Author: smumford
Date: 2011-11-28 18:46:40 -0500 (Mon, 28 Nov 2011)
New Revision: 8154
Modified:
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default124.xml
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default125.xml
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default126.xml
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default127.xml
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default128.xml
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default129.java
epp/docs/branches/5.2/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
Log:
JBEPP-1406: Corrected SSO issues due to referring to outdated GateIn docs
Modified:
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default124.xml
===================================================================
---
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default124.xml 2011-11-28
22:40:37 UTC (rev 8153)
+++
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default124.xml 2011-11-28
23:46:40 UTC (rev 8154)
@@ -1,13 +1,13 @@
<!-- SPNEGO domain -->
- <application-policy name="host">
- <authentication>
- <login-module code="com.sun.security.auth.module.Krb5LoginModule"
flag="required">
- <module-option name="storeKey">true</module-option>
- <module-option name="useKeyTab">true</module-option>
- <module-option
name="principal">HTTP/server.local.network(a)LOCAL.NETWORK</module-option>
- <module-option
name="keyTab">/home/user/krb5keytabs/jboss.keytab</module-option>
- <module-option name="doNotPrompt">true</module-option>
- <module-option name="debug">true</module-option>
- </login-module>
- </authentication>
+<application-policy name="host">
+ <authentication>
+ <login-module code="com.sun.security.auth.module.Krb5LoginModule"
flag="required">
+ <module-option name="storeKey">true</module-option>
+ <module-option name="useKeyTab">true</module-option>
+ <module-option
name="principal">HTTP/server.local.network(a)LOCAL.NETWORK</module-option>
+ <module-option
name="keyTab">/etc/krb5.keytab</module-option>
+ <module-option name="doNotPrompt">true</module-option>
+ <module-option name="debug">true</module-option>
+ </login-module>
+ </authentication>
</application-policy>
\ No newline at end of file
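Review bot: `<module-option name="debug">true</module-option>` is kept in the rewritten `host` policy, and readers will copy this listing into a production login configuration; Krb5LoginModule debug output goes to standard output and includes principal and keytab details, so the line should carry a comment such as `<!-- set to false outside of troubleshooting -->` or ship as `false`. The principal value `HTTP/server.local.network(a)LOCAL.NETWORK` looks like an address-masking artifact for `@`; if `(a)` is literally in the file the principal will never match a keytab entry, so confirm the source has `@`. Moving the keytab to `/etc/krb5.keytab` is reasonable, but the listing gives no hint that this file holds the service key and must be readable only by the account running the server; a one-line comment on the `keyTab` option would cover it.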
Modified:
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default125.xml
===================================================================
---
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default125.xml 2011-11-28
22:40:37 UTC (rev 8153)
+++
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default125.xml 2011-11-28
23:46:40 UTC (rev 8154)
@@ -1,30 +1,31 @@
- <property name="authenticators">
- <map keyClass="java.lang.String"
valueClass="java.lang.String">
- <entry>
- <key>BASIC</key>
-
<value>org.apache.catalina.authenticator.BasicAuthenticator</value>
- </entry>
- <entry>
- <key>CLIENT-CERT</key>
- <value>org.apache.catalina.authenticator.SSLAuthenticator</value>
- </entry>
- <entry>
- <key>DIGEST</key>
-
<value>org.apache.catalina.authenticator.DigestAuthenticator</value>
- </entry>
- <entry>
- <key>FORM</key>
-
<value>org.apache.catalina.authenticator.FormAuthenticator</value>
- </entry>
- <entry>
- <key>NONE</key>
-
<value>org.apache.catalina.authenticator.NonLoginAuthenticator</value>
- </entry>
+<deployment xmlns="urn:jboss:bean-deployer:2.0">
+<property name="authenticators">
+ <map class="java.util.Properties" keyClass="java.lang.String"
valueClass="java.lang.String">
+ <entry>
+ <key>BASIC</key>
+ <value>org.apache.catalina.authenticator.BasicAuthenticator</value>
+ </entry>
+ <entry>
+ <key>CLIENT-CERT</key>
+ <value>org.apache.catalina.authenticator.SSLAuthenticator</value>
+ </entry>
+ <entry>
+ <key>DIGEST</key>
+ <value>org.apache.catalina.authenticator.DigestAuthenticator</value>
+ </entry>
+ <entry>
+ <key>FORM</key>
+ <value>org.apache.catalina.authenticator.FormAuthenticator</value>
+ </entry>
+ <entry>
+ <key>NONE</key>
+
<value>org.apache.catalina.authenticator.NonLoginAuthenticator</value>
+ </entry>
- <!-- Add this entry -->
- <entry>
- <key>SPNEGO</key>
- <value>org.jboss.security.negotiation.NegotiationAuthenticator</value>
- </entry>
- </map>
- </property>
\ No newline at end of file
+ <!-- Add this entry -->
+ <entry>
+ <key>SPNEGO</key>
+ <value>org.gatein.sso.spnego.GateInNegotiationAuthenticator</value>
+ </entry>
+ </map>
+</property>
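Review bot: The new opening `<deployment xmlns="urn:jboss:bean-deployer:2.0">` on the first added line has no matching `</deployment>` anywhere in the hunk, so the fragment is no longer balanced and a reader pasting it into a deployment file gets a parse error; either drop that line (the `<property>` element already shows where the block belongs) or close it after `</property>`. The SPNEGO entry now names `org.gatein.sso.spnego.GateInNegotiationAuthenticator` where the previous listing had `org.jboss.security.negotiation.NegotiationAuthenticator`, and since the log message says the old text came from outdated upstream docs, the entry deserves a comment so readers following those docs do not mix the two, e.g. `<!-- GateIn's own SPNEGO authenticator; this replaces the JBoss Negotiation class shown in older guides -->`.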
Modified:
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default126.xml
===================================================================
---
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default126.xml 2011-11-28
22:40:37 UTC (rev 8153)
+++
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default126.xml 2011-11-28
23:46:40 UTC (rev 8154)
@@ -1,20 +1,54 @@
<deployment xmlns="urn:jboss:bean-deployer:2.0">
+
+ <application-policy xmlns="urn:jboss:security-beans:1.0"
name="gatein-form-auth-domain">
+ <authentication>
+ <login-module code="org.gatein.wci.security.WCILoginModule"
flag="optional">
+ <module-option
name="portalContainerName">portal</module-option>
+ <module-option
name="realmName">gatein-domain</module-option>
+ </login-module>
+ <login-module
code="org.exoplatform.services.security.jaas.SharedStateLoginModule"
flag="required">
+ <module-option
name="portalContainerName">portal</module-option>
+ <module-option
name="realmName">gatein-domain</module-option>
+ </login-module>
+
+ <!-- Uncomment this part to check on each login if user is member of
"/platform/users" group and if not
+ create such membership -->
+ <!--
+ <login-module
code="org.exoplatform.services.organization.idm.CustomMembershipLoginModule"
flag="required">
+ <module-option
name="portalContainerName">portal</module-option>
+ <module-option
name="realmName">gatein-domain</module-option>
+ <module-option
name="membershipType">member</module-option>
+ <module-option
name="groupId">/platform/users</module-option>
+ </login-module>
+ -->
+
+ <login-module
code="org.exoplatform.services.security.j2ee.JbossLoginModule"
flag="required">
+ <module-option
name="portalContainerName">portal</module-option>
+<!-- logout needs to be performed from 'gatein-domain' as it is used for
JaasSecurityManager. -->
+ <module-option
name="realmName">gatein-domain</module-option>
+ </login-module>
+ </authentication>
+ </application-policy>
+
+
<application-policy xmlns="urn:jboss:security-beans:1.0"
name="gatein-domain">
- <!-- Uncomment this for Kerberos based SSO integration -->
<authentication>
- <login-module
+ <login-module
code="org.gatein.sso.spnego.SPNEGOLoginModule"
flag="requisite">
<module-option
name="password-stacking">useFirstPass</module-option>
<module-option
name="serverSecurityDomain">host</module-option>
- </login-module>
+ <module-option
name="removeRealmFromPrincipal">true</module-option>
+ <module-option
name="usernamePasswordDomain">gatein-form-auth-domain</module-option>
+ </login-module>
<login-module
code="org.gatein.sso.agent.login.SPNEGORolesModule"
flag="required">
<module-option
name="password-stacking">useFirstPass</module-option>
<module-option
name="portalContainerName">portal</module-option>
<module-option
name="realmName">gatein-domain</module-option>
- </login-module>
+ </login-module>
</authentication>
</application-policy>
+
</deployment>
\ No newline at end of file
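Review bot: The two options added to `SPNEGOLoginModule`, `removeRealmFromPrincipal` and `usernamePasswordDomain`, are the only module-options in this policy without any explanation, and both change how identities are mapped: stripping the realm turns `user@LOCAL.NETWORK` into `user`, which maps cleanly only while a single realm is trusted (with cross-realm trust two distinct principals could collapse into one portal account), and `usernamePasswordDomain` points at the `gatein-form-auth-domain` policy defined above, presumably the domain consulted when SPNEGO fails and FORM credentials are submitted. Suggest `<!-- strip @REALM so the Kerberos principal matches the portal username; assumes one trusted realm -->` and `<!-- security domain used for the FORM fallback when SPNEGO does not succeed -->` on those two lines. The commented-out `CustomMembershipLoginModule` block also deserves a stronger caveat than "Uncomment this part": as written it grants `/platform/users` membership to every login that lacks it, so enabling it widens access automatically rather than by an administrator's decision. The enclosing `<deployment>` element opens on the first context line of the hunk and closes on the last, so the policies are complete here.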
Modified:
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default127.xml
===================================================================
---
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default127.xml 2011-11-28
22:40:37 UTC (rev 8153)
+++
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default127.xml 2011-11-28
23:46:40 UTC (rev 8154)
@@ -1,14 +1,17 @@
- <!--
- <login-config>
- <auth-method>FORM</auth-method>
- <realm-name>gatein-domain</realm-name>
+<!-- <login-config>
+ <auth-method>FORM</auth-method>
+ <realm-name>gatein-domain</realm-name>
<form-login-config>
- <form-login-page>/initiatelogin</form-login-page>
+ <form-login-page>/initiatelogin</form-login-page>
<form-error-page>/errorlogin</form-error-page>
</form-login-config>
</login-config>
- -->
+-->
<login-config>
<auth-method>SPNEGO</auth-method>
- <realm-name>SPNEGO</realm-name>
+ <realm-name>SPNEGO</realm-name>
+ <form-login-config>
+ <form-login-page>/initiatelogin</form-login-page>
+ <form-error-page>/errorlogin</form-error-page>
+ </form-login-config>
</login-config>
\ No newline at end of file
Modified:
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default128.xml
===================================================================
---
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default128.xml 2011-11-28
22:40:37 UTC (rev 8153)
+++
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default128.xml 2011-11-28
23:46:40 UTC (rev 8154)
@@ -1,22 +1,24 @@
<filter>
<filter-name>LoginRedirectFilter</filter-name>
<filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
- <init-param>
- <!-- This should point to your SSO authentication server -->
- <param-name>LOGIN_URL</param-name>
- <param-value>/portal/private/classic</param-value>
+ <init-param>
+ <!-- This should point to your SSO authentication server -->
+ <param-name>LOGIN_URL</param-name>
+ <param-value>/portal/private/classic</param-value>
</init-param>
</filter>
+
<filter>
- <filter-name>SPNEGOFilter</filter-name>
- <filter-class>org.gatein.sso.agent.filter.SPNEGOFilter</filter-class>
+ <filter-name>SPNEGOFilter</filter-name>
+ <filter-class>org.gatein.sso.agent.filter.SPNEGOFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>LoginRedirectFilter</filter-name>
- <url-pattern>/*</url-pattern>
+ <url-pattern>/*</url-pattern>
</filter-mapping>
-<filter-mapping>
- <filter-name>SPNEGOFilter</filter-name>
- <url-pattern>/*</url-pattern>
+
+<filter-mapping>
+ <filter-name>SPNEGOFilter</filter-name>
+ <url-pattern>/login</url-pattern>
</filter-mapping>
\ No newline at end of file
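Review bot: The `SPNEGOFilter` mapping is narrowed from `/*` to `/login` without a comment, while `LoginRedirectFilter` stays mapped to `/*`; a reader comparing this with the older listing cannot tell whether the narrower pattern is deliberate or a typo. Suggest `<!-- SPNEGO negotiation is only attempted on the login entry point; other requests are handled by LoginRedirectFilter -->` above that mapping. The retained comment `This should point to your SSO authentication server` also sits oddly next to the value `/portal/private/classic`, which is a portal-local path rather than an external server; if that path is indeed the intended target in the SPNEGO setup, reword the comment to say so, e.g. `<!-- for SPNEGO this is the portal URL that triggers the negotiation -->`.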
Modified:
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default129.java
===================================================================
---
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default129.java 2011-11-28
22:40:37 UTC (rev 8153)
+++
epp/docs/branches/5.2/Reference_Guide/en-US/extras/Authentication_Identity_SSO/default129.java 2011-11-28
23:46:40 UTC (rev 8154)
@@ -1,4 +1,4 @@
<!--
-<a
onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
+<a class="Login"
onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
-->
-<a
href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
\ No newline at end of file
+<a class="Login"
href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
\ No newline at end of file
Modified:
epp/docs/branches/5.2/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
===================================================================
---
epp/docs/branches/5.2/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2011-11-28
22:40:37 UTC (rev 8153)
+++
epp/docs/branches/5.2/Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2011-11-28
23:46:40 UTC (rev 8154)
@@ -1605,6 +1605,36 @@
</para>
<programlisting language="XML" role="XML"><xi:include
href="../../extras/Authentication_Identity_SSO/default127.xml"
parse="text"
xmlns:xi="http://www.w3.org/2001/XInclude"
/></programlisting>
+ <para>
+ This integrates SPNEGO support into the Portal web archive by
switching the authentication mechanism from the default "FORM"-based to
"SPNEGO"-based authentication.
+ </para>
+ <para>
+ You can see that the SPNEGO portion also contains the element
<code>form-login-config</code>, which is required if you want to enable a
fallback to FORM based authentication function.
+ </para>
+ <para>
+ In this case, the portal will attempt to authenticate the user
with their Kerberos ticket through SPNEGO. If the user does not have a Kerberos ticket,
they will be redirected to FORM authentication and via the login screen.
+ </para>
+ <para>
+ This configuration ensures the first authentication attempt is
though SPNEGO and, if this attempt is unsuccessful, another attempt is made using the FORM
method. This could occur if the user does not have a valid Kerberos ticket or if the web
browser in use does not support SPNEGO authentication with the Kerberos server.
+ </para>
+ <para>
+ If the fallback to FORM function is not required, the
<code>form-login-config</code> configuration can be disabled like so:
+ </para>
+<programlisting language="XML"
role="XML"><![CDATA[<login-config>
+ <auth-method>SPNEGO</auth-method>
+ <realm-name>SPNEGO</realm-name>
+<!-- <form-login-config>
+ <form-login-page>/initiatelogin</form-login-page>
+ <form-error-page>/errorlogin</form-error-page>
+ </form-login-config>
+-->
+ </login-config>
+]]></programlisting>
+ <para>
+ In this case the user needs to authenticate through SPNEGO and if
that fails, the user will receive an authentication error with HTTP code
<literal>401</literal>. The FORM fallback will not be offered.
+ </para>
+ </step>
+ <step>
<para>
Integrate the request pre-processing needed for SPNEGO via
filters by adding the following filters to the
<filename><replaceable><JBOSS_HOME></replaceable>/server/<replaceable><PROFILE></replaceable>/deploy/gatein.ear/02portal.war/WEB-INF/web.xml</filename>
at the top of the Filter chain.
</para>
@@ -1626,9 +1656,12 @@
</para>
<programlisting language="Java" role="Java"><xi:include
href="../../extras/Authentication_Identity_SSO/default130.java"
parse="text"
xmlns:xi="http://www.w3.org/2001/XInclude"
/></programlisting>
- <para>
- The <replaceable>PROFILE</replaceable> parameter in
the above command should be replaced with the server profile modified with the above
configuration.
- </para>
+ <note>
+ <title>Note</title>
+ <para>
+ The <replaceable>PROFILE</replaceable>
parameter in the above command should be replaced with the server profile modified with
the above configuration.
+ </para>
+ </note>
</step>
<step>