain text. This is a security concern and is only being shown as a simple example. It is up to administrators to properly configure the WSS4J Interceptors to encrypt messages or to only use https communication between the producer and consumer.</para>
+ </warning>
+ <section>
+ <title>Producer Setup</title>
+ <orderedlist>
+ <listitem>
+ <para>
+ create the following file:
+ <code>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/GTNSubjectCreatingInterceptor.properties</code>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ set the content of
+ <code>GTNSubjectCreatingInterceptor.properties</code>
+ created in step 1 to:
+ </para>
+ <informalexample>
+ <programlisting>action=gtn.UsernameToken.ifAvailable</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>start the producer server</para>
+ </listitem>
+ </orderedlist>
+ <section>
+ <title>Sample Configuration Securing the Endpoints using Encryption and Signing</title>
+ <para>The following steps outline how to configure the producer and consumer to encrypt and sign SOAP messages passed between the producer and consumer. This example only deals with SOAP messages being sent between the producer and consumer, and not with user propagation.</para>
+ <note>
+ <para>
+ Some of the configuration options specified here are based on the content at
+ <ulink url="http://cxf.apache.org/docs/ws-security.html"/>
+ and
+ <ulink url="http://www.jroller.com/gmazza/entry/cxf_x509_profile"/>
+ More information may be available at these sites.
+ </para>
+ </note>
+ </section>
+ </section>
+ <section>
+ <title>Consumer Setup</title>
+ <orderedlist>
+ <listitem>
+ <para>
+ create the following file:
+ <code>standalone/configuration/gatein/wsrp/cxf/ws-security/consumer/WSS4JOutInterceptor.properties</code>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ set the content of the
+ <code>WSS4JOutInterceptor.properties</code>
+ created in step 1 to:
+ </para>
+ <informalexample>
+ <programlisting>passwordType=PasswordText
+user=gtn.current.user
+action=gtn.UsernameToken.ifCurrentUserAuthenticated
+passwordCallbackClass=org.gatein.wsrp.wss.cxf.consumer.CurrentUserPasswordCallback</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>start the consumer server</para>
+ </listitem>
+ <listitem>
+ <para>in the WSRP admin portlet, click the 'enable ws-security' checkbox</para>
+ </listitem>
+ <listitem>
+ <para>access a remote portlet (for example, the user identity portlet included as an example portlet in GateIn Portal) and verify that the authenticated user is the same as the one on the consumer</para>
+ </listitem>
+ </orderedlist>
+ </section>
+ </section>
+ <section>
+ <title>Sample Configuration Securing the Endpoints using Encryption and Signing</title>
+ <para>The following steps outline how to configure the producer and consumer to encrypt and sign SOAP messages passed between the producer and consumer. This example only deals with SOAP messages being sent between the producer and consumer, and not with user propagation.</para>
+ <note>
+ <para>
+ Some of the configuration options specified here are based on the content at
+ <ulink url="http://cxf.apache.org/docs/ws-security.html"/>
+ and
+ <ulink url="http://www.jroller.com/gmazza/entry/cxf_x509_profile"/>
+ More information may be available at these sites.
+ </para>
+ </note>
+ <section>
+ <title>Password Callback Class</title>
+ <para>WSS4J uses a Java class to specify the password when performing any security related actions. For the purpose of these encryption and signing examples, we will use the same password for the producer's and consumer's keystore (wsrpAliasPassword). This simplifies things a bit as it means we can use just one password callback class for both the producer and consumer.</para>
+ <para>
+ Example
+ <code>test.TestCallbackHandler</code>
+ class:
+ </para>
+ <informalexample>
+ <programlisting>package test;
+ 
+import java.io.IOException;
+ 
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+ 
+import org.apache.ws.security.WSPasswordCallback;
+import org.gatein.wsrp.wss.cxf.consumer.CurrentUserPasswordCallback;
+ 
+public class TestCallbackHandler implements CallbackHandler
+{
+ 
+    @Override
+    public void handle(Callback[] callbacks) throws IOException,
+            UnsupportedCallbackException
+    {
+ 
+        //First check if we have any user name token call backs to add.
+        //NOTE: only needed if using username tokens, and you want the currently authenticated users password added
+        CurrentUserPasswordCallback currentUserPasswordCallback = new CurrentUserPasswordCallback();
+        currentUserPasswordCallback.handle(callbacks);
+ 
+        for (Callback callback: callbacks)
+        {
+            if (callback instanceof WSPasswordCallback)
+            {
+                WSPasswordCallback wsPWCallback = (WSPasswordCallback)callback;
+                // since the CurrentUserPasswordCallback already handles the USERNAME_TOKEN case, we don't want to set it in this case
+                if (wsPWCallback.getUsage() != WSPasswordCallback.USERNAME_TOKEN)
+                {
+                    wsPWCallback.setPassword("wsrpAliasPassword");
+                }
+            }
+        }
+    }
+}</programlisting>
+ </informalexample>
+ <note>
+ <para>
+ CallbackHandler implementations are provided to GateIn Portal using the standard Java
+ <ulink url="http://docs.oracle.com/javase/6/docs/api/java/util/ServiceLoader.html">ServiceLoader</ulink>
+ infrastructure. As such, CallbackHandler implementations need to be bundled in a jar containing a file
+ <code>META-INF/services/javax.security.auth.callback.CallbackHandler</code>
+ specifying the fully qualified name of the CallbackHandler implementation class. This jar then needs to be put in the
+ <code>gatein/extensions</code>
+ directory of your GateIn Portal installation.
+ </para>
+ </note>
+ <para>
+ You can see a working example of a CallbackHandler implentation at
+ <ulink url="https://github.com/gatein/gatein-wsrp/tree/master/examples/wss-callback"/>
+ </para>
+ </section>
+ <section>
+ <title>Configuring the Keystores</title>
+ <note>
+ <para>In this example we are making it a bit easier by specifying the same keystore password for both the producer and consumer, as they can use the same password callback class.</para>
+ </note>
+ <orderedlist>
+ <listitem>
+ <para>Generate the producer's private encryption keys</para>
+ <informalexample>
+ <programlisting>keytool -genkey -alias producerAlias -keypass wsrpAliasPassword -keystore producer.jks -storepass keyStorePassword -dname "cn=producerAlias" -keyalg RSA</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>Export the producer's public key</para>
+ <informalexample>
+ <programlisting>keytool -export -alias producerAlias -file producerkey.rsa -keystore producer.jks -storepass keyStorePassword</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>Generate the consumer's private encryption keys</para>
+ <informalexample>
+ <programlisting>keytool -genkey -alias consumerAlias -keypass wsrpAliasPassword -keystore consumer.jks -storepass keyStorePassword -dname "cn=consumerAlias" -keyalg RSA</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>Export the consumer's public key</para>
+ <informalexample>
+ <programlisting>keytool -export -alias consumerAlias -file consumerkey.rsa -keystore consumer.jks -storepass keyStorePassword</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>Import the consumer's public key into the producer's keystore</para>
+ <informalexample>
+ <programlisting>keytool -import -alias consumerAlias  -file consumerkey.rsa -keystore producer.jks -storepass keyStorePassword -noprompt</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>Import the producer's public key into the consumer's keystore</para>
+ <informalexample>
+ <programlisting>keytool -import -alias producerAlias  -file producerkey.rsa -keystore consumer.jks -storepass keyStorePassword -noprompt</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>
+ Copy the
+ <code>producer.jks</code>
+ file to the
+ <code>standalone/configuration/gatein/wsrp/cxf/ws-security/producer</code>
+ directory on the producer
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Copy the
+ <code>consumer.jks</code>
+ file to the
+ <code>standalone/configuration/gatein/wsrp/cxf/ws-security/consumer</code>
+ directory on the consumer
+ </para>
+ </listitem>
+ </orderedlist>
+ </section>
+ <section>
+ <title>Configuring the Producer</title>
+ <orderedlist>
+ <listitem>
+ <para>
+ Create
+ <code>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/WSS4JInInterceptor.properties</code>
+ with the following content. This will configure the incoming message between the producer and the consumer
+ </para>
+ <informalexample>
+ <programlisting>action=Signature Encrypt Timestamp
+signaturePropFile=producer-security.properties
+decryptionPropFile=producer-security.properties
+passwordCallbackClass=test.TestCallbackHandler</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>
+ Create
+ <code>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/WSS4JOutInterceptor.properties</code>
+ with the following content. This will configure the outgoing message between the producer and the consumer
+ </para>
+ <informalexample>
+ <programlisting>action=Signature Encrypt Timestamp
+signaturePropFile=producer-security.properties
+encryptionPropFile=producer-security.properties
+passwordCallbackClass=test.TestCallbackHandler
+user=producerAlias
+encryptionUser=consumerAlias
+signatureUser=producerAlias</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>
+ Create
+ <code>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/producer-security.properties</code>
+ with the following content:
+ </para>
+ <informalexample>
+ <programlisting>org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=keyStorePassword
+org.apache.ws.security.crypto.merlin.file=producer.jks</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>
+ The
+ <code>passwordCallbackClass</code>
+ property in these configuration files needs to match the fully qualified name of your CallbackHandler implementation class. In our case, it is
+ <code>test.TestCallbackHandler</code>
+ .
+ </para>
+ </listitem>
+ </orderedlist>
+ </section>
+ <section>
+ <title>Configuring the Consumer</title>
+ <orderedlist>
+ <listitem>
+ <para>
+ Create standalone/
+ <code>configuration/gatein/wsrp/cxf/ws-security/consumer/WSS4JOutInterceptor.properties</code>
+ with the following content. This will configure the outgoing message between the consumer and the producer
+ </para>
+ <informalexample>
+ <programlisting>action=Signature Encrypt Timestamp
+signaturePropFile=consumer-security.properties
+encryptionPropFile=consumer-security.properties
+passwordCallbackClass=test.TestCallbackHandler
+user=consumerAlias
+encryptionUser=producerAlias
+signatureUser=consumerAlias</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>
+ Create standalone/
+ <code>configuration/gatein/wsrp/cxf/ws-security/consumer/WSS4JInInterceptor.properties</code>
+ with the following content. This will configure the incoming message between the consumer and the producer
+ </para>
+ <informalexample>
+ <programlisting>action=Signature Encrypt Timestamp
+signaturePropFile=consumer-security.properties
+decryptionPropFile=consumer-security.properties
+passwordCallbackClass=test.TestCallbackHandler</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>Create standalone/configuration/gatein/wsrp/cxf/ws-security/consumer/consumer-security.properties with the following content:</para>
+ <informalexample>
+ <programlisting>org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=keyStorePassword
+org.apache.ws.security.crypto.merlin.file=consumer.jks</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>
+ The
+ <code>passwordCallbackClass</code>
+ property in these configuration files needs to match the fully qualified name of your CallbackHandler implementation class. In our case, it is
+ <code>test.TestCallbackHandler</code>
+ .
+ </para>
+ </listitem>
+ </orderedlist>
+ </section>
+ </section>
+ <section>
+ <title>Sample Configuration using UsernameToken, Encryption and Signing with User Propagation</title>
+ <para>The following setps outline how to configure the producer and consumer to encrypt and sign the soap message as well as use user propagation between the producer and consumer.</para>
+ <section>
+ <title>Configure the Producer</title>
+ <para>
+ Follow the steps outlined in the
+ Sample Configuration Securing the Endpoints using Encryption and Signing
+ section but make the following changes:
+ </para>
+ <orderedlist>
+ <listitem>
+ <para>
+ rename the
+ <code>WSS4JInInterceptor.properties</code>
+ file to
+ <code>GTNSubjectCreatingInterceptor.properties</code>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ set the action property in
+ <code>GTNSubjectCreatingInterceptor.properties</code>
+ as:
+ </para>
+ <informalexample>
+ <programlisting>action= gtn.UsernameToken.ifAvailable Signature Encrypt Timestamp</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>
+ set the passwordType in
+ <code>GTNSubjectCreatingInterceptor.properties</code>
+ as:
+ </para>
+ <informalexample>
+ <programlisting>passwordType=PasswordText</programlisting>
+ </informalexample>
+ </listitem>
+ </orderedlist>
+ </section>
+ <section id="sid-54264620_SecuringWSRP-ConfiguretheConsumer">
+ <title>Configure the Consumer</title>
+ <para>
+ Follow the steps outlined in the
+ Sample Configuration Securing the Endpoints using Encryption and Signing
+ section but make the following changes:
+ </para>
+ <orderedlist>
+ <listitem>
+ <para>
+ set the action property in
+ <code>WSS4JOutInterceptor.properties</code>
+ as:
+ </para>
+ <informalexample>
+ <programlisting>action=gtn.UsernameToken.ifCurrentUserAuthenticated Signature Encrypt Timestamp</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>
+ set the user in the
+ <code>WSS4JOutInterceptor.properties</code>
+ as:
+ </para>
+ <informalexample>
+ <programlisting>user=gtn.current.user</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>
+ set the passwordType in the
+ <code>WSS4JOutInterceptor.properties</code>
+ as:
+ </para>
+ <informalexample>
+ <programlisting>passwordType=PasswordText</programlisting>
+ </informalexample>
+ </listitem>
+ </orderedlist>
+ </section>
+ </section>
</section>
</section>
<section>
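Review bot: the section "Sample Configuration Securing the Endpoints using Encryption and Signing" appears twice: an empty copy (title, introductory paragraph and note, but no steps) is nested inside the "Producer Setup" section of the UsernameToken example, and the complete one follows as a sibling section. The nested copy is a paste error and should be removed, otherwise the table of contents will show two identical headings. In "Configuring the Consumer" both file paths are written as "Create standalone/" followed by <code>configuration/gatein/...</code>, so the rendered path breaks after "standalone/"; move "standalone/" inside the <code> element as the producer steps do. The line "action= gtn.UsernameToken.ifAvailable Signature Encrypt Timestamp" has a space after the equals sign; it is tolerated by Java properties parsing but differs from every other listing, so drop it. The TestCallbackHandler sample hard-codes "wsrpAliasPassword" as a string literal, and the UsernameToken example relies on passwordType=PasswordText; the warning covers the plaintext password on the wire, but the Password Callback Class section should also state that a production handler must obtain the key password from protected configuration rather than from source. Typos: "unauthentcated", "implentation", "setps".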
@@ -372,7 +881,7 @@
<para>WSRP Producers vary a lot as far as how they are configured. Most of them require that you specify
the URL for the Producer's WSDL definition. Please refer to the remote producer's documentation for specific
instructions. For instructions on how to do so in JBoss Portal Platform, please refer to
- <xref linkend="consumer_configuration"/>.
+ Consumer Configuration.
</para>
<para>
JBoss Portal Platform's Producer is automatically set up when you deploy a portal instance with the WSRP service.
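Review bot: replacing <xref linkend="consumer_configuration"/> with the literal text "Consumer Configuration." points the reader at a heading that does not exist; the target section, in this same patch, is titled "Consuming remote WSRP portlets in JBoss Portal Platform". Either keep the id and the xref so the build resolves the title automatically, or quote the actual title.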
@@ -385,7 +894,7 @@
and the default port is 8080.
</para>
</section>
- <section id="consumer_configuration">
+ <section>
<title>Consuming remote WSRP portlets in JBoss Portal Platform</title>
<section>
<title>Overview</title>
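Review bot: deleting id="consumer_configuration" is what forced the two xref removals elsewhere in this patch; an id costs nothing to keep, and without it no other chapter can link to this section. Unless it clashes with another element id, restore it and keep the xrefs.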
@@ -400,7 +909,7 @@
Application Registry to be added to categories and then to pages.
</para>
</section>
- <section id="consumer_gui">
+ <section>
<title>Configuring a remote producer using the configuration portlet</title>
<para>
This section will cover the steps of defining access to a remote producer using the configuration portlet so that its portlets can be
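Review bot: the same point as for consumer_configuration applies here: removing id="consumer_gui" breaks the <xref linkend="consumer_gui"/> at the end of this file, which the patch then replaces with raw text. Keep the id so that reference can stay an xref.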
@@ -524,7 +1033,7 @@
</mediaobject>
</para>
</section>
- <section id="consumer_xml">
+ <section>
<title>Configuring access to remote producers via XML</title>
<para>While it is recommended you use the WSRP Configuration portlet to configure Consumers, the component provides an
alternative way to configure consumers by adding an XML file called
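Review bot: id="consumer_xml" is removed without replacement; none of the visible hunks reference it, but stable ids on configuration sections are what let release notes and other guides link to them, so there is no gain in dropping it.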
@@ -655,7 +1164,7 @@
<para>
This file contains the default configuration and you should not need to edit it. If you want to make
modifications to it, it is recommended that you follow the procedure detailed in
- <xref linkend="consumer_gui"/>.
+consumer_gui .
</para>
</note>
</para>
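Review bot: the replacement text "consumer_gui ." exposes the internal anchor name to the reader and carries a stray space before the period. It should either be the section's title, "Configuring a remote producer using the configuration portlet", or, better, the original xref with the consumer_gui id restored. The added line also lost the indentation of the surrounding lines.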
gatein SVN: r8995 - epp/docs/branches/6.0/Release_Notes/en-US.
by do-not-reply@jboss.org
Author: rdickens
Date: 2012-12-12 01:55:47 -0500 (Wed, 12 Dec 2012)
New Revision: 8995
Added:
epp/docs/branches/6.0/Release_Notes/en-US/Components.xml
epp/docs/branches/6.0/Release_Notes/en-US/Introduction.xml
Modified:
epp/docs/branches/6.0/Release_Notes/en-US/Known_Issues.xml
epp/docs/branches/6.0/Release_Notes/en-US/New_Features.xml
epp/docs/branches/6.0/Release_Notes/en-US/Release_Notes.xml
epp/docs/branches/6.0/Release_Notes/en-US/Resolved_Issues.xml
epp/docs/branches/6.0/Release_Notes/en-US/Unsupported_Features.xml
Log:
Rough draft of Release Notes for review
Added: epp/docs/branches/6.0/Release_Notes/en-US/Components.xml
===================================================================
--- epp/docs/branches/6.0/Release_Notes/en-US/Components.xml (rev 0)
+++ epp/docs/branches/6.0/Release_Notes/en-US/Components.xml 2012-12-12 06:55:47 UTC (rev 8995)
@@ -0,0 +1,94 @@
+<?xml version='1.0'?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="components">
+ <title>Components</title>
+ <remark>Updated table from https://docspace.corp.redhat.com/docs/DOC-68705 (version 34)</remark>
+ <table frame="all" pgwide="1">
+ <title>Component Versions</title>
+ <tgroup cols="2" colsep="1">
+ <colspec colnum="1"/>
+ <colspec colnum="2"/>
+ <thead>
+ <row>
+ <entry>Component</entry>
+ <entry>Version</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>JBoss Enterprise Application Platform</entry>
+ <entry>6.0.1GA</entry>
+ </row>
+ <row>
+ <entry>eXo kernel</entry>
+ <entry>2.4.0-CR2</entry>
+ </row>
+ <row>
+ <entry>eXo Core</entry>
+ <entry>2.5.0-CR2</entry>
+ </row>
+ <row>
+ <entry>eXo WS</entry>
+ <entry>2.3.0-CR2</entry>
+ </row>
+ <row>
+ <entry>eXo JCR</entry>
+ <entry>1.15.0-CR2</entry>
+ </row>
+ <row>
+ <entry>GateIn Common</entry>
+ <entry>2.1.0.Final 2.1.0.Beta01</entry>
+ </row>
+ <row>
+ <entry>GateIn dep</entry>
+ <entry>1.2.0.Final-redhat-1 1.2.0.Beta01</entry>
+ </row>
+ <row>
+ <entry>GateIn Management</entry>
+ <entry>1.1.0.CR4</entry>
+ </row>
+ <row>
+ <entry>GateIn MOP</entry>
+ <entry>1.2.0.CR01</entry>
+ </row>
+ <row>
+ <entry>GateIn Parent</entry>
+ <entry>1.2.0.Final-redhat-1 1.2.0.Beta01</entry>
+ </row>
+ <row>
+ <entry>GateIn PC</entry>
+ <entry>2.4.0.CR01</entry>
+ </row>
+ <row>
+ <entry>GateIn shindig</entry>
+ <entry>2.0.2.Final-gatein-3</entry>
+ </row>
+ <row>
+ <entry>GateIn Simple Captcha</entry>
+ <entry>1.1.1.Final-gatein-3</entry>
+ </row>
+ <row>
+ <entry>GateIn SSO</entry>
+ <entry>1.3.0.CR03</entry>
+ </row>
+ <row>
+ <entry>GateIn WCI</entry>
+ <entry>2.3.0.CR03</entry>
+ </row>
+ <row>
+ <entry>GateIn WSRP</entry>
+ <entry>2.2.0.CR03</entry>
+ </row>
+ <row>
+ <entry>PicketLink IDM</entry>
+ <entry>1.4.0.M03</entry>
+ </row>
+ <row>
+ <entry>Portlet Bridge</entry>
+ <entry>3.1.0.Final</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+</chapter>
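Review bot: the Version cells for GateIn Common ("2.1.0.Final 2.1.0.Beta01"), GateIn dep and GateIn Parent ("1.2.0.Final-redhat-1 1.2.0.Beta01") each carry two version strings, which reads as an unresolved merge from the source spreadsheet; each row should state exactly one shipped version. Also "6.0.1GA" for JBoss Enterprise Application Platform lacks the separator used by every other entry in the table. The `<remark>` pointing at the internal docspace URL is fine for a draft but should not survive into the published build.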
Added: epp/docs/branches/6.0/Release_Notes/en-US/Introduction.xml
===================================================================
--- epp/docs/branches/6.0/Release_Notes/en-US/Introduction.xml (rev 0)
+++ epp/docs/branches/6.0/Release_Notes/en-US/Introduction.xml 2012-12-12 06:55:47 UTC (rev 8995)
@@ -0,0 +1,25 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY % BOOK_ENTITIES SYSTEM "Release_Notes.ent">
+%BOOK_ENTITIES;
+]>
+<chapter id="Introduction">
+ <title>Introduction</title>
+ <para>Welcome to JBoss Portal Platform 6. As you become familiar with the newest version of JBoss Portal Platform, these Release Notes provide you with information about new features, newly-resolved issues, and known issues. Use this document in conjunction with the entire JBoss Portal Platform 6 suite of documentation, available at http://docs.redhat.com/ .</para>
+
+ <section>
+ <title>Beta Participants</title>
+ <para>Thank you for participating in the JBoss Enterprise Application Platform 6 Beta evaluation program. Your feedback is valuable. To assist you with your evaluation, please take the time to review the sections below for new features, untested configurations, and known issues.</para>
+ <para>To provide feedback on your experience, contact Red Hat Global Support Services.</para>
+ </section>
+ <section>
+ <title>Overview</title>
+ <para>JBoss Portal Platform offers an intuitive, easy to manage user interface and a proven core infrastructure to enable organizations to quickly build dynamic web sites in a highly reusable way. By bringing the principles of JBoss Open Choice to the presentation layer, JBoss Portal Platform 6 maximizes existing skills and technology investments.</para>
+ <para>By integrating open source frameworks such as JBoss Seam, Hibernate, Tomcat, and JBoss Cache, JBoss Portal Platform takes advantage of innovations in the open source community.</para>
+ <para>JBoss Portal Platform &VZ; is fully tested and supported by Red Hat, and is certified to work on many leading enterprise hardware and software products.</para>
+ </section>
+ <section>
+ <title>Supported Configurations</title>
+ <para>Every JBoss® Portal Platform (JBoss EPP) release is tested and certified on a variety of market-leading operating systems, Java™ Virtual Machines (JVMs), and database combinations. For details of configurations on which JBoss Portal Platform is supported, refer to <ulink url="https://access.redhat.com/knowledge/articles/119833" />.</para>
+ </section>
+</chapter>
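Review bot: the "Beta Participants" section thanks the reader for participating in the "JBoss Enterprise Application Platform 6 Beta evaluation program", but this is the Portal Platform release notes; the product name looks copied from the EAP book and should be corrected. In the first paragraph the bare URL "http://docs.redhat.com/ ." should be a `<ulink>` (as in Supported Configurations) with the space before the full stop removed.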
Modified: epp/docs/branches/6.0/Release_Notes/en-US/Known_Issues.xml
===================================================================
--- epp/docs/branches/6.0/Release_Notes/en-US/Known_Issues.xml 2012-12-12 06:55:35 UTC (rev 8994)
+++ epp/docs/branches/6.0/Release_Notes/en-US/Known_Issues.xml 2012-12-12 06:55:47 UTC (rev 8995)
@@ -3,5 +3,22 @@
]>
<chapter id="known">
<title>Known Issues</title>
-<para>There are no Known issues in this release.</para>
+<para>BZ873711 - Picketlink IDM test suite failing for Sybase 15.7 with "SQLGrammarException: Incorrect syntax" as apparent cause.</para>
+<para>Cause: Unknown</para>
+<para>Consequence: </para>
+<para>Fix: Issue can fixed by using of <systemitem>org.hibernate.dialect.SybaseASE157Dialect</systemitem> instead of <systemitem>org.hibernate.dialect.SybaseAnywhereDialect</systemitem> or <systemitem>org.hibernate.dialect.SybaseASE15Dialect</systemitem>, which is autodetected by Hibernate.</para>
+<para>In <filename>hibernates.xml</filename>, explicitly specify the Hibernate dialect, as in the following example:
+ <code lang="XML">
+ <configuration>
+ <configuration-name>sybase157</configuration-name>
+ <properties>
+ <property>
+ <name>hibernate.dialect</name>
+ <value>org.hibernate.dialect.SybaseASE157Dialect</value>
+ </property>
+ </properties>
+ </configuration>
+ </code>
+</para>
+<para>Result: The message <screen>"SQLGrammarException: Incorrect syntax"</screen> no longer occurs.</para>
</chapter>
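Review bot: `<code lang="XML">` is not valid markup for this block: in DocBook 4.5 `lang` is the common language-of-text attribute, `<code>` is an inline element, and the unescaped `<configuration>` ... `</configuration>` sample inside it will be parsed as DocBook elements and fail validation. Use `<programlisting language="XML">` with the sample in a CDATA section or with `&lt;`/`&gt;` escaping. In the same hunk: "Issue can fixed by using of" should read "can be fixed by using", the "Consequence:" paragraph is empty, `<screen>` is a block element so the inline error text in the Result paragraph should be `<literal>`, and please confirm `hibernates.xml` is the intended filename.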
Modified: epp/docs/branches/6.0/Release_Notes/en-US/New_Features.xml
===================================================================
--- epp/docs/branches/6.0/Release_Notes/en-US/New_Features.xml 2012-12-12 06:55:35 UTC (rev 8994)
+++ epp/docs/branches/6.0/Release_Notes/en-US/New_Features.xml 2012-12-12 06:55:47 UTC (rev 8995)
@@ -1,117 +1,14 @@
<?xml version='1.0'?>
-<!DOCTYPE variablelist PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
]>
-
-<variablelist>
-
- <!-- https://issues.jboss.org/browse/JBEPP-1224 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1224" /></term>
- <listitem>
-
- <remark>This issue is unassigned!</remark>
-
-
- <remark>JIRA is OPEN</remark>
-
-
- <para>
- The Services Management Gadget currently has a display issue with the tabs displaying to the left of the table containing the data. This problem presented on Microsoft Internet Explorer 7 on Windows Vista. A fix is being investigated.
- </para>
-
- </listitem>
- </varlistentry>
-
- <!-- https://issues.jboss.org/browse/JBEPP-1236 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1236" /></term>
- <listitem>
-
- <remark>Assignee is: mwringe</remark>
-
-
- <remark>JIRA is OPEN</remark>
-
-
- <para>
- org.exoplatform.services.cache.impl.jboss.ExoCacheFactoryImpl.createCache runs for both clustered and non-clustered environments. This class registers JBoss Cache to JMX, which produces MBeans for clustered services regardless of whether the clustered services are actively used in the environment. A fix is being investigated.
- </para>
-
- </listitem>
- </varlistentry>
-
- <!-- https://issues.jboss.org/browse/JBEPP-1258 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1258" /></term>
- <listitem>
-
- <remark>Assignee is: mwringe</remark>
-
-
- <remark>JIRA is OPEN</remark>
-
-
- <para>
- Some CSS issues have been identified with the way the Portal home page is rendered. A fix is being investigated.
- </para>
-
- </listitem>
- </varlistentry>
-
- <!-- https://issues.jboss.org/browse/JBEPP-1271 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1271" /></term>
- <listitem>
-
- <remark>This issue is unassigned!</remark>
-
-
- <remark>JIRA is OPEN</remark>
-
-
- <para>
- When adding a portlet into a 2-column layout container, the container collapses while dragging the portlet into the container. The container sometimes remains collapsed after moving the portlet into the container. This problem presented on Microsoft Windows 7, using Internet Explorer 8. A fix is being investigated.
- </para>
-
- </listitem>
- </varlistentry>
-
- <!-- https://issues.jboss.org/browse/JBEPP-1345 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1345" /></term>
- <listitem>
-
- <remark>This issue is unassigned!</remark>
-
-
- <remark>JIRA is OPEN</remark>
-
-
- <para>
- An interface abnormality was discovered in the Account Portlet. If more than one instance of the Account Portlet is present on a page, tabs switching will work in the first portlet as designed. If tab switching is attempted in the other instances, the tab and the content in the portlet flashes temporarily, and the original tab is shown again. A fix is being investigated.
- </para>
-
- </listitem>
- </varlistentry>
-
-
- <!-- https://issues.jboss.org/browse/JBEPP-1359 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1359" /></term>
- <listitem>
-
- <remark>This issue is unassigned!</remark>
-
-
- <remark>JIRA is OPEN</remark>
-
-
- <para>
- Sybase 15.5 imposes a limitation on the case used in portal names. Only lowercase portal names are supported. The problem does not present in Sybase 15.0.3. A fix is being investigated.
- </para>
-
- </listitem>
- </varlistentry>
-
-</variablelist>
+<chapter id="new_features">
+ <title>New Features</title>
+ <para>JBoss Portal Platform &VZ; is hosted on JBoss Enterprise Application Platform 6, providing all the features available in the latest major release.</para>
+ <para>Portlet bridge support for JSF 2.1 and RichFaces 4 has been added, enabling the deployment of portlets written in either framework.</para>
+ <para>SAML 2.0 support.</para>
+ <para>Apache CXF support for WSRP.</para>
+ <para>UXP Enablement has been reinstated, allowing for platform applications to be hosted on JBoss Portal Platform.</para>
+ <para>A "Standalone mode" has been added, allowing access to JBoss Portal Platform gadgets without the portal chrome.</para>
+ <para>"WebOS mode" has been added. This mode enables you to present the portal apps in a desktop-like user interface where apps are launched from a dock and apps are opened in movable/resizeable windows.</para>
+</chapter>
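Review bot: "SAML 2.0 support." and "Apache CXF support for WSRP." are sentence fragments rendered as free-standing paragraphs. The chapter reads better as an `<itemizedlist>` with one `<listitem>` per feature, each a full sentence stating what is now supported, consistent with the other entries in the hunk.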
Modified: epp/docs/branches/6.0/Release_Notes/en-US/Release_Notes.xml
===================================================================
--- epp/docs/branches/6.0/Release_Notes/en-US/Release_Notes.xml 2012-12-12 06:55:35 UTC (rev 8994)
+++ epp/docs/branches/6.0/Release_Notes/en-US/Release_Notes.xml 2012-12-12 06:55:47 UTC (rev 8995)
@@ -5,274 +5,12 @@
]>
<book>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Book_Info.xml"/>
- <part>
- <title>General Info</title>
- <chapter id="Portal_Platform_Introduction">
- <title>What is JBoss Portal Platform </title>
- <para>JBoss Portal Platform offers an intuitive, easy to manage user interface and a proven core infrastructure to enable organizations to quickly build dynamic web sites in a highly reusable way. By bringing the principles of JBoss Open Choice to the presentation layer, JBoss Portal Platform 6 maximizes existing skills and technology investments.
- </para>
- <para>By integrating open source frameworks such as JBoss Seam, Hibernate, Tomcat, and JBoss Cache, JBoss Portal Platform takes advantage of innovations in the open source community. </para>
- <para>JBoss Enterprise Portal Platform &VZ; is fully tested and supported by Red Hat, and is certified to work on many leading enterprise hardware and software products.</para>
- </chapter>
-<!--<chapter id="Site_Publisher_Introduction">
- <title>What is Site Publisher</title>
- <para>
- JBoss Site Publisher (powered by eXo) is an add-on component for JBoss Enterprise Portal Platform. Site Publisher enables users to create, edit and publish rich web content within the context of their portal installation.
- </para>
- <note>
- <title>Subscription</title>
- <para>
- Subscriptions to JBoss Site Publisher are available at an additional fee over and above JBoss Enterprise Portal Platform subscriptions.
- </para>
- </note>
- <para>
- JBoss Site Publisher simplifies the authoring and management for every website an organization needs to deploy. It includes the ability to administer sites, manage navigation, and publish content. Site Publisher delivers powerful functionality to everyone responsible for maintaining web content:
- </para>
- <itemizedlist>
- <listitem>
- <para>
- Webmasters can easily administer multiple websites.
- </para>
- </listitem>
- <listitem>
- <para>
- Website administrators can set permission policies according to user roles to better control website changes.
- </para>
- </listitem>
- <listitem>
- <para>
- Content providers can use JBoss Enterprise Portal Platform’s tools to create content and then choose how to publish it using blogs, RSS feeds, social networks and more.
- </para>
- </listitem>
- <listitem>
- <para>
- Web developers can introduce other forms of rich media content to create truly professional websites easily and efficiently.
- </para>
- </listitem>
- </itemizedlist>
-</chapter>--> <chapter id="Release_Notes-Installation">
- <title>Installation</title>
- <para>
- The JBoss Enterprise Portal Platform <citetitle>Installation Guide</citetitle> contains detailed installation instructions as well as environment requirements.
- </para>
- <para>
- The Installation Guide is available in multiple formats from <ulink url="http://access.redhat.com/knowledge/docs/JBoss_Enterprise_Portal_Platform/" type="http"/>.
- </para>
- </chapter>
- <chapter id="Release_Notes-Component_Features">
- <title>Component versions </title>
- <remark>Updated table from https://docspace.corp.redhat.com/docs/DOC-68705 (version 34)</remark>
- <table frame="all" pgwide="1">
- <title>Component Versions</title>
- <tgroup cols="2" colsep="1">
- <colspec colnum="1"/>
- <colspec colnum="2"/>
- <thead>
- <row>
- <entry>Component</entry>
- <entry>Version</entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry>JBoss Enterprise Application Platform</entry>
- <entry>5.1.2-GA</entry>
- </row>
- <row>
- <entry>eXo junit</entry>
- <entry>1.2.1-GA</entry>
- </row>
- <row>
- <entry>eXo kernel</entry>
- <entry>2.3.8-GA</entry>
- </row>
- <row>
- <entry>eXo Core</entry>
- <entry>2.4.8-GA</entry>
- </row>
- <row>
- <entry>eXo WS</entry>
- <entry>2.2.8-GA</entry>
- </row>
- <row>
- <entry>eXo JCR</entry>
- <entry>1.14.8-GA</entry>
- </row>
- <row>
- <entry>Apache Shindig</entry>
- <entry>2.0.2-CP01</entry>
- </row>
- <row>
- <entry>Simple Captcha</entry>
- <entry>1.1.1-GA-Patch01</entry>
- </row>
- <row>
- <entry>GateIn Parent</entry>
- <entry>1.1.0-GA</entry>
- </row>
- <row>
- <entry>GateIn dep</entry>
- <entry>1.1.0-GA</entry>
- </row>
- <row>
- <entry>GateIn Common</entry>
- <entry>2.0.4-GA</entry>
- </row>
- <row>
- <entry>GateIn WCI</entry>
- <entry>2.1.1-GA</entry>
- </row>
- <row>
- <entry>GateIn PC</entry>
- <entry>2.3.1-GA</entry>
- </row>
- <row>
- <entry>GateIn WSRP</entry>
- <entry>2.1.7-EPP522-GA</entry>
- </row>
- <row>
- <entry>GateIn MOP</entry>
- <entry>1.1.2-GA</entry>
- </row>
- <row>
- <entry>GateIn SSO</entry>
- <entry>1.1.1-GA</entry>
- </row>
- <row>
- <entry>PicketLink IDM</entry>
- <entry>1.3.2.CR01</entry>
- </row>
- <row>
- <entry>Chromattic</entry>
- <entry>1.1.3</entry>
- </row>
- <row>
- <entry>Portlet Bridge</entry>
- <entry>2.3.1.GA.EPP522</entry>
- </row>
- <row>
- <entry>Seam</entry>
- <entry>2.2.5.EAP5</entry>
- </row>
- <row>
- <entry>Richfaces</entry>
- <entry>3.3.1.SP3</entry>
- </row>
- <row>
- <entry>Groovy</entry>
- <entry>1.7.6</entry>
- </row>
- <row>
- <entry>Commons DBCP</entry>
- <entry>1.4</entry>
- </row>
- <row>
- <entry>Commons IO</entry>
- <entry>1.4</entry>
- </row>
- <row>
- <entry>Commons Lang</entry>
- <entry>2.6</entry>
- </row>
- <row>
- <entry>HSQLDB</entry>
- <entry>2.0.0</entry>
- </row>
- <row>
- <entry>JBoss Cache</entry>
- <entry>3.2.7</entry>
- </row>
- <row>
- <entry>GateIn Management</entry>
- <entry>1.0.1-GA</entry>
- </row>
- <row>
- <entry>GateIn JBossON plug-in</entry>
- <entry>1.0.1</entry>
- </row>
- </tbody>
- </tgroup>
- </table>
- </chapter>
-<!--<chapter>
- <title>Upgraded Components</title>
- <formalpara>
- <title>New Components</title>
- <para>The following new components warrant special mention.</para>
- </formalpara>
- <remark>NEEDINFO: anything we need to mention here?</remark>
- <variablelist>
- <varlistentry>
- <term>Gatein JON Plugin</term>
- <listitem>
- <para>The Gatein JON plugin allows the portal to interact with JBoss Operations Network. The plugin captures portlet and site statistics.</para>
- </listitem>
- </varlistentry>
- </variablelist>
- <formalpara>
- <title>Updated Components</title>
- <para>The following updated components warrant special mention.</para>
- </formalpara>
- <remark>NEEDINFO: anything we need to mention here?</remark>
- <variablelist>
- <varlistentry>
- <term>Java Content Repository</term>
- <listitem>
- <para>The JCR configuration has been corrected in the configuration.properties file. The previous configuration was incorrect. </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>Java Open Single Sign-on (JOSSO) </term>
- <listitem>
- <para>Packaging changes require different file paths for JOSSO. Refer to the Reference Guide "Java Open Single Sign-On Project" section for more information.</para>
- </listitem>
- </varlistentry>
- </variablelist>
- <note>
- <para>For detailed information about component versions included in this release, refer to <xref linkend="Release_Notes-Component_Features"/></para>
- </note>
-</chapter>--> <chapter id="Release_Notes-Documentation">
- <title>Documentation</title>
- <para>
- An <citetitle>Installation Guide</citetitle> and a <citetitle>User Guide</citetitle> for JBoss Enterprise Portal Platform are available at <ulink url="http://access.redhat.com/knowledge/docs/JBoss_Enterprise_Portal_Platform/" type="http"/>. JBoss Enterprise Portal Platform specific documentation is also available from this location.</para>
- <para>In this release, the <citetitle>Installation Guide</citetitle> has undergone heavy rework and is now presented in a task-based narrative style. Any feedback you have regarding this new format would be greatly appreciated. You can provide feedback by following the instructions in the Feedback section located in the preface of the <citetitle>Installation Guide</citetitle>.</para>
- </chapter>
- <chapter id="Release_Notes-_Product_Support_and_License_Website_Links_">
- <title> Product support links </title>
- <formalpara id="form-Release_Notes-_Product_Support_and_License_Website_Links_-Support_Processes">
- <title>Product Update and Support Processes</title>
- <para>
- <ulink url="https://access.redhat.com/support/policy/updates/jboss_notes/">https://access.redhat.com/support/policy/updates/jboss_notes/</ulink>
- </para>
- </formalpara>
- <formalpara id="form-Release_Notes-_Product_Support_and_License_Website_Links_-_Developer_Support_Scope_of_Coverage_">
- <title> Developer Support Scope of Coverage, and Service Level Agreement</title>
- <para><ulink url="https://access.redhat.com/support/offerings/developer/">https://access.redhat.com/support/offerings/developer/</ulink>
-
- </para>
- </formalpara>
- <formalpara id="form-Release_Notes-_Product_Support_and_License_Website_Links_-_JBoss_End_User_License_Agreement_">
- <title>Certified and Compatible Configurations</title>
- <para>
- <ulink url="http://www.jboss.com/products/platforms/portals/testedconfigurations/">http://www.jboss.com/products/platforms/portals/testedconfigurations/</ulink>
- </para>
- </formalpara>
- </chapter>
- </part>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="known.xml" encoding="XML"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="resolved.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="enhancement.xml" encoding="XML"/>
-<!--<part>
- <title>Site Publisher plug-in</title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="sp_known.xml" encoding="XML"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="sp_resolved.xml" encoding="XML"/>
- <chapter id="Release_Notes-Issues_Resolved_Upstream">
- <title>Issues Resolved Upstream<remark>Issues Resolved Upstream</remark></title>
- <para>This release contains Site Publisher issues resolved upstream by eXo Platform. The following major issues fixed by eXo Platform have been verified by the JBoss Enterprise Portal Platform Engineering team and included as part of this release. </para>
- <para><remark>These issues have been pulled out of eXo Platform's JIRA instance using a modified version of JOT. The issues included here are CRITICAL and BLOCKER issues only. </remark></para>
- <remark>An issue with my extraction script from eXo JIRA is preventing me from pulling out the following issues: https://jira.exoplatform.org/secure/IssueNavigator.jspa?requestId=14125&a... </remark>
- <remark>The script is abandonware, and I have no other way of doing extraction.</remark>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="resolved_issues_eXo.xml" encoding="XML"/>
- </chapter>
-</part>--> <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Revision_History.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Introduction.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="New_Features.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Unsupported_Features.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Components.xml"/>
+ <!-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Resolved_Issues.xml"/> -->
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Known_Issues.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Revision_History.xml"/>
+ <index />
</book>
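Review bot: the `Resolved_Issues.xml` include is commented out while the file is still kept and reformatted in this same revision, leaving the `resolved` chapter id an orphan; either drop the file, as `enhancement.xml` and `needinfo.xml` were in r8994 and r8993, or include it. Note also that the removed `<part>` held the only Installation and Product support links chapters; if those are intentionally gone, check that no other book olinks to `Release_Notes-Installation` or `Release_Notes-Documentation`.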
Modified: epp/docs/branches/6.0/Release_Notes/en-US/Resolved_Issues.xml
===================================================================
--- epp/docs/branches/6.0/Release_Notes/en-US/Resolved_Issues.xml 2012-12-12 06:55:35 UTC (rev 8994)
+++ epp/docs/branches/6.0/Release_Notes/en-US/Resolved_Issues.xml 2012-12-12 06:55:47 UTC (rev 8995)
@@ -2,6 +2,6 @@
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
]>
<chapter id="resolved">
-<title>Resolved Issues</title>
-<para>There are no Resolved Issues in this release.</para>
+ <title>Resolved Issues</title>
+ <para>There are no Resolved Issues in this release.</para>
</chapter>
Modified: epp/docs/branches/6.0/Release_Notes/en-US/Unsupported_Features.xml
===================================================================
--- epp/docs/branches/6.0/Release_Notes/en-US/Unsupported_Features.xml 2012-12-12 06:55:35 UTC (rev 8994)
+++ epp/docs/branches/6.0/Release_Notes/en-US/Unsupported_Features.xml 2012-12-12 06:55:47 UTC (rev 8995)
@@ -1,117 +1,8 @@
<?xml version='1.0'?>
-<!DOCTYPE variablelist PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
]>
-
-<variablelist>
-
- <!-- https://issues.jboss.org/browse/JBEPP-1224 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1224" /></term>
- <listitem>
-
- <remark>This issue is unassigned!</remark>
-
-
- <remark>JIRA is OPEN</remark>
-
-
- <para>
- The Services Management Gadget currently has a display issue with the tabs displaying to the left of the table containing the data. This problem presented on Microsoft Internet Explorer 7 on Windows Vista. A fix is being investigated.
- </para>
-
- </listitem>
- </varlistentry>
-
- <!-- https://issues.jboss.org/browse/JBEPP-1236 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1236" /></term>
- <listitem>
-
- <remark>Assignee is: mwringe</remark>
-
-
- <remark>JIRA is OPEN</remark>
-
-
- <para>
- org.exoplatform.services.cache.impl.jboss.ExoCacheFactoryImpl.createCache runs for both clustered and non-clustered environments. This class registers JBoss Cache to JMX, which produces MBeans for clustered services regardless of whether the clustered services are actively used in the environment. A fix is being investigated.
- </para>
-
- </listitem>
- </varlistentry>
-
- <!-- https://issues.jboss.org/browse/JBEPP-1258 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1258" /></term>
- <listitem>
-
- <remark>Assignee is: mwringe</remark>
-
-
- <remark>JIRA is OPEN</remark>
-
-
- <para>
- Some CSS issues have been identified with the way the Portal home page is rendered. A fix is being investigated.
- </para>
-
- </listitem>
- </varlistentry>
-
- <!-- https://issues.jboss.org/browse/JBEPP-1271 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1271" /></term>
- <listitem>
-
- <remark>This issue is unassigned!</remark>
-
-
- <remark>JIRA is OPEN</remark>
-
-
- <para>
- When adding a portlet into a 2-column layout container, the container collapses while dragging the portlet into the container. The container sometimes remains collapsed after moving the portlet into the container. This problem presented on Microsoft Windows 7, using Internet Explorer 8. A fix is being investigated.
- </para>
-
- </listitem>
- </varlistentry>
-
- <!-- https://issues.jboss.org/browse/JBEPP-1345 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1345" /></term>
- <listitem>
-
- <remark>This issue is unassigned!</remark>
-
-
- <remark>JIRA is OPEN</remark>
-
-
- <para>
- An interface abnormality was discovered in the Account Portlet. If more than one instance of the Account Portlet is present on a page, tabs switching will work in the first portlet as designed. If tab switching is attempted in the other instances, the tab and the content in the portlet flashes temporarily, and the original tab is shown again. A fix is being investigated.
- </para>
-
- </listitem>
- </varlistentry>
-
-
- <!-- https://issues.jboss.org/browse/JBEPP-1359 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1359" /></term>
- <listitem>
-
- <remark>This issue is unassigned!</remark>
-
-
- <remark>JIRA is OPEN</remark>
-
-
- <para>
- Sybase 15.5 imposes a limitation on the case used in portal names. Only lowercase portal names are supported. The problem does not present in Sybase 15.0.3. A fix is being investigated.
- </para>
-
- </listitem>
- </varlistentry>
-
-</variablelist>
+<chapter id="usupported_features">
+ <title>Unsupported Features</title>
+ <para>The Site Publisher add-on is no longer supported.</para>
+</chapter>
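Review bot: the chapter id is misspelled: `id="usupported_features"` should be `unsupported_features`, matching the title and the `new_features` id convention. Fix it now, before anything xrefs the typo.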
gatein SVN: r8994 - epp/docs/branches/6.0/Release_Notes/en-US.
by do-not-reply@jboss.org
Author: rdickens
Date: 2012-12-12 01:55:35 -0500 (Wed, 12 Dec 2012)
New Revision: 8994
Removed:
epp/docs/branches/6.0/Release_Notes/en-US/enhancement.xml
epp/docs/branches/6.0/Release_Notes/en-US/feature_requests.xml
Log:
Deleted unwanted files
Deleted: epp/docs/branches/6.0/Release_Notes/en-US/enhancement.xml
===================================================================
(Binary files differ)
Deleted: epp/docs/branches/6.0/Release_Notes/en-US/feature_requests.xml
===================================================================
--- epp/docs/branches/6.0/Release_Notes/en-US/feature_requests.xml 2012-12-12 06:55:27 UTC (rev 8993)
+++ epp/docs/branches/6.0/Release_Notes/en-US/feature_requests.xml 2012-12-12 06:55:35 UTC (rev 8994)
@@ -1,4 +0,0 @@
-
-<para>
-There are no feature requests in this release.
-</para>
gatein SVN: r8993 - epp/docs/branches/6.0/Release_Notes/en-US.
by do-not-reply@jboss.org
Author: rdickens
Date: 2012-12-12 01:55:27 -0500 (Wed, 12 Dec 2012)
New Revision: 8993
Added:
epp/docs/branches/6.0/Release_Notes/en-US/Unsupported_Features.xml
Removed:
epp/docs/branches/6.0/Release_Notes/en-US/needinfo.xml
Log:
More work to align book's structure with that of similar books
Added: epp/docs/branches/6.0/Release_Notes/en-US/Unsupported_Features.xml
===================================================================
--- epp/docs/branches/6.0/Release_Notes/en-US/Unsupported_Features.xml (rev 0)
+++ epp/docs/branches/6.0/Release_Notes/en-US/Unsupported_Features.xml 2012-12-12 06:55:27 UTC (rev 8993)
@@ -0,0 +1,117 @@
+<?xml version='1.0'?>
+<!DOCTYPE variablelist PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+
+<variablelist>
+
+ <!-- https://issues.jboss.org/browse/JBEPP-1224 -->
+ <varlistentry>
+ <term><ulink url="https://issues.jboss.org/browse/JBEPP-1224" /></term>
+ <listitem>
+
+ <remark>This issue is unassigned!</remark>
+
+
+ <remark>JIRA is OPEN</remark>
+
+
+ <para>
+ The Services Management Gadget currently has a display issue with the tabs displaying to the left of the table containing the data. This problem presented on Microsoft Internet Explorer 7 on Windows Vista. A fix is being investigated.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+ <!-- https://issues.jboss.org/browse/JBEPP-1236 -->
+ <varlistentry>
+ <term><ulink url="https://issues.jboss.org/browse/JBEPP-1236" /></term>
+ <listitem>
+
+ <remark>Assignee is: mwringe</remark>
+
+
+ <remark>JIRA is OPEN</remark>
+
+
+ <para>
+ org.exoplatform.services.cache.impl.jboss.ExoCacheFactoryImpl.createCache runs for both clustered and non-clustered environments. This class registers JBoss Cache to JMX, which produces MBeans for clustered services regardless of whether the clustered services are actively used in the environment. A fix is being investigated.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+ <!-- https://issues.jboss.org/browse/JBEPP-1258 -->
+ <varlistentry>
+ <term><ulink url="https://issues.jboss.org/browse/JBEPP-1258" /></term>
+ <listitem>
+
+ <remark>Assignee is: mwringe</remark>
+
+
+ <remark>JIRA is OPEN</remark>
+
+
+ <para>
+ Some CSS issues have been identified with the way the Portal home page is rendered. A fix is being investigated.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+ <!-- https://issues.jboss.org/browse/JBEPP-1271 -->
+ <varlistentry>
+ <term><ulink url="https://issues.jboss.org/browse/JBEPP-1271" /></term>
+ <listitem>
+
+ <remark>This issue is unassigned!</remark>
+
+
+ <remark>JIRA is OPEN</remark>
+
+
+ <para>
+ When adding a portlet into a 2-column layout container, the container collapses while dragging the portlet into the container. The container sometimes remains collapsed after moving the portlet into the container. This problem presented on Microsoft Windows 7, using Internet Explorer 8. A fix is being investigated.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+ <!-- https://issues.jboss.org/browse/JBEPP-1345 -->
+ <varlistentry>
+ <term><ulink url="https://issues.jboss.org/browse/JBEPP-1345" /></term>
+ <listitem>
+
+ <remark>This issue is unassigned!</remark>
+
+
+ <remark>JIRA is OPEN</remark>
+
+
+ <para>
+ An interface abnormality was discovered in the Account Portlet. If more than one instance of the Account Portlet is present on a page, tabs switching will work in the first portlet as designed. If tab switching is attempted in the other instances, the tab and the content in the portlet flashes temporarily, and the original tab is shown again. A fix is being investigated.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+
+ <!-- https://issues.jboss.org/browse/JBEPP-1359 -->
+ <varlistentry>
+ <term><ulink url="https://issues.jboss.org/browse/JBEPP-1359" /></term>
+ <listitem>
+
+ <remark>This issue is unassigned!</remark>
+
+
+ <remark>JIRA is OPEN</remark>
+
+
+ <para>
+ Sybase 15.5 imposes a limitation on the case used in portal names. Only lowercase portal names are supported. The problem does not present in Sybase 15.0.3. A fix is being investigated.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+</variablelist>
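Review bot: the <remark> status lines in every entry ("This issue is unassigned!", "JIRA is OPEN") are tracker metadata, not reader-facing text; DocBook renders remarks whenever comments are switched on, so they should be stripped from the release-note source or kept out of the entries entirely. Also, every <term> is an empty <ulink url="..."/>, so the rendered term is the bare issue URL; giving the link text the issue key (for example <ulink url="https://issues.jboss.org/browse/JBEPP-1236">JBEPP-1236</ulink>) reads better and survives print output.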
Deleted: epp/docs/branches/6.0/Release_Notes/en-US/needinfo.xml
===================================================================
--- epp/docs/branches/6.0/Release_Notes/en-US/needinfo.xml 2012-12-12 06:55:13 UTC (rev 8992)
+++ epp/docs/branches/6.0/Release_Notes/en-US/needinfo.xml 2012-12-12 06:55:27 UTC (rev 8993)
@@ -1,19 +0,0 @@
-<?xml version='1.0'?>
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-]>
-
-<chapter id = "needinfo_issues">
- <title>NEEDINFO</title>
-
- <para>
- The following issues require more information from developers, or need to be processed by the lead writer before they can be approved for Release Note inclusion.
- </para>
- <remark>
- These tickets will not be included in Release Notes as they currently stand.
- This could be because the tickets have not been processed by the docs lead (still at required_doc_text?),
- or the tickets have not been set to the correct resolution status (VERIFIED, CLOSED).
- </remark>
- <variablelist>
-
- </variablelist>
-</chapter>
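Review bot: deleting needinfo.xml removes the chapter with id "needinfo_issues"; any xi:include of needinfo.xml or <xref linkend="needinfo_issues"/> left elsewhere in the Release_Notes book will now fail the build, so confirm the book file no longer references it in this same commit.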
gatein SVN: r8992 - epp/docs/branches/6.0/Release_Notes/en-US.
by do-not-reply@jboss.org
Author: rdickens
Date: 2012-12-12 01:55:13 -0500 (Wed, 12 Dec 2012)
New Revision: 8992
Added:
epp/docs/branches/6.0/Release_Notes/en-US/Known_Issues.xml
epp/docs/branches/6.0/Release_Notes/en-US/New_Features.xml
epp/docs/branches/6.0/Release_Notes/en-US/Resolved_Issues.xml
Removed:
epp/docs/branches/6.0/Release_Notes/en-US/known.xml
epp/docs/branches/6.0/Release_Notes/en-US/new_features.xml
epp/docs/branches/6.0/Release_Notes/en-US/resolved.xml
Log:
Renamed files
Copied: epp/docs/branches/6.0/Release_Notes/en-US/Known_Issues.xml (from rev 8985, epp/docs/branches/6.0/Release_Notes/en-US/known.xml)
===================================================================
--- epp/docs/branches/6.0/Release_Notes/en-US/Known_Issues.xml (rev 0)
+++ epp/docs/branches/6.0/Release_Notes/en-US/Known_Issues.xml 2012-12-12 06:55:13 UTC (rev 8992)
@@ -0,0 +1,7 @@
+<?xml version='1.0'?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="known">
+<title>Known Issues</title>
+<para>There are no Known issues in this release.</para>
+</chapter>
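Review bot: this commit adds Known_Issues.xml, New_Features.xml and Resolved_Issues.xml and removes known.xml, new_features.xml and resolved.xml, but nothing in the Added/Removed lists touches the book file that includes these chapters, so any xi:include or entity still pointing at the lowercase names will break the build; update those references in the same commit as the rename. Minor: "There are no Known issues in this release." should match the capitalization used in Resolved_Issues.xml ("Resolved Issues"), i.e. "Known Issues" or "known issues".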
Copied: epp/docs/branches/6.0/Release_Notes/en-US/New_Features.xml (from rev 8985, epp/docs/branches/6.0/Release_Notes/en-US/new_features.xml)
===================================================================
--- epp/docs/branches/6.0/Release_Notes/en-US/New_Features.xml (rev 0)
+++ epp/docs/branches/6.0/Release_Notes/en-US/New_Features.xml 2012-12-12 06:55:13 UTC (rev 8992)
@@ -0,0 +1,117 @@
+<?xml version='1.0'?>
+<!DOCTYPE variablelist PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+
+<variablelist>
+
+ <!-- https://issues.jboss.org/browse/JBEPP-1224 -->
+ <varlistentry>
+ <term><ulink url="https://issues.jboss.org/browse/JBEPP-1224" /></term>
+ <listitem>
+
+ <remark>This issue is unassigned!</remark>
+
+
+ <remark>JIRA is OPEN</remark>
+
+
+ <para>
+ The Services Management Gadget currently has a display issue with the tabs displaying to the left of the table containing the data. This problem presented on Microsoft Internet Explorer 7 on Windows Vista. A fix is being investigated.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+ <!-- https://issues.jboss.org/browse/JBEPP-1236 -->
+ <varlistentry>
+ <term><ulink url="https://issues.jboss.org/browse/JBEPP-1236" /></term>
+ <listitem>
+
+ <remark>Assignee is: mwringe</remark>
+
+
+ <remark>JIRA is OPEN</remark>
+
+
+ <para>
+ org.exoplatform.services.cache.impl.jboss.ExoCacheFactoryImpl.createCache runs for both clustered and non-clustered environments. This class registers JBoss Cache to JMX, which produces MBeans for clustered services regardless of whether the clustered services are actively used in the environment. A fix is being investigated.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+ <!-- https://issues.jboss.org/browse/JBEPP-1258 -->
+ <varlistentry>
+ <term><ulink url="https://issues.jboss.org/browse/JBEPP-1258" /></term>
+ <listitem>
+
+ <remark>Assignee is: mwringe</remark>
+
+
+ <remark>JIRA is OPEN</remark>
+
+
+ <para>
+ Some CSS issues have been identified with the way the Portal home page is rendered. A fix is being investigated.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+ <!-- https://issues.jboss.org/browse/JBEPP-1271 -->
+ <varlistentry>
+ <term><ulink url="https://issues.jboss.org/browse/JBEPP-1271" /></term>
+ <listitem>
+
+ <remark>This issue is unassigned!</remark>
+
+
+ <remark>JIRA is OPEN</remark>
+
+
+ <para>
+ When adding a portlet into a 2-column layout container, the container collapses while dragging the portlet into the container. The container sometimes remains collapsed after moving the portlet into the container. This problem presented on Microsoft Windows 7, using Internet Explorer 8. A fix is being investigated.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+ <!-- https://issues.jboss.org/browse/JBEPP-1345 -->
+ <varlistentry>
+ <term><ulink url="https://issues.jboss.org/browse/JBEPP-1345" /></term>
+ <listitem>
+
+ <remark>This issue is unassigned!</remark>
+
+
+ <remark>JIRA is OPEN</remark>
+
+
+ <para>
+ An interface abnormality was discovered in the Account Portlet. If more than one instance of the Account Portlet is present on a page, tabs switching will work in the first portlet as designed. If tab switching is attempted in the other instances, the tab and the content in the portlet flashes temporarily, and the original tab is shown again. A fix is being investigated.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+
+ <!-- https://issues.jboss.org/browse/JBEPP-1359 -->
+ <varlistentry>
+ <term><ulink url="https://issues.jboss.org/browse/JBEPP-1359" /></term>
+ <listitem>
+
+ <remark>This issue is unassigned!</remark>
+
+
+ <remark>JIRA is OPEN</remark>
+
+
+ <para>
+ Sybase 15.5 imposes a limitation on the case used in portal names. Only lowercase portal names are supported. The problem does not present in Sybase 15.0.3. A fix is being investigated.
+ </para>
+
+ </listitem>
+ </varlistentry>
+
+</variablelist>
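Review bot: the content of New_Features.xml does not match its name: all six entries are open JIRA tickets (JBEPP-1224 through JBEPP-1359) that end with "A fix is being investigated", which is known-issue text, not a feature list, while Known_Issues.xml in the same commit says there are no known issues. Either move these entries into Known_Issues.xml or replace them with actual feature entries. Separately, this file's DOCTYPE declares a variablelist root and has no <chapter>/<title> wrapper, unlike the two sibling files that declare chapter, so it cannot be included the same way those are.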
Copied: epp/docs/branches/6.0/Release_Notes/en-US/Resolved_Issues.xml (from rev 8985, epp/docs/branches/6.0/Release_Notes/en-US/resolved.xml)
===================================================================
--- epp/docs/branches/6.0/Release_Notes/en-US/Resolved_Issues.xml (rev 0)
+++ epp/docs/branches/6.0/Release_Notes/en-US/Resolved_Issues.xml 2012-12-12 06:55:13 UTC (rev 8992)
@@ -0,0 +1,7 @@
+<?xml version='1.0'?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="resolved">
+<title>Resolved Issues</title>
+<para>There are no Resolved Issues in this release.</para>
+</chapter>
Deleted: epp/docs/branches/6.0/Release_Notes/en-US/known.xml
===================================================================
--- epp/docs/branches/6.0/Release_Notes/en-US/known.xml 2012-12-12 05:41:40 UTC (rev 8991)
+++ epp/docs/branches/6.0/Release_Notes/en-US/known.xml 2012-12-12 06:55:13 UTC (rev 8992)
@@ -1,7 +0,0 @@
-<?xml version='1.0'?>
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-]>
-<chapter id="known">
-<title>Known Issues</title>
-<para>There are no Known issues in this release.</para>
-</chapter>
Deleted: epp/docs/branches/6.0/Release_Notes/en-US/new_features.xml
===================================================================
--- epp/docs/branches/6.0/Release_Notes/en-US/new_features.xml 2012-12-12 05:41:40 UTC (rev 8991)
+++ epp/docs/branches/6.0/Release_Notes/en-US/new_features.xml 2012-12-12 06:55:13 UTC (rev 8992)
@@ -1,117 +0,0 @@
-<?xml version='1.0'?>
-<!DOCTYPE variablelist PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-]>
-
-
-<variablelist>
-
- <!-- https://issues.jboss.org/browse/JBEPP-1224 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1224" /></term>
- <listitem>
-
- <remark>This issue is unassigned!</remark>
-
-
- <remark>JIRA is OPEN</remark>
-
-
- <para>
- The Services Management Gadget currently has a display issue with the tabs displaying to the left of the table containing the data. This problem presented on Microsoft Internet Explorer 7 on Windows Vista. A fix is being investigated.
- </para>
-
- </listitem>
- </varlistentry>
-
- <!-- https://issues.jboss.org/browse/JBEPP-1236 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1236" /></term>
- <listitem>
-
- <remark>Assignee is: mwringe</remark>
-
-
- <remark>JIRA is OPEN</remark>
-
-
- <para>
- org.exoplatform.services.cache.impl.jboss.ExoCacheFactoryImpl.createCache runs for both clustered and non-clustered environments. This class registers JBoss Cache to JMX, which produces MBeans for clustered services regardless of whether the clustered services are actively used in the environment. A fix is being investigated.
- </para>
-
- </listitem>
- </varlistentry>
-
- <!-- https://issues.jboss.org/browse/JBEPP-1258 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1258" /></term>
- <listitem>
-
- <remark>Assignee is: mwringe</remark>
-
-
- <remark>JIRA is OPEN</remark>
-
-
- <para>
- Some CSS issues have been identified with the way the Portal home page is rendered. A fix is being investigated.
- </para>
-
- </listitem>
- </varlistentry>
-
- <!-- https://issues.jboss.org/browse/JBEPP-1271 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1271" /></term>
- <listitem>
-
- <remark>This issue is unassigned!</remark>
-
-
- <remark>JIRA is OPEN</remark>
-
-
- <para>
- When adding a portlet into a 2-column layout container, the container collapses while dragging the portlet into the container. The container sometimes remains collapsed after moving the portlet into the container. This problem presented on Microsoft Windows 7, using Internet Explorer 8. A fix is being investigated.
- </para>
-
- </listitem>
- </varlistentry>
-
- <!-- https://issues.jboss.org/browse/JBEPP-1345 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1345" /></term>
- <listitem>
-
- <remark>This issue is unassigned!</remark>
-
-
- <remark>JIRA is OPEN</remark>
-
-
- <para>
- An interface abnormality was discovered in the Account Portlet. If more than one instance of the Account Portlet is present on a page, tabs switching will work in the first portlet as designed. If tab switching is attempted in the other instances, the tab and the content in the portlet flashes temporarily, and the original tab is shown again. A fix is being investigated.
- </para>
-
- </listitem>
- </varlistentry>
-
-
- <!-- https://issues.jboss.org/browse/JBEPP-1359 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1359" /></term>
- <listitem>
-
- <remark>This issue is unassigned!</remark>
-
-
- <remark>JIRA is OPEN</remark>
-
-
- <para>
- Sybase 15.5 imposes a limitation on the case used in portal names. Only lowercase portal names are supported. The problem does not present in Sybase 15.0.3. A fix is being investigated.
- </para>
-
- </listitem>
- </varlistentry>
-
-</variablelist>
Deleted: epp/docs/branches/6.0/Release_Notes/en-US/resolved.xml
===================================================================
--- epp/docs/branches/6.0/Release_Notes/en-US/resolved.xml 2012-12-12 05:41:40 UTC (rev 8991)
+++ epp/docs/branches/6.0/Release_Notes/en-US/resolved.xml 2012-12-12 06:55:13 UTC (rev 8992)
@@ -1,7 +0,0 @@
-<?xml version='1.0'?>
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-]>
-<chapter id="resolved">
-<title>Resolved Issues</title>
-<para>There are no Resolved Issues in this release.</para>
-</chapter>
gatein SVN: r8991 - epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity.
by do-not-reply@jboss.org
Author: smumford
Date: 2012-12-12 00:41:40 -0500 (Wed, 12 Dec 2012)
New Revision: 8991
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
Log:
BZ856430: Fix minor build errors
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
===================================================================
--- epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2012-12-12 05:37:16 UTC (rev 8990)
+++ epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2012-12-12 05:41:40 UTC (rev 8991)
@@ -639,14 +639,14 @@
</section>
</section>
- <section>
+ <section id="sect-Deploying_CAS_on_Tomcat">
<title><remark>BZ#856430 </remark>Build and Deploy the CAS</title>
<remark>BZ#856430 - jmorgan - This is a new sections which captures the final step an admin needs to do to bring all the cofiguration together.</remark>
<para>
Jasig CAS uses Apache Maven to build the <filename>cas.war</filename> file. Follow the instructions to produce this file, and deploy it to the Apache Tomcat server.
</para>
- <procedure id="sect-Deploying_CAS_on _Tomcat">
+ <procedure>
<title>Building CAS, and Deploying to Tomcat</title>
<step>
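Review bot: the writer remark "<remark>BZ#856430 - jmorgan - This is a new sections which captures ... cofiguration ...</remark>" and the "<remark>BZ#856430 </remark>" embedded inside the <title> are still in place after this fix; remarks are rendered whenever the build shows comments, so these should be removed (or at minimum the typos "a new sections" and "cofiguration" fixed) before the section ships. Moving the id from the <procedure> to the <section> and dropping the stray space from "sect-Deploying_CAS_on _Tomcat" is the right fix, since ID values cannot contain whitespace.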
@@ -1186,7 +1186,8 @@
</substeps>
</step>
- <substeps>
+ <step>
+ <substeps>
<step>
<para>
Start the Portal.
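Review bot: the new wrapping <step> goes straight into <substeps> with no introductory <para>, so the reader gets a numbered step whose only content is the sub-list beginning "Start the Portal."; add a one-line para before <substeps> (for example "<para>Verify the configuration:</para>") so the step has a heading line in the rendered procedure.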
@@ -1205,6 +1206,7 @@
</para>
</step>
</substeps>
+ </step>
</procedure>
</section>
</section>
@@ -1225,7 +1227,7 @@
</para>
<para>
- Refer to <xref linkend="sect-Deploying_CAS_on _Tomcat"/> for more details.
+ Refer to <xref linkend="sect-Deploying_CAS_on_Tomcat"/> for more details.
</para>
</step>
gatein SVN: r8990 - epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity.
by do-not-reply@jboss.org
Author: smumford
Date: 2012-12-12 00:37:16 -0500 (Wed, 12 Dec 2012)
New Revision: 8990
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
Log:
BZ856430: First edit of new JOSSO content from docs.jboss.org
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
===================================================================
--- epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2012-12-12 04:43:37 UTC (rev 8989)
+++ epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2012-12-12 05:37:16 UTC (rev 8990)
@@ -646,7 +646,7 @@
Jasig CAS uses Apache Maven to build the <filename>cas.war</filename> file. Follow the instructions to produce this file, and deploy it to the Apache Tomcat server.
</para>
- <procedure>
+ <procedure id="sect-Deploying_CAS_on _Tomcat">
<title>Building CAS, and Deploying to Tomcat</title>
<step>
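Review bot: the id added here, "sect-Deploying_CAS_on _Tomcat", contains a space; ID attribute values are XML Names and may not contain whitespace, so this fails DTD validation and any <xref linkend="..."/> to it will not resolve. Use "sect-Deploying_CAS_on_Tomcat", and since the "sect-" prefix and the "Refer to ... for more details" xref text suggest a section target, consider putting the id on the enclosing <section> rather than on the <procedure>.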
@@ -743,120 +743,113 @@
</note>
</section>
- <section id="sid-55477376_JOSSO-ObtainingJOSSO">
- <title>Obtaining JOSSO</title>
+ <section>
+ <title>JOSSO 1.8</title>
- <para>
- JOSSO can be downloaded from <ulink url="http://sourceforge.net/projects/josso/files/"/> . Use the package that embeds Apache Tomcat.
- </para>
+ <section id="sid-55477376_JOSSO-ObtainingJOSSO">
+ <title>Obtaining JOSSO</title>
+
+ <para>
+ JOSSO can be downloaded from <ulink url="http://sourceforge.net/projects/josso/files/"/> . Use the package that embeds Apache Tomcat.
+ </para>
+
+ <para>
+ Once downloaded, extract the package into what will be called <replaceable>JOSSO_HOME</replaceable> in this example.
+ </para>
+ </section>
- <para>
- Once downloaded, extract the package into what will be called <replaceable>JOSSO_HOME</replaceable> in this example.
- </para>
- </section>
-
- <section id="sid-55477376_JOSSO-JOSSOserver">
- <title>JOSSO server</title>
-
- <para>
- This section describes how to set up the JOSSO server to authenticate against the JBoss Portal Platform using the REST authentication plugin. In this example, the JOSSO server will be installed on Tomcat.
- </para>
-
- <procedure>
- <step>
- <para>
- <emphasis role="bold">Optional:</emphasis> To use the SSO authentication plugin with JOSSO (not-mandatory but recommended. See <xref linkend="sect-CAS-Authentication_Process"/> for details):
- </para>
+ <section id="sid-55477376_JOSSO-JOSSOserver">
+ <title>JOSSO server</title>
+
+ <para>
+ This section describes how to set up the JOSSO server to authenticate against the JBoss Portal Platform using the REST authentication plugin. In this example, the JOSSO server will be installed on Tomcat.
+ </para>
+
+ <procedure>
+ <step>
+ <para>
+ <emphasis role="bold">Optional:</emphasis> To use the SSO authentication plugin with JOSSO (not-mandatory but recommended. See <xref linkend="sect-CAS-Authentication_Process"/> for details):
+ </para>
+
+ <para>
+ Copy the files from <filename>SSO_HOME/josso/josso-<replaceable><version></replaceable>/plugin</filename> into the Tomcat directory (<replaceable>JOSSO_HOME</replaceable>). (<replaceable>SSO_HOME</replaceable> points to directory with JBoss Portal Platform as mentioned in <xref linkend="sect-Reference_Guide-SSO_Single_Sign_On"/>)
+ </para>
+
+ <para>
+ This action will replace some, and add other, JAR files to the <filename>JOSSO_HOME/webapps/josso/WEB-INF/lib</filename> directory.
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ <filename>JOSSO_HOME/lib/josso-gateway-config.xml</filename>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <filename>JOSSO_HOME/lib/josso-gateway-gatein-stores.xml</filename>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <filename>JOSSO_HOME/webapps/josso/WEB-INF/classes/gatein.properties</filename>
+ </para>
+
+ <para>
+ This file may need to be reconfigured according to your JBoss Portal Platform environment (you need to use the host and port of your JBoss Portal Platform instance as this will be used by the Authentication plugin to send REST requests over HTTP).
+ </para>
+ </listitem>
+ </itemizedlist>
+ </step>
- <itemizedlist>
- <listitem>
- <para>
- <emphasis role="bold">JOSSO 1.8.1:</emphasis> Copy the files from <filename>SSO_HOME/josso/josso-181/plugin</filename> into the Tomcat directory (<replaceable>JOSSO_HOME</replaceable>). (<replaceable>SSO_HOME</replaceable> points to directory with JBoss Portal Platform as mentioned in <xref linkend="sect-Reference_Guide-SSO_Single_Sign_On"/>)
- </para>
- </listitem>
+ <step>
+ <para>
+ Edit <filename>TOMCAT_HOME/conf/server.xml</filename> and replace the <literal>8080</literal> port to <literal>8888</literal> to change the default Tomcat port and avoid a conflict with the default JBoss Portal Platform port (for testing purposes).
+ </para>
- <listitem>
- <para>
- <emphasis role="bold">JOSSO 1.8.2:</emphasis> Copy the files from <filename>SSO_HOME/josso/josso-182/plugin</filename> into the Tomcat directory (<replaceable>JOSSO_HOME</replaceable>).
- </para>
+ <note>
+ <title>Port Conflicts</title>
<para>
- This action will replace some, and add other, JAR files to the <filename>JOSSO_HOME/webapps/josso/WEB-INF/lib</filename> directory.
+ If JBoss Portal Platform is running on the same machine as Tomcat, other ports need to be changed in addition to <literal>8080</literal> to avoid port conflicts. They can be changed to any free port. For example, you can change the admin port from <literal>8005</literal> to <literal>8805</literal>, and AJP port from <literal>8009</literal> to <literal>8809</literal>.
</para>
+ </note>
+ </step>
+
+ <step>
+ <para>
+ Tomcat should now allow access to <uri>http://localhost:8888/josso/signon/login.do</uri>. However, if you are using SSO Authentication plugin, the login will not be available at this stage as your JBoss Portal Platform is not yet set up.
+ </para>
+
+ <figure>
+ <title/>
- <itemizedlist>
- <listitem>
- <para>
- <filename>JOSSO_HOME/lib/josso-gateway-config.xml</filename>
- </para>
- </listitem>
-
- <listitem>
- <para>
- <filename>JOSSO_HOME/lib/josso-gateway-gatein-stores.xml</filename>
- </para>
- </listitem>
-
- <listitem>
- <para>
- <filename>JOSSO_HOME/webapps/josso/WEB-INF/classes/gatein.properties</filename>
- </para>
-
- <para>
- This file may need to be reconfigured according to your JBoss Portal Platform environment (you need to use the host and port of your JBoss Portal Platform instance as this will be used by the Authentication plugin to send REST requests over HTTP).
- </para>
- </listitem>
- </itemizedlist>
- </listitem>
- </itemizedlist>
- </step>
+ <mediaobject>
+ <imageobject role="html">
+ <imagedata align="center" fileref="images/AuthenticationAndIdentity/SSO/josso.png" format="PNG"/>
+ </imageobject>
+ </mediaobject>
+ </figure>
+ </step>
+ </procedure>
+ </section>
+
+ <section id="sid-55477376_JOSSO-SetuptheJOSSOclient">
+ <title>JOSSO client</title>
- <step>
- <para>
- Edit <filename>TOMCAT_HOME/conf/server.xml</filename> and replace the <literal>8080</literal> port to <literal>8888</literal> to change the default Tomcat port and avoid a conflict with the default JBoss Portal Platform port (for testing purposes).
- </para>
-
- <note>
- <title>Port Conflicts</title>
+ <procedure>
+ <step>
+ <para>
+ Some of the configuration properties in <filename>JBOSS_HOME/standalone/configuration/gatein/configuration.properties</filename> need to be set on the client server.
+ </para>
<para>
- If JBoss Portal Platform is running on the same machine as Tomcat, other ports need to be changed in addition to <literal>8080</literal> to avoid port conflicts. They can be changed to any free port. For example, you can change the admin port from <literal>8005</literal> to <literal>8805</literal>, and AJP port from <literal>8009</literal> to <literal>8809</literal>.
+ Locate the <literal>#SSO</literal> section of the file and edit it to match the sample below:
</para>
- </note>
- </step>
-
- <step>
- <para>
- Tomcat should now allow access to <uri>http://localhost:8888/josso/signon/login.do</uri>. However, if you are using SSO Authentication plugin, the login will not be available at this stage as your JBoss Portal Platform is not yet set up.
- </para>
-
- <figure>
- <title/>
- <mediaobject>
- <imageobject role="html">
- <imagedata align="center" fileref="images/AuthenticationAndIdentity/SSO/josso.png" format="PNG"/>
- </imageobject>
- </mediaobject>
- </figure>
- </step>
- </procedure>
- </section>
-
- <section id="sid-55477376_JOSSO-SetuptheJOSSOclient">
- <title>JOSSO client</title>
-
- <procedure>
- <step>
- <para>
- Some of the configuration properties in <filename>JBOSS_HOME/standalone/configuration/gatein/configuration.properties</filename> need to be set on the client server.
- </para>
-
- <para>
- Locate the <literal>#SSO</literal> section of the file and edit it to match the sample below:
- </para>
-
- <informalexample>
+ <informalexample>
<programlisting>
#SSO
gatein.sso.enabled=true
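Review bot: "<filename>SSO_HOME/josso/josso-<replaceable><version></replaceable>/plugin</filename>" in the first step (and the same pattern in the later "gatein-josso-<replaceable><version></replaceable>" path) reads, as shown, as a literal <version> start tag inside <replaceable>, which is not well-formed XML; unless the source already escapes it, write "&lt;version&gt;" or simply "version". Two documentation points for the same hunk: the step that says "replace the <literal>8080</literal> port to <literal>8888</literal>" should read "change the port from 8080 to 8888", and because the gatein.properties bullet states that the host and port configured there are used by the authentication plugin to send REST requests to the portal over HTTP, the text should say that this channel is part of the authentication path and belongs on a trusted network or behind TLS outside the "for testing purposes" setup described here.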
@@ -873,71 +866,378 @@
gatein.sso.filter.logout.url=${gatein.sso.josso.base.url}/logout.do
gatein.sso.filter.login.sso.url=${gatein.sso.server.url}?josso_back_to=${gatein.sso.portal.url}/@@portal.container.name@(a)/initiatessologin
</programlisting>
- </informalexample>
+ </informalexample>
+
+ <para>
+ Most of the properties are described in <xref linkend="sect-CAS_Configuring_the_Platform"/>.
+ </para>
+
+ <para>
+ Some of the properites differ for JOSSO:
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ The Logout filter is <code>org.gatein.sso.agent.filter.JOSSOLogoutFilter</code>.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <code>gatein.sso.josso.host</code> points to the location of the JOSSO server.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <code>gatein.sso.portal.url</code> must be changed if you intend to access JBoss Portal Platform on any URL other than <emphasis role="italics">localhost:8080</emphasis>.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The <code>gatein.sso.josso.agent.config.file</code> property points to the location of the Agent configuration file, which is relative to classpath. Therefore the agent file location is actually located at <filename>JBOSS_HOME/gatein/gatein.ear/portal.war/WEB-INF/classes/sso/josso/1.8/josso-agent-config.xml</filename>.
+ </para>
+
+ <para>
+ In the majority of cases, nothing in this file will need to be configured beyond the defaults.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </step>
- <para>
- Most of the properties are described in <xref linkend="sect-CAS_Configuring_the_Platform"/>.
- </para>
+ <step>
+ <para>
+ JOSSO has some specific dependencies, which differ between various versions. The original <code>org.gatein.sso</code> SSO module must be replaced with one appropriate for your version of JOSSO. The alternate modules are available in the JOSSO download.
+ </para>
+
+ <substeps>
+ <step>
+ <para>
+ Delete the <filename>JBOSS_HOME/modules/org/gatein/sso</filename> directory.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Copy the <filename>SSO_HOME/josso/gatein-josso-<replaceable><version></replaceable>/modules/org/gatein/sso</filename> directory into <filename>JBOSS_HOME/modules/org/gatein/</filename>.
+ </para>
+ </step>
+ </substeps>
+ </step>
+ </procedure>
+
+ <para>
+ From now on, all links redirecting to the user authentication pages will redirect to the JOSSO centralized authentication form. If you set Authentication plugin for JOSSO, you can login with JBoss Portal Platform credentials (like john/gtn) on JOSSO side.
+ </para>
+ </section>
+ </section>
+
+ <section>
+ <title>JOSSO 2.2</title>
+
+ <para>
+ JOSSO 2.2 takes a different approach to SSO than JOSSO 1.8. It is designed to allow users to create their own SSO environment by modelling it in flash web application called <emphasis role="strong">atricore-console</emphasis>.
+ </para>
+
+ <para>
+ Unfortunately this make it more difficult to use the SSO Authentication plugin as it's not easily possible to configure an existing JOSSO 2.2 environment via Spring XML files. Using the AuthenticationPlugin with JOSSO 2.2 is not supported.
+ </para>
+
+ <section id="sid-55477376_JOSSO-JOSSO2.2serversetup">
+ <title>JOSSO 2.2 server setup</title>
+
+ <para>
+ You can downloaded JOSSO 2.2.0 from <ulink url="http://www.josso.org">JOSSO site</ulink> and follow the instructions from the JOSSO 2 quickstart in <ulink url="http://www.josso.org/confluence/display/JOSSO1/JOSSO2+Quick+start"/> .
+ </para>
+
+ <para>
+ After unzipping the download and running the JOSSO, you can access the <application>atricore</application> console at <uri>http://server.local.network:8081/atricore-console</uri> (<emphasis>server.local.network</emphasis> is the virtual host defined in <filename>/etc/hosts</filename>).
+ </para>
+
+ <procedure>
+ <step>
+ <para>
+ Login to the portal as <literal>admin/admin</literal>.
+ </para>
+ </step>
- <para>
- Some of the properites differ for JOSSO:
- </para>
+ <step>
+ <para>
+ Create a new empty <emphasis role="italics">Identity appliance</emphasis> with the following details:
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ Name: <emphasis role="italics">MYFIRSTIA</emphasis>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Realm name: <emphasis role="italics">com.mycompany.myrealm</emphasis>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Appliance location: <emphasis role="italics"> <uri>http://server.local.network:8081</uri> </emphasis>
+ </para>
+ </listitem>
+ </itemizedlist>
+ </step>
- <itemizedlist>
- <listitem>
- <para>
- The Logout filter is <code>org.gatein.sso.agent.filter.JOSSOLogoutFilter</code>.
- </para>
- </listitem>
+ <step>
+ <para>
+ Create a new Identity provider named <emphasis role="italics">AcmeIDP</emphasis> (use the default settings)
+ </para>
- <listitem>
+ <figure>
+ <title>Identity Provider configuration</title>
+
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="author/download/attachments/55477376/josso22-acmeidp.png"/>
+ </imageobject>
+ </mediaobject>
+ </figure>
+ </step>
+
+ <step>
+ <para>
+ Create an Identity vault <emphasis role="italics">IDPUsers</emphasis> and connect it with <emphasis role="italics">AcmeIDP</emphasis> via <emphasis role="italics">Identity lookup</emphasis> connection.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Create a Service provider called <emphasis role="italics">SP1</emphasis> but let the hosts to be on <emphasis role="italics">server.local.network:8081</emphasis>.
+ </para>
+
+ <figure>
+ <title>Service Provider configuration</title>
+
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="author/download/attachments/55477376/josso22-sp1.png"/>
+ </imageobject>
+ </mediaobject>
+ </figure>
+ </step>
+
+ <step>
+ <para>
+ Create an Identity vault <emphasis role="italics">SP1Users</emphasis> and wire it with SP1 via <emphasis role="italics">Identity lookup</emphasis> connection.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Create empty temporary directory <filename>/tmp/tomcat7</filename> and then in the <application>atricore</application> console create new Execution environment of type <emphasis role="italics">Tomcat</emphasis> with the following parameters:
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ Name: <emphasis role="italics">SP1EE</emphasis>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Version: <emphasis role="italics">7.0.x</emphasis>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Target host: <emphasis role="italics">Local</emphasis>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Install home: <emphasis role="italics">/tmp/tomcat7</emphasis> (Directory <code>/tmp/tomcat7</code> must exists, but it could be empty directory without any tomcat presented as we do not overwrite existing setup or install demo apps).
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ <figure>
+ <title>SP Execution Environment configuration</title>
+
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="author/download/attachments/55477376/josso22-sp1ee.png"/>
+ </imageobject>
+ </mediaobject>
+ </figure>
+ </step>
+
+ <step>
+ <para>
+ Wire <emphasis role="italics">SP1</emphasis> and <emphasis role="italics">SP1EE</emphasis> via an <emphasis role="italics">Activation</emphasis> connection.
+ </para>
+
+ <para>
+ <remark>Docs note: I don't even know what this sentence is trying to say.</remark> Left default values of parameters instead of parameter <emphasis role="italics">Partner application location</emphasis> needs to be configured to <ulink url="http://localhost:8080/portal"/>
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Wire <emphasis role="italics">SP1</emphasis> and <emphasis role="italics">AcmeIDP</emphasis> via <emphasis role="italics">Federated connection</emphasis>.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Click <guilabel>Save</guilabel> and save this model.
+ </para>
+
+ <figure>
+ <title>Overview with SP connection details</title>
+
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="author/download/attachments/55477376/josso22-connection.png"/>
+ </imageobject>
+ </mediaobject>
+ </figure>
+ </step>
+
+ <step>
+ <para>
+ Go to the <emphasis role="italics">Identity appliance lifecycle management</emphasis> tab and go through lifecycle of Identity appliance (<menuchoice><guimenuitem>Saved</guimenuitem><guimenuitem>Staged</guimenuitem><guimenuitem>Deployed</guimenuitem><guimenuitem>Started</guimenuitem></menuchoice>) as suggested in the quickstart.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Go to the <emphasis role="italics">Account & Entitlement management</emphasis> tab and create users. Users must be created this way because REST callbacks to the Portal are not supported in this release.
+ </para>
+
+ <para>
+ This example will create the following user/password accounts: <literal>john</literal>/<literal>password</literal>, <literal>root</literal>/<literal>password</literal> and <literal>demo</literal>/<literal>password</literal>.
+ </para>
+ </step>
+ </procedure>
+ </section>
+
+ <section id="sid-55477376_JOSSO-JOSSOclientsetup">
+ <title>JOSSO client setup</title>
+
+ <para>
+ This section assumes that all relevant configurations were made as described in <xref linkend="sid-55477376_JOSSO-JOSSO2.2serversetup"/>.
+ </para>
+
+ <procedure>
+ <step>
+ <para>
+ Assuming again that you have JBoss Portal Platform running on JBoss Enterprise Platform 6, you need to change some of the properties in the SSO sections of <filename>JBOSS_HOME/standalone/configuration/gatein/configuration.properties</filename> to match those below:
+ </para>
+
+ <informalexample>
+<programlisting>
+# SSO
+gatein.sso.enabled=true
+gatein.sso.callback.enabled=${gatein.sso.enabled}
+gatein.sso.login.module.enabled=${gatein.sso.enabled}
+gatein.sso.login.module.class=org.gatein.sso.agent.login.SSOLoginModule
+gatein.sso.filter.initiatelogin.enabled=false
+gatein.sso.filter.initiatelogin.josso2.enabled=true
+gatein.sso.josso.agent.config.file=sso/josso/2.2/josso-agent-config.xml
+gatein.sso.josso.properties.file=file:${jboss.home.dir}/standalone/configuration/gatein/configuration.properties
+gatein.sso.portal.url=http://localhost:8080
+gatein.sso.filter.logout.class=org.gatein.sso.agent.filter.JOSSOLogoutFilter
+gatein.sso.filter.logout.url=
+gatein.sso.josso.host=server.local.network:8081
+gatein.sso.server.url=http://${gatein.sso.josso.host}
+gatein.sso.josso.identityApplianceId=MYFIRSTIA
+gatein.sso.josso.partnerAppId=SP1
+gatein.sso.josso.partnerAppPoint=SP1EE
+gatein.sso.filter.login.sso.url=${gatein.sso.server.url}/IDBUS/${gatein.sso.josso.identityApplianceId}/${gatein.sso.josso.partnerAppPoint}/JOSSO/SSO/REDIR?josso_back_to=${gatein.sso.portal.url}/@@portal.container.name@(a)/josso_security_check&josso_partnerapp_id=${gatein.sso.josso.partnerAppId}
+</programlisting>
+ </informalexample>
+
+ <para>
+ Note that <code>gatein.sso.filter.logout.url</code> is empty now as the logout URL will be obtained from JOSSO agent configuration in file <filename>JBOSS_HOME/gatein/gatein.ear/portal.war/WEB-INF/classes/sso/josso/2.2/josso-agent-config.xml</filename>.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Update Sthe SO module in EAP 6 :
+ </para>
+
+ <substeps>
+ <step>
+ <para>
+ Delete the <filename>JBOSS_HOME/modules/org/gatein/sso</filename> directory.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Copy the <filename>GATEIN_SSO_HOME/josso/gatein-josso-182/modules/org/gatein/sso into JBOSS_HOME/modules/org/gatein/</filename> directory.
+ </para>
+ </step>
+ </substeps>
+ </step>
+
+ <substeps>
+ <step>
<para>
- <code>gatein.sso.josso.host</code> points to the location of the JOSSO server.
+ Start the Portal.
</para>
- </listitem>
-
- <listitem>
+
<para>
- <code>gatein.sso.portal.url</code> must be changed if you intend to access JBoss Portal Platform on any URL other than <emphasis role="italics">localhost:8080</emphasis>.
+ Access <uri>http://localhost:8080/portal</uri> and click <emphasis role="italics">Sign in</emphasis>.
</para>
- </listitem>
-
- <listitem>
+
<para>
- The <code>gatein.sso.josso.agent.config.file</code> property points to the location of the Agent configuration file, which is relative to classpath. Therefore the agent file location is actually located at <filename>JBOSS_HOME/gatein/gatein.ear/portal.war/WEB-INF/classes/sso/josso/1.8/josso-agent-config.xml</filename>.
+ You will be redirected to JOSSO, but you will need to login with the username/password account created via the JOSSO console (for example <literal>john</literal>/<literal>password</literal>) as REST callbacks are not supported.
</para>
<para>
- In the majority of cases, nothing in this file will need to be configured beyond the defaults.
+ After a successful login to JOSSO, you will be redirected to the Portal as <literal>john</literal>.
</para>
- </listitem>
- </itemizedlist>
- </step>
+ </step>
+ </substeps>
+ </procedure>
+ </section>
+ </section>
+
+ <section>
+ <title>Setup with portal on Tomcat</title>
+
+ <para>
+ If you have JBoss Portal Platform on Tomcat 7 and you want to configure it for SSO against JOSSO you must complete the following additional steps:
+ </para>
+
+ <procedure>
+ <title></title>
<step>
<para>
- JOSSO has some specific dependencies, which differ between various versions. The original <code>org.gatein.sso</code> SSO module must be replaced with one appropriate for your version of JOSSO. The alternate modules are available in the JOSSO download.
+ Add <code>ServletAccessValve</code> into <filename>server.xml</filename> (as was done to set up CAS single sign-on).
</para>
- <substeps>
- <step>
- <para>
- Delete the <filename>JBOSS_HOME/modules/org/gatein/sso</filename> directory.
- </para>
- </step>
-
- <step>
- <para>
- Copy the <filename>SSO_HOME/josso/gatein-josso-<replaceable><version></replaceable>/modules/org/gatein/sso</filename> directory into <filename>JBOSS_HOME/modules/org/gatein/</filename>.
- </para>
- </step>
- </substeps>
+ <para>
+ Refer to <xref linkend="sect-Deploying_CAS_on _Tomcat"/> for more details.
+ </para>
</step>
+
+ <step>
+ <para>
+ Copy the JAR files for the appropriate JOSSO version from <filename>GATEIN_SSO_HOME/josso/gatein-josso-<replaceable><version></replaceable>/modules/org/gatein/sso/main into JBOSS_HOME/lib/</filename>.
+ </para>
+ <para>
+ Use <replaceable>gatein-josso-181</replaceable> if you are on JOSSO 1.8.1 or older or <replaceable>gatein-josso-182</replaceable> if you are on JOSSO 1.8.2 or newer or on JOSSO 2.2.
+ </para>
+ </step>
</procedure>
-
- <para>
- From now on, all links redirecting to the user authentication pages will redirect to the JOSSO centralized authentication form. If you set Authentication plugin for JOSSO, you can login with JBoss Portal Platform credentials (like john/gtn) on JOSSO side.
- </para>
</section>
<!-- Old JOSSO content replaced by action prompted by BZ#856430
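Review bot: the client configuration and the test accounts in this hunk need an explicit local-test-only caveat. A JOSSO login lands the user in the portal under the same username ("After a successful login to JOSSO, you will be redirected to the Portal as john"), so the root/password account the procedure creates in the identity appliance is a portal root login, and gatein.sso.server.url, gatein.sso.portal.url and the partner application location are all plain http:// in the sample; state that these credentials and URLs are for a local test and that the server and portal URLs must be https for anything beyond it, because the josso_back_to return trip carries the josso_assertion_id that the agent then validates. Several added lines will also break the build or leak into the published book: the xref linkend "sect-Deploying_CAS_on _Tomcat" contains a space, so it will never resolve; the substeps element that follows the closed "Update Sthe SO module" step is a direct child of procedure rather than of a step, which DocBook 4.5 does not allow; the procedure in "Setup with portal on Tomcat" has an empty title element that renders as a blank heading; both imagedata filerefs point at Confluence attachment paths (author/download/attachments/55477376/...) instead of the book's images directory; the "Docs note" remark is still attached to a sentence that should read "Leave the default values for all parameters except Partner application location, which must be set to http://localhost:8080/portal"; and the two filename elements containing "into JBOSS_HOME/..." wrap the source path, the word "into" and the destination in one element. Also fix "Update Sthe SO module" to "Update the SSO module" and "must exists" to "must exist", and check the login URL's @@portal.container.name@(a) token against the source, since its closing delimiter does not match the opening @@.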
gatein SVN: r8989 - in epp/docs/branches/6.0/Reference_Guide/en-US: images/AuthenticationAndIdentity/SSO and 1 other directories.
by do-not-reply@jboss.org
Author: smumford
Date: 2012-12-11 23:43:37 -0500 (Tue, 11 Dec 2012)
New Revision: 8989
Added:
epp/docs/branches/6.0/Reference_Guide/en-US/images/AuthenticationAndIdentity/SSO/josso.png
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
Log:
BZ856430: First edit of new JOSSO content from docs.jboss.org
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml
===================================================================
--- epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2012-12-12 04:09:24 UTC (rev 8988)
+++ epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2012-12-12 04:43:37 UTC (rev 8989)
@@ -312,7 +312,7 @@
</author>
<revdescription>
<simplelist>
- <member>BZ#865640 - Amended the JOSSO wording in <xref linkend="proc-Reference_Guide-Java_Open_Single_Sign_On_Project-JOSSO_server"/> to clarify that Red Hat does not support JOSSO server, but offers integration with the server. </member>
+ <member>BZ#865640 - Amended the JOSSO wording to clarify that Red Hat does not support JOSSO server, but offers integration with the server. </member>
</simplelist>
</revdescription>
</revision>
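Review bot: this hunk only strips the now-dangling xref from the BZ#865640 entry, which is correct because its target proc-Reference_Guide-Java_Open_Single_Sign_On_Project-JOSSO_server is commented out further down in this commit, but it adds no revision entry for BZ#856430 itself; add one above the current top entry so the replacement of the JOSSO content is recorded in the book's revision history.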
Added: epp/docs/branches/6.0/Reference_Guide/en-US/images/AuthenticationAndIdentity/SSO/josso.png
===================================================================
(Binary files differ)
Property changes on: epp/docs/branches/6.0/Reference_Guide/en-US/images/AuthenticationAndIdentity/SSO/josso.png
___________________________________________________________________
Added: svn:mime-type
+ image/png
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
===================================================================
--- epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2012-12-12 04:09:24 UTC (rev 8988)
+++ epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2012-12-12 04:43:37 UTC (rev 8989)
@@ -1,4 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
+<!-- This document was created with Syntext Serna Free. -->
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "../../Reference_Guide.ent">
%BOOK_ENTITIES;
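Review bot: the "This document was created with Syntext Serna Free." comment inserted before the DOCTYPE is editor-generated and carries no information about the content; drop it from the commit and stop the editor from emitting it, otherwise every file touched in Serna picks up the same unrelated change.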
@@ -686,7 +687,7 @@
</section>
<section id="sect-Reference_Guide-SSO_Single_Sign_On_-Java_Open_Single_Sign_On_Project">
- <title>Java Open Single Sign-On Project</title>
+ <title><remark>BZ#856430</remark>Java Open Single Sign-On Project</title>
<para>
Configuring JOSSO for JBoss Enterprise Application Platform requires an Apache server instance to host JOSSO. JBoss Enterprise Application Platform communicates with the JOSSO Apache instance through the single sign-on plug-in.
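Review bot: putting a tracking remark inside the section title ("<title><remark>BZ#856430</remark>Java Open Single Sign-On Project</title>") lets it reach the table of contents and the rendered heading unless the build profiles remarks out; track the bug in the log and the revision history instead and remove it before release. The unchanged paragraph that follows still says JOSSO "requires an Apache server instance to host JOSSO", while the new content below installs the JOSSO server on Tomcat and the chapter prerequisites say the same; fix the introduction in this change so the section does not contradict itself.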
@@ -704,6 +705,242 @@
After completing all procedures in this section, all links redirecting to the user authentication pages will redirect to the JOSSO centralized authentication form.
</para>
+ <section>
+ <title>Authentication Process</title>
+
+ <para>
+ The login workflow for JOSSO is quite similar to that used for CAS authentications (specific details can be found in <xref linkend="sect-CAS-Authentication_Process"/>).
+ </para>
+
+ <para>
+ Essentially, after a user clicks to sign in they are redirected to the JOSSO login screen, where they supply the appropriate credentials. They are then redirected back to the Portal.
+ </para>
+
+ <para>
+ The <systemitem>JOSSOAgent</systemitem> component performs a validation of the ticket with the JOSSO server via a back channel after the <systemitem>InitiateLoginFilter</systemitem> has delegated the <parameter> josso_assertion_id </parameter> request to it. The JOSSO agent and JOSSO server communicate via web services.
+ </para>
+
+ <para>
+ After a successful validation, the user identity is successfully established and the user is logged into the requested Portal.
+ </para>
+
+ <para>
+ On logout, <systemitem>JOSSOLogoutFilter</systemitem> performs a logout on both the Portal and the JOSSO server (similar to the process for CAS).
+ </para>
+
+ <para>
+ While the authentication plugin (which is able to send REST requests to the portal, receive the response, and authenticate the user on the JOSSO side) is supported, this support is only for JOSSO 1.8 (not JOSSO 2.2 at this release).
+ </para>
+
+ <para>
+ In this example, we will assume again that JBoss Portal Platform will be running on JBoss Enterprise Application Platform 6 using port <emphasis role="italics">localhost:8080</emphasis> and that the JOSSO server will be running on Tomcat, using <emphasis role="italics">localhost:8888</emphasis>.
+ </para>
+
+ <note>
+ <para>
+ There are differences between various JOSSO minor versions (especially betweeen JOSSO versions 1.8.1 and 1.8.2) so instructions will be slightly different between various versions. This will be pointed in text in more details.
+ </para>
+ </note>
+ </section>
+
+ <section id="sid-55477376_JOSSO-ObtainingJOSSO">
+ <title>Obtaining JOSSO</title>
+
+ <para>
+ JOSSO can be downloaded from <ulink url="http://sourceforge.net/projects/josso/files/"/> . Use the package that embeds Apache Tomcat.
+ </para>
+
+ <para>
+ Once downloaded, extract the package into what will be called <replaceable>JOSSO_HOME</replaceable> in this example.
+ </para>
+ </section>
+
+ <section id="sid-55477376_JOSSO-JOSSOserver">
+ <title>JOSSO server</title>
+
+ <para>
+ This section describes how to set up the JOSSO server to authenticate against the JBoss Portal Platform using the REST authentication plugin. In this example, the JOSSO server will be installed on Tomcat.
+ </para>
+
+ <procedure>
+ <step>
+ <para>
+ <emphasis role="bold">Optional:</emphasis> To use the SSO authentication plugin with JOSSO (not-mandatory but recommended. See <xref linkend="sect-CAS-Authentication_Process"/> for details):
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ <emphasis role="bold">JOSSO 1.8.1:</emphasis> Copy the files from <filename>SSO_HOME/josso/josso-181/plugin</filename> into the Tomcat directory (<replaceable>JOSSO_HOME</replaceable>). (<replaceable>SSO_HOME</replaceable> points to directory with JBoss Portal Platform as mentioned in <xref linkend="sect-Reference_Guide-SSO_Single_Sign_On"/>)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <emphasis role="bold">JOSSO 1.8.2:</emphasis> Copy the files from <filename>SSO_HOME/josso/josso-182/plugin</filename> into the Tomcat directory (<replaceable>JOSSO_HOME</replaceable>).
+ </para>
+
+ <para>
+ This action will replace some, and add other, JAR files to the <filename>JOSSO_HOME/webapps/josso/WEB-INF/lib</filename> directory.
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ <filename>JOSSO_HOME/lib/josso-gateway-config.xml</filename>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <filename>JOSSO_HOME/lib/josso-gateway-gatein-stores.xml</filename>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <filename>JOSSO_HOME/webapps/josso/WEB-INF/classes/gatein.properties</filename>
+ </para>
+
+ <para>
+ This file may need to be reconfigured according to your JBoss Portal Platform environment (you need to use the host and port of your JBoss Portal Platform instance as this will be used by the Authentication plugin to send REST requests over HTTP).
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ </itemizedlist>
+ </step>
+
+ <step>
+ <para>
+ Edit <filename>TOMCAT_HOME/conf/server.xml</filename> and replace the <literal>8080</literal> port to <literal>8888</literal> to change the default Tomcat port and avoid a conflict with the default JBoss Portal Platform port (for testing purposes).
+ </para>
+
+ <note>
+ <title>Port Conflicts</title>
+
+ <para>
+ If JBoss Portal Platform is running on the same machine as Tomcat, other ports need to be changed in addition to <literal>8080</literal> to avoid port conflicts. They can be changed to any free port. For example, you can change the admin port from <literal>8005</literal> to <literal>8805</literal>, and AJP port from <literal>8009</literal> to <literal>8809</literal>.
+ </para>
+ </note>
+ </step>
+
+ <step>
+ <para>
+ Tomcat should now allow access to <uri>http://localhost:8888/josso/signon/login.do</uri>. However, if you are using SSO Authentication plugin, the login will not be available at this stage as your JBoss Portal Platform is not yet set up.
+ </para>
+
+ <figure>
+ <title/>
+
+ <mediaobject>
+ <imageobject role="html">
+ <imagedata align="center" fileref="images/AuthenticationAndIdentity/SSO/josso.png" format="PNG"/>
+ </imageobject>
+ </mediaobject>
+ </figure>
+ </step>
+ </procedure>
+ </section>
+
+ <section id="sid-55477376_JOSSO-SetuptheJOSSOclient">
+ <title>JOSSO client</title>
+
+ <procedure>
+ <step>
+ <para>
+ Some of the configuration properties in <filename>JBOSS_HOME/standalone/configuration/gatein/configuration.properties</filename> need to be set on the client server.
+ </para>
+
+ <para>
+ Locate the <literal>#SSO</literal> section of the file and edit it to match the sample below:
+ </para>
+
+ <informalexample>
+<programlisting>
+#SSO
+gatein.sso.enabled=true
+gatein.sso.callback.enabled=${gatein.sso.enabled}
+gatein.sso.login.module.enabled=${gatein.sso.enabled}
+gatein.sso.login.module.class=org.gatein.sso.agent.login.SSOLoginModule
+gatein.sso.josso.agent.config.file=sso/josso/1.8/josso-agent-config.xml
+gatein.sso.josso.properties.file=file:${jboss.home.dir}/standalone/configuration/gatein/configuration.properties
+gatein.sso.josso.host=localhost:8888
+gatein.sso.josso.base.url=http://${gatein.sso.josso.host}/josso/signon
+gatein.sso.server.url=${gatein.sso.josso.base.url}/login.do
+gatein.sso.portal.url=http://localhost:8080
+gatein.sso.filter.logout.class=org.gatein.sso.agent.filter.JOSSOLogoutFilter
+gatein.sso.filter.logout.url=${gatein.sso.josso.base.url}/logout.do
+gatein.sso.filter.login.sso.url=${gatein.sso.server.url}?josso_back_to=${gatein.sso.portal.url}/@@portal.container.name@(a)/initiatessologin
+</programlisting>
+ </informalexample>
+
+ <para>
+ Most of the properties are described in <xref linkend="sect-CAS_Configuring_the_Platform"/>.
+ </para>
+
+ <para>
+ Some of the properites differ for JOSSO:
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ The Logout filter is <code>org.gatein.sso.agent.filter.JOSSOLogoutFilter</code>.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <code>gatein.sso.josso.host</code> points to the location of the JOSSO server.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <code>gatein.sso.portal.url</code> must be changed if you intend to access JBoss Portal Platform on any URL other than <emphasis role="italics">localhost:8080</emphasis>.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The <code>gatein.sso.josso.agent.config.file</code> property points to the location of the Agent configuration file, which is relative to classpath. Therefore the agent file location is actually located at <filename>JBOSS_HOME/gatein/gatein.ear/portal.war/WEB-INF/classes/sso/josso/1.8/josso-agent-config.xml</filename>.
+ </para>
+
+ <para>
+ In the majority of cases, nothing in this file will need to be configured beyond the defaults.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </step>
+
+ <step>
+ <para>
+ JOSSO has some specific dependencies, which differ between various versions. The original <code>org.gatein.sso</code> SSO module must be replaced with one appropriate for your version of JOSSO. The alternate modules are available in the JOSSO download.
+ </para>
+
+ <substeps>
+ <step>
+ <para>
+ Delete the <filename>JBOSS_HOME/modules/org/gatein/sso</filename> directory.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Copy the <filename>SSO_HOME/josso/gatein-josso-<replaceable><version></replaceable>/modules/org/gatein/sso</filename> directory into <filename>JBOSS_HOME/modules/org/gatein/</filename>.
+ </para>
+ </step>
+ </substeps>
+ </step>
+ </procedure>
+
+ <para>
+ From now on, all links redirecting to the user authentication pages will redirect to the JOSSO centralized authentication form. If you set Authentication plugin for JOSSO, you can login with JBoss Portal Platform credentials (like john/gtn) on JOSSO side.
+ </para>
+ </section>
+<!-- Old JOSSO content replaced by action prompted by BZ#856430
+
<procedure id="proc-Reference_Guide-Java_Open_Single_Sign_On_Project-JOSSO_server">
<title>Download and extract JOSSO server</title>
@@ -883,6 +1120,7 @@
<programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default115.xml" parse="text"/></programlisting>
</step>
</procedure>
+ </section> -->
</section>
<section id="sect-Reference_Guide-SSO_Single_Sign_On_-OpenSSO">
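Review bot: the gatein.properties step ("you need to use the host and port of your JBoss Portal Platform instance as this will be used by the Authentication plugin to send REST requests over HTTP") and the closing sentence ("you can login with JBoss Portal Platform credentials (like john/gtn) on JOSSO side") together mean the plugin forwards the user's portal credentials from the JOSSO server to the portal on every login, and the sample runs both on http://localhost; add a sentence there that this link carries credentials and must be TLS-protected or confined to a trusted network outside a local test, and that john/gtn is a default sample account to be removed or changed in production. The "Obtaining JOSSO" step also points at a SourceForge download with no verification; tell the reader to check the release's published checksum or signature before extracting what will become the authentication server. Structure and consistency: the list of three files under the JOSSO 1.8.2 item has no lead-in sentence (the sentence before it is about JAR files in WEB-INF/lib, but the items are two XML configuration files and a properties file) and it is not clear whether it applies to 1.8.1 too; the figure has an empty title element; the SSO distribution directory is SSO_HOME here but PORTAL_SSO in the chapter overview; "<parameter> josso_assertion_id </parameter>" has stray spaces inside the element; the login URL's @@portal.container.name@(a) token should be checked against the source; and the old content is disabled by wrapping a large block in a single XML comment, so confirm that block contains no nested comments or "--" sequences, which the parser would reject. Typos and wording: "betweeen", "properites", "This will be pointed in text in more details" (use "These differences are called out in the text"), and "replace the 8080 port to 8888" (use "change the port from 8080 to 8888").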
@@ -1827,7 +2065,7 @@
<sso cache-container="web" cache-name="sso" reauthenticate="true" />
]]></programlisting>
<para>
- The <literal>true</literal> value ensures that reauthentication with user credentials will be performed against the web application's security domain in each HTTP request. This will enforce creation of a new principal with updated roles for the web application. As user credentials are used for authentication in this case, it is required that the same user credentials exist in both the web application and the JBoss Portal Platform instance.
+ The <literal>true</literal> value ensures that reauthentication with user credentials will be performed against the web application's security domain in each HTTP request. This will enforce creation of a new principal with updated roles for the web application. As user credentials are used for authentication in this case, it is required that the same user credentials exist in both the web application and the JBoss Portal Platform instance.
</para>
</section>
</section>
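Review bot: the removed and added lines in this hunk are visually identical, so the change is a non-printing character (trailing whitespace, or a non-breaking space swapped for a regular space); if it is unintended, revert it, and if it is intended, say so in the log so the next reader does not have to diff bytes to find out what changed in the cluster SSO paragraph.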
gatein SVN: r8988 - in epp/docs/branches/6.0: Reference_Guide/en-US/modules/PortletDevelopment and 2 other directories.
by do-not-reply@jboss.org
Author: aakanksha_writer
Date: 2012-12-11 23:09:24 -0500 (Tue, 11 Dec 2012)
New Revision: 8988
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml
epp/docs/branches/6.0/Reference_Guide/en-US/modules/PortletDevelopment/PortletBridge.xml
epp/docs/branches/6.0/User_Guide/en-US/Revision_History.xml
epp/docs/branches/6.0/User_Guide/en-US/modules/Supported_Browsers.xml
Log:
bug 856445 resolved
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml
===================================================================
--- epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2012-12-11 10:09:49 UTC (rev 8987)
+++ epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2012-12-12 04:09:24 UTC (rev 8988)
@@ -7,20 +7,20 @@
<title>Revision History</title>
<simpara>
<revhistory>
- <revision>
- <revnumber>6.0.0-25</revnumber>
- <date>Fri Dec 7 2012</date>
- <author>
- <firstname>Petr</firstname>
- <surname>Penicka</surname>
- <email></email>
- </author>
- <revdescription>
+ <revision>
+ <revnumber>6.0.0-18</revnumber>
+ <date>Mon Dec 11 2012</date>
+ <author>
+ <firstname>Aakanksha</firstname>
+ <surname>Singh</surname>
+ <email/>
+ </author>
+ <revdescription>
<simplelist>
- <member>BZ#856450: modified information about SSO in a cluster based on an updated Confluence document.</member>
+ <member>BZ#856445 - Removed instances of unsupported version of desktop browsers </member>
</simplelist>
- </revdescription>
- </revision>
+ </revdescription>
+ </revision>
<revision>
<revnumber>6.0.0-24</revnumber>
<date>Tue Dec 04 2012</date>
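Review bot: this hunk deletes the existing 6.0.0-25 revision (Petr Penicka, BZ#856450) instead of adding a new entry above it, and the replacement is numbered 6.0.0-18 although the entry that follows is 6.0.0-24, so the history both loses a recorded change and runs backwards; restore the 6.0.0-25 entry and record BZ#856445 as 6.0.0-26. The new date "Mon Dec 11 2012" also disagrees with the commit header, which is Tue, 11 Dec 2012.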
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/modules/PortletDevelopment/PortletBridge.xml
===================================================================
--- epp/docs/branches/6.0/Reference_Guide/en-US/modules/PortletDevelopment/PortletBridge.xml 2012-12-11 10:09:49 UTC (rev 8987)
+++ epp/docs/branches/6.0/Reference_Guide/en-US/modules/PortletDevelopment/PortletBridge.xml 2012-12-12 04:09:24 UTC (rev 8988)
@@ -311,8 +311,8 @@
<entry>
<literal>a4j:outputPanel</literal>
</entry>
- <entry> Yes (except Firefox 3.5) </entry>
<entry> Yes </entry>
+ <entry> Yes </entry>
</row>
<row>
<entry>
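Review bot: across this and the following five hunks the "Yes (except <browser version>)" entries collapse to an unqualified "Yes" on the strength of the log message alone; since the exclusions were for browser versions being dropped from the supported list, add a sentence above the table stating the supported-browser baseline it assumes, otherwise the bare "Yes" reads as support for every version of every browser.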
@@ -325,7 +325,7 @@
<entry>
<literal>rich:dataTable</literal>
</entry>
- <entry> Yes (except Firefox 3.6 and IE8) </entry>
+ <entry> Yes </entry>
<entry> No </entry>
</row>
<row>
@@ -360,7 +360,7 @@
<entry>
<literal>rich:extendedDataTable</literal>
</entry>
- <entry> Yes (except IE7) </entry>
+ <entry> Yes </entry>
<entry> No </entry>
</row>
<row>
@@ -374,8 +374,8 @@
<entry>
<literal>rich:scrollableDataTable</literal>
</entry>
- <entry> Yes (except Firefox 3.6) </entry>
<entry> Yes </entry>
+ <entry> Yes </entry>
</row>
<row>
<entry>
@@ -402,8 +402,8 @@
<entry>
<literal>rich:tree</literal>
</entry>
- <entry> Yes (except Firefox 3.5) </entry>
<entry> Yes </entry>
+ <entry> Yes </entry>
</row>
<row>
<entry>
@@ -549,8 +549,8 @@
<entry>
<literal>rich:inputNumberSpinner</literal>
</entry>
- <entry> Yes (except IE7) </entry>
<entry> Yes </entry>
+ <entry> Yes </entry>
</row>
<row>
<entry>
Modified: epp/docs/branches/6.0/User_Guide/en-US/Revision_History.xml
===================================================================
--- epp/docs/branches/6.0/User_Guide/en-US/Revision_History.xml 2012-12-11 10:09:49 UTC (rev 8987)
+++ epp/docs/branches/6.0/User_Guide/en-US/Revision_History.xml 2012-12-12 04:09:24 UTC (rev 8988)
@@ -7,6 +7,20 @@
<title>Revision History</title>
<simpara>
<revhistory>
+ <revision>
+ <revnumber>6.0.0-9</revnumber>
+ <date>Mon Dec 06 2012</date>
+ <author>
+ <firstname>Aakanksha</firstname>
+ <surname>Singh</surname>
+ <email>aasingh(a)redhat.com</email>
+ </author>
+ <revdescription>
+ <simplelist>
+ <member>BZ#856445 - removed references to unsupported version of browser.</member>
+ </simplelist>
+ </revdescription>
+ </revision>
<revision>
<revnumber>6.0.0-8</revnumber>
<date>Mon Nov 12 2012</date>
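Review bot: the new 6.0.0-9 entry is dated "Mon Dec 06 2012", which is neither a Monday nor the date of this commit (Tue, 11 Dec 2012), and it gives the author's e-mail address while the Reference Guide entry in the same commit uses an empty email element; correct the date and use the same convention in both books.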
Modified: epp/docs/branches/6.0/User_Guide/en-US/modules/Supported_Browsers.xml
===================================================================
--- epp/docs/branches/6.0/User_Guide/en-US/modules/Supported_Browsers.xml 2012-12-11 10:09:49 UTC (rev 8987)
+++ epp/docs/branches/6.0/User_Guide/en-US/modules/Supported_Browsers.xml 2012-12-12 04:09:24 UTC (rev 8988)
@@ -15,12 +15,12 @@
--> <itemizedlist>
<listitem>
<para>
- <ulink url="http://www.mozilla.com/en-US/firefox/new/" type="http">Firefox</ulink> (versions 3.5 to 10).
+ <ulink url="http://www.mozilla.com/en-US/firefox/new/" type="http">Firefox</ulink>.
</para>
</listitem>
<listitem>
<para>
- <ulink url="http://windows.microsoft.com/en-AU/internet-explorer/downloads/ie" type="http">Internet Explorer</ulink> (versions 7 to 9).
+ <ulink url="http://windows.microsoft.com/en-AU/internet-explorer/downloads/ie" type="http">Internet Explorer</ulink>.
</para>
</listitem>
<listitem>
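Review bot: removing the version qualifiers leaves "Firefox" and "Internet Explorer" with no version at all, which implies that every release is supported; rather than deleting the numbers, replace them with the currently supported versions or a pointer to the product's supported-configurations page, so User Guide readers can still tell which browsers the platform was tested against.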
gatein SVN: r8986 - epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity.
by do-not-reply@jboss.org
Author: smumford
Date: 2012-12-10 19:56:25 -0500 (Mon, 10 Dec 2012)
New Revision: 8986
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
Log:
Reformatted XML for easier reading...because Serna hates XML
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
===================================================================
--- epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2012-12-09 23:45:57 UTC (rev 8985)
+++ epp/docs/branches/6.0/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2012-12-11 00:56:25 UTC (rev 8986)
@@ -3,245 +3,312 @@
<!ENTITY % BOOK_ENTITIES SYSTEM "../../Reference_Guide.ent">
%BOOK_ENTITIES;
]>
-<chapter id="sect-Reference_Guide-SSO_Single_Sign_On">
- <title>Single Sign-On</title>
- <section id="sect-SSO_Single_Sign_On_-Overview">
- <title>Overview and Configuration Assumptions</title>
- <para>
-JBoss Portal Platform provides an implementation of single sign-on (<literal>SSO</literal>) as an integration and aggregation platform.
- </para>
- <para>
+ <chapter id="sect-Reference_Guide-SSO_Single_Sign_On">
+ <title>Single Sign-On</title>
+
+ <section id="sect-SSO_Single_Sign_On_-Overview">
+ <title>Overview and Configuration Assumptions</title>
+
+ <para>
+ JBoss Portal Platform provides an implementation of single sign-on (<literal>SSO</literal>) as an integration and aggregation platform.
+ </para>
+
+ <para>
When logging into the portal, users can access many systems through portlets using a single identity. In many cases, however, the portal infrastructure must be integrated with other SSO enabled systems.
- </para>
- <para>
+ </para>
+
+ <para>
There are many different Identity Management solutions available. In most cases each SSO framework provides a unique way to plug into a Java EE application.
- </para>
- <para>
+ </para>
+
+ <para>
This section will cover the implementation of four different SSO plug-ins with JBoss Portal Platform:
- </para>
- <itemizedlist>
- <listitem>
- <para>
- <xref linkend="sect-SSO_Single_Sign_On_-Central_Authentication_Service"/>
- </para>
- </listitem>
- <listitem>
- <para>
- <xref linkend="sect-Reference_Guide-SSO_Single_Sign_On_-Java_Open_Single_Sign_On_Project"/>
- </para>
- </listitem>
- <listitem>
- <para>
- <xref linkend="sect-Reference_Guide-SSO_Single_Sign_On_-OpenSSO"/>
- </para>
- </listitem>
- <listitem>
- <para>
- <xref linkend="sect-Reference_Guide-SSO_Single_Sign_On_-SPNEGO_Simple_and_Protected_GSSAPI_Negotiation_Mechanism"/>
- </para>
- </listitem>
- </itemizedlist>
- <note>
- <title>Prerequisites</title>
- <para>
- In this tutorial, the SSO server is being installed in a Tomcat environment. Tomcat can be obtained from <ulink url="http://tomcat.apache.org" type="http"> http://tomcat.apache.org </ulink> .
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ <xref linkend="sect-SSO_Single_Sign_On_-Central_Authentication_Service"/>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="sect-Reference_Guide-SSO_Single_Sign_On_-Java_Open_Single_Sign_On_Project"/>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="sect-Reference_Guide-SSO_Single_Sign_On_-OpenSSO"/>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <xref linkend="sect-Reference_Guide-SSO_Single_Sign_On_-SPNEGO_Simple_and_Protected_GSSAPI_Negotiation_Mechanism"/>
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ <note>
+ <title>Prerequisites</title>
+
+ <para>
+ In this tutorial, the SSO server is being installed in a Tomcat environment. Tomcat can be obtained from <ulink url="http://tomcat.apache.org" type="http"> http://tomcat.apache.org </ulink> .
</para>
- </note>
- <para>
+ </note>
+
+ <para>
All the packages required for SSO setup can be found in the <filename><filename>JPP_DIST</filename>/gatein-sso</filename> directory of the JBoss Portal Platform binary package.
- </para>
- <para>
+ </para>
+
+ <para>
In the following scenarios this directory will be referred to as <replaceable>PORTAL_SSO</replaceable>.
- </para>
- <warning>
- <para>
- Users are advised to not run any portal extensions that could override the data when manipulating the <filename>gatein.ear</filename> file directly.
+ </para>
+
+ <warning>
+ <para>
+ Users are advised to not run any portal extensions that could override the data when manipulating the <filename>gatein.ear</filename> file directly.
</para>
<!-- Removed in GateIn reference-guide
<para>
Remove <filename>JBOSS_HOME/server/PROFILE/deploy/gatein-sample-extension.ear</filename> and <filename>JBOSS_HOME/server/PROFILE/deploy/gatein-sample-portal.ear</filename> which are packaged by default with JBoss Enterprise Portal Platform.
- </para> --> </warning>
- </section>
- <section id="sect-SSO_Single_Sign_On_-Central_Authentication_Service">
- <title><remark>BZ#856430</remark>Central Authentication Service (CAS)</title>
- <para>The CAS single sign-on (SSO) plug-in enables seamless integration between the platform and the CAS SSO framework. General information about CAS can be found on the
- <ulink url="http://www.jasig.org/cas">Jasig website</ulink>
- .
- </para>
- <section id="sect-CAS-Authentication_Process">
- <title>Authentication Process</title>
- <para>The authentication process with CAS integration occurs in the following order:</para>
- <orderedlist>
- <listitem>
- <para>A user visits the main portal page, and wishes to authenticate. The user clicks
- <emphasis role="italics">Sign in</emphasis>. </para>
- </listitem>
- <listitem>
- <para>Normally this action would present the portal login dialog, however with SSO integration enabled, the action redirects the user to a marker URL such as
- <ulink url="http://localhost:8080/portal/sso"/>.
+ </para> -->
+ </warning>
+ </section>
+
+ <section id="sect-SSO_Single_Sign_On_-Central_Authentication_Service">
+ <title><remark>BZ#856430</remark>Central Authentication Service (CAS)</title>
+
+ <para>
+ The CAS single sign-on (SSO) plug-in enables seamless integration between the platform and the CAS SSO framework. General information about CAS can be found on the <ulink url="http://www.jasig.org/cas">Jasig website</ulink> .
+ </para>
+
+ <section id="sect-CAS-Authentication_Process">
+ <title>Authentication Process</title>
+
+ <para>
+ The authentication process with CAS integration occurs in the following order:
</para>
- <para>The portal handles this user action by calling the interceptor (Servlet filter)
- <emphasis role="strong">LoginRedirectFilter</emphasis>, which redirects the user seamlessly away from the
- <emphasis role="italics">/portal/sso</emphasis>
- URL to the CAS server page.
+
+ <orderedlist>
+ <listitem>
+ <para>
+ A user visits the main portal page, and wishes to authenticate. The user clicks <emphasis role="italics">Sign in</emphasis>.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Normally this action would present the portal login dialog, however with SSO integration enabled, the action redirects the user to a marker URL such as <ulink url="http://localhost:8080/portal/sso"/>.
+ </para>
+
+ <para>
+ The portal handles this user action by calling the interceptor (Servlet filter) <emphasis role="strong">LoginRedirectFilter</emphasis>, which redirects the user seamlessly away from the <emphasis role="italics">/portal/sso</emphasis> URL to the CAS server page.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The interceptor redirects the user to the CAS login page <ulink url="http://localhost:8888/cas/login"/> . The user enters the correct authentication information, and submits the form.
+ </para>
+
+ <para>
+ The CAS server retrieves the information from the identity store. The store could be an external database, a LDAP server, or from information obtained through an authentication plug-in such as the one shipped with JBoss Portal Platform. Refer to <xref linkend="sect-CAS_Authentication_Plug-in"/> for specific details about this technology.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Once CAS determines the user has the correct access privileges to access the portal server, CAS redirects the user back to the portal through another marker URL such as <ulink url="http://localhost:8080/portal/initiatelogin"/> .
+ </para>
+
+ <para>
+ The <emphasis role="strong">InitiateLoginFilter</emphasis> interceptor acts on the user redirection to <emphasis role="italics">/portal/initiatelogin</emphasis> by obtaining a CAS ticket attached in the HTTP request inside the <emphasis role="italics">ticket</emphasis> parameter. The interceptor then delegates validation of this ticket to a configured <emphasis role="strong">CASAgent</emphasis> component.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The <emphasis>CASAgent</emphasis> validates the ticket by sending a validation request to the CAS server through a configured back channel. The CAS server validates the request, and ensures it contains the user name of the authenticated user in step 3.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ After SSO validation, <emphasis role="italics">InitiateLoginFilter</emphasis> redirects the user to the portal login URL <ulink url="http://localhost:8080/portal/login"/> , which initiates JAAS authentication.
+ </para>
+
+ <para>
+ The <emphasis role="strong">SSOLoginModule</emphasis> detects whether the user has been successfully validated by <emphasis role="italics">CASAgent</emphasis>. If this is the case, the login module obtains data about user (groups, memberships) from <emphasis role="italics">OrganizationService</emphasis> and encapsulates the details into an <emphasis role="strong">Identity</emphasis> object.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The <emphasis role="strong">JBossAS7LoginModule</emphasis> completes the authentication request by establishing the JAAS <emphasis role="italics">Subject</emphasis>, and saves the <emphasis role="italics">Identity</emphasis> object to the <emphasis role="italics">IdentityRegistry</emphasis>. For more information about login modules, refer to <xref linkend="sect-Authentication_Authorization_Intro-Login_Modules"/>.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ After successful JAAS authentication, the user is redirected to the portal in an authenticated state.
+ </para>
+ </listitem>
+ </orderedlist>
+
+ <para>
+ For more information about the available Login Modules shipped with the product, refer to the JBoss Enterprise Application Platform <citetitle>Security Guide</citetitle>.
</para>
- </listitem>
- <listitem>
- <para>The interceptor redirects the user to the CAS login page
- <ulink url="http://localhost:8888/cas/login"/>
- . The user enters the correct authentication information, and submits the form.
-</para>
- <para>The CAS server retrieves the information from the identity store. The store could be an external database, a LDAP server, or from information obtained through an authentication plug-in such as the one shipped with JBoss Portal Platform. Refer to <xref linkend="sect-CAS_Authentication_Plug-in"/> for specific details about this technology.</para>
- </listitem>
- <listitem>
- <para> Once CAS determines the user has the correct access privileges to access the portal server, CAS redirects the user back to the portal through another marker URL such as
- <ulink url="http://localhost:8080/portal/initiatelogin"/>
- . </para>
- <para>The <emphasis role="strong">InitiateLoginFilter</emphasis>
-interceptor acts on the user redirection to
- <emphasis role="italics">/portal/initiatelogin</emphasis>
-by obtaining a CAS ticket attached in the HTTP request inside the
- <emphasis role="italics">ticket</emphasis>
-parameter. The interceptor then delegates validation of this ticket to a configured
- <emphasis role="strong">CASAgent</emphasis>
- component. </para>
- </listitem>
- <listitem>
- <para>The <emphasis>CASAgent</emphasis> validates the ticket by sending a validation request to the CAS server through a configured back channel. The CAS server validates the request, and ensures it contains the user name of the authenticated user in step 3.
+ </section>
+
+ <section id="sect-CAS-Logout_Workflow">
+ <title>Logout Process</title>
+
+ <para>
+ The logout process with CAS integration occurs in the following order:
</para>
- </listitem>
- <listitem>
- <para>
- After SSO validation,
- <emphasis role="italics">InitiateLoginFilter</emphasis>
- redirects the user to the portal login URL
- <ulink url="http://localhost:8080/portal/login"/>
- , which initiates JAAS authentication.
-</para>
- <para>The <emphasis role="strong">SSOLoginModule</emphasis> detects whether the user has been successfully validated by
- <emphasis role="italics">CASAgent</emphasis>. If this is the case, the login module obtains data about user (groups, memberships) from
- <emphasis role="italics">OrganizationService</emphasis>
- and encapsulates the details into an
- <emphasis role="strong">Identity</emphasis>
- object. </para>
- </listitem>
- <listitem>
- <para>The
- <emphasis role="strong">JBossAS7LoginModule</emphasis> completes the authentication request by establishing the JAAS
- <emphasis role="italics">Subject</emphasis>,
- and saves the
- <emphasis role="italics">Identity</emphasis>
- object to the
- <emphasis role="italics">IdentityRegistry</emphasis>. For more information about login modules, refer to <xref linkend="sect-Authentication_Authorization_Intro-Login_Modules"/>.
-</para>
- </listitem>
- <listitem>
- <para>After successful JAAS authentication, the user is redirected to the portal in an authenticated state.</para>
- </listitem>
- </orderedlist>
- <para>For more information about the available Login Modules shipped with the product, refer to the JBoss Enterprise Application Platform <citetitle>Security Guide</citetitle>. </para>
- </section>
- <section id="sect-CAS-Logout_Workflow">
- <title>Logout Process</title>
- <para>The logout process with CAS integration occurs in the following order:</para>
- <orderedlist>
- <listitem>
- <para>The authenticated user clicks the
- <emphasis role="italics">Sign out</emphasis>
- link.
+
+ <orderedlist>
+ <listitem>
+ <para>
+ The authenticated user clicks the <emphasis role="italics">Sign out</emphasis> link.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The <emphasis role="strong">CASLogoutFilter</emphasis> interceptor recognizes the logout request, and redirects the user to the CAS logout page <ulink url="http://localhost:8888/cas/logout"/> .
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The CAS server logs out the user, and invalidate the CAS cookie <emphasis role="italics">CASTGC</emphasis> .
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ CAS redirects the user back to the portal using the logout redirection configured in <xref linkend="sect-CAS_Logout_Redirection"/> .
+ </para>
+
+ <para>
+ If the <emphasis role="italics">CASLogoutFilter</emphasis> is enabled, the user is logged out from both the portal and CAS server.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The logout redirection request completes the logout process on the CAS server's side, and the user is redirected to the portal's anonymous page.
+ </para>
+ </listitem>
+ </orderedlist>
+ </section>
+
+ <section id="sect-CAS-Configuration_Overview">
+ <title>CAS Configuration Overview</title>
+
+ <para>
+ For scope purposes, the setup instructions assume the following configuration outcomes:
</para>
- </listitem>
- <listitem>
- <para>The
- <emphasis role="strong">CASLogoutFilter</emphasis>
-interceptor recognizes the logout request, and redirects the user to the CAS logout page
- <ulink url="http://localhost:8888/cas/logout"/>
-. </para>
- </listitem>
- <listitem>
- <para>The
- CAS server logs out the user, and invalidate the CAS cookie
- <emphasis role="italics">CASTGC</emphasis> . </para>
- </listitem>
- <listitem>
- <para>CAS redirects the user back to the portal using the logout redirection configured in <xref linkend="sect-CAS_Logout_Redirection"/> .
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ The CAS 3.5 is downloaded, and required changes are made to authentication plug-in, logout redirection, and CASTGC cookie configuration.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Once configured, Apache Maven is used to create the custom CAS web archive, suitable for deployment.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The WAR is deployed to the Apache Tomcat server, which acts as the host for the CAS.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Apache Tomcat is configured to listen on <emphasis role="italics">localhost:8888</emphasis>.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ JBoss Portal Platform is configured to listen on <emphasis role="italics">localhost:8080</emphasis>.
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ <section id="sect-CAS-Download_CAS">
+ <title><remark>BZ#856430 </remark>Download CAS</title>
+
+ <para>
+ CAS can be downloaded from <ulink url="http://www.jasig.org/cas/download"/> . The supported version is <emphasis role="italics">CAS 3.5</emphasis> . More recent CAS versions may also work, however have not been officially tested as part of this specific configuration exercise.
+ </para>
+ <remark>Docs Note - jmorgan - Marek, I originally incorrectly specified that an admin should extract the CAS source binary into the Tomcat server. It's my fault, because I didn't realise that you need to configure CAS first, *then* build the WAR, and finally deploy to Tomcat. The following sentence makes this much clearer now.</remark>
+ <para>
+ Extract the downloaded file into a suitable working directory. This location will be referred to as <code>CAS_DIR</code> in subsequent configuration instructions.
+ </para>
+ </section>
+ </section>
+
+ <section id="sect-CAS-Modifying_CAS_Server">
+ <title>Modifying the CAS server</title>
+
+ <para>
+ To configure the CAS server correctly, the most effective way is to make the necessary changes directly in the CAS code base. Follow the instructions in the sections below to make the required changes to the CAS code base, before using Maven to build the CAS web archive.
</para>
- <para>If the <emphasis role="italics">CASLogoutFilter</emphasis>
- is enabled, the user is logged out from both the portal and CAS server.
- </para>
- </listitem>
- <listitem>
- <para>
-The logout redirection request completes the logout process on the CAS server's side, and the user is redirected to the portal's anonymous page. </para>
- </listitem>
- </orderedlist>
- </section>
- <section id="sect-CAS-Configuration_Overview">
- <title>CAS Configuration Overview</title>
- <para>For scope purposes, the setup instructions assume the following configuration outcomes: </para>
- <itemizedlist>
- <listitem>
- <para>The CAS 3.5 is downloaded, and required changes are made to authentication plug-in, logout redirection, and CASTGC cookie configuration. </para>
- </listitem>
- <listitem>
- <para>Once configured, Apache Maven is used to create the custom CAS web archive, suitable for deployment.</para>
- </listitem>
- <listitem>
- <para>The WAR is deployed to the Apache Tomcat server, which acts as the host for the CAS.</para>
- </listitem>
- <listitem>
- <para>Apache Tomcat is configured to listen on <emphasis role="italics">localhost:8888</emphasis>.</para>
- </listitem>
- <listitem>
- <para>JBoss Portal Platform is configured to listen on
- <emphasis role="italics">localhost:8080</emphasis>.</para>
- </listitem>
- </itemizedlist>
- <section id="sect-CAS-Download_CAS">
- <title><remark>BZ#856430 </remark>Download CAS</title>
- <para>
- CAS can be downloaded from
- <ulink url="http://www.jasig.org/cas/download"/>
- . The supported version is
- <emphasis role="italics">CAS 3.5</emphasis>
- . More recent CAS versions may also work, however have not been officially tested as part of this specific configuration exercise.
- </para>
- <remark>Docs Note - jmorgan - Marek, I originally incorrectly specified that an admin should extract the CAS source binary into the Tomcat server. It's my fault, because I didn't realise that you need to configure CAS first, *then* build the WAR, and finally deploy to Tomcat. The following sentence makes this much clearer now.</remark>
- <para>
- Extract the downloaded file into a suitable working directory. This location will be referred to as
- <code>CAS_DIR</code>
- in subsequent configuration instructions.
- </para>
- </section>
- </section>
- <section id="sect-CAS-Modifying_CAS_Server">
- <title>Modifying the CAS server</title>
- <para>To configure the CAS server correctly, the most effective way is to make the necessary changes directly in the CAS code base. Follow the instructions in the sections below to make the required changes to the CAS code base, before using Maven to build the CAS web archive.</para>
- <section id="sect-CAS_Authentication_Plug-in">
- <title>Authentication Plug-in </title>
- <para>While it is possible (and perfectly acceptable) for an administrator to configure CAS to retrieve user credentials from an external database, or from a LDAP server, it is also possible to use JBoss technology. </para>
- <para>CAS can be configured to make secure authentication callbacks to a RESTful service installed on the remote portal instance using the supplied CAS <literal>AuthenticationPlugin</literal>. </para>
- <para>Implementing the <literal>AuthenticationPlugin</literal> on the CAS server has the advantage of leveraging a single identity storage for portal user, group and role data. If a new user is added using the portal user management interface, the user information is instantly accessible to the CAS server through the technology implemented by the <literal>AuthenticationPlugin</literal>. </para>
- <para>The plug-in verifies user credentials by connecting to an existing portal instance using REST over the HTTP protocol. The portal serves a REST authentication callback request, and verifies the user identity against the portal's own identity storage provided by the PicketLink IDM
- <emphasis role="italics">OrganizationService</emphasis>. The <literal>AuthenticationPlugin</literal> receives the portal's response to the CAS server, and continues with the authentication process based on user data in the response.
-</para>
- <para>For the plug-in to function correctly, it must be properly configured on the CAS server to connect to this service. Set up the server to authenticate against the portal using the REST call-back.</para>
- <procedure>
- <title>Configuring the Authentication plug-in</title>
- <step>
- <para>
- Open
- <code>CAS_DIR/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml</code>
- .
- </para>
- </step>
- <step>
- <para>Replace the default configuration, which declares the Jasig <classname>SimpleTestUsernamePasswordAuthenticationHandler</classname> Authentication Handler with the following supported Authentication Handler. </para>
- <note>
- <para>This configuration is available in the
- <code><replaceable>PORTAL_SSO</replaceable>/cas.war/WEB-INF/deployerConfigContext.xml</code>. If you choose to take this configuration file, ensure the default host, port and context parameters are adjusted to match the values corresponding to the remote portal instance. </para>
- </note>
- <programlisting>
+
+ <section id="sect-CAS_Authentication_Plug-in">
+ <title>Authentication Plug-in</title>
+
+ <para>
+ While it is possible (and perfectly acceptable) for an administrator to configure CAS to retrieve user credentials from an external database, or from a LDAP server, it is also possible to use JBoss technology.
+ </para>
+
+ <para>
+ CAS can be configured to make secure authentication callbacks to a RESTful service installed on the remote portal instance using the supplied CAS <literal>AuthenticationPlugin</literal>.
+ </para>
+
+ <para>
+ Implementing the <literal>AuthenticationPlugin</literal> on the CAS server has the advantage of leveraging a single identity storage for portal user, group and role data. If a new user is added using the portal user management interface, the user information is instantly accessible to the CAS server through the technology implemented by the <literal>AuthenticationPlugin</literal>.
+ </para>
+
+ <para>
+ The plug-in verifies user credentials by connecting to an existing portal instance using REST over the HTTP protocol. The portal serves a REST authentication callback request, and verifies the user identity against the portal's own identity storage provided by the PicketLink IDM <emphasis role="italics">OrganizationService</emphasis>. The <literal>AuthenticationPlugin</literal> receives the portal's response to the CAS server, and continues with the authentication process based on user data in the response.
+ </para>
+
+ <para>
+ For the plug-in to function correctly, it must be properly configured on the CAS server to connect to this service. Set up the server to authenticate against the portal using the REST call-back.
+ </para>
+
+ <procedure>
+ <title>Configuring the Authentication plug-in</title>
+
+ <step>
+ <para>
+ Open <code>CAS_DIR/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml</code> .
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Replace the default configuration, which declares the Jasig <classname>SimpleTestUsernamePasswordAuthenticationHandler</classname> Authentication Handler with the following supported Authentication Handler.
+ </para>
+
+ <note>
+ <para>
+ This configuration is available in the <code><replaceable>PORTAL_SSO</replaceable>/cas.war/WEB-INF/deployerConfigContext.xml</code>. If you choose to take this configuration file, ensure the default host, port and context parameters are adjusted to match the values corresponding to the remote portal instance.
+ </para>
+ </note>
+<programlisting>
<!--
XML comment used for configuration guidance removed for ease of readability+-->
<bean class="org.gatein.sso.cas.plugin.AuthenticationPlugin">
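Review bot: the re-wrapped lines carry the draft-only `<remark>` editorial notes over unchanged instead of resolving them: `<remark>BZ#856430</remark>` stays in the "Central Authentication Service (CAS)" and "Download CAS" titles, and the `Docs Note - jmorgan - Marek, I originally incorrectly specified ...` remark is still sitting between the two paragraphs of the Download CAS section. Since every change in this hunk, from the `PORTAL_SSO` paragraph down to the opening of the `AuthenticationPlugin` programlisting, is line wrapping and indentation with no wording change, those remarks will keep rendering in draft builds and these lines will have to be touched again; suggest dropping the remarks now while the lines are already being rewritten, or committing the reflow on its own so any later wording diff in this section stays reviewable. While here, the re-wrap also preserves the stray space before the period after each `<ulink>`, e.g. `Jasig website</ulink> .` and `<ulink url="http://localhost:8888/cas/login"/> .`, which renders as "website ." in the output; removing that space in the same pass would be cheap.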
@@ -252,122 +319,189 @@
<property name="httpMethod"><value>POST</value></property>
</bean>
</programlisting>
- </step>
- <step>
- <para>
- Copy all jars from
- <code>PORTAL_SSO/cas/plugin/WEB-INF/lib/ </code>to the
- <code>CAS_DIR/cas-server-webapp/src/main/webapp/WEB-INF/lib</code> directory.
- </para>
- </step>
- </procedure>
- </section>
- <section id="sect-CAS_Logout_Redirection">
- <title>Logout redirection setup</title>
- <para>The CAS server displays the CAS logout page with a link to return to the portal by default. To make the CAS server redirect to the portal page after a logout, modify
- <code>CAS_DIR/cas-server-webapp/src/main/webapp/</code>
- <code>WEB-INF/cas-servlet.xml</code>
- to include the
- <code>followServiceRedirects="true"</code>
- parameter:
- </para>
- <programlisting language=""><bean id="logoutController" class="org.jasig.cas.web.LogoutController"
+ </step>
+
+ <step>
+ <para>
+ Copy all jars from <code>PORTAL_SSO/cas/plugin/WEB-INF/lib/ </code>to the <code>CAS_DIR/cas-server-webapp/src/main/webapp/WEB-INF/lib</code> directory.
+ </para>
+ </step>
+ </procedure>
+ </section>
+
+ <section id="sect-CAS_Logout_Redirection">
+ <title>Logout redirection setup</title>
+
+ <para>
+ The CAS server displays the CAS logout page with a link to return to the portal by default. To make the CAS server redirect to the portal page after a logout, modify <code>CAS_DIR/cas-server-webapp/src/main/webapp/</code> <code>WEB-INF/cas-servlet.xml</code> to include the <code>followServiceRedirects="true"</code> parameter:
+ </para>
+<programlisting language=""><bean id="logoutController" class="org.jasig.cas.web.LogoutController"
p:centralAuthenticationService-ref="centralAuthenticationService"
p:logoutView="casLogoutView"
p:warnCookieGenerator-ref="warnCookieGenerator"
p:ticketGrantingTicketCookieGenerator-ref="ticketGrantingTicketCookieGenerator"
p:followServiceRedirects="true"/>
</programlisting>
- </section>
- <section id="sect-CAS_SSO_Cookie_Configuration">
- <title>CAS SSO cookie configuration (CASTGC)</title>
- <para>Jasic CAS uses a cookie named <firstterm>CAS Ticket Granting Cookie</firstterm>
- (CASTGC)
-to control the authentication state within the browser session. The cookie contains a Ticket Granting Ticket (TGT), which preserves SSO authentication where more than one site is controlled by the same SSO profile. </para>
- <example id="exam-CASTGC_Authentication">
- <title>Basic CASTGC Portal Authentication Scenario </title>
- <para>Two portal servers are provisioned that use a single CAS server to manage authentication. The portals are named <literal>accounts</literal> and <literal>services</literal>.</para>
- <para>When a user initially accesses the <literal>accounts</literal> portal, they provide their SSO credentials, and CAS authenticates them as a registered user. The user then switches to the <literal>services</literal> portal, and is authenticated when she clicks the Sign in link. </para>
- <para>This behavior is correct given this example because the browser instance stores the browser authentication state using the CASTCG cookie. The CASTCG cookie in this instance creates new ticket for the <literal>services</literal> portal automatically based on the authentication state present for the accounts portal.
- </para>
- </example>
- <para>The behavior described in <xref linkend="exam-CASTGC_Authentication"/>exists through a secured connection only (https connection). To benefit from authentication across two or more portals, one of the options below must be implemented. Choose the correct option based on the deployment environment: </para>
- <variablelist>
- <varlistentry>
- <term>Testing</term>
- <listitem>
- <para>Alter the CASTGC cookie to be non-secure. </para>
- <para>The cookie can be accessed through http (insecure) connections. </para>
- <para>To configure this test behavior, open
- <code>CAS_DIR/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml</code>
- and switch the attribute
- <code>cookieSecure</code>
- to false. </para>
- <programlisting><bean id="ticketGrantingTicketCookieGenerator"
+ </section>
+
+ <section id="sect-CAS_SSO_Cookie_Configuration">
+ <title>CAS SSO cookie configuration (CASTGC)</title>
+
+ <para>
+ Jasic CAS uses a cookie named
+ <firstterm>
+ CAS Ticket Granting Cookie
+ </firstterm>
+ (CASTGC) to control the authentication state within the browser session. The cookie contains a Ticket Granting Ticket (TGT), which preserves SSO authentication where more than one site is controlled by the same SSO profile.
+ </para>
+
+ <example id="exam-CASTGC_Authentication">
+ <title>Basic CASTGC Portal Authentication Scenario</title>
+
+ <para>
+ Two portal servers are provisioned that use a single CAS server to manage authentication. The portals are named <literal>accounts</literal> and <literal>services</literal>.
+ </para>
+
+ <para>
+ When a user initially accesses the <literal>accounts</literal> portal, they provide their SSO credentials, and CAS authenticates them as a registered user. The user then switches to the <literal>services</literal> portal, and is authenticated when she clicks the Sign in link.
+ </para>
+
+ <para>
+ This behavior is correct given this example because the browser instance stores the browser authentication state using the CASTCG cookie. The CASTCG cookie in this instance creates new ticket for the <literal>services</literal> portal automatically based on the authentication state present for the accounts portal.
+ </para>
+ </example>
+
+ <para>
+ The behavior described in <xref linkend="exam-CASTGC_Authentication"/>exists through a secured connection only (https connection). To benefit from authentication across two or more portals, one of the options below must be implemented. Choose the correct option based on the deployment environment:
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>Testing</term>
+
+ <listitem>
+ <para>
+ Alter the CASTGC cookie to be non-secure.
+ </para>
+
+ <para>
+ The cookie can be accessed through http (insecure) connections.
+ </para>
+
+ <para>
+ To configure this test behavior, open <code>CAS_DIR/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml</code> and switch the attribute <code>cookieSecure</code> to false.
+ </para>
+<programlisting><bean id="ticketGrantingTicketCookieGenerator"
p:cookieSecure="false"
p:cookieMaxAge="-1"
p:cookieName="CASTGC"
p:cookiePath="/cas" /></programlisting>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>Production</term>
- <listitem>
- <para>Correctly implement the https protocol for all production servers that rely on CAS. This configuration is the recommended method for any production server, and ensures greater security for CAS connections. Refer to the Jasig documentation about securing CAS <ulink url="https://wiki.jasig.org/display/CASUM/Securing+Your+New+CAS+Server "/> for information and resources.</para>
- </listitem>
- </varlistentry>
- </variablelist>
- </section>
- </section>
- <section id="sect-CAS-Install_Tomcat_Server">
- <title>Install Apache Tomcat Server</title>
- <para>Install and configure Apache Tomcat 7, which provides the host server for the CAS server. </para>
- <para>File name abbreviations in this section are described in <xref linkend="sect-File_Name_Conventions"/></para>
- <procedure>
- <title>Configuring Apache Tomcat for CAS</title>
- <step>
- <para>Visit <ulink url="http://tomcat.apache.org/download-70.cgi"/> and download the Tomcat 7 binary distribution.</para>
- </step>
- <step>
- <para>Extract and install the binary on the server that is required to host CAS. This directory is now referred to as <replaceable>TOMCAT_DIST</replaceable>.</para>
- </step>
- <step>
- <para>Edit <filename>TOMCAT_DIST/conf/server.xml</filename> and change port 8080 to 8888 to avoid a conflict with the default JBoss Portal Platform listen port.</para>
- <remark>BZ#856430 - jmorgan - Added the new ports from the Confluence SSO Server Setup section</remark>
- <important>
- <para>If the Apache Tomcat server is installed on the same machine as JBoss Portal Platform, ensure other listen ports common to both servers are changed to prevent configuration issues. For example, change the Tomcat admin port from 8005 to 8805, and the Tomcat AJP port from 8009 to 8809.</para>
- </important>
- </step>
- <step>
- <para>Ensure all Apache Tomcat ports are open in the server firewall, and the service is enabled and running so the platform can communicate with Apache Tomcat on the same server.
-</para>
- </step>
- </procedure>
- </section>
- <section id="sect-CAS-Modifying_the_Portal">
- <title>Modifying the Portal</title>
- <para>Before building and deploying the Jasig CAS sever, configuration needs to be implemented on the JBoss Portal Platform server to prepare the portal for CAS integration.</para>
- <section id="sect-CAS_Portal_SSO_Primary_Configuration_File">
- <title>Portal SSO Primary Configuration File</title>
- <para>
- The main portal configuration file for SSO integration is
- <code>JPP_SERVER/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/security-sso-configuration.xml</code>
- . All required SSO components such as agents and SSO interceptors (servlet filters in v5.x of the product) are configured in this file. </para>
- <para>In most cases, it will never be necessary to edit <filename>security-sso-configuration.xml</filename> directly when using JBoss Portal Platform. The portal architecture allows users to override the base configuration described in this file using name/value pairs configured in one place: <filename>JPP_SERVER/standalone/configuration/gatein/configuration.properties</filename></para>
- <para>The exception to this rule is where configuration present in <filename>security-sso-configuration.xml</filename> is fundamentally unsuitable for the production environment the server will be deployed to, or when additional underlying functionality is required (for example, another custom interceptor). </para>
- </section>
- <section id="sect-CAS_Configuring_the_Platform">
- <title>Portal configuration.properties for CAS SSO</title>
- <para>To prepare the portal platform for CAS authentication, SSO filters and login modules need to be specified in global configuration files. The location of the CAS server, as configured in a locally-running Apache Tomcat server, also needs to be specified.
-</para>
- <procedure>
- <title>Configuring SSO configuration.properties for CAS</title>
- <step>
- <para>Open <filename>JPP_SERVER/standalone/configuration/gatein/configuration.properties</filename> and locate the SSO sections in the file.</para>
- </step>
- <step>
- <para>Make the following changes to the file to declare the correct login module, server and portal URLs, and the logout filter.</para>
- <programlisting>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Production</term>
+
+ <listitem>
+ <para>
+ Correctly implement the https protocol for all production servers that rely on CAS. This configuration is the recommended method for any production server, and ensures greater security for CAS connections. Refer to the Jasig documentation about securing CAS <ulink url="https://wiki.jasig.org/display/CASUM/Securing+Your+New+CAS+Server "/> for information and resources.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </section>
+ </section>
+
+ <section id="sect-CAS-Install_Tomcat_Server">
+ <title>Install Apache Tomcat Server</title>
+
+ <para>
+ Install and configure Apache Tomcat 7, which provides the host server for the CAS server.
+ </para>
+
+ <para>
+ File name abbreviations in this section are described in <xref linkend="sect-File_Name_Conventions"/>
+ </para>
+
+ <procedure>
+ <title>Configuring Apache Tomcat for CAS</title>
+
+ <step>
+ <para>
+ Visit <ulink url="http://tomcat.apache.org/download-70.cgi"/> and download the Tomcat 7 binary distribution.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Extract and install the binary on the server that is required to host CAS. This directory is now referred to as <replaceable>TOMCAT_DIST</replaceable>.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Edit <filename>TOMCAT_DIST/conf/server.xml</filename> and change port 8080 to 8888 to avoid a conflict with the default JBoss Portal Platform listen port.
+ </para>
+ <remark>BZ#856430 - jmorgan - Added the new ports from the Confluence SSO Server Setup section</remark>
+ <important>
+ <para>
+ If the Apache Tomcat server is installed on the same machine as JBoss Portal Platform, ensure other listen ports common to both servers are changed to prevent configuration issues. For example, change the Tomcat admin port from 8005 to 8805, and the Tomcat AJP port from 8009 to 8809.
+ </para>
+ </important>
+ </step>
+
+ <step>
+ <para>
+ Ensure all Apache Tomcat ports are open in the server firewall, and the service is enabled and running so the platform can communicate with Apache Tomcat on the same server.
+ </para>
+ </step>
+ </procedure>
+ </section>
+
+ <section id="sect-CAS-Modifying_the_Portal">
+ <title>Modifying the Portal</title>
+
+ <para>
+ Before building and deploying the Jasig CAS sever, configuration needs to be implemented on the JBoss Portal Platform server to prepare the portal for CAS integration.
+ </para>
+
+ <section id="sect-CAS_Portal_SSO_Primary_Configuration_File">
+ <title>Portal SSO Primary Configuration File</title>
+
+ <para>
+ The main portal configuration file for SSO integration is <code>JPP_SERVER/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/security-sso-configuration.xml</code> . All required SSO components such as agents and SSO interceptors (servlet filters in v5.x of the product) are configured in this file.
+ </para>
+
+ <para>
+ In most cases, it will never be necessary to edit <filename>security-sso-configuration.xml</filename> directly when using JBoss Portal Platform. The portal architecture allows users to override the base configuration described in this file using name/value pairs configured in one place: <filename>JPP_SERVER/standalone/configuration/gatein/configuration.properties</filename>
+ </para>
+
+ <para>
+ The exception to this rule is where configuration present in <filename>security-sso-configuration.xml</filename> is fundamentally unsuitable for the production environment the server will be deployed to, or when additional underlying functionality is required (for example, another custom interceptor).
+ </para>
+ </section>
+
+ <section id="sect-CAS_Configuring_the_Platform">
+ <title>Portal configuration.properties for CAS SSO</title>
+
+ <para>
+ To prepare the portal platform for CAS authentication, SSO filters and login modules need to be specified in global configuration files. The location of the CAS server, as configured in a locally-running Apache Tomcat server, also needs to be specified.
+ </para>
+
+ <procedure>
+ <title>Configuring SSO configuration.properties for CAS</title>
+
+ <step>
+ <para>
+ Open <filename>JPP_SERVER/standalone/configuration/gatein/configuration.properties</filename> and locate the SSO sections in the file.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Make the following changes to the file to declare the correct login module, server and portal URLs, and the logout filter.
+ </para>
+<programlisting>
# SSO
gatein.sso.enabled=true
gatein.sso.callback.enabled=${gatein.sso.enabled}
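Review bot: the last step of "Configuring Apache Tomcat for CAS" tells the reader to "Ensure all Apache Tomcat ports are open in the server firewall", which over-exposes the CAS host. Only the HTTP/HTTPS connector that browsers and the portal must reach (8888 in this example) needs to be reachable from outside; the shutdown port (8805 after the rename) and the AJP connector (8809) carry no authentication, and the shutdown port stops the server on a single command, so they should stay bound to localhost or closed. Suggest rewording to "open the Tomcat HTTP/HTTPS connector port (8888) in the firewall; leave the shutdown and AJP ports restricted to localhost". Two smaller points in the same hunk: the Jasig link has a trailing space inside the attribute (`url="https://wiki.jasig.org/display/CASUM/Securing+Your+New+CAS+Server "`), which renders as a broken link, and the `<remark>BZ#856430 - jmorgan - ...</remark>` elements are editorial notes that will appear in the published guide unless they are stripped or conditioned out before release.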
@@ -379,497 +513,649 @@
gatein.sso.filter.logout.url=${gatein.sso.server.url}/logout
gatein.sso.filter.login.sso.url=${gatein.sso.server.url}/login?service=${gatein.sso.portal.url}/@@[portal.container.name]@(a)/initiatessologin
</programlisting>
- </step>
- </procedure>
- <variablelist>
- <varlistentry>
- <term>gatein.sso.enabled</term>
- <listitem>
- <para>Specifies whether SSO integration is enabled on the portal. With this option set to "true" when a user clicks the
- <emphasis role="italics">Sign in</emphasis>
- link, the user is redirected to the
- <emphasis role="italics">/portal/sso</emphasis>
- URL rather than a standard Sign in dialog.
+ </step>
+ </procedure>
+
+ <variablelist>
+ <varlistentry>
+ <term>gatein.sso.enabled</term>
+
+ <listitem>
+ <para>
+ Specifies whether SSO integration is enabled on the portal. With this option set to "true" when a user clicks the <emphasis role="italics">Sign in</emphasis> link, the user is redirected to the <emphasis role="italics">/portal/sso</emphasis> URL rather than a standard Sign in dialog.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>gatein.sso.callback.enabled</term>
+
+ <listitem>
+ <para>
+ Specifies whether the REST callback authentication handler is enabled.
+ </para>
+
+ <para>
+ The handler is required if the CAS server must use the SSO Authentication plug-in to handle portal authentication. See <xref linkend="sect-CAS_Logout_Redirection"/> for details. The callback handler is enabled by default. Set the parameter to false if the Authentication Plugin on the CAS server side is not required.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>gatein.sso.login.module.enabled</term>
+
+ <listitem>
+ <para>
+ Specifies whether a pre-defined SSO login module declared in <filename> JPP_SERVER/standalone/configuration/standalone.xml</filename> is used for authentication. When the property is set to "true", the SSODelegateLoginModule delegates work to another login module, as specified using the <property>gatein.sso.login.module.class</property> property. SSODelegateLoginModule will also resend all its options to its delegate.
+ </para>
+
+ <para>
+ This parameter removes the need to manually change any login module configuration in the standalone.xml file, which simplifies platform configuration.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>gatein.sso.login.module.class</term>
+
+ <listitem>
+ <para>
+ Specifies the classname of the login module SSODelegateLoginModule will delegate to. This parameter will work only if gatein.sso.login.module.enabled is specified.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>gatein.sso.server.url</term>
+
+ <listitem>
+ <para>
+ Specifies the URL from which the CAS server is accessible.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>gatein.sso.portal.url</term>
+
+ <listitem>
+ <para>
+ Specifies the URL from which the JBoss Portal Platform is accessible.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>gatein.sso.filter.logout.class</term>
+
+ <listitem>
+ <para>
+ Specifies the class of the logout filter. In the example above <code>org.gatein.sso.agent.filter.CASLogoutFilter</code> is the correct choice because this filter is able to redirect to the CAS server and perform logout on CAS side.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>gatein.sso.filter.logout.url</term>
+
+ <listitem>
+ <para>
+ Specifies the CAS server logout URL, which is used for redirection by the logout filter
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>gatein.sso.filter.logout.enabled</term>
+
+ <listitem>
+ <para>
+ Optional parameter, which specifies whether the logout interceptor is enabled. To disable logout on CAS side, set the parameter value to " false" . This results in both options <code>gatein.sso.filter.logout.class</code> and <code>gatein.sso.filter.logout.url</code> are ignored
+ </para>
+
+ <para>
+ When a user logs out of the portal, the CAS authentication ticket is still valid for other CAS authenticated sites.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>gatein.sso.filter.login.sso.url</term>
+
+ <listitem>
+ <para>
+ Specifies the CAS server login URL, which is used by LoginRedirectFilter for redirection to the CAS server login page.
+ </para>
+ <remark>Docs Note - jmorgan - added this note about the p.c.n variable, and that it *shouldn't* be substituted for a hard-coded variable name.</remark>
+ <note>
+ <para>
+ The string <literal>@@portal.container.name(a)@ </literal>is dynamically replaced when the URL is interpreted by the platform's SSO Component. It is recommended that this string is used over hard-coding the name of the portal for future maintenance and ease of configuration changes.
+ </para>
+ </note>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </section>
+ </section>
+
+ <section>
+ <title><remark>BZ#856430 </remark>Build and Deploy the CAS</title>
+ <remark>BZ#856430 - jmorgan - This is a new sections which captures the final step an admin needs to do to bring all the cofiguration together.</remark>
+ <para>
+ Jasig CAS uses Apache Maven to build the <filename>cas.war</filename> file. Follow the instructions to produce this file, and deploy it to the Apache Tomcat server.
</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>gatein.sso.callback.enabled</term>
- <listitem>
- <para>
-Specifies whether the REST callback authentication handler is enabled. </para>
- <para>The handler is required if the CAS server must use the SSO Authentication plug-in to handle portal authentication. See <xref linkend="sect-CAS_Logout_Redirection"/>
-for details. The callback handler is enabled by default. Set the parameter to false if the Authentication Plugin on the CAS server side is not required.
+
+ <procedure>
+ <title>Building CAS, and Deploying to Tomcat</title>
+
+ <step>
+ <para>
+ Install Maven by following the recommendations and links in the <ulink url="https://wiki.jasig.org/display/CASUM/Building+and+Deploying">Building and Deploying section</ulink> of the Jasig CAS user documentation.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ In a terminal, navigate to <filename>CAS_DIR/cas-server-webapp/</filename>, and run <command>mvn install</command>.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Copy <filename>CAS_DIR/cas-server-webapp/target/cas.war</filename> to <filename>TOMCAT_DIST/webapps</filename>.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Tomcat should be running by default, if the process has been followed up to this step. Start JBoss Portal Platform, and verify the server is running by opening <ulink url="http://localhost:8080/"/>.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Open <ulink url="http://localhost:8888/cas"/> to verify the CAS server has correctly deployed to Tomcat. If the link does not open the CAS login page, restart Apache Tomcat and try again.
+ </para>
+ </step>
+ </procedure>
+ <remark>BZ#856430 - jmorgan - Added this "wrap up" statement that should describe what customers are able to do after following the procedure.</remark>
+ <para>
+ The CAS server is now deployed to Tomcat, and the portal will now redirect users to the CAS login page when they click on the Sign In link.
</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>gatein.sso.login.module.enabled</term>
- <listitem>
- <para>Specifies whether a pre-defined SSO login module declared in <filename> JPP_SERVER/standalone/configuration/standalone.xml</filename> is used for authentication. When the property is set to "true", the SSODelegateLoginModule delegates work to another login module, as specified using the <property>gatein.sso.login.module.class</property> property. SSODelegateLoginModule will also resend all its options to its delegate.</para>
- <para>This parameter removes the need to manually change any login module configuration in the standalone.xml file, which simplifies platform configuration. </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>gatein.sso.login.module.class</term>
- <listitem>
- <para>Specifies the classname of the login module SSODelegateLoginModule will delegate to. This parameter will work only if gatein.sso.login.module.enabled is specified.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>gatein.sso.server.url</term>
- <listitem>
- <para>
- Specifies the URL from which the CAS server is accessible. </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>gatein.sso.portal.url</term>
- <listitem>
- <para>
- Specifies the URL from which the JBoss Portal Platform is accessible.
+ </section>
+ </section>
+
+ <section id="sect-Reference_Guide-SSO_Single_Sign_On_-Java_Open_Single_Sign_On_Project">
+ <title>Java Open Single Sign-On Project</title>
+
+ <para>
+ Configuring JOSSO for JBoss Enterprise Application Platform requires an Apache server instance to host JOSSO. JBoss Enterprise Application Platform communicates with the JOSSO Apache instance through the single sign-on plug-in.
+ </para>
+
+ <para>
+ This single sign-on plug-in enables seamless integration between JBoss Portal Platform and the Java Open Single Sign-On (JOSSO) framework. Details about JOSSO can be found at <ulink url="http://www.josso.org"/> .
+ </para>
+
+ <para>
+ The procedures in this section detail setting up the JOSSO server to authenticate against the JBoss Portal Platform login module.
+ </para>
+
+ <para>
+ After completing all procedures in this section, all links redirecting to the user authentication pages will redirect to the JOSSO centralized authentication form.
+ </para>
+
+ <procedure id="proc-Reference_Guide-Java_Open_Single_Sign_On_Project-JOSSO_server">
+ <title>Download and extract JOSSO server</title>
+
+ <step>
+ <para>
+ Download an embedded Apache JOSSO version from <ulink url="http://sourceforge.net/projects/josso/files/JOSSO/" type="http"> http://sourceforge.net/projects/josso/files/ </ulink> .
+ </para>
+
+ <note>
+ <para>
+ Integration with JOSSO versions between 1.8.1 to 1.8.4 is supported. Versions other than these do not offer an embedded Apache instance.
+ </para>
+
+ <para>
+ The JOSSO version is referred to as <replaceable>josso-18X</replaceable> in all procedures within this section.
+ </para>
+ </note>
+ </step>
+
+ <step>
+ <para>
+ Extract the package to an appropriate directory. This location is referred to as <filename>JOSSO_HOME</filename> in this example.
+ </para>
+ </step>
+ </procedure>
+
+ <procedure id="proc-Reference_Guide-Java_Open_Single_Sign_On_Project-Modifying_JOSSO_server">
+ <title>Configure the JOSSO server</title>
+
+ <step>
+ <para>
+ Copy the specified files from <filename>PORTAL_SSO/josso/<replaceable>josso-18X</replaceable>/plugin</filename>
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ josso-gateway-config.xml
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ josso-gateway-gatein-stores.xml
+ </para>
+ </listitem>
+ </itemizedlist>
+ </step>
+
+ <step>
+ <para>
+ Paste the files into the <filename><replaceable>JOSSO_HOME</replaceable>/webapps/josso/WEB-INF/lib</filename> directory.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Copy <filename>PORTAL_SSO/josso/<replaceable>josso-18X</replaceable>/plugin/gatein.properties</filename> to the <filename><replaceable>JOSSO_HOME</replaceable>/webapps/josso/WEB-INF/classes/</filename> directory
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Edit the <filename>JOSSO_HOME/conf/server.xml</filename> file and change all ports from 8080 to 8888. This port change prevents a conflict with the default JBoss Portal Platform port.
+ <note>
+ <title>Port Conflicts</title>
+
+ <para>
+ If JBoss Portal Platform is running on the same machine as Apache, other ports need to be changed in addition to 8080 in order to avoid port conflicts. They can be changed to any free port. For example, you can change the <literal>admin</literal> port from 8005 to 8805, and the <literal>AJP</literal> port from 8009 to 8809.
+ </para>
+ </note>
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Follow the steps in <xref linkend="proc-Reference_Guide-Java_Open_Single_Sign_On_Project-Setup_the_JOSSO_client"/> to configure the JOSSO Client.
+ </para>
+ </step>
+ </procedure>
+
+ <procedure id="proc-Reference_Guide-Java_Open_Single_Sign_On_Project-Setup_the_JOSSO_client">
+ <title>Configure the JOSSO client</title>
+
+ <note>
+ <para>
+ There are some changes in JOSSO agent API between versions 1.8.1 and 1.8.2, which require different modules for different JOSSO versions. This procedure uses <replaceable>josso-18X</replaceable> to substitute the directory <filename>josso-181</filename>, or josso-182 or newer.
+ </para>
+ </note>
+
+ <step>
+ <para>
+ Copy the library files from <filename><replaceable>PORTAL_SSO</replaceable>/josso/<replaceable>josso-18X</replaceable>/gatein.ear/lib</filename> into <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/lib</filename>.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Copy <filename><replaceable>PORTAL_SSO</replaceable>/josso/<replaceable>josso-18X</replaceable>/gatein.ear/portal.war/WEB-INF/classes/josso-agent-config.xml</filename> and paste the file into the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/02portal.war/WEB-INF/classes</filename> directory.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Edit <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/META-INF/gatein-jboss-beans.xml</filename> and uncomment this section:
+ </para>
+<programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default111.xml" parse="text"/></programlisting>
+ </step>
+
+ <step>
+ <para>
+ Follow the procedure in <xref linkend="proc-Test_the_JOSSO_Installation"/> to verify the login configuration is correct.
+ </para>
+ </step>
+ </procedure>
+
+ <procedure id="proc-Test_the_JOSSO_Installation">
+ <title>Test the JOSSO Installation</title>
+
+ <step>
+ <para>
+ Start (or restart) JBoss Portal Platform.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Start (or restart) the JOSSO Apache instance.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Open <ulink url="http://localhost:8888/josso/signon/login.do"/> to display the JOSSO login screen.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Login with the user name <literal>root</literal> and the password <literal>gtn</literal> or any account created through the portal to verify the configuration to this point is correct.
+ </para>
+ </step>
+ </procedure>
+
+ <procedure id="proc-Reference_Guide-Java_Open_Single_Sign_On_Project-Setup_the_portal_to_redirect_to_JOSSO">
+ <title>Redirect portal authentication to JOSSO</title>
+
+ <para>
+ Redirect all user authentication to the JOSSO server. Information about where the JOSSO server is hosted must be properly configured within the JBoss Portal Platform instance.
</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>gatein.sso.filter.logout.class</term>
- <listitem>
- <para>
- Specifies the class of the logout filter. In the example above
- <code>org.gatein.sso.agent.filter.CASLogoutFilter</code>
-is the correct choice because this filter is able to redirect to the CAS server and perform logout on CAS side.
+
+ <step>
+ <para>
+ In the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml</filename> file modify the <guilabel>Sign In</guilabel> link as follows:
+ </para>
+<programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default112.xml" parse="text"/></programlisting>
+ </step>
+
+ <step>
+ <para>
+ Modify the <guilabel>Sign In</guilabel> link in the <filename>gatein.ear/web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl</filename> file as follows:
+ </para>
+<programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default113.xml" parse="text"/></programlisting>
+ </step>
+
+ <step>
+ <para>
+ Replace the entire contents of <filename>gatein.ear/02portal.war/login/jsp/login.jsp</filename> with the following HTML code:
+ </para>
+<programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default114.xml" parse="text"/></programlisting>
+ </step>
+
+ <step>
+ <para>
+ Add the following Filters to the top of the filter chain in <filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename>:
+ </para>
+<programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default115.xml" parse="text"/></programlisting>
+ </step>
+ </procedure>
+ </section>
+
+ <section id="sect-Reference_Guide-SSO_Single_Sign_On_-OpenSSO">
+ <title>OpenSSO</title>
+
+ <para>
+ This section details the setting up of OpenSSO server to authenticate against the JBoss Portal Platform login module.
+ </para>
+
+ <procedure id="proc-Reference_Guide-OpenSSO-Obtaining_OpenSSO">
+ <title>Obtaining OpenSSO</title>
+
+ <step>
+ <para>
+ OpenSSO must be purchased from <ulink url="http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index.html" type="http"> Oracle </ulink> .
+ </para>
+
+ <para>
+ For testing purposes, use OpenSSO_80U2, which can be downloaded from <ulink url="http://download.oracle.com/otn/nt/middleware/11g/oracle_opensso_80U2.zip" type="http">Oracle </ulink> .
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Extract the package into a suitable location. This location will be referred to as <filename>OPENSSO_HOME</filename> in this example.
+ </para>
+ </step>
+ </procedure>
+
+ <note>
+ <para>
+ It is also possible to use OpenAM instead of OpenSSO server. OpenAM is free and the integration steps between JBoss Portal Platform and OpenAM are very similar as with OpenSSO. More info is available <ulink url="http://community.jboss.org/wiki/GateInAndOpenAMIntegration" type="http"> here </ulink> .
</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>gatein.sso.filter.logout.url</term>
- <listitem>
- <para>
- Specifies the CAS server logout URL, which is used for redirection by the logout filter
+ </note>
+
+ <section id="sect-Reference_Guide-SSO_Single_Sign_On_-Modifying_the_OpenSSO_server">
+ <title>Modifying the OpenSSO server</title>
+
+ <para>
+ To configure the web server as required, it is simpler to directly modify the source files.
</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>gatein.sso.filter.logout.enabled</term>
- <listitem>
- <para>Optional parameter, which specifies whether the logout interceptor is enabled. To disable logout on CAS side, set the parameter value to "
- false"
- . This results in both options
- <code>gatein.sso.filter.logout.class</code>
- and
- <code>gatein.sso.filter.logout.url</code> are ignored </para>
- <para>When a user logs out of the portal, the CAS authentication ticket is still valid for other CAS authenticated sites. </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>gatein.sso.filter.login.sso.url</term>
- <listitem>
- <para>
- Specifies the CAS server login URL, which is used by LoginRedirectFilter for redirection to the CAS server login page.
+
+ <para>
+ The first step is to add the JBoss Portal Platform Authentication Plugin.
</para>
- <remark>Docs Note - jmorgan - added this note about the p.c.n variable, and that it *shouldn't* be substituted for a hard-coded variable name.</remark>
- <note>
- <para>The string <literal>@@portal.container.name(a)@ </literal>is dynamically replaced when the URL is interpreted by the platform's SSO Component. It is recommended that this string is used over hard-coding the name of the portal for future maintenance and ease of configuration changes. </para>
- </note>
- </listitem>
- </varlistentry>
- </variablelist>
- </section>
- </section>
- <section>
- <title><remark>BZ#856430 </remark>Build and Deploy the CAS </title>
- <remark>BZ#856430 - jmorgan - This is a new sections which captures the final step an admin needs to do to bring all the cofiguration together.</remark>
- <para>Jasig CAS uses Apache Maven to build the <filename>cas.war</filename> file. Follow the instructions to produce this file, and deploy it to the Apache Tomcat server.</para>
- <procedure>
- <title>Building CAS, and Deploying to Tomcat</title>
- <step>
- <para>Install Maven by following the recommendations and links in the <ulink url="https://wiki.jasig.org/display/CASUM/Building+and+Deploying">Building and Deploying section</ulink> of the Jasig CAS user documentation.</para>
- </step>
- <step>
- <para>In a terminal, navigate to <filename>CAS_DIR/cas-server-webapp/</filename>, and run <command>mvn install</command>.</para>
- </step>
- <step>
- <para>Copy <filename>CAS_DIR/cas-server-webapp/target/cas.war</filename> to <filename>TOMCAT_DIST/webapps</filename>.</para>
- </step>
- <step>
- <para>Tomcat should be running by default, if the process has been followed up to this step. Start JBoss Portal Platform, and verify the server is running by opening <ulink url="http://localhost:8080/"/>.</para>
- </step>
- <step>
- <para>Open <ulink url="http://localhost:8888/cas"/> to verify the CAS server has correctly deployed to Tomcat. If the link does not open the CAS login page, restart Apache Tomcat and try again.</para>
- </step>
- </procedure>
- <remark>BZ#856430 - jmorgan - Added this "wrap up" statement that should describe what customers are able to do after following the procedure.</remark>
- <para>The CAS server is now deployed to Tomcat, and the portal will now redirect users to the CAS login page when they click on the Sign In link.</para>
- </section>
- </section>
- <section id="sect-Reference_Guide-SSO_Single_Sign_On_-Java_Open_Single_Sign_On_Project">
- <title>Java Open Single Sign-On Project</title>
- <para>Configuring JOSSO for JBoss Enterprise Application Platform requires an Apache server instance to host JOSSO. JBoss Enterprise Application Platform communicates with the JOSSO Apache instance through the single sign-on plug-in.</para>
- <para>
- This single sign-on plug-in enables seamless integration between JBoss Portal Platform and the Java Open Single Sign-On (JOSSO) framework. Details about JOSSO can be found at <ulink url="http://www.josso.org"/> .
- </para>
- <para> The procedures in this section detail setting up the JOSSO server to authenticate against the JBoss Portal Platform login module.
- </para>
- <para>After completing all procedures in this section, all links redirecting to the user authentication pages will redirect to the JOSSO centralized authentication form.
- </para>
- <procedure id="proc-Reference_Guide-Java_Open_Single_Sign_On_Project-JOSSO_server">
- <title>Download and extract JOSSO server</title>
- <step>
- <para>
- Download an embedded Apache JOSSO version from <ulink url="http://sourceforge.net/projects/josso/files/JOSSO/" type="http"> http://sourceforge.net/projects/josso/files/ </ulink> .
- </para>
- <note>
- <para>Integration with JOSSO versions between 1.8.1 to 1.8.4 is supported. Versions other than these do not offer an embedded Apache instance.</para>
- <para>The JOSSO version is referred to as <replaceable>josso-18X</replaceable> in all procedures within this section. </para>
- </note>
- </step>
- <step>
- <para>
- Extract the package to an appropriate directory. This location is referred to as <filename>JOSSO_HOME</filename> in this example.
- </para>
- </step>
- </procedure>
- <procedure id="proc-Reference_Guide-Java_Open_Single_Sign_On_Project-Modifying_JOSSO_server">
- <title>Configure the JOSSO server</title>
- <step>
- <para>Copy the specified files from <filename>PORTAL_SSO/josso/<replaceable>josso-18X</replaceable>/plugin</filename> </para>
- <itemizedlist>
- <listitem>
- <para>josso-gateway-config.xml</para>
- </listitem>
- <listitem>
- <para>josso-gateway-gatein-stores.xml</para>
- </listitem>
- </itemizedlist>
- </step>
- <step>
- <para>Paste the files into the <filename><replaceable>JOSSO_HOME</replaceable>/webapps/josso/WEB-INF/lib</filename> directory.</para>
- </step>
- <step>
- <para>Copy <filename>PORTAL_SSO/josso/<replaceable>josso-18X</replaceable>/plugin/gatein.properties</filename> to the <filename><replaceable>JOSSO_HOME</replaceable>/webapps/josso/WEB-INF/classes/</filename> directory</para>
- </step>
- <step>
- <para> Edit the <filename>JOSSO_HOME/conf/server.xml</filename> file and change all ports from 8080 to 8888. This port change prevents a conflict with the default JBoss Portal Platform port.
- <note>
- <title>Port Conflicts</title>
+
<para>
- If JBoss Portal Platform is running on the same machine as Apache, other ports need to be changed in addition to 8080 in order to avoid port conflicts. They can be changed to any free port. For example, you can change the <literal>admin</literal> port from 8005 to 8805, and the <literal>AJP</literal> port from 8009 to 8809.
- </para>
- </note>
-
- </para>
- </step>
- <step>
- <para>Follow the steps in <xref linkend="proc-Reference_Guide-Java_Open_Single_Sign_On_Project-Setup_the_JOSSO_client"/> to configure the JOSSO Client. </para>
- </step>
- </procedure>
- <procedure id="proc-Reference_Guide-Java_Open_Single_Sign_On_Project-Setup_the_JOSSO_client">
- <title> Configure the JOSSO client </title>
- <note>
- <para>
-There are some changes in JOSSO agent API between versions 1.8.1 and 1.8.2, which require different modules for different JOSSO versions.
-This procedure uses <replaceable>josso-18X</replaceable> to substitute the directory <filename>josso-181</filename>, or josso-182 or newer.
-</para>
- </note>
- <step>
- <para>Copy the library files from <filename><replaceable>PORTAL_SSO</replaceable>/josso/<replaceable>josso-18X</replaceable>/gatein.ear/lib</filename> into <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/lib</filename>.</para>
- </step>
- <step>
- <para>
- Copy <filename><replaceable>PORTAL_SSO</replaceable>/josso/<replaceable>josso-18X</replaceable>/gatein.ear/portal.war/WEB-INF/classes/josso-agent-config.xml</filename> and paste the file into the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/02portal.war/WEB-INF/classes</filename> directory.
- </para>
- </step>
- <step>
- <para>
- Edit <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/META-INF/gatein-jboss-beans.xml</filename> and uncomment this section:
- </para>
- <programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default111.xml" parse="text"/></programlisting>
- </step>
- <step>
- <para>Follow the procedure in <xref linkend="proc-Test_the_JOSSO_Installation"/> to verify the login configuration is correct. </para>
- </step>
- </procedure>
- <procedure id="proc-Test_the_JOSSO_Installation">
- <title>Test the JOSSO Installation</title>
- <step>
- <para>
- Start (or restart) JBoss Portal Platform.
- </para>
- </step>
- <step>
- <para>Start (or restart) the JOSSO Apache instance.</para>
- </step>
- <step>
- <para>Open <ulink url="http://localhost:8888/josso/signon/login.do"/> to display the JOSSO login screen.</para>
- </step>
- <step>
- <para>
- Login with the user name <literal>root</literal> and the password <literal>gtn</literal> or any account created through the portal to verify the configuration to this point is correct. </para>
- </step>
- </procedure>
- <procedure id="proc-Reference_Guide-Java_Open_Single_Sign_On_Project-Setup_the_portal_to_redirect_to_JOSSO">
- <title>Redirect portal authentication to JOSSO</title>
- <para>Redirect all user authentication to the JOSSO server.
- Information about where the JOSSO server is hosted must be properly configured within the JBoss Portal Platform instance.
- </para>
- <step>
- <para>
- In the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml</filename> file modify the <guilabel>Sign In</guilabel> link as follows:
- </para>
- <programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default112.xml" parse="text"/></programlisting>
- </step>
- <step>
- <para>
- Modify the <guilabel>Sign In</guilabel> link in the <filename>gatein.ear/web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl</filename> file as follows:
- </para>
- <programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default113.xml" parse="text"/></programlisting>
- </step>
- <step>
- <para>
- Replace the entire contents of <filename>gatein.ear/02portal.war/login/jsp/login.jsp</filename> with the following HTML code:
- </para>
- <programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default114.xml" parse="text"/></programlisting>
- </step>
- <step>
- <para>
- Add the following Filters to the top of the filter chain in <filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename>:
- </para>
- <programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default115.xml" parse="text"/></programlisting>
- </step>
- </procedure>
- </section>
- <section id="sect-Reference_Guide-SSO_Single_Sign_On_-OpenSSO">
- <title>OpenSSO</title>
- <para>
- This section details the setting up of OpenSSO server to authenticate against the JBoss Portal Platform login module.
- </para>
- <procedure id="proc-Reference_Guide-OpenSSO-Obtaining_OpenSSO">
- <title>Obtaining OpenSSO</title>
- <step>
- <para>
- OpenSSO must be purchased from <ulink url="http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index.html" type="http"> Oracle </ulink> .
- </para>
- <para>
- For testing purposes, use OpenSSO_80U2, which can be downloaded from <ulink url="http://download.oracle.com/otn/nt/middleware/11g/oracle_opensso_80U2.zip" type="http">Oracle </ulink> .
- </para>
- </step>
- <step>
- <para>
- Extract the package into a suitable location. This location will be referred to as <filename>OPENSSO_HOME</filename> in this example.
- </para>
- </step>
- </procedure>
- <note>
- <para>
- It is also possible to use OpenAM instead of OpenSSO server. OpenAM is free and the integration steps between JBoss Portal Platform and OpenAM are very similar as with OpenSSO. More info is available <ulink url="http://community.jboss.org/wiki/GateInAndOpenAMIntegration" type="http"> here </ulink> .
+ The plug-in makes secure callbacks to a RESTful service installed on the remote JBoss Portal Platform server to authenticate a user.
</para>
- </note>
- <section id="sect-Reference_Guide-SSO_Single_Sign_On_-Modifying_the_OpenSSO_server">
- <title>Modifying the OpenSSO server</title>
- <para>
- To configure the web server as required, it is simpler to directly modify the source files.
- </para>
- <para>
- The first step is to add the JBoss Portal Platform Authentication Plugin.
- </para>
- <para>
- The plug-in makes secure callbacks to a RESTful service installed on the remote JBoss Portal Platform server to authenticate a user.
- </para>
- <para>
- In order for the plug-in to function correctly, it needs to be properly configured to connect to this service. This configuration is done via the <filename>opensso.war/config/auth/default/AuthenticationPlugin.xml</filename> file.
- </para>
- <procedure id="proc-Reference_Guide-Modifying_the_OpenSSO_server-Modifying_OpenSSO_server">
- <title>Modifying OpenSSO server</title>
- <step>
- <para>
- Obtain a copy of Tomcat and extract it into a suitable location. This location will be referred to as <filename>TOMCAT_HOME</filename> in this example.
- </para>
- </step>
- <step>
- <para>
- Edit <filename>TOMCAT_HOME/conf/server.xml</filename> and change the 8080 port to 8888 to avoid a conflict with the default JBoss Portal Platform port.
- <note>
- <para>
- If JBoss Portal Platform is running on the same machine as Tomcat, other ports need to be changed in addition to 8080 in order to avoid port conflicts. They can be changed to any free port. For example, you can change the admin port from 8005 to 8805 and the AJP port from 8009 to 8809.
+
+ <para>
+ In order for the plug-in to function correctly, it needs to be properly configured to connect to this service. This configuration is done via the <filename>opensso.war/config/auth/default/AuthenticationPlugin.xml</filename> file.
+ </para>
+
+ <procedure id="proc-Reference_Guide-Modifying_the_OpenSSO_server-Modifying_OpenSSO_server">
+ <title>Modifying OpenSSO server</title>
+
+ <step>
+ <para>
+ Obtain a copy of Tomcat and extract it into a suitable location. This location will be referred to as <filename>TOMCAT_HOME</filename> in this example.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Edit <filename>TOMCAT_HOME/conf/server.xml</filename> and change the 8080 port to 8888 to avoid a conflict with the default JBoss Portal Platform port.
+ <note>
+ <para>
+ If JBoss Portal Platform is running on the same machine as Tomcat, other ports need to be changed in addition to 8080 in order to avoid port conflicts. They can be changed to any free port. For example, you can change the admin port from 8005 to 8805 and the AJP port from 8009 to 8809.
</para>
- </note>
-
- </para>
- </step>
- <step>
- <para>
- Ensure the <filename>TOMCAT_HOME/webapps/opensso/config/auth/default/AuthenticationPlugin.xml</filename> file matches the following:
- </para>
- <programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default117.xml" parse="text"/></programlisting>
- </step>
- <step>
- <para>
- Copy the following files into the Tomcat directory at <filename>TOMCAT_HOME/webapps/opensso/WEB-INF/lib</filename>:
- </para>
- <itemizedlist>
- <listitem>
- <para>
- <filename><replaceable>PORTAL_SSO</replaceable>/opensso/plugin/WEB-INF/lib/sso-opensso-plugin-<replaceable>VERSION</replaceable>.jar</filename>
+ </note>
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Ensure the <filename>TOMCAT_HOME/webapps/opensso/config/auth/default/AuthenticationPlugin.xml</filename> file matches the following:
+ </para>
+<programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default117.xml" parse="text"/></programlisting>
+ </step>
+
+ <step>
+ <para>
+ Copy the following files into the Tomcat directory at <filename>TOMCAT_HOME/webapps/opensso/WEB-INF/lib</filename>:
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ <filename><replaceable>PORTAL_SSO</replaceable>/opensso/plugin/WEB-INF/lib/sso-opensso-plugin-<replaceable>VERSION</replaceable>.jar</filename>
</para>
- </listitem>
- <listitem>
- <para>
- <filename><replaceable>PORTAL_SSO</replaceable>/opensso/plugin/WEB-INF/lib/commons-httpclient-<replaceable>VERSION</replaceable>.jar</filename>
+ </listitem>
+
+ <listitem>
+ <para>
+ <filename><replaceable>PORTAL_SSO</replaceable>/opensso/plugin/WEB-INF/lib/commons-httpclient-<replaceable>VERSION</replaceable>.jar</filename>
</para>
- </listitem>
- <listitem>
- <para>
- <filename><replaceable>PORTAL_SSO</replaceable>/opensso/plugin/WEB-INF/lib/commons-logging-<replaceable>VERSION</replaceable>.jar</filename>
+ </listitem>
+
+ <listitem>
+ <para>
+ <filename><replaceable>PORTAL_SSO</replaceable>/opensso/plugin/WEB-INF/lib/commons-logging-<replaceable>VERSION</replaceable>.jar</filename>
</para>
- </listitem>
- </itemizedlist>
- </step>
- <step>
- <para>
- Copy the <filename><replaceable>PORTAL_SSO</replaceable>/opensso/plugin/WEB-INF/classes/gatein.properties</filename> file into the <filename>TOMCAT_HOME/webapps/opensso/WEB-INF/classes</filename> directory.
- </para>
- </step>
- <step>
- <para>
- Tomcat should start and be able to access <ulink url="http://localhost:8888/opensso/UI/Login?realm=gatein" type="http"> http://localhost:8888/opensso/UI/Login?realm=gatein </ulink> .
- </para>
- <mediaobject>
- <imageobject role="html">
- <imagedata width="444" align="center" scale="110" fileref="images/AuthenticationAndIdentity/SSO/opensso-shot.png" format="PNG"/>
- </imageobject>
- <imageobject role="fo">
- <imagedata width="444" contentwidth="150mm" align="center" fileref="images/AuthenticationAndIdentity/SSO/opensso-shot.png" format="PNG"/>
- </imageobject>
- </mediaobject>
- <note>
- <para>
+ </listitem>
+ </itemizedlist>
+ </step>
+
+ <step>
+ <para>
+ Copy the <filename><replaceable>PORTAL_SSO</replaceable>/opensso/plugin/WEB-INF/classes/gatein.properties</filename> file into the <filename>TOMCAT_HOME/webapps/opensso/WEB-INF/classes</filename> directory.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Tomcat should start and be able to access <ulink url="http://localhost:8888/opensso/UI/Login?realm=gatein" type="http"> http://localhost:8888/opensso/UI/Login?realm=gatein </ulink> .
+ </para>
+
+ <mediaobject>
+ <imageobject role="html">
+ <imagedata width="444" align="center" scale="110" fileref="images/AuthenticationAndIdentity/SSO/opensso-shot.png" format="PNG"/>
+ </imageobject>
+
+ <imageobject role="fo">
+ <imagedata width="444" contentwidth="150mm" align="center" fileref="images/AuthenticationAndIdentity/SSO/opensso-shot.png" format="PNG"/>
+ </imageobject>
+ </mediaobject>
+
+ <note>
+ <para>
Login will not be available at this point.
- </para>
- </note>
- </step>
- </procedure>
- <procedure id="proc-Reference_Guide-Modifying_the_OpenSSO_server-Configure_the_gatein_realm">
- <title>Configure the "gatein" realm</title>
- <step>
- <para>
- Direct your browser to <ulink url="http://localhost:8888/opensso" type="http"> http://localhost:8888/opensso </ulink>
- </para>
- </step>
- <step>
- <para>
- Create a default configuration.
- </para>
- </step>
- <step>
- <para>
- Login as <literal>amadmin</literal>.
- </para>
- <important>
- <para>
- Go to <menuchoice>
- <guimenu>Configuration</guimenu>
- <guimenuitem> Authentication </guimenuitem>
- </menuchoice> and follow the link to <guilabel>Core</guilabel>
- </para>
- <para>
+ </para>
+ </note>
+ </step>
+ </procedure>
+
+ <procedure id="proc-Reference_Guide-Modifying_the_OpenSSO_server-Configure_the_gatein_realm">
+ <title>Configure the "gatein" realm</title>
+
+ <step>
+ <para>
+ Direct your browser to <ulink url="http://localhost:8888/opensso" type="http"> http://localhost:8888/opensso </ulink>
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Create a default configuration.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Login as <literal>amadmin</literal>.
+ </para>
+
+ <important>
+ <para>
+ Go to <menuchoice> <guimenu>Configuration</guimenu> <guimenuitem> Authentication </guimenuitem> </menuchoice> and follow the link to <guilabel>Core</guilabel>
+ </para>
+
+ <para>
Add a new value with the class name <literal>org.gatein.sso.opensso.plugin.AuthenticationPlugin</literal>.
- </para>
- <para>
+ </para>
+
+ <para>
If this is not done <literal>AuthenticationPlugin</literal> is not available among other OpenSSO authentication modules.
- </para>
- </important>
- </step>
- <step>
- <para>
- Go to the <guilabel>Access control</guilabel> tab and create new realm called <literal>gatein</literal>.
- </para>
- </step>
- <step>
- <substeps>
- <step>
- <para>
- Go to the new <literal>gatein</literal> realm and click on the <guilabel>Authentication</guilabel> tab.
+ </para>
+ </important>
+ </step>
+
+ <step>
+ <para>
+ Go to the <guilabel>Access control</guilabel> tab and create new realm called <literal>gatein</literal>.
+ </para>
+ </step>
+
+ <step>
+ <substeps>
+ <step>
+ <para>
+ Go to the new <literal>gatein</literal> realm and click on the <guilabel>Authentication</guilabel> tab.
</para>
- </step>
- <step>
- <para>
- Click on <guilabel>LDAPService</guilabel> (at the bottom in the <guilabel>Authentication chaining</guilabel> section).
+ </step>
+
+ <step>
+ <para>
+ Click on <guilabel>LDAPService</guilabel> (at the bottom in the <guilabel>Authentication chaining</guilabel> section).
</para>
- </step>
- <step>
- <para>
- Change the selection from <literal>Datastore</literal>, which is the default module in the authentication chain, to <literal>AuthenticationPlugin</literal>.
+ </step>
+
+ <step>
+ <para>
+ Change the selection from <literal>Datastore</literal>, which is the default module in the authentication chain, to <literal>AuthenticationPlugin</literal>.
</para>
- </step>
- </substeps>
- <para>
- These changes enable authentication of the <literal>gatein</literal> realm using the <literal>GateIn REST</literal> service instead of the OpenSSO LDAP server.
- </para>
- </step>
- <step>
- <para>
- Go to <guilabel>Advanced properties</guilabel> and change <literal>UserProfile</literal> from <parameter>Required</parameter> to <parameter>Dynamic</parameter> to ensure all new users are automatically created in the OpenSSO datastore after successful authentication.
- </para>
- </step>
- <step>
- <para>
- Increase the user privileges to allow REST access with the following procedure:
- </para>
- <substeps>
- <step>
- <para>
- Go to <menuchoice>
- <guimenu>Access control</guimenu>
- <guimenuitem> Top level realm </guimenuitem>
- <guimenuitem> Privileges </guimenuitem>
- <guimenuitem> All authenticated users </guimenuitem>
- </menuchoice>.
+ </step>
+ </substeps>
+
+ <para>
+ These changes enable authentication of the <literal>gatein</literal> realm using the <literal>GateIn REST</literal> service instead of the OpenSSO LDAP server.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Go to <guilabel>Advanced properties</guilabel> and change <literal>UserProfile</literal> from <parameter>Required</parameter> to <parameter>Dynamic</parameter> to ensure all new users are automatically created in the OpenSSO datastore after successful authentication.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Increase the user privileges to allow REST access with the following procedure:
+ </para>
+
+ <substeps>
+ <step>
+ <para>
+ Go to <menuchoice> <guimenu>Access control</guimenu> <guimenuitem> Top level realm </guimenuitem> <guimenuitem> Privileges </guimenuitem> <guimenuitem> All authenticated users </guimenuitem> </menuchoice>.
</para>
- </step>
- <step>
- <para>
- Check the last two checkboxes:
+ </step>
+
+ <step>
+ <para>
+ Check the last two checkboxes:
</para>
- <itemizedlist>
- <listitem>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ Read and write access only for policy properties
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Read and write access to all realm and policy properties
+ </para>
+ </listitem>
+ </itemizedlist>
+ </step>
+ </substeps>
+ </step>
+
+ <step>
<para>
- Read and write access only for policy properties
- </para>
- </listitem>
- <listitem>
+ Repeat step 7 for the '<literal>gatein</literal>' realm as well.
+ </para>
+ </step>
+ </procedure>
+ </section>
+
+ <section id="sect-Reference_Guide-SSO_Single_Sign_On_-Setup_the_OpenSSO_Client">
+ <title>Setup the OpenSSO Client</title>
+
+ <procedure id="proc-Reference_Guide-Setup_the_OpenSSO_Client-Setup_the_OpenSSO_client">
+ <title>Setup the OpenSSO client</title>
+
+ <step>
<para>
- Read and write access to all realm and policy properties
- </para>
- </listitem>
- </itemizedlist>
- </step>
- </substeps>
- </step>
- <step>
- <para>
- Repeat step 7 for the '<literal>gatein</literal>' realm as well.
- </para>
- </step>
- </procedure>
- </section>
- <section id="sect-Reference_Guide-SSO_Single_Sign_On_-Setup_the_OpenSSO_Client">
- <title>Setup the OpenSSO Client</title>
- <procedure id="proc-Reference_Guide-Setup_the_OpenSSO_Client-Setup_the_OpenSSO_client">
- <title>Setup the OpenSSO client</title>
- <step>
- <para>
- Copy all libraries from the <filename><replaceable>PORTAL_SSO</replaceable>/opensso/gatein.ear/lib</filename> directory into the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/default/deploy/gatein.ear/lib</filename> directory.
- </para>
- <para>
- Alternatively, in a Tomcat environment, copy the libraries into the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/ibib</filename> directory.
- </para>
- </step>
- <step>
- <para>
- Edit the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/META-INF/gatein-jboss-beans.xml</filename> and uncomment this section:
- </para>
- <programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default118.xml" parse="text"/></programlisting>
- </step>
+ Copy all libraries from the <filename><replaceable>PORTAL_SSO</replaceable>/opensso/gatein.ear/lib</filename> directory into the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/default/deploy/gatein.ear/lib</filename> directory.
+ </para>
+
+ <para>
+ Alternatively, in a Tomcat environment, copy the libraries into the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/ibib</filename> directory.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Edit the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/META-INF/gatein-jboss-beans.xml</filename> and uncomment this section:
+ </para>
+<programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default118.xml" parse="text"/></programlisting>
+ </step>
<!-- Removed as per https://issues.jboss.org/browse/JBEPP-1350
<step>
<para>
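Review bot: the Tomcat alternative in the "Setup the OpenSSO client" step copies the libraries into `<filename><replaceable>JPP_DIST</replaceable>/jboss-as/ibib</filename>`, which is wrong on two counts: `ibib` is almost certainly a typo for `lib`, and a `jboss-as/...` path does not describe a Tomcat environment, so the intended directory should be stated explicitly rather than carried over from the previous revision. The JOSSO redirect step names `.../web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml` while the next step uses `.../groovy/portal/webui/component/UILogoPortlet.gtmpl`; the `.gtml` extension and the `groovy/groovy` segment are inconsistent with the `.gtmpl` template naming and look like a stale path. "Repeat step 7 for the 'gatein' realm" hard-codes a step number that goes stale as soon as a step is added or removed; reference the step by description or with an `<xref>`. Finally, the removed `<note>` about using OpenAM instead of OpenSSO has no visible replacement in this hunk, so confirm it was dropped on purpose and not lost in the re-indentation.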
@@ -881,154 +1167,185 @@
realmName=gatein-domain;
</programlisting>
</step>
- --> <step>
- <para>
- Test the installation:
- </para>
- <procedure>
+ -->
+ <step>
+ <para>
+ Test the installation:
+ </para>
+
+ <procedure>
+ <step>
+ <para>
+ Access JBoss Portal Platform by going to <ulink url="http://localhost:8888/opensso/UI/Login?realm=gatein" type="http"> http://localhost:8888/opensso/UI/Login?realm=gatein </ulink> (assuming that the OpenSSO server using Tomcat is still running).
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Login with the username <literal>root</literal> and the password <literal>gtn</literal> or any account created through the portal.
+ </para>
+ </step>
+ </procedure>
+ </step>
+ </procedure>
+ </section>
+
+ <section id="sect-Reference_Guide-SSO_Single_Sign_On_-Setup_the_portal_to_redirect_to_OpenSSO">
+ <title>Setup the portal to redirect to OpenSSO</title>
+
+ <para>
+ The next part of the process is to redirect all user authentication to the OpenSSO server.
+ </para>
+
+ <para>
+ Information about where the OpenSSO server is hosted must be properly configured within the JBoss Portal Platform instance. The required configuration is done by modifying three files:
+ </para>
+
+ <procedure id="proc-Reference_Guide-Setup_the_portal_to_redirect_to_OpenSSO-Setup_the_portal_to_redirect_to_OpenSSO">
+ <title>Setup the portal to redirect to OpenSSO</title>
+
+ <step>
+ <para>
+ Modify the '<emphasis role="bold">Sign In</emphasis>' link in the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml</filename> file as follows:
+ </para>
+<programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default119.xml" parse="text"/></programlisting>
+ </step>
+
+ <step>
+ <para>
+ Modify the '<emphasis role="bold">Sign In</emphasis>' link in the <filename>gatein.ear/web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl</filename> file as follows:
+ </para>
+<programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default120.xml" parse="text"/></programlisting>
+ </step>
+
+ <step>
+ <para>
+ Replace the entire contents of <filename>gatein.ear/02portal.war/login/jsp/login.jsp</filename> with:
+ </para>
+<programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default121.xml" parse="text"/></programlisting>
+ </step>
+
+ <step>
+ <para>
+ Add the following Filters to the top of the filter chain in <filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename>:
+ </para>
+<programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default122.xml" parse="text"/></programlisting>
+ </step>
+ </procedure>
+
+ <para>
+ From now on, all links redirecting to the user authentication pages will redirect to the OpenSSO centralized authentication form.
+ </para>
+ </section>
+ </section>
+
+ <section id="sect-Reference_Guide-SSO_Single_Sign_On_-SPNEGO_Simple_and_Protected_GSSAPI_Negotiation_Mechanism">
+ <title>Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)</title>
+
+ <para>
+ The Simple and Protected GSSAPI Negotiation Mechanism (<emphasis role="bold">SPNEGO</emphasis>) uses desktop credentials provided during a desktop login to transparently authenticate a portal user through a web browser.
+ </para>
+
+ <para>
+ For illustrative purposes; a typical use case would be:
+ </para>
+
+ <procedure>
<step>
- <para>
- Access JBoss Portal Platform by going to <ulink url="http://localhost:8888/opensso/UI/Login?realm=gatein" type="http"> http://localhost:8888/opensso/UI/Login?realm=gatein </ulink> (assuming that the OpenSSO server using Tomcat is still running).
- </para>
+ <para>
+ A user logs into their desktop computer with a login that is governed by an Active Directory domain.
+ </para>
</step>
+
<step>
- <para>
- Login with the username <literal>root</literal> and the password <literal>gtn</literal> or any account created through the portal.
- </para>
+ <para>
+ The user then launches a web browser to access a web application (that uses JBoss Negotiation) hosted on JBoss Portal Platform.
+ </para>
</step>
- </procedure>
- </step>
- </procedure>
- </section>
- <section id="sect-Reference_Guide-SSO_Single_Sign_On_-Setup_the_portal_to_redirect_to_OpenSSO">
- <title>Setup the portal to redirect to OpenSSO</title>
- <para>
- The next part of the process is to redirect all user authentication to the OpenSSO server.
- </para>
- <para>
- Information about where the OpenSSO server is hosted must be properly configured within the JBoss Portal Platform instance. The required configuration is done by modifying three files:
- </para>
- <procedure id="proc-Reference_Guide-Setup_the_portal_to_redirect_to_OpenSSO-Setup_the_portal_to_redirect_to_OpenSSO">
- <title>Setup the portal to redirect to OpenSSO</title>
- <step>
- <para>
- Modify the '<emphasis role="bold">Sign In</emphasis>' link in the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml</filename> file as follows:
- </para>
- <programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default119.xml" parse="text"/></programlisting>
- </step>
- <step>
- <para>
- Modify the '<emphasis role="bold">Sign In</emphasis>' link in the <filename>gatein.ear/web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl</filename> file as follows:
- </para>
- <programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default120.xml" parse="text"/></programlisting>
- </step>
- <step>
- <para>
- Replace the entire contents of <filename>gatein.ear/02portal.war/login/jsp/login.jsp</filename> with:
- </para>
- <programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default121.xml" parse="text"/></programlisting>
- </step>
- <step>
- <para>
- Add the following Filters to the top of the filter chain in <filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename>:
- </para>
- <programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default122.xml" parse="text"/></programlisting>
- </step>
- </procedure>
- <para>
- From now on, all links redirecting to the user authentication pages will redirect to the OpenSSO centralized authentication form.
- </para>
- </section>
- </section>
- <section id="sect-Reference_Guide-SSO_Single_Sign_On_-SPNEGO_Simple_and_Protected_GSSAPI_Negotiation_Mechanism">
- <title>Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)</title>
- <para>
- The Simple and Protected GSSAPI Negotiation Mechanism (<emphasis role="bold">SPNEGO</emphasis>) uses desktop credentials provided during a desktop login to transparently authenticate a portal user through a web browser.
- </para>
- <para>
- For illustrative purposes; a typical use case would be:
- </para>
- <procedure>
- <step>
- <para>
- A user logs into their desktop computer with a login that is governed by an Active Directory domain.
- </para>
- </step>
- <step>
- <para>
- The user then launches a web browser to access a web application (that uses JBoss Negotiation) hosted on JBoss Portal Platform.
- </para>
- </step>
- <step>
- <para>
- The browser transfers the desktop credentials to the web application.
- </para>
- </step>
- <step>
- <para>
- JBoss EAP/AS uses background GSS messages with the Active Directory (or any Kerberos Server) to validate the Kerberos ticket from user.
- </para>
- </step>
- <step>
- <para>
- The user experiences a seamless single sign-on (SSO) into the web application.
- </para>
- </step>
- </procedure>
- <section id="sect-Reference_Guide-SPNEGO_Simple_and_Protected_GSSAPI_Negotiation_Mechanism-SPNEGO_Server_Configuration">
- <title>SPNEGO Server Configuration</title>
- <para>
- In this section, we will describe some necessary steps for setup Kerberos server on Linux. This server will then be used for SPNEGO authentication against JBoss Portal Platform.
+
+ <step>
+ <para>
+ The browser transfers the desktop credentials to the web application.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ JBoss EAP/AS uses background GSS messages with the Active Directory (or any Kerberos Server) to validate the Kerberos ticket from user.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ The user experiences a seamless single sign-on (SSO) into the web application.
+ </para>
+ </step>
+ </procedure>
+
+ <section id="sect-Reference_Guide-SPNEGO_Simple_and_Protected_GSSAPI_Negotiation_Mechanism-SPNEGO_Server_Configuration">
+ <title>SPNEGO Server Configuration</title>
+
+ <para>
+ In this section, we will describe some necessary steps for setup Kerberos server on Linux. This server will then be used for SPNEGO authentication against JBoss Portal Platform.
</para>
- <note>
- <title>SPNEGO Basics</title>
- <para>
- The procedure below only describes the basic steps to configure the SPNEGO server in a Linux environment. If you are already familiar with SPNEGO, or if you are using Windows and Active Directory domain, you can jump to the <xref linkend="proc-Reference_Guide-JBoss_Enterprise_Portal_Platform_Configuration-Advanced_SPNEGO_Configuration"/> to see how to integrate SPNEGO with JBoss Portal Platform.
- </para>
- <para>
- Please note that Kerberos setup is also dependent on your Linux distribution and so steps can be slightly different in your environment.
- </para>
- </note>
- <procedure id="proc-Reference_Guide-SPNEGO_Server_Configuration-SPNEGO_Basics">
- <title>SPNEGO Basics</title>
- <step>
- <para>
- Correct the setup of network on the machine. For example, if you are using the "server.local.network" domain as your machine where Kerberos and JBoss Portal Platform are localed, add the line containing the machine's IP address to the <emphasis role="bold">/etc/host </emphasis> file.
- </para>
- <programlisting>
+
+ <note>
+ <title>SPNEGO Basics</title>
+
+ <para>
+ The procedure below only describes the basic steps to configure the SPNEGO server in a Linux environment. If you are already familiar with SPNEGO, or if you are using Windows and Active Directory domain, you can jump to the <xref linkend="proc-Reference_Guide-JBoss_Enterprise_Portal_Platform_Configuration-Advanced_SPNEGO_Configuration"/> to see how to integrate SPNEGO with JBoss Portal Platform.
+ </para>
+
+ <para>
+ Please note that Kerberos setup is also dependent on your Linux distribution and so steps can be slightly different in your environment.
+ </para>
+ </note>
+
+ <procedure id="proc-Reference_Guide-SPNEGO_Server_Configuration-SPNEGO_Basics">
+ <title>SPNEGO Basics</title>
+
+ <step>
+ <para>
+ Correct the setup of network on the machine. For example, if you are using the "server.local.network" domain as your machine where Kerberos and JBoss Portal Platform are localed, add the line containing the machine's IP address to the <emphasis role="bold">/etc/host </emphasis> file.
+ </para>
+<programlisting>
192.168.1.88 server.local.network
</programlisting>
- <note>
- <para>
- It is not recommended you use loopback addresses.
+ <note>
+ <para>
+ It is not recommended you use loopback addresses.
+ </para>
+ </note>
+ </step>
+
+ <step>
+ <para>
+ Install Kerberos with these packages: krb5-admin-server, krb5-kdc, krb5-config, krb5-user, krb5-clients, and krb5-rsh-server.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Edit the Kerberos configuration file at <emphasis role="bold">/etc/krb5.config</emphasis>, including:
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ Uncomment on these lines:
</para>
- </note>
- </step>
- <step>
- <para>
- Install Kerberos with these packages: krb5-admin-server, krb5-kdc, krb5-config, krb5-user, krb5-clients, and krb5-rsh-server.
- </para>
- </step>
- <step>
- <para>
- Edit the Kerberos configuration file at <emphasis role="bold">/etc/krb5.config</emphasis>, including:
- </para>
- <itemizedlist>
- <listitem>
- <para>
- Uncomment on these lines:
- </para>
- <programlisting>
+<programlisting>
default_tgs_enctypes = des3-hmac-sha1
default_tkt_enctypes = des3-hmac-sha1
permitted_enctypes = des3-hmac-sha1
</programlisting>
- </listitem>
- <listitem>
- <para>
- Add <emphasis role="bold">local.network</emphasis> as a default realm and it is also added to the list of realms and remove the remains of realms. The content looks like:
- </para>
- <programlisting>
+ </listitem>
+
+ <listitem>
+ <para>
+ Add <emphasis role="bold">local.network</emphasis> as a default realm and it is also added to the list of realms and remove the remains of realms. The content looks like:
+ </para>
+<programlisting>
[libdefaults]
default_realm = LOCAL.NETWORK
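Review bot: the "Test the installation" step says "Access JBoss Portal Platform by going to" but gives the OpenSSO login URL `http://localhost:8888/opensso/UI/Login?realm=gatein`; either the wording or the URL needs correcting so the reader knows which server they are expected to hit. The same `.gtml` / `groovy/groovy` path inconsistency seen in the JOSSO section recurs in the OpenSSO redirect procedure (`UIBannerPortlet.gtml` versus `UILogoPortlet.gtmpl`). In the SPNEGO server steps, the hosts file is `/etc/hosts`, not `/etc/host`, and the Kerberos client configuration file is `/etc/krb5.conf`, not `/etc/krb5.config`; as written, both steps send the reader to files that do not exist. The three `des3-hmac-sha1` enctype lines the reader is told to uncomment select a deprecated cipher, so the text should say this is a minimal lab setup and point to AES enctypes (for example `aes256-cts-hmac-sha1-96`) for anything beyond testing. Minor wording: "for setup Kerberos server" and "are localed" in the section intro and first step.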
@@ -1081,14 +1398,15 @@
krb4_convert = true
krb4_get_tickets = false
</programlisting>
- </listitem>
- </itemizedlist>
- </step>
- <step>
- <para>
- Edit the KDC configuraton file at <emphasis role="bold">/etc/krb5kdc/kdc.conf</emphasis> that looks like.
- </para>
- <programlisting>
+ </listitem>
+ </itemizedlist>
+ </step>
+
+ <step>
+ <para>
+ Edit the KDC configuraton file at <emphasis role="bold">/etc/krb5kdc/kdc.conf</emphasis> that looks like.
+ </para>
+<programlisting>
[kdcdefaults]
kdc_ports = 750,88
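Review bot: "configuraton" in the kdc.conf step is a typo, and "Edit the KDC configuraton file at /etc/krb5kdc/kdc.conf that looks like." is a sentence fragment; suggest "Edit the KDC configuration file at /etc/krb5kdc/kdc.conf so that it looks like the following:". The listings in this hunk also carry Kerberos 4 compatibility settings (`krb4_convert = true`, `krb4_get_tickets = false` at the top of the hunk, and port 750 in `kdc_ports = 750,88`) that serve no purpose on a new KDC; dropping them, or marking them optional, keeps readers from enabling an obsolete protocol path by default.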
@@ -1110,158 +1428,179 @@
kdc = FILE:/home/gatein/krb5logs/kdc.log
admin_server = FILE:/home/gatein/krb5logs/kadmin.log
</programlisting>
- <itemizedlist>
- <listitem>
- <para>
- Create krb5kdc and krb5logs directory for Kerberos database as shown in the configuration file above.
- </para>
- </listitem>
- <listitem>
- <para>
- Next, create a KDC database using the following command.
- </para>
- <programlisting>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Create krb5kdc and krb5logs directory for Kerberos database as shown in the configuration file above.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Next, create a KDC database using the following command.
+ </para>
+<programlisting>
sudo krb5_newrealm
</programlisting>
- </listitem>
- <listitem>
- <para>
- Start the KDC and Kerberos admin servers using these commands:
- </para>
- <programlisting>
+ </listitem>
+
+ <listitem>
+ <para>
+ Start the KDC and Kerberos admin servers using these commands:
+ </para>
+<programlisting>
sudo /etc/init.d/krb5-kdc restart
sudo /etc/init.d/krb-admin-server restart
</programlisting>
- </listitem>
- </itemizedlist>
- </step>
- <step>
- <para>
- Add Principals and create Keys.
- </para>
- <itemizedlist>
- <listitem>
- <para>
- Start an interactive 'kadmin' session and create the necessary Principals.
- </para>
- <programlisting>
+ </listitem>
+ </itemizedlist>
+ </step>
+
+ <step>
+ <para>
+ Add Principals and create Keys.
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ Start an interactive 'kadmin' session and create the necessary Principals.
+ </para>
+<programlisting>
sudo kadmin.local
</programlisting>
- </listitem>
- <listitem>
- <para>
- Add the JBoss Portal Platform machine and keytab file that need to be authenticated.
- </para>
- <programlisting>
+ </listitem>
+
+ <listitem>
+ <para>
+ Add the JBoss Portal Platform machine and keytab file that need to be authenticated.
+ </para>
+<programlisting>
addprinc -randkey HTTP/server.local.network(a)LOCAL.NETWORK
ktadd HTTP/server.local.network(a)LOCAL.NETWORK
</programlisting>
- </listitem>
- <listitem>
- <para>
- Add the default JBoss Portal Platform user accounts and enter the password for each created user that will be authenticated.
- </para>
- <programlisting>
+ </listitem>
+
+ <listitem>
+ <para>
+ Add the default JBoss Portal Platform user accounts and enter the password for each created user that will be authenticated.
+ </para>
+<programlisting>
addprinc john
addprinc demo
addprinc root
</programlisting>
- </listitem>
- </itemizedlist>
- </step>
- <step>
- <para>
- Test your changed setup by using the command.
- </para>
- <programlisting>
+ </listitem>
+ </itemizedlist>
+ </step>
+
+ <step>
+ <para>
+ Test your changed setup by using the command.
+ </para>
+<programlisting>
kinit -A demo
</programlisting>
- <itemizedlist>
- <listitem>
- <para>
- If the setup works well, you are required to enter the password created for this user in Step 5. Without the -A, the kerberos ticket validation involved reverse DNS lookups, which can get very cumbersome to debug if your network's DNS setup is not great. This is a production level security feature, which is not necessary in this development setup. In production environment, it will be better to avoid -A option.
- </para>
- </listitem>
- <listitem>
- <para>
- After successful login to Kerberos, you can see your Kerberos ticket when using this command.
- </para>
- <programlisting>
+ <itemizedlist>
+ <listitem>
+ <para>
+ If the setup works well, you are required to enter the password created for this user in Step 5. Without the -A, the kerberos ticket validation involved reverse DNS lookups, which can get very cumbersome to debug if your network's DNS setup is not great. This is a production level security feature, which is not necessary in this development setup. In production environment, it will be better to avoid -A option.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ After successful login to Kerberos, you can see your Kerberos ticket when using this command.
+ </para>
+<programlisting>
klist
</programlisting>
- </listitem>
- <listitem>
- <para>
- If you want to logout and destroy your ticket, use this command.
- </para>
- <programlisting>
+ </listitem>
+
+ <listitem>
+ <para>
+ If you want to logout and destroy your ticket, use this command.
+ </para>
+<programlisting>
kdestroy
</programlisting>
- </listitem>
- </itemizedlist>
- </step>
- </procedure>
- </section>
- <section id="sect-Reference_Guide-SPNEGO_Simple_and_Protected_GSSAPI_Negotiation_Mechanism-SPNEGO_Server_Configuration-Clients">
- <title>Clients</title>
- <para>
- After performing all configurations above, you need to enable the <emphasis role="bold">Negotiate authentication </emphasis> of Firefox in client machines so that clients could be authenticated by JBoss Portal Platform as follows:
+ </listitem>
+ </itemizedlist>
+ </step>
+ </procedure>
+ </section>
+
+ <section id="sect-Reference_Guide-SPNEGO_Simple_and_Protected_GSSAPI_Negotiation_Mechanism-SPNEGO_Server_Configuration-Clients">
+ <title>Clients</title>
+
+ <para>
+ After performing all configurations above, you need to enable the <emphasis role="bold">Negotiate authentication </emphasis> of Firefox in client machines so that clients could be authenticated by JBoss Portal Platform as follows:
</para>
- <procedure>
- <step>
- <para>
- Start Firefox, then enter the command: <emphasis role="bold">about:config </emphasis> into the address field.
- </para>
- </step>
- <step>
- <para>
- Enter <emphasis role="bold">network.negotiate-auth</emphasis> and set the value as below:
- </para>
- <programlisting>
+
+ <procedure>
+ <step>
+ <para>
+ Start Firefox, then enter the command: <emphasis role="bold">about:config </emphasis> into the address field.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Enter <emphasis role="bold">network.negotiate-auth</emphasis> and set the value as below:
+ </para>
+<programlisting>
network.negotiate-auth.allow-proxies = true
network.negotiate-auth.delegation-uris = .local.network
network.negotiate-auth.gsslib (no-value)
network.negotiate-auth.trusted-uris = .local.network
network.negotiate-auth.using-native-gsslib = true
</programlisting>
- </step>
- </procedure>
- <note>
- <para>
- Consult documentation of your OS or web browser if using different browser than Firefox.
- </para>
- </note>
- </section>
- <section id="sect-Reference_Guide-SPNEGO_Simple_and_Protected_GSSAPI_Negotiation_Mechanism-JBoss_Enterprise_Portal_Platform_Configuration">
- <title>JBoss Portal Platform Configuration</title>
- <para>
-JBoss Portal Platform uses JBoss Negotiation to enable SPNEGO-based desktop SSO for the portal. Here are the steps to integrate SPNEGO with JBoss Portal Platform.
+ </step>
+ </procedure>
+
+ <note>
+ <para>
+ Consult documentation of your OS or web browser if using different browser than Firefox.
+ </para>
+ </note>
+ </section>
+
+ <section id="sect-Reference_Guide-SPNEGO_Simple_and_Protected_GSSAPI_Negotiation_Mechanism-JBoss_Enterprise_Portal_Platform_Configuration">
+ <title>JBoss Portal Platform Configuration</title>
+
+ <para>
+ JBoss Portal Platform uses JBoss Negotiation to enable SPNEGO-based desktop SSO for the portal. Here are the steps to integrate SPNEGO with JBoss Portal Platform.
</para>
- <procedure id="proc-Reference_Guide-JBoss_Enterprise_Portal_Platform_Configuration-Advanced_SPNEGO_Configuration">
- <title>Advanced SPNEGO Configuration</title>
- <step>
- <para>
- Activate the Host authentication. Add the following host login module to the <filename>jboss-as/server/<replaceable>PROFILE</replaceable>/conf/login-config.xml</filename>:
- </para>
- <programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default124.xml" parse="text"/></programlisting>
- <para>
- The '<literal>keyTab</literal>' value should point to the keytab file that was generated by the <literal>kadmin</literal> Kerberos tool. When using Kerberos on Linux, it should be value of parameter <emphasis role="bold">admin_keytab</emphasis> from kdc.conf file. See the <xref linkend="proc-Reference_Guide-SPNEGO_Server_Configuration-SPNEGO_Basics"/> for more details.
- </para>
- </step>
- <step>
- <para>
- Extend the core authentication mechanisms to support SPNEGO. Under <filename>deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml</filename>, add a '<literal>SPNEGO</literal>' authenticators property
- </para>
- <programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default125.xml" parse="text"/></programlisting>
- </step>
- <step>
- <para>
- Add the SSO module binaries by copying <filename>PORTAL_SSO/spnego/gatein.ear/lib/sso-agent.jar</filename> to the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/lib/</filename> directory.
- </para>
- <para>
- Copy the <filename>PORTAL_SSO/spnego/gatein.ear/lib/sso-spnego.jar</filename> file to the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/lib</filename> directory.
- </para>
- </step>
+
+ <procedure id="proc-Reference_Guide-JBoss_Enterprise_Portal_Platform_Configuration-Advanced_SPNEGO_Configuration">
+ <title>Advanced SPNEGO Configuration</title>
+
+ <step>
+ <para>
+ Activate the Host authentication. Add the following host login module to the <filename>jboss-as/server/<replaceable>PROFILE</replaceable>/conf/login-config.xml</filename>:
+ </para>
+<programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default124.xml" parse="text"/></programlisting>
+ <para>
+ The '<literal>keyTab</literal>' value should point to the keytab file that was generated by the <literal>kadmin</literal> Kerberos tool. When using Kerberos on Linux, it should be value of parameter <emphasis role="bold">admin_keytab</emphasis> from kdc.conf file. See the <xref linkend="proc-Reference_Guide-SPNEGO_Server_Configuration-SPNEGO_Basics"/> for more details.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Extend the core authentication mechanisms to support SPNEGO. Under <filename>deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml</filename>, add a '<literal>SPNEGO</literal>' authenticators property
+ </para>
+<programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default125.xml" parse="text"/></programlisting>
+ </step>
+
+ <step>
+ <para>
+ Add the SSO module binaries by copying <filename>PORTAL_SSO/spnego/gatein.ear/lib/sso-agent.jar</filename> to the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/lib/</filename> directory.
+ </para>
+
+ <para>
+ Copy the <filename>PORTAL_SSO/spnego/gatein.ear/lib/sso-spnego.jar</filename> file to the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/lib</filename> directory.
+ </para>
+ </step>
<!-- This step not required as EPP already has the correct version of Negotiation 2.0.4.GA
<step>
<para>
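Review bot: the keyTab guidance in the rewritten "Activate the Host authentication" step conflicts with the ktadd command earlier in this hunk: "ktadd HTTP/server.local.network..." is run without a -k option, so the HTTP service key is written to the system default keytab, not to the file named by admin_keytab in kdc.conf (that setting is kadmind's own keytab). Either add "-k <path>" to the ktadd line and tell readers to use that path for keyTab, or drop the admin_keytab sentence. Three smaller points in the same hunk: the init script in "sudo /etc/init.d/krb-admin-server restart" is krb5-admin-server on the Debian-based systems this procedure targets (it already relies on krb5_newrealm and krb5-kdc), so the missing "5" looks like a typo; the -A explanation ("reverse DNS lookups") describes a DNS problem, whereas kinit -A requests address-less tickets, so the sentence should say the ticket carries no client addresses and therefore skips address checks; and "in Step 5" is a hard-coded step number that an xref to the step's id would keep correct when steps move. The paths jboss-as/server/PROFILE/conf/login-config.xml and deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml are the old server/PROFILE layout while the SSO valve section below uses JPP_DIST/standalone/configuration/standalone-ha.xml; please confirm the SPNEGO steps were verified against this release's layout. Finally, "network.negotiate-auth.delegation-uris = .local.network" forwards the user's Kerberos credentials to every host in that domain, which plain SPNEGO login does not need beyond trusted-uris; a sentence saying when delegation is actually required, or leaving the setting out of the baseline, would help.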
@@ -1270,36 +1609,42 @@
and copy this file to <filename>JBOSS_HOME/server/default/lib</filename> directory as well.
</para>
</step>
- --> <step>
- <para>
- Modify the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/META-INF/gatein-jboss-beans.xml</filename> file to match the following:
- </para>
- <programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default126.xml" parse="text"/></programlisting>
- <para>
- This activates SPNEGO LoginModules with fallback to FORM authentication. When SPNEGO is not available and it needs to fallback to FORM, it will use <emphasis role="bold">gatein-form-auth-domain</emphasis> security domain.
- </para>
- </step>
- <step>
- <para>
- Modify <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/02portal.war/WEB-INF/web.xml</filename> to match:
- </para>
- <programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default127.xml" parse="text"/></programlisting>
- <para>
- This integrates SPNEGO support into the Portal web archive by switching the authentication mechanism from the default "FORM"-based to "SPNEGO"-based authentication.
- </para>
- <para>
- You can see that the SPNEGO portion also contains the element <code>form-login-config</code>, which is required if you want to enable a fallback to FORM based authentication function.
- </para>
- <para>
- In this case, the portal will attempt to authenticate the user with their Kerberos ticket through SPNEGO. If the user does not have a Kerberos ticket, they will be redirected to FORM authentication and via the login screen.
- </para>
- <para>
- This configuration ensures the first authentication attempt is though SPNEGO and, if this attempt is unsuccessful, another attempt is made using the FORM method. This could occur if the user does not have a valid Kerberos ticket or if the web browser in use does not support SPNEGO authentication with the Kerberos server.
- </para>
- <para>
- If the fallback to FORM function is not required, the <code>form-login-config</code> configuration can be disabled like so:
- </para>
- <programlisting language="XML" role="XML"><![CDATA[<login-config>
+ -->
+ <step>
+ <para>
+ Modify the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/META-INF/gatein-jboss-beans.xml</filename> file to match the following:
+ </para>
+<programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default126.xml" parse="text"/></programlisting>
+ <para>
+ This activates SPNEGO LoginModules with fallback to FORM authentication. When SPNEGO is not available and it needs to fallback to FORM, it will use <emphasis role="bold">gatein-form-auth-domain</emphasis> security domain.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Modify <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/02portal.war/WEB-INF/web.xml</filename> to match:
+ </para>
+<programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default127.xml" parse="text"/></programlisting>
+ <para>
+ This integrates SPNEGO support into the Portal web archive by switching the authentication mechanism from the default "FORM"-based to "SPNEGO"-based authentication.
+ </para>
+
+ <para>
+ You can see that the SPNEGO portion also contains the element <code>form-login-config</code>, which is required if you want to enable a fallback to FORM based authentication function.
+ </para>
+
+ <para>
+ In this case, the portal will attempt to authenticate the user with their Kerberos ticket through SPNEGO. If the user does not have a Kerberos ticket, they will be redirected to FORM authentication and via the login screen.
+ </para>
+
+ <para>
+ This configuration ensures the first authentication attempt is though SPNEGO and, if this attempt is unsuccessful, another attempt is made using the FORM method. This could occur if the user does not have a valid Kerberos ticket or if the web browser in use does not support SPNEGO authentication with the Kerberos server.
+ </para>
+
+ <para>
+ If the fallback to FORM function is not required, the <code>form-login-config</code> configuration can be disabled like so:
+ </para>
+<programlisting language="XML" role="XML"><![CDATA[<login-config>
<auth-method>SPNEGO</auth-method>
<realm-name>SPNEGO</realm-name>
<!-- <form-login-config>
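Review bot: "though SPNEGO" in the rewritten para ("the first authentication attempt is though SPNEGO") is a typo for "through", and "they will be redirected to FORM authentication and via the login screen" is a run-on; since the hunk reindents these lines anyway, change them to "through SPNEGO" and "they will be redirected to the FORM login screen". The commented-out step kept above the gatein-jboss-beans.xml step ("This step not required as EPP already has the correct version of Negotiation 2.0.4.GA") is dead content being carried along by the reindent; remove the comment block rather than reformat it.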
@@ -1309,52 +1654,60 @@
-->
</login-config>
]]></programlisting>
- <para>
- In this case the user needs to authenticate through SPNEGO and if that fails, the user will receive an authentication error with HTTP code <literal>401</literal>. The FORM fallback will not be offered.
- </para>
- </step>
- <step>
- <para>
- Integrate the request pre-processing needed for SPNEGO via filters by adding the following filters to the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/02portal.war/WEB-INF/web.xml</filename> at the top of the Filter chain.
- </para>
- <programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default128.xml" parse="text"/></programlisting>
- </step>
- <step>
- <para>
- Edit the '<emphasis role="bold">Sign In</emphasis>' link in <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtmpl</filename> to match the following:
- </para>
- <programlisting language="Java" role="Java"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default129.java" parse="text"/></programlisting>
- </step>
- <step>
- <para>
- Start the JBoss Portal Platform;
- </para>
- <programlisting language="Java" role="Java"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default130.java" parse="text"/></programlisting>
- <note>
- <title>Note</title>
+ <para>
+ In this case the user needs to authenticate through SPNEGO and if that fails, the user will receive an authentication error with HTTP code <literal>401</literal>. The FORM fallback will not be offered.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Integrate the request pre-processing needed for SPNEGO via filters by adding the following filters to the <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/02portal.war/WEB-INF/web.xml</filename> at the top of the Filter chain.
+ </para>
+<programlisting language="XML" role="XML"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default128.xml" parse="text"/></programlisting>
+ </step>
+
+ <step>
+ <para>
+ Edit the '<emphasis role="bold">Sign In</emphasis>' link in <filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtmpl</filename> to match the following:
+ </para>
+<programlisting language="Java" role="Java"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default129.java" parse="text"/></programlisting>
+ </step>
+
+ <step>
+ <para>
+ Start the JBoss Portal Platform;
+ </para>
+<programlisting language="Java" role="Java"><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="../../extras/Authentication_Identity_SSO/default130.java" parse="text"/></programlisting>
+ <note>
+ <title>Note</title>
+
+ <para>
+ The <replaceable>PROFILE</replaceable> parameter in the above command should be replaced with the server profile modified with the above configuration.
+ </para>
+ </note>
+ </step>
+
+ <step>
+ <para>
+ Login to Kerberos:
+ </para>
+<programlisting>kinit -A demo
+</programlisting>
+ </step>
+ </procedure>
+
<para>
- The <replaceable>PROFILE</replaceable> parameter in the above command should be replaced with the server profile modified with the above configuration.
- </para>
- </note>
- </step>
- <step>
- <para>
- Login to Kerberos:
- </para>
- <programlisting>kinit -A demo
-</programlisting>
- </step>
- </procedure>
- <para>
- Clicking the 'Sign In' link on the JBoss Portal Platform should automatically sign the 'demo' user into the portal.
+ Clicking the 'Sign In' link on the JBoss Portal Platform should automatically sign the 'demo' user into the portal.
</para>
- <para>
- If you destroy your kerberos ticket with command <command>kdestroy</command>, then try to login again, you will directed to the login screen of JBoss Portal Platform because you do not have active Kerberos ticket. You can login with predefined account and password "demo"/"gtn" .
+
+ <para>
+ If you destroy your kerberos ticket with command <command>kdestroy</command>, then try to login again, you will directed to the login screen of JBoss Portal Platform because you do not have active Kerberos ticket. You can login with predefined account and password "demo"/"gtn" .
</para>
- </section>
- </section>
- <section id="sect-SSO_Single_Sign_On_-Enabling_SSO_using_JBoss_SSO_Valve">
- <title>Single Sign-On in a Cluster</title>
+ </section>
+ </section>
+
+ <section id="sect-SSO_Single_Sign_On_-Enabling_SSO_using_JBoss_SSO_Valve">
+ <title>Single Sign-On in a Cluster</title>
<!-- Source Metadata
URL: https://issues.jboss.org/browse/JBQA-4530
Author [w/email]: Marek Posolda (mposolda(a)redhat.com)
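Review bot: the "Start the JBoss Portal Platform;" step tags its listing language="Java" role="Java", yet the Note that follows calls it "the above command" with a PROFILE parameter, so the include is a shell command and should not get Java highlighting; use the plain programlisting form used for "kinit -A demo" in the next step, and end the sentence with a colon rather than a semicolon. In the closing paragraph, "you will directed to the login screen" is missing "be", and "kerberos" should be capitalised as in the rest of the chapter: "If you destroy your Kerberos ticket with the command kdestroy and then try to log in again, you will be directed to the login screen of JBoss Portal Platform because you no longer have an active Kerberos ticket."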
@@ -1364,102 +1717,118 @@
voiii
URL: https://issues.jboss.org/browse/JBEPP-615
Author [w/email]: Marek Posolda (mposolda(a)redhat.com)
- -->
- <para>
+ -->
+ <para>
In a cluster, the JBoss SSO valve can be used to authenticate a user on one JBoss Portal Platform node and have that authentication automatically carried across to other nodes in the cluster.
- </para>
- <section id="sect-SSO_Single_Sign_On_-Enabling_SSO_using_JBoss_SSO_Valve-Default_Config">
- <title>Default Configuration</title>
- <para>
- The JBoss SSO valve is enabled by default. The enablement is ensured by the following JBoss Web subsystem configuration entry in the <filename>JPP_DIST/standalone/configuration/standalon-ha.xml</filename> file:
- </para>
+ </para>
+
+ <section id="sect-SSO_Single_Sign_On_-Enabling_SSO_using_JBoss_SSO_Valve-Default_Config">
+ <title>Default Configuration</title>
+
+ <para>
+ The JBoss SSO valve is enabled by default. The enablement is ensured by the following JBoss Web subsystem configuration entry in the <filename>JPP_DIST/standalone/configuration/standalon-ha.xml</filename> file:
+ </para>
<programlisting language="XML"><![CDATA[
<sso cache-container="web" cache-name="sso" reauthenticate="false" />
]]></programlisting>
- <para>
- When a loadbalancer is used in a cluster, no further configuration is needed to set up single sign-on. All JBoss Portal Platform servers in the cluster are accessed through the same URL, which is the URL of the loadbalancer. Automatic single sign-on is performed when the loadbalancer redirects client requests to individual nodes in the cluster.
- </para>
- </section>
- <section>
- <title>Clustered Single-Sign On in a Shared DNS Domain</title>
- <para>
- If multiple JBoss Portal Platform servers are accessed through different URLs in the same DNS domain, single sign-on can be configured by adding the <parameter>domain</parameter> parameter to the <parameter>sso</parameter> configuration entry.
- </para>
+ <para>
+ When a loadbalancer is used in a cluster, no further configuration is needed to set up single sign-on. All JBoss Portal Platform servers in the cluster are accessed through the same URL, which is the URL of the loadbalancer. Automatic single sign-on is performed when the loadbalancer redirects client requests to individual nodes in the cluster.
+ </para>
+ </section>
+
+ <section>
+ <title>Clustered Single-Sign On in a Shared DNS Domain</title>
+
+ <para>
+ If multiple JBoss Portal Platform servers are accessed through different URLs in the same DNS domain, single sign-on can be configured by adding the <parameter>domain</parameter> parameter to the <parameter>sso</parameter> configuration entry.
+ </para>
<programlisting language="XML"><![CDATA[
<sso cache-container="web" cache-name="sso" reauthenticate="false" domain="yourdomain.com"/>
]]></programlisting>
- <para>
- The parameter must be added to the entry on all servers in the cluster and the name of the shared DNS domain must be specified as its value. This configuration ensures that the <parameter>JSESSIONIDSSO</parameter> cookie will be scoped to the specified domain, which is otherwise scoped only to the host where the initial authentication was performed.
- </para>
- <para>
- The following procedure demonstrates how to configure and test single sign-on for two JBoss Portal Platform servers running in a shared domain on the same physical Linux machine.
- </para>
- <procedure id="proc-Reference_Guide-Enabling_SSO_using_JBoss_SSO_Valve-Testing_the_SSO_Valve">
- <title>Configuring and Testing Single-Sign On in a Shared DNS Domain</title>
- <step>
- <para>
- Add the following lines to the <emphasis role="bold">/etc/hosts</emphasis> file. Modify the IP addresses in accordance with the IP addresses of the two JBoss Portal Platform servers.
- </para>
+ <para>
+ The parameter must be added to the entry on all servers in the cluster and the name of the shared DNS domain must be specified as its value. This configuration ensures that the <parameter>JSESSIONIDSSO</parameter> cookie will be scoped to the specified domain, which is otherwise scoped only to the host where the initial authentication was performed.
+ </para>
+
+ <para>
+ The following procedure demonstrates how to configure and test single sign-on for two JBoss Portal Platform servers running in a shared domain on the same physical Linux machine.
+ </para>
+
+ <procedure id="proc-Reference_Guide-Enabling_SSO_using_JBoss_SSO_Valve-Testing_the_SSO_Valve">
+ <title>Configuring and Testing Single-Sign On in a Shared DNS Domain</title>
+
+ <step>
+ <para>
+ Add the following lines to the <emphasis role="bold">/etc/hosts</emphasis> file. Modify the IP addresses in accordance with the IP addresses of the two JBoss Portal Platform servers.
+ </para>
<programlisting>
127.0.1.1 machine1.yourdomain.com
127.0.1.2 machine2.yourdomain.com
</programlisting>
- </step>
- <step>
- <para>
- On both servers, open the <filename><replaceable>JPP_DIST</replaceable>/standalone/configuration/standalone-ha.xml</filename> file. Add the <parameter>domain</parameter> parameter to the <parameter>sso</parameter> entry and specify the name of the shared DNS domain in its value.
- </para>
+ </step>
+
+ <step>
+ <para>
+ On both servers, open the <filename><replaceable>JPP_DIST</replaceable>/standalone/configuration/standalone-ha.xml</filename> file. Add the <parameter>domain</parameter> parameter to the <parameter>sso</parameter> entry and specify the name of the shared DNS domain in its value.
+ </para>
<programlisting language="XML"><![CDATA[
<sso cache-container="web" cache-name="sso" reauthenticate="false" domain="yourdomain.com"/>
-]]></programlisting>
- </step>
- <step>
- <para>
- Start the first server using the following command:
- </para>
+]]></programlisting>
+ </step>
+
+ <step>
+ <para>
+ Start the first server using the following command:
+ </para>
<programlisting>
./standalone.sh -b machine1.yourdomain.com -c standalone-ha.xml -Djboss.node.name=node1
</programlisting>
- </step>
- <step>
- <para>
- Start the second server using the following command:
- </para>
+ </step>
+
+ <step>
+ <para>
+ Start the second server using the following command:
+ </para>
<programlisting>
./standalone.sh -b machine2.yourdomain.com -c standalone-ha.xml -Djboss.node.name=node2
</programlisting>
- </step>
- <step>
- <para>
- Access the first server at <ulink url="http://machine1.yourdomain.com:8080/portal">http://machine1.yourdomain.com:8080/portal</ulink> and log in as a user.
- </para>
- </step>
- <step>
- <para>
- Access the second server at <ulink url="http://machine2.yourdomain.com:8080/portal">http://machine2.yourdomain.com:8080/portal</ulink>. When the page loads, you will be automatically logged in with the same user account that you used on the first server.
- </para>
- </step>
- <step>
- <para>
- Log out on any of the two servers. Then switch to the other server and verify that you have been logged out of this server as well.
- </para>
- </step>
- </procedure>
- </section>
- <section id="sect-SSO_Single_Sign_On_-Enabling_SSO_using_JBoss_SSO_Valve-Other_Web_Apps">
- <title>Reauthentication</title>
- <para>
- The JBoss SSO valve can also be used to authenticate with any other web application. If that application uses the same roles as the main JBoss Portal Platform instance, no further configuration is required. Because the JBoss SSO valve includes the same JAAS principal in all HTTP requests, even in requests to other web applications, matching roles ensure successful authentication with those applications.
- </para>
- <para>
- To enable single sing-on authentication with an application that uses different roles, you need to set the <parameter>reauthenticate</parameter> parameter of the <parameter>sso</parameter> JBoss Web subsystem configuration entry to <literal>true</literal>.
- </para>
+ </step>
+
+ <step>
+ <para>
+ Access the first server at <ulink url="http://machine1.yourdomain.com:8080/portal">http://machine1.yourdomain.com:8080/portal</ulink> and log in as a user.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Access the second server at <ulink url="http://machine2.yourdomain.com:8080/portal">http://machine2.yourdomain.com:8080/portal</ulink>. When the page loads, you will be automatically logged in with the same user account that you used on the first server.
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Log out on any of the two servers. Then switch to the other server and verify that you have been logged out of this server as well.
+ </para>
+ </step>
+ </procedure>
+ </section>
+
+ <section id="sect-SSO_Single_Sign_On_-Enabling_SSO_using_JBoss_SSO_Valve-Other_Web_Apps">
+ <title>Reauthentication</title>
+
+ <para>
+ The JBoss SSO valve can also be used to authenticate with any other web application. If that application uses the same roles as the main JBoss Portal Platform instance, no further configuration is required. Because the JBoss SSO valve includes the same JAAS principal in all HTTP requests, even in requests to other web applications, matching roles ensure successful authentication with those applications.
+ </para>
+
+ <para>
+ To enable single sing-on authentication with an application that uses different roles, you need to set the <parameter>reauthenticate</parameter> parameter of the <parameter>sso</parameter> JBoss Web subsystem configuration entry to <literal>true</literal>.
+ </para>
<programlisting language="XML"><![CDATA[
<sso cache-container="web" cache-name="sso" reauthenticate="true" />
-]]></programlisting>
- <para>
- The <literal>true</literal> value ensures that reauthentication with user credentials will be performed against the web application's security domain in each HTTP request. This will enforce creation of a new principal with updated roles for the web application. As user credentials are used for authentication in this case, it is required that the same user credentials exist in both the web application and the JBoss Portal Platform instance.
- </para>
- </section>
- </section>
-</chapter>
+]]></programlisting>
+ <para>
+ The <literal>true</literal> value ensures that reauthentication with user credentials will be performed against the web application's security domain in each HTTP request. This will enforce creation of a new principal with updated roles for the web application. As user credentials are used for authentication in this case, it is required that the same user credentials exist in both the web application and the JBoss Portal Platform instance.
+ </para>
+ </section>
+ </section>
+ </chapter>
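Review bot: "standalon-ha.xml" in the rewritten Default Configuration paragraph is a typo for standalone-ha.xml (the later step in this hunk spells it correctly), and "single sing-on" in the Reauthentication section should be "single sign-on"; both lines are touched by the reindent, so fix them here. On the domain="yourdomain.com" setting, the text explains that JSESSIONIDSSO becomes scoped to the whole DNS domain but not the consequence: every host under that domain can then receive the SSO cookie, so the sentence should add that the parameter is only appropriate when all hosts in the domain are trusted portal nodes. Minor: "Log out on any of the two servers" should read "either of the two servers", and the stray "voiii" line inside the Source Metadata comment looks like leftover keyboard noise and can be deleted.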