Author: smumford
Date: 2010-05-12 02:22:13 -0400 (Wed, 12 May 2010)
New Revision: 3061
Modified:
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/AuthenticationAndIdentity/AccessingUserProfile.xml
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/AuthenticationAndIdentity/OrganizationAPI.xml
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/WSRP.xml
Log:
JBEPP-276: Miscellaneous copy edits and minor structural changes
Modified:
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/AuthenticationAndIdentity/AccessingUserProfile.xml
===================================================================
---
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/AuthenticationAndIdentity/AccessingUserProfile.xml 2010-05-12
02:49:29 UTC (rev 3060)
+++
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/AuthenticationAndIdentity/AccessingUserProfile.xml 2010-05-12
06:22:13 UTC (rev 3061)
@@ -9,7 +9,7 @@
The following code retrieves the details for a logged-in user:
</para>
-<programlisting role="JAVA">// Alternative context: WebuiRequestContext
context = WebuiRequestContext.getCurrentInstance() ;
+<programlisting language="Java" role="JAVA">// Alternative
context: WebuiRequestContext context = WebuiRequestContext.getCurrentInstance() ;
PortalRequestContext context = PortalRequestContext.getCurrentInstance() ;
// Get the id of the user logged
String userId = context.getRemoteUser();
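Review bot: both declarations in this listing name the variable `context`, so if the WebuiRequestContext alternative is ever uncommented next to the PortalRequestContext line the snippet will not compile; keep the alternative as one self-contained comment line (`// Alternative: WebuiRequestContext context = WebuiRequestContext.getCurrentInstance();`) so it cannot be mistaken for live code. Next to `String userId = context.getRemoteUser();` it is worth stating that the value is null for an unauthenticated request, so callers must check for null before using it as a lookup key, and the preceding comment should read `// Get the id of the logged-in user`.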
@@ -32,13 +32,13 @@
<orderedlist>
<listitem>
-<programlisting role="JAVA">OrganizationService service =
(OrganizationService)
+<programlisting language="Java" role="JAVA">OrganizationService
service = (OrganizationService)
ExoContainerContext.getCurrentContainer().getComponentInstanceOfType(OrganizationService.class);
</programlisting>
</listitem>
<listitem>
-<programlisting role="JAVA">OrganizationService service =
(OrganizationService)
+<programlisting language="Java" role="JAVA">OrganizationService
service = (OrganizationService)
PortalContainer.getInstance().getComponentInstanceOfType(OrganizationService.class);
</programlisting>
</listitem>
Modified:
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml
===================================================================
---
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml 2010-05-12
02:49:29 UTC (rev 3060)
+++
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/AuthenticationAndIdentity/BackendConfiguration.xml 2010-05-12
06:22:13 UTC (rev 3061)
@@ -6,10 +6,10 @@
<section id="sect-Reference_Guide-PicketLink_IDM_integration">
<title>PicketLink IDM integration</title>
<para>
- &PRODUCT; uses PicketLink IDM component to keep the necessary identity information
(users, groups, memberships, etc.). While legacy interfaces are still used
(org.exoplatform.services.organization) for identity management, there is a wrapper
implementation that delegates to PicketLink IDM framework.
+ &PRODUCT; uses the <literal>PicketLink IDM</literal> component to store
necessary identity information about users, groups and memberships. While legacy
interfaces are still used
(<literal>org.exoplatform.services.organization</literal>) for identity
management, there is a wrapper implementation that delegates to PicketLink IDM framework.
</para>
<para>
- This section does not provide information about PicketLink IDM and its configuration.
Please, refer to the appropriate project documentation (<ulink
url="http://jboss.org/picketlink/IDM.html" />) for further information.
+ This section does not provide information about <literal>PicketLink
IDM</literal> and its configuration. Please, refer to the appropriate project
documentation (<ulink
url="http://jboss.org/picketlink/IDM.html" />) for
further information.
</para>
<note>
<para>
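Review bot: minor wording in the new paragraphs: `Please, refer to the appropriate project documentation` does not need the comma, and `delegates to PicketLink IDM framework` needs an article (`delegates to the PicketLink IDM framework`). The `<ulink>` has no link text, so the rendered output shows only the bare URL; giving it a label such as the project name would read better.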
@@ -17,16 +17,16 @@
</para>
</note>
<para>
- The identity model represented in '<emphasis
role="bold">org.exoplatform.services.organization</emphasis>'
interfaces and the one used in <emphasis role="bold">PicketLink
IDM</emphasis> have some major differences.
+ The identity models represented in the
<literal>org.exoplatform.services.organization</literal> interfaces and the
one used in <emphasis role="bold">PicketLink IDM</emphasis> have
some major differences.
</para>
<!-- <para>
TODO: tell more about org.exoplatform.services.organization
</para> -->
<para>
- For example: <emphasis role="bold">PicketLink IDM</emphasis>
provides greater abstraction. It is possible for groups in <emphasis
role="bold">IDM</emphasis> framework to form memberships with many
parents (which requires recursive ID translation), while GateIn model allows only pure
tree-like membership structures.
+ For example; <literal>PicketLink IDM</literal> provides greater
abstraction. It is possible for groups in the <emphasis
role="bold">IDM</emphasis> framework to form memberships with many
parents (which requires recursive ID translation), while the
<literal>org.exoplatform.services.organization</literal> model allows only
pure tree-like membership structures.
</para>
<para>
- Additionally, GateIn <emphasis>membership</emphasis> concept needs to be
translated into the IDM <emphasis>Role</emphasis> concept. Therefore
<emphasis role="bold">PicketLink IDM</emphasis> model is used in a
limited way. All these translations are applied by the integration layer.
+ Additionally, <literal>org.exoplatform.services.organization</literal>
<emphasis>membership</emphasis> concept needs to be translated into the IDM
<emphasis>Role</emphasis> concept. Therefore <literal>PicketLink
IDM</literal> model is used in a limited way. All these translations are applied by
the integration layer.
</para>
<section
id="sect-Reference_Guide-PicketLink_IDM_integration-Configuration_files">
<title>Configuration files</title>
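Review bot: `For example;` in the new text should be `For example:` (the colon in the removed line was correct). Markup is also inconsistent inside this hunk: `PicketLink IDM` is switched to `<literal>` in two paragraphs, but the third keeps `<emphasis role="bold">PicketLink IDM</emphasis>` and `<emphasis role="bold">IDM</emphasis>`; pick one element for the product name and use it throughout. `Therefore <literal>PicketLink IDM</literal> model is used` needs `the` before the literal, and the commented-out TODO paragraph should be either resolved or dropped rather than carried along.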
@@ -39,87 +39,86 @@
<area coords="22"
id="area-Reference_Guide-PicketLink_IDM_integration-Configuration_files-JBossIDMOrganizationServiceImpl"
/>
</areaspec>
-<programlisting><configuration
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+<programlisting language="XML"
role="XML"><![CDATA[<configuration
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.exoplaform.org/xml/ns/kernel_1_0.xsd
http://www.exoplaform.org/xml/ns/kernel_1_0.xsd"
-
xmlns="http://www.exoplaform.org/xml/ns/kernel_1_0.xsd">
+
xmlns="http://www.exoplaform.org/xml/ns/kernel_1_0.xsd">
- <component>
-
<key>org.exoplatform.services.organization.idm.PicketLinkIDMService</key>
-
<type>org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl</type>
- <init-params>
- <value-param>
- <name>config</name>
-
<value>war:/conf/organization/idm-config.xml</value>
- </value-param>
- <value-param>
- <name>portalRealm</name>
- <value>realm${container.name.suffix}</value>
- </value-param>
- </init-params>
- </component>
+ <component>
+
<key>org.exoplatform.services.organization.idm.PicketLinkIDMService</key>
+
<type>org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl</type>
+ <init-params>
+ <value-param>
+ <name>config</name>
+ <value>war:/conf/organization/idm-config.xml</value>
+ </value-param>
+ <value-param>
+ <name>portalRealm</name>
+ <value>realm${container.name.suffix}</value>
+ </value-param>
+ </init-params>
+ </component>
- <component>
-
<key>org.exoplatform.services.organization.OrganizationService</key>
-
<type>org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</type>
- <init-params>
- <object-param>
- <name>configuration</name>
- <object
type="org.exoplatform.services.organization.idm.Config">
- <field name="useParentIdAsGroupType">
- <boolean>true</boolean>
- </field>
+ <component>
+ <key>org.exoplatform.services.organization.OrganizationService</key>
+
<type>org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</type>
+ <init-params>
+ <object-param>
+ <name>configuration</name>
+ <object type="org.exoplatform.services.organization.idm.Config">
+ <field name="useParentIdAsGroupType">
+ <boolean>true</boolean>
+ </field>
- <field name="forceMembershipOfMappedTypes">
- <boolean>true</boolean>
- </field>
+ <field name="forceMembershipOfMappedTypes">
+ <boolean>true</boolean>
+ </field>
- <field name="pathSeparator">
- <string>.</string>
- </field>
+ <field name="pathSeparator">
+ <string>.</string>
+ </field>
- <field name="rootGroupName">
- <string>GTN_ROOT_GROUP</string>
- </field>
+ <field name="rootGroupName">
+ <string>GTN_ROOT_GROUP</string>
+ </field>
- <field name="groupTypeMappings">
- <map type="java.util.HashMap">
- <entry>
-
<key><string>/</string></key>
-
<value><string>root_type</string></value>
- </entry>
+ <field name="groupTypeMappings">
+ <map type="java.util.HashMap">
+ <entry>
+ <key><string>/</string></key>
+ <value><string>root_type</string></value>
+ </entry>
- <!-- Sample mapping -->
- <!--
- <entry>
-
<key><string>/platform/*</string></key>
-
<value><string>platform_type</string></value>
- </entry>
- <entry>
-
<key><string>/organization/*</string></key>
-
<value><string>organization_type</string></value>
- </entry>
- -->
+ <!-- Sample mapping -->
+ <!--
+ <entry>
+ <key><string>/platform/*</string></key>
+ <value><string>platform_type</string></value>
+ </entry>
+ <entry>
+ <key><string>/organization/*</string></key>
+
<value><string>organization_type</string></value>
+ </entry>
+ -->
- </map>
- </field>
+ </map>
+ </field>
- <field name="associationMembershipType">
- <string>member</string>
- </field>
+ <field name="associationMembershipType">
+ <string>member</string>
+ </field>
- <field name="ignoreMappedMembershipType">
- <boolean>false</boolean>
- </field>
- </object>
- </object-param>
- </init-params>
+ <field name="ignoreMappedMembershipType">
+ <boolean>false</boolean>
+ </field>
+ </object>
+ </object-param>
+ </init-params>
- </component>
+ </component>
-</configuration>
-</programlisting>
+</configuration>]]></programlisting>
<calloutlist>
<callout
arearefs="area-Reference_Guide-PicketLink_IDM_integration-Configuration_files-JBossIDMServiceImpl">
<para>
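Review bot: the callouts on this listing are line-based (`<area coords="22" ... id="...-JBossIDMOrganizationServiceImpl" />`), and this hunk both re-indents the listing inside a CDATA section and changes its length (87 lines to 86), so every `coords` value in the `<areaspec>` needs to be re-counted against the new listing or the callouts will point at the wrong lines. Wrapping the listing in `<![CDATA[ ... ]]>` is a sensible way to avoid escaping the angle brackets; just make sure the `<calloutlist>` text that describes each component still matches the line the callout now lands on.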
@@ -130,10 +129,10 @@
<term>config</term>
<listitem>
<para>
- (value-param)
+ <parameter>(value-param)</parameter>
</para>
<para>
- PicketLink IDM configuration file
+ The PicketLink IDM configuration file.
</para>
</listitem>
</varlistentry>
@@ -141,7 +140,7 @@
<term>hibernate.properties</term>
<listitem>
<para>
- (properties-param)
+ <parameter>(properties-param)</parameter>
</para>
<para>
A list of hibernate properties used to create SessionFactory that will be
injected to JBoss Identity IDM configuration registry.
@@ -168,10 +167,10 @@
<term>jndiName</term>
<listitem>
<para>
- (value-param)
+ <parameter>(value-param)</parameter>
</para>
<para>
- If the 'config' parameter is not provided, this parameter will be used
to perform JNDI lookup for IdentitySessionFactory
+ If the <literal>config</literal> parameter is not provided, this
parameter will be used to perform JNDI lookup for IdentitySessionFactory.
</para>
</listitem>
</varlistentry>
@@ -179,10 +178,10 @@
<term>portalRealm</term>
<listitem>
<para>
- (value-param)
+ <parameter>(value-param)</parameter>
</para>
<para>
- The realm name that should be used to obtain proper IdentitySession. The default
is 'PortalRealm'.
+ The realm name that should be used to obtain proper IdentitySession. The default
is <literal>PortalRealm</literal>.
</para>
</listitem>
</varlistentry>
@@ -193,14 +192,14 @@
The <emphasis
role="bold">org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</emphasis>
key is a main entrypoint implementing <emphasis
role="bold">org.exoplatform.services.organization.OrganizationService</emphasis>
and is dependant on <emphasis
role="bold">org.exoplatform.services.organization.idm.PicketLinkIDMService</emphasis>
</para>
<para>
- <emphasis
role="bold">org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</emphasis>
service has the following options defined as fields of object-param of type <emphasis
role="bold">org.exoplatform.services.organization.idm.Config</emphasis>:
+ The <emphasis
role="bold">org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</emphasis>
service has the following options defined as fields of
<parameter>object-param</parameter> of type <emphasis
role="bold">org.exoplatform.services.organization.idm.Config</emphasis>:
</para>
<variablelist>
<varlistentry>
<term>defaultGroupType</term>
<listitem>
<para>
- The name of the PicketLink IDM GroupType that will be used to store groups. The
default is 'GTN_GROUP_TYPE'.
+ The name of the PicketLink IDM GroupType that will be used to store groups. The
default is '<literal>GTN_GROUP_TYPE</literal>'.
</para>
</listitem>
</varlistentry>
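Review bot: `The default is '<literal>GTN_GROUP_TYPE</literal>'.` keeps the single quotes around the literal, while the `portalRealm` entry earlier in this file drops them (`The default is <literal>PortalRealm</literal>.`); drop the quotes here too, since the element already sets the value apart. While in this hunk, the unchanged context sentence `is dependant on` should read `is dependent on` and needs a full stop at the end.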
@@ -208,7 +207,7 @@
<term>rootGroupName</term>
<listitem>
<para>
- The name of the PicketLink IDM Group that will be used as a root parent. The
default is 'GTN_ROOT_GROUP'
+ The name of the PicketLink IDM Group that will be used as a root parent. The
default is '<literal>GTN_ROOT_GROUP</literal>'
</para>
</listitem>
</varlistentry>
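Review bot: `The default is '<literal>GTN_ROOT_GROUP</literal>'` ends without a full stop and has the same redundant quotes around the literal as the `defaultGroupType` entry; fix both entries the same way so the variablelist is consistent.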
@@ -216,7 +215,7 @@
<term>passwordAsAttribute</term>
<listitem>
<para>
- This parameter specifies if a password should be stored using PicketLink IDM
Credential object or as a plain attribute. The default is false.
+ This parameter specifies if a password should be stored using PicketLink IDM
Credential object or as a plain attribute. The default is <emphasis
role="bold">false</emphasis>.
</para>
</listitem>
</varlistentry>
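Review bot: this entry says what `passwordAsAttribute` does but not why the default of `false` is the one to keep. With `true` the password is written as an ordinary user attribute (the attribute list later in this file shows `password` next to `firstName` and `email`), so it is stored and read alongside profile data instead of being handled through the PicketLink IDM Credential object. One sentence noting that the attribute form exists for compatibility and that the default should be left in place on production systems would help readers hardening a deployment.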
@@ -224,7 +223,7 @@
<term>useParentIdAsGroupType</term>
<listitem>
<para>
- This parameter stores the parent ID path as a group type in PicketLink IDM for
any IDs not mapped with a specific type in 'groupTypeMappings'. If this option is
set to false, and no mappings are provided under 'groupTypeMappings', then only
one group with the given name can exist in the &PRODUCT; group tree.
+ This parameter stores the parent ID path as a group type in PicketLink IDM for
any IDs not mapped with a specific type in
'<literal>groupTypeMappings</literal>'. If this option is set to
<emphasis>false</emphasis>, and no mappings are provided under
'<literal>groupTypeMappings</literal>', then only one group with the
given name can exist in the &PRODUCT; group tree.
</para>
</listitem>
</varlistentry>
@@ -232,7 +231,7 @@
<term>pathSeparator</term>
<listitem>
<para>
- When 'userParentIdAsGroupType is set to true, this value will be used to
replace all "/" characters in IDs. The "/" character is not allowed to
be used in group type name in PicketLink IDM.
+ When '<literal>userParentIdAsGroupType</literal>' is set to
<emphasis>true</emphasis>, this value will be used to replace all
"/" characters in IDs. The "/" character is not allowed to be used in
group type name in PicketLink IDM.
</para>
</listitem>
</varlistentry>
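Review bot: the option name in the new text is wrong: `<literal>userParentIdAsGroupType</literal>` should be `useParentIdAsGroupType`, the name used by the varlistentry term above and by `<field name="useParentIdAsGroupType">` in the configuration listing. Wrapping the misspelling in `<literal>` makes it look authoritative, so correct it in this change; the quotes around the literal are also redundant.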
@@ -262,10 +261,10 @@
<term>forceMembershipOfMappedTypes</term>
<listitem>
<para>
- Groups stored in PicketLink IDM with a type mapped in
'groupTypeMappings' will automatically be members under the mapped parent. Group
relationships linked by PicketLink IDM group association will not be necessary.
+ Groups stored in PicketLink IDM with a type mapped in
'<literal>groupTypeMappings</literal>' will automatically be members
under the mapped parent. Group relationships linked by PicketLink IDM group association
will not be necessary.
</para>
<para>
- This parameter can be set to false if all groups are added via &PRODUCT;
APIs. This may be useful with LDAP configuration as, when set to true, it will make every
entry added to LDAP appear in &PRODUCT;. This, however, is not true for entries added
via &PRODUCT; management UI.
+ This parameter can be set to <emphasis>false</emphasis> if all
groups are added via &PRODUCT; APIs. This may be useful with LDAP configuration as,
when set to true, it will make every entry added to LDAP appear in &PRODUCT;. This,
however, is not true for entries added via &PRODUCT; management UI.
</para>
</listitem>
</varlistentry>
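Review bot: `when set to true` in the second new paragraph is left as plain text while `<emphasis>false</emphasis>` in the same sentence is marked up; treat both values the same way. The consequence could also be stated more directly: with the option left at `true` and an LDAP store, every entry added to LDAP appears in &PRODUCT; automatically, with no action taken in the portal, which is the reason the text recommends `false` when groups are only ever added through the &PRODUCT; APIs.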
@@ -273,29 +272,100 @@
<term>ignoreMappedMembershipType</term>
<listitem>
<para>
- If "associationMembershipType" option is used, and this option is set
to true, then Membership with MembershipType configured to be stored as PicketLink IDM
association will not be stored as PicketLink IDM Role.
+ If "<literal>associationMembershipType</literal>" option
is used, and this option is set to <emphasis>true</emphasis>, then Membership
with MembershipType configured to be stored as PicketLink IDM association will not be
stored as PicketLink IDM Role.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
- Additionally, <emphasis
role="bold">JBossIDMOrganizationServiceImpl</emphasis> uses those
defaults to perform identity management operations
+ Additionally, <literal>JBossIDMOrganizationServiceImpl</literal> uses
those defaults to perform identity management operations
</para>
<itemizedlist>
<listitem>
<para>
- &PRODUCT; User interface properties fields are persisted in JBoss Identity
IDM using those attributes names: firstName, lastName, email, createdDate, lastLoginTime,
organizationId, password (if password is configured to be stored as attribute)
+ &PRODUCT; User interface properties fields are persistent in JBoss Identity
IDM using the attributes names:
</para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <parameter>firstName</parameter>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <parameter>lastName</parameter>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <parameter>email</parameter>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <parameter>createdDate</parameter>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <parameter>lastLoginTime</parameter>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <parameter>organizationId</parameter>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <parameter>password</parameter> (if password is configured to be
stored as attribute)
+ </para>
+ </listitem>
+ </itemizedlist>
</listitem>
<listitem>
<para>
- &PRODUCT; Group interface properties fields are persisted in JBoss Identity
IDM using those attributes names: label, description
+ &PRODUCT; Group interface properties fields are persistent in JBoss Identity
IDM using the attributes names:
</para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <parameter>label</parameter>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <parameter>description</parameter>
+ </para>
+ </listitem>
+ </itemizedlist>
</listitem>
<listitem>
<para>
- &PRODUCT; MembershipType interface properties fields are persisted in JBoss
Identity IDM using those RoleType properties: description, owner, create_date,
modified_date
+ &PRODUCT; <literal>MembershipType</literal> interface properties
fields are persistent in JBoss Identity IDM using those
<literal>RoleType</literal> properties:
</para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <parameter>description</parameter>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <parameter>owner</parameter>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <parameter>create_date</parameter>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <parameter>modified_date</parameter>
+ </para>
+ </listitem>
+ </itemizedlist>
</listitem>
</itemizedlist>
</callout>
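Review bot: `persisted` was changed to `persistent` in all three list introductions (`fields are persistent in JBoss Identity IDM using the attributes names:`), which changes the meaning; the original `persisted` (stored) is correct, and `attributes names` should be `attribute names`. The paragraph still refers to `<literal>JBossIDMOrganizationServiceImpl</literal>` although the class documented earlier in this file is `org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl`, and the callout area id also still carries the old name; update the name consistently. `uses those defaults to perform identity management operations` also needs a colon or full stop before the list.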
@@ -306,80 +376,79 @@
A sample <emphasis role="bold">PicketLink IDM</emphasis>
configuration file is shown below. To understand all the options it contains, please refer
to the PicketLink IDM Reference Guide
</para>
-<programlisting role="XML"><jboss-identity
xmlns="urn:jboss:identity:idm:config:v1_0_beta"
+<programlisting language="XML"
role="XML"><![CDATA[<jboss-identity
xmlns="urn:jboss:identity:idm:config:v1_0_beta"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:jboss:identity:idm:config:v1_0_alpha
identity-config.xsd">
- <realms>
- <realm>
- <id>PortalRealm</id>
-
<repository-id-ref>PortalRepository</repository-id-ref>
- <identity-type-mappings>
- <user-mapping>USER</user-mapping>
- </identity-type-mappings>
- </realm>
- </realms>
- <repositories>
- <repository>
- <id>PortalRepository</id>
-
<class>org.jboss.identity.idm.impl.repository.WrapperIdentityStoreRepository</class>
- <external-config/>
-
<default-identity-store-id>HibernateStore</default-identity-store-id>
-
<default-attribute-store-id>HibernateStore</default-attribute-store-id>
- </repository>
- </repositories>
- <stores>
- <attribute-stores/>
- <identity-stores>
- <identity-store>
- <id>HibernateStore</id>
-
<class>org.jboss.identity.idm.impl.store.hibernate.HibernateIdentityStoreImpl</class>
- <external-config/>
- <supported-relationship-types>
-
<relationship-type>JBOSS_IDENTITY_MEMBERSHIP</relationship-type>
-
<relationship-type>JBOSS_IDENTITY_ROLE</relationship-type>
- </supported-relationship-types>
- <supported-identity-object-types>
- <identity-object-type>
- <name>USER</name>
- <relationships/>
- <credentials>
-
<credential-type>PASSWORD</credential-type>
- </credentials>
- <attributes/>
- <options/>
- </identity-object-type>
- </supported-identity-object-types>
- <options>
- <option>
-
<name>hibernateSessionFactoryRegistryName</name>
-
<value>hibernateSessionFactory</value>
- </option>
- <option>
-
<name>allowNotDefinedIdentityObjectTypes</name>
- <value>true</value>
- </option>
- <option>
-
<name>populateRelationshipTypes</name>
- <value>true</value>
- </option>
- <option>
-
<name>populateIdentityObjectTypes</name>
- <value>true</value>
- </option>
- <option>
-
<name>allowNotDefinedAttributes</name>
- <value>true</value>
- </option>
- <option>
- <name>isRealmAware</name>
- <value>true</value>
- </option>
- </options>
- </identity-store>
- </identity-stores>
- </stores>
-</jboss-identity>
-</programlisting>
+ xsi:schemaLocation="urn:jboss:identity:idm:config:v1_0_alpha
identity-config.xsd">
+ <realms>
+ <realm>
+ <id>PortalRealm</id>
+ <repository-id-ref>PortalRepository</repository-id-ref>
+ <identity-type-mappings>
+ <user-mapping>USER</user-mapping>
+ </identity-type-mappings>
+ </realm>
+ </realms>
+ <repositories>
+ <repository>
+ <id>PortalRepository</id>
+
<class>org.jboss.identity.idm.impl.repository.WrapperIdentityStoreRepository</class>
+ <external-config/>
+
<default-identity-store-id>HibernateStore</default-identity-store-id>
+
<default-attribute-store-id>HibernateStore</default-attribute-store-id>
+ </repository>
+ </repositories>
+ <stores>
+ <attribute-stores/>
+ <identity-stores>
+ <identity-store>
+ <id>HibernateStore</id>
+
<class>org.jboss.identity.idm.impl.store.hibernate.HibernateIdentityStoreImpl</class>
+ <external-config/>
+ <supported-relationship-types>
+
<relationship-type>JBOSS_IDENTITY_MEMBERSHIP</relationship-type>
+
<relationship-type>JBOSS_IDENTITY_ROLE</relationship-type>
+ </supported-relationship-types>
+ <supported-identity-object-types>
+ <identity-object-type>
+ <name>USER</name>
+ <relationships/>
+ <credentials>
+ <credential-type>PASSWORD</credential-type>
+ </credentials>
+ <attributes/>
+ <options/>
+ </identity-object-type>
+ </supported-identity-object-types>
+ <options>
+ <option>
+ <name>hibernateSessionFactoryRegistryName</name>
+ <value>hibernateSessionFactory</value>
+ </option>
+ <option>
+ <name>allowNotDefinedIdentityObjectTypes</name>
+ <value>true</value>
+ </option>
+ <option>
+ <name>populateRelationshipTypes</name>
+ <value>true</value>
+ </option>
+ <option>
+ <name>populateIdentityObjectTypes</name>
+ <value>true</value>
+ </option>
+ <option>
+ <name>allowNotDefinedAttributes</name>
+ <value>true</value>
+ </option>
+ <option>
+ <name>isRealmAware</name>
+ <value>true</value>
+ </option>
+ </options>
+ </identity-store>
+ </identity-stores>
+ </stores>
+</jboss-identity>]]></programlisting>
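Review bot: the re-indented listing keeps `xmlns="urn:jboss:identity:idm:config:v1_0_beta"` while the schemaLocation on the changed line below it reads `urn:jboss:identity:idm:config:v1_0_alpha identity-config.xsd`; since the line is being touched anyway, the two namespace versions should be checked against the schema shipped with the product and made to agree. The lead-in sentence `please refer to the PicketLink IDM Reference Guide` also lacks a full stop.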
</section>
</section>
Modified:
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/AuthenticationAndIdentity/OrganizationAPI.xml
===================================================================
---
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/AuthenticationAndIdentity/OrganizationAPI.xml 2010-05-12
02:49:29 UTC (rev 3060)
+++
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/AuthenticationAndIdentity/OrganizationAPI.xml 2010-05-12
06:22:13 UTC (rev 3061)
@@ -6,9 +6,58 @@
<section id="sect-Reference_Guide-Organization_API">
<title>Organization API</title>
<para>
- The <literal>exo.platform.services.organization</literal> package has five
main components: user, user profile, group, membership type and membership. There is an
additional component that serves as an entry point into Organization API -
<literal>OrganizationService</literal> component, that provides handling
functionality for the five components.
+ The <literal>exo.platform.services.organization</literal> package has five
main components:
</para>
+ <variablelist>
+ <varlistentry>
+ <term>User</term>
+ <listitem>
+ <para>
+ The <literal>User</literal> component contains basic information about a
user; such as username, password, first name, last name, and email address.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>User Profile</term>
+ <listitem>
+ <para>
+ The <literal>User Profile</literal> component contains extra information
about a user, such as user's personal information, and business information. You can
also add additional information about a user if your application requires it.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Group</term>
+ <listitem>
+ <para>
+ The <literal>Group</literal> component contains a group graph.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Membership Type</term>
+ <listitem>
+ <para>
+ The <literal>Membership Type</literal> component contains a list of
predefined membership types.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Membership</term>
+ <listitem>
+ <para>
+ The <literal>Membership</literal> component connects a User, a Group and
a Membership Type.
+ </para>
+ <para>
+ A user can have one or more memberships within a group. For example: <emphasis
role="bold">User A</emphasis> can have the
'<emphasis>member</emphasis>' and
'<emphasis>admin</emphasis>' memberships in group <emphasis
role="bold">/user</emphasis>. A user belongs to a group if he has at
least one membership in that group.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
<para>
+ The <literal>OrganizationService</literal> component is an additional
component that serves as an entry point into the Organization API. It provides handling
functionality for the five components.
+ </para>
+ <para>
<mediaobject>
<imageobject role="html">
<imagedata align="center"
fileref="images/AuthenticationAndIdentity/OrganizationServiceClassDiagram.png"
format="PNG" width="444" />
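Review bot: the package name `exo.platform.services.organization` in the opening sentence (carried over from the removed text) does not match `org.exoplatform.services.organization`, the name used throughout BackendConfiguration.xml in this same commit; verify which is correct and align them. In the new User entry, `basic information about a user; such as username, password, ...` should use a comma rather than a semicolon.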
@@ -18,21 +67,43 @@
</imageobject>
</mediaobject>
</para>
+
<para>
- The <literal>User</literal> component contains basic information about a
user - such as username, password, first name, last name, and email. The
<literal>User Profile</literal> component contains extra information about a
user, such as user's personal information, and business information. You can also add
additional information about a user if your application requires it. The
<literal>Group</literal> component contains a group graph. The
<literal>Membership Type</literal> component contains a list of predefined
membership types. Finally, the <literal>Membership</literal> component
connects a User, a Group and a Membership Type.
+ By exposing the Organization API, the
<literal>OrganizationService</literal> component provides developers with
access to handler objects for managing each of the five components:
</para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ UserHandler
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ UserProfileHandler
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ GroupHandler
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ MembershipTypeHandler
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ MembershipHandler
+ </para>
+ </listitem>
+ </itemizedlist>
<para>
- A user can have one or more memberships within a group, for example: user A can have
the 'member' and 'admin' memberships in group /user. A user belongs to a
group if he has at least one membership in that group.
+ The five central API components are designed to be similar to persistent entities and
handlers are specified similarly to data access objects (DAO).
</para>
<para>
- Exposing the Organization API to developers the OrganizationService component provides
developers with access to handler objects for managing each of the five components -
UserHandler, UserProfileHandler, GroupHandler, MembershipTypeHandler, and
MembershipHandler.
+ <emphasis>Organization API</emphasis> simply describes a contract, meaning
it is not a concrete implementation. The described components are interfaces, allowing for
different concrete implementations. In practial terms the existing implementation can be
replaced with a different one.
</para>
- <para>
- The five central API components are really designed like persistent entities, and
handlers are really specified like data access objects (DAO).
- </para>
- <para>
- Organization API simply describes a contract, meaning it is not a concrete
implementation. The described components are interfaces, allowing for different concrete
implementations. In practial terms that means, you can replace the existing implementation
with a different one.
- </para>
</section>
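Review bot: `In practial terms` in the new Organization API paragraph is a typo for `In practical terms` (carried over from the removed paragraph). The five handler names in the new itemizedlist (`UserHandler`, `UserProfileHandler`, and so on) are plain text; wrap them in `<literal>` like the component names earlier in the section so the rendered list matches the rest of the page.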
Modified:
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
===================================================================
---
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2010-05-12
02:49:29 UTC (rev 3060)
+++
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2010-05-12
06:22:13 UTC (rev 3061)
@@ -8,393 +8,404 @@
<section id="sect-Reference_Guide-SSO_Single_Sign_On-Overview">
<title>Overview</title>
<para>
- &PRODUCT; provides some form of Single Sign On
(<literal>SSO</literal>) as an integration and aggregation platform.
+ &PRODUCT; provides an implementation of Single Sign On
(<literal>SSO</literal>) as an integration and aggregation platform.
</para>
<para>
- When logging into the portal users gain access to many systems through portlets using
a single identity. In many cases, however, the portal infrastructure must be integrated
with other SSO enabled systems. There are many different Identity Management solutions
available. In most cases each SSO framework provides a unique way to plug into a Java EE
application.
+ When logging into the portal users can access many systems through portlets using a
single identity. In many cases, however, the portal infrastructure must be integrated with
other SSO enabled systems.
</para>
- <section id="sect-Reference_Guide-Overview-Prerequisites">
+ <para>
+ There are many different Identity Management solutions available. In most cases each
SSO framework provides a unique way to plug into a Java EE application.
+ </para>
+ <para>
+ This section will cover the implemenation of four different SSO plugins with
&PRODUCT;:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <xref
linkend="sect-Reference_Guide-SSO_Single_Sign_On-CAS_Central_Authentication_Service"/>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <xref
linkend="sect-Reference_Guide-SSO_Single_Sign_On-JOSSO_Java_Open_Single_Sign-On_Project"/>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <xref
linkend="sect-Reference_Guide-SSO_Single_Sign_On-OpenSSO_The_Open_Web_SSO_project"/>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <xref
linkend="sect-Reference_Guide-SSO_Single_Sign_On-SPNEGO_Simple_and_Protected_GSSAPI_Negotiation_Mechanism"/>
+ </para>
+ </listitem>
+ </itemizedlist>
+ <note>
<title>Prerequisites</title>
<para>
- In this tutorial, the SSO server is installed in a Tomcat installation. Tomcat can be
obtained from <ulink type="http"
url="http://tomcat.apache.org">http://tomcat.apache.org</ulink>.
+ In this tutorial, the SSO server is being installed in a Tomcat environment. Tomcat
can be obtained from <ulink type="http"
url="http://tomcat.apache.org">http://tomcat.apache.org</ulink>.
</para>
+ </note>
<para>
- All the packages required for setup can be found in a zip file located in the binary
package of &PRODUCT; in the directory:
<literal>jboss-epp-5.0/gatein-sso</literal>. In this document we will call
this directory $GATEIN_SSO_HOME.
+ All the packages required for SSO setup can be found in a zip file located in the
<filename>jboss-epp-5.0/gatein-sso</filename> directory of the &PRODUCT;
binary package.
</para>
<para>
- Users are advised to not run any portal extensions that could override the data when
manipulating the <filename>gatein.ear</filename> file directly.
+ In the following scenarios this directory will be referred to as
<literal>$GATEIN_SSO_HOME</literal>.
</para>
- </section>
-
+ <warning>
+ <para>
+ Users are advised to not run any portal extensions that could override the data when
manipulating the <filename>gatein.ear</filename> file directly.
+ </para>
+ </warning>
</section>
<section
id="sect-Reference_Guide-SSO_Single_Sign_On-CAS_Central_Authentication_Service">
<title>CAS - Central Authentication Service</title>
<para>
- This Single Sign On plugin enables seamless integration between &PRODUCT; and the
CAS Single Sign On Framework. Details about CAS can be found <ulink
url="http://www.ja-sig.org/products/cas/">here</ulink>.
+ This Single Sign On plugin enables seamless integration between &PRODUCT; and the
Central Authentication Service (<emphasis
role="bold">CAS</emphasis>) Single Sign On Framework. Details about CAS
can be found <ulink
url="http://www.ja-sig.org/products/cas/">here</ulink>.
</para>
+ <procedure
id="proc-Reference_Guide-CAS_Central_Authentication_Service-CAS_server">
+ <title>CAS server</title>
+ <step>
+ <para>
+ Set up the server to authenticate against the portal login module.
+ </para>
+ </step>
+ <step>
+ <para>
+ Downloaded CAS from <ulink type="http"
url="http://www.jasig.org/cas/download">http://www.jasig.org...;.
+ </para>
+ </step>
+ <step>
+ <para>
+ Extract the downloaded file into a suitable location. This location will be
referred to as <literal>$CAS_HOME</literal> in the following example.
+ </para>
+ </step>
+ </procedure>
+
<para>
- The integration consists of two parts; the first part consists of installing or
configuring a CAS server, the second part consists of setting up the portal to use the CAS
server.
+ The simplest way to configure the web archive is to make the necessary changes
directly into the CAS codebase.
</para>
- <section
id="sect-Reference_Guide-CAS_Central_Authentication_Service-CAS_server">
- <title>CAS server</title>
+ <note>
<para>
- First, set up the server to authenticate against the portal login module. In this
example the CAS server will be installed on Tomcat.
+ To perform the final build step and complete these instructions you will need the
Apache Maven 2. Download it from <ulink type="http"
url="http://maven.apache.org/download.html">here</ulink>.
</para>
- <section id="sect-Reference_Guide-CAS_server-Obtaining_CAS">
- <title>Obtaining CAS</title>
- <para>
- CAS can be downloaded from <ulink type="http"
url="http://www.jasig.org/cas/download">http://www.jasig.org...;.
- </para>
- <para>
- Extract the downloaded file into a suitable location. This location will be referred
to as <literal>$CAS_HOME</literal> in the following example.
- </para>
- </section>
-
- <section id="sect-Reference_Guide-CAS_server-Modifying_CAS_server">
- <title>Modifying CAS server</title>
- <para>
- To configure the web archive as desired, the simplest way is to make the necessary
changes directly in CAS codebase.
- </para>
- <note>
+ </note>
+ <para>
+ The CAS Server Plugin makes secure callbacks to a RESTful service installed on the
remote &PRODUCT; server to authenticate a user.
+ </para>
+ <para>
+ In order for the plugin to function correctly, it needs to be properly configured to
connect to this service. This configuration is controlled by the
<filename>cas.war/WEB-INF/deployerConfigContext.xml </filename> file.
+ </para>
+
+ <procedure
id="proc-Reference_Guide-CAS_Central_Authentication_Service-Modifying_CAS_server">
+ <title>Modifying CAS server</title>
+ <step>
<para>
- To complete these instructions, and perform the final build step, you will need the
Apache Maven 2. You can get it <ulink type="http"
url="http://maven.apache.org/download.html">here</ulink>.
+ Open
<filename>CAS_HOME/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml</filename>
</para>
- </note>
- <para>
- First, we need to change the default authentication handler with the one provided by
&PRODUCT;.
- </para>
- <para>
- The CAS Server Plugin makes secure authentication callbacks to a RESTful service
installed on the remote GateIn server in order to authenticate a user.
- </para>
- <para>
- In order for the plugin to function correctly, it needs to be properly configured to
connect to this service. This configuration is done via the
<filename>cas.war/WEB-INF/deployerConfigContext.xml </filename> file.
- </para>
- <procedure>
- <step>
- <para>
- Open
<filename>CAS_HOME/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml</filename>
- </para>
- </step>
- <step>
- <para>
- Replace:
-<programlisting> <!--
+ </step>
+ <step>
+ <para>
+ Replace this code:
+ </para>
+<programlisting language="XML" role="XML"><![CDATA[<!--
| Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might
authenticate,
| AuthenticationHandlers actually authenticate credentials. Here e declare the
AuthenticationHandlers that
| authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS
will try these handlers in turn
| until it finds one that both supports the Credentials presented and succeeds in
authenticating.
- +-->
- <property name="authenticationHandlers">
- <list>
- <!--
+ +-->
+ <property name="authenticationHandlers">
+ <list>
+ <!--
| This is the authentication handler that authenticates services by means of
callback via SSL, thereby validating
| a server side SSL certificate.
- +-->
- <bean
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
- p:httpClient-ref="httpClient" />
- <!--
+ +-->
+ <bean
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
+ p:httpClient-ref="httpClient" />
+ <!--
| This is the authentication handler declaration that every CAS deployer will need
to change before deploying CAS
| into production. The default SimpleTestUsernamePasswordAuthenticationHandler
authenticates UsernamePasswordCredentials
| where the username equals the password. You will need to replace this with an
AuthenticationHandler that implements your
| local authentication strategy. You might accomplish this by coding a new such
handler and declaring
| edu.someschool.its.cas.MySpecialHandler here, or you might use one of the
handlers provided in the adaptors modules.
- +-->
- <bean
-
class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler"
/>
- </list>
- </property>
-</programlisting>
- </para>
- </step>
- <step>
- <para>
- With the following (Make sure to set the host, port and context with the values
corresponding to your portal). Also available in
<filename>GATEIN_SSO_HOME/cas/plugin/WEB-INF/deployerConfigContext.xml</filename>.
- </para>
- <para>
-
-<programlisting><!--
+ +-->
+ <bean
+
class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler"
/>
+ </list>
+ </property>]]></programlisting>
+ <para>
+ ...with the following:
+ </para>
+<programlisting language="XML" role="XML"><![CDATA[<!--
| Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might
authenticate,
| AuthenticationHandlers actually authenticate credentials. Here we declare the
AuthenticationHandlers that
| authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS
will try these handlers in turn
| until it finds one that both supports the Credentials presented and succeeds in
authenticating.
- +-->
- <property name="authenticationHandlers">
- <list>
- <!--
+ +-->
+ <property name="authenticationHandlers">
+ <list>
+ <!--
| This is the authentication handler that authenticates services by means of
callback via SSL, thereby validating
| a server side SSL certificate.
- +-->
- <bean
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
- p:httpClient-ref="httpClient" />
- <!--
+ +-->
+ <bean
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
+ p:httpClient-ref="httpClient" />
+ <!--
| This is the authentication handler declaration that every CAS deployer will need
to change before deploying CAS
| into production. The default SimpleTestUsernamePasswordAuthenticationHandler
authenticates UsernamePasswordCredentials
| where the username equals the password. You will need to replace this with an
AuthenticationHandler that implements your
| local authentication strategy. You might accomplish this by coding a new such
handler and declaring
| edu.someschool.its.cas.MySpecialHandler here, or you might use one of the
handlers provided in the adaptors modules.
- +-->
- <!-- Integrates with the Gatein Authentication Service to perform
authentication -->
- <!--
+ +-->
+ <!-- Integrates with the Gatein Authentication Service to perform authentication
-->
+ <!--
| Note: Modify the Plugin Configuration based on the actual information of a GateIn
instance.
| The instance can be anywhere on the internet...Not necessarily on localhost where
CAS is running
- +-->
- <bean
class="org.gatein.sso.cas.plugin.AuthenticationPlugin">
- <property
name="gateInHost"><value>localhost</value></property>
- <property
name="gateInPort"><value>8080</value></property>
- <property
name="gateInContext"><value>portal</value></property>
- </bean>
- </list>
- </property>
-</programlisting>
- </para>
- </step>
- <step>
+ +-->
+ <bean class="org.gatein.sso.cas.plugin.AuthenticationPlugin">
+ <property
name="gateInHost"><value>localhost</value></property>
+ <property
name="gateInPort"><value>8080</value></property>
+ <property
name="gateInContext"><value>portal</value></property>
+ </bean>
+ </list>
+ </property>]]></programlisting>
+ <para>
+ Make sure to set the <emphasis>host</emphasis>,
<emphasis>port</emphasis> and <emphasis>context</emphasis> with
the values corresponding to your portal (also available in
<filename>GATEIN_SSO_HOME/cas/plugin/WEB-INF/deployerConfigContext.xml</filename>).
+ </para>
+ </step>
+ <step>
+ <para>
+ Copy
<filename>GATEIN_SSO_HOME/cas/plugin/WEB-INF/lib/sso-cas-plugin-<VERSION>.jar</filename>
and
<filename>GATEIN_SSO_HOME/cas/plugin/WEB-INF/lib/commons-httpclient-<VERSION>.jar</filename>
into the
<filename>CAS_HOME/cas-server-webapp/src/main/webapp/WEB-INF/lib</filename>
created directory.
+ </para>
+ </step>
+ <step>
+ <para>
+ If you have not already done so, download an instance of Tomcat and extract it into
a suitable location (which will be called <filename>TOMCAT_HOME</filename> for
these instructions).
+ </para>
+ </step>
+ <step>
+ <para>
+ Edit <filename>TOMCAT_HOME/conf/server.xml</filename> and change the
8080 port to 8888 to avoid a conflict with the default &PRODUCT; .
+ </para>
+ <note>
<para>
- Copy
<filename>GATEIN_SSO_HOME/cas/plugin/WEB-INF/lib/sso-cas-plugin-<VERSION>.jar</filename>
and
<filename>GATEIN_SSO_HOME/cas/plugin/WEB-INF/lib/commons-httpclient-<VERSION>.jar</filename>
into the
<filename>CAS_HOME/cas-server-webapp/src/main/webapp/WEB-INF/lib</filename>
created directory.
+ If &PRODUCT; is running on the same machine as Tomcat other ports will need to
be changed in addition to 8080 in order to avoid conflicts. They can be changed to any
free port. For example; you can change the admin port from 8005 to 8805 and the AJP port
from 8009 to 8809.
</para>
- </step>
- <step>
- <para>
- Get an installation of Tomcat and extract it into a suitable location (which will
be called <filename>TOMCAT_HOME</filename> for these instructions).
- </para>
- <para>
- Change the default port to avoid a conflict with the default &PRODUCT; (for
testing purposes). Edit <filename>TOMCAT_HOME/conf/server.xml</filename> and
replace the 8080 port to 8888.
- <note>
- <para>
- If &PRODUCT; is running on the same machine as Tomcat, other ports need to
be changed in addition to 8080 in order to avoid port conflicts. They can be changed to
any free port. For example, you can change admin port from 8005 to 8805, and AJP port from
8009 to 8809.
- </para>
- </note>
- </para>
- </step>
- <step>
- <para>
- Go to <filename>CAS_HOME/cas-server-webapp</filename> and execute the
command:
+ </note>
+ </step>
+ <step>
+ <para>
+ Navigate locally to the <filename>CAS_HOME/cas-server-webapp</filename>
directory and execute the following command:
+ </para>
<programlisting>mvn install
</programlisting>
- </para>
- </step>
- <step>
+ </step>
+ <step>
+ <para>
+ Copy the <filename>CAS_HOME/cas-server-webapp/target/cas.war</filename>
file into the <filename>TOMCAT_HOME/webapps</filename> directory.
+ </para>
+ <para>
+ Tomcat should start without issue and should be accessible at <ulink
type="http"
url="http://localhost:8888/cas">http://localhost:8888/cas</ulink>.
+ </para>
+ <note>
<para>
- Copy <filename>CAS_HOME/cas-server-webapp/target/cas.war</filename>
into <filename>TOMCAT_HOME/webapps</filename>.
+ At this stage the login functionality won't be available.
</para>
- <para>
- Tomcat should start and be accessible at <ulink type="http"
url="http://localhost:8888/cas">http://localhost:8888/cas</ulink>. Note
that at this stage login won't be available.
- </para>
- <mediaobject>
- <imageobject>
- <imagedata fileref="images/AuthenticationAndIdentity/SSO/cas.png"
format="PNG" width="444" />
- </imageobject>
- </mediaobject>
- </step>
- </procedure>
+ </note>
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="images/AuthenticationAndIdentity/SSO/cas.png"
format="PNG" scale="100" />
+ </imageobject>
+ </mediaobject>
+ </step>
+ </procedure>
- </section>
-
- </section>
-
- <section
id="sect-Reference_Guide-CAS_Central_Authentication_Service-Setup_the_CAS_client">
+ <procedure
id="proc-Reference_Guide-CAS_Central_Authentication_Service-Setup_the_CAS_client">
<title>Setup the CAS client</title>
- <procedure>
<step>
<para>
- Copy all libraries from
<filename>GATEIN_SSO_HOME/cas/gatein.ear/lib</filename> into
<filename>JBOSS_HOME/server/default/deploy/gatein.ear/lib</filename>)
+ Copy all the libraries from the
<filename>GATEIN_SSO_HOME/cas/gatein.ear/lib</filename> directory into the
<filename>JBOSS_HOME/server/default/deploy/gatein.ear/lib</filename>)
directory.
</para>
</step>
<step>
- <itemizedlist>
- <listitem>
- <para>
- In JBoss AS, edit
<filename>gatein.ear/META-INF/gatein-jboss-beans.xml</filename> and uncomment
this section:
- </para>
+ <para>
+ Edit the
<filename>jboss-as/server/<SERVER-TYPE>/deploy/gatein.ear/META-INF/gatein-jboss-beans.xml</filename>
and uncomment this section:
+ </para>
-<programlisting><authentication>
- <login-module code="org.gatein.sso.agent.login.SSOLoginModule"
flag="required">
- </login-module>
- <login-module
code="org.exoplatform.services.security.j2ee.JbossLoginModule"
flag="required">
- <module-option
name="portalContainerName">portal</module-option>
- <module-option
name="realmName">gatein-domain</module-option>
- </login-module>
-</authentication>
-</programlisting>
- </listitem>
- </itemizedlist>
+<programlisting language="XML"
role="XML"><![CDATA[<authentication>
+ <login-module code="org.gatein.sso.agent.login.SSOLoginModule"
flag="required">
+ </login-module>
+ <login-module
code="org.exoplatform.services.security.j2ee.JbossLoginModule"
flag="required">
+ <module-option
name="portalContainerName">portal</module-option>
+ <module-option name="realmName">gatein-domain</module-option>
+ </login-module>
+</authentication>]]></programlisting>
+ <para>
+ There's a line comment already in this source file to assist you.
+ </para>
</step>
<step>
<para>
- The installation can be tested at this point:
+ The installation can be tested at this point (assuming the CAS server on Tomcat is
running):
</para>
<procedure>
<step>
<para>
- Start (or restart) &PRODUCT;, and (assuming the CAS server on Tomcat is
running) direct your browser to <ulink type="http"
url="http://localhost:8888/cas">http://localhost:8888/cas</ulink>.
+ Start (or restart) &PRODUCT; and direct your web browser to <ulink
type="http"
url="http://localhost:8888/cas">http://localhost:8888/cas</ulink>.
</para>
</step>
<step>
<para>
- Login with the username <literal>root</literal> and the password
<literal>gtn</literal> (or any account created through the portal).
+ Login with the username <literal>root</literal> and the password
<literal>gtn</literal> (or any other account created through the portal).
</para>
</step>
</procedure>
-
</step>
</procedure>
- </section>
-
- <section
id="sect-Reference_Guide-CAS_Central_Authentication_Service-Redirect_to_CAS">
- <title>Redirect to CAS</title>
<para>
To utilize the Central Authentication Service, &PRODUCT; needs to redirect all
user authentication to the CAS server.
</para>
<para>
- Information about where the CAS is hosted must be properly configured within the
&PRODUCT; instance. The required configuration is done by modifying three files:
- <itemizedlist>
- <listitem>
- <para>
- In the
<filename>gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml</filename>
file modify the 'Sign In' link as follows:
-<programlisting>
+ Information about where the CAS is hosted must be properly configured within the
&PRODUCT; instance. The required configuration is done by modifying three files.
+ </para>
-<!--
-<a class="Login"
onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
--->
-<a class="Login"
href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
-</programlisting>
- </para>
- </listitem>
- <listitem>
- <para>
- In the
<filename>gatein.ear/web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl</filename>
file modify the 'Sign In' link as follows:
-<programlisting>
-
-<!--
-<a
onclick="$signInAction"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
--->
-<a
href="/portal/sso"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
-</programlisting>
- </para>
- </listitem>
- <listitem>
- <para>
- Replace the entire contents of
<filename>gatein.ear/02portal.war/login/jsp/login.jsp</filename> with:
- </para>
-
-<programlisting><html>
- <head>
- <script type="text/javascript">
+ <procedure
id="proc-Reference_Guide-CAS_Central_Authentication_Service-Redirect_to_CAS">
+ <title>Redirect to CAS</title>
+ <step>
+ <para>
+ Modify the '<emphasis role="bold">Sign In</emphasis>'
link in the
<filename>gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml</filename>
file as follows:
+ </para>
+<programlisting language="HTML"
role="HTML"><![CDATA[<!--
+<a class="Login"
onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
+-->
+<a class="Login"
href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>]]></programlisting>
+ </step>
+ <step>
+ <para>
+ Modify the '<emphasis role="bold">Sign In</emphasis>'
link in the
<filename>gatein.ear/web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl</filename>
file as follows:
+ </para>
+<programlisting language="HTML"
role="HTML"><![CDATA[<!--
+<a
onclick="$signInAction"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
+-->
+<a
href="/portal/sso"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>]]></programlisting>
+ </step>
+ <step>
+ <para>
+ Replace the entire contents of
<filename>gatein.ear/02portal.war/login/jsp/login.jsp</filename> with:
+ </para>
+<programlisting language="HTML"
role="HTML"><![CDATA[<html>
+ <head>
+ <script type="text/javascript">
window.location = '/portal/sso';
- </script>
- </head>
- <body>
- </body>
-</html>
-</programlisting>
- </listitem>
- <listitem>
- <para>
- Add the following Filters at the top of the filter chain in
<filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename>:
-<programlisting>
-
- <filter>
- <filter-name>LoginRedirectFilter</filter-name>
- <filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
- <init-param>
- <!-- This should point to your SSO authentication server -->
- <param-name>LOGIN_URL</param-name>
- <!--
+ </script>
+ </head>
+ <body>
+ </body>
+</html>]]></programlisting>
+ </step>
+ <step>
+ <para>
+ Add the following Filters at the top of the filter chain in
<filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename>:
+ </para>
+<programlisting language="XML"
role="XML"><![CDATA[ <filter>
+ <filter-name>LoginRedirectFilter</filter-name>
+ <filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
+ <init-param>
+ <!-- This should point to your SSO authentication server -->
+ <param-name>LOGIN_URL</param-name>
+ <!--
If casRenewTicket param value of InitiateLoginServlet is: not specified or
false
- -->
-
<param-value>http://localhost:8888/cas/login?service=http://localhost:8080/portal/private/classic</param-value>
- <!--
+ -->
+
<param-value>http://localhost:8888/cas/login?service=http://localhost:8080/portal/private/classic</param-value>
+ <!--
If casRenewTicket param value of InitiateLoginServlet is : true
- -->
- <!--
-
<param-value>http://localhost:8888/cas/login?service=http://localhost:8080/portal/private
- /classic&renew=true</param-value>
- -->
- </init-param>
- </filter>
- <filter>
- <filter-name>CASLogoutFilter</filter-name>
- <filter-class>org.gatein.sso.agent.filter.CASLogoutFilter</filter-class>
- <init-param>
- <!-- This should point to your JOSSO authentication server -->
- <param-name>LOGOUT_URL</param-name>
-
<param-value>http://localhost:8888/cas/logout</param-value>
- </init-param>
- </filter>
+ -->
+ <!--
+
<param-value>http://localhost:8888/cas/login?service=http://localhost:8080/portal/private
+ /classic&renew=true</param-value>
+ -->
+ </init-param>
+ </filter>
+ <filter>
+ <filter-name>CASLogoutFilter</filter-name>
+ <filter-class>org.gatein.sso.agent.filter.CASLogoutFilter</filter-class>
+ <init-param>
+ <!-- This should point to your JOSSO authentication server -->
+ <param-name>LOGOUT_URL</param-name>
+ <param-value>http://localhost:8888/cas/logout</param-value>
+ </init-param>
+ </filter>
- <!-- Mapping the filters at the very top of the filter chain -->
- <filter-mapping>
- <filter-name>LoginRedirectFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
- <filter-mapping>
- <filter-name>CASLogoutFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
-</programlisting>
- </para>
- </listitem>
- <listitem>
- <para>
- Replace the <literal>InitiateLoginServlet</literal> declaration in
<filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename> with:
-<programlisting><servlet>
- <servlet-name>InitiateLoginServlet</servlet-name>
-
<servlet-class>org.gatein.sso.agent.GenericSSOAgent</servlet-class>
- <init-param>
- <param-name>ssoServerUrl</param-name>
- <param-value>http://localhost:8888/cas</param-value>
- </init-param>
- <init-param>
- <param-name>casRenewTicket</param-name>
- <param-value>false</param-value>
- </init-param>
-</servlet>
-</programlisting>
- </para>
- </listitem>
- </itemizedlist>
- </para>
- <para>
- Once these changes have been made, all links to the user authentication pages will
redirect to the CAS centralized authentication form.
- </para>
- </section>
+ <!-- Mapping the filters at the very top of the filter chain -->
+ <filter-mapping>
+ <filter-name>LoginRedirectFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+ <filter-mapping>
+ <filter-name>CASLogoutFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>]]></programlisting>
+ </step>
+ <step>
+ <para>
+ Replace the <literal>InitiateLoginServlet</literal> declaration in
<filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename> with:
+ </para>
+<programlisting language="XML"
role="XML"><![CDATA[<servlet>
+ <servlet-name>InitiateLoginServlet</servlet-name>
+ <servlet-class>org.gatein.sso.agent.GenericSSOAgent</servlet-class>
+ <init-param>
+ <param-name>ssoServerUrl</param-name>
+ <param-value>http://localhost:8888/cas</param-value>
+ </init-param>
+ <init-param>
+ <param-name>casRenewTicket</param-name>
+ <param-value>false</param-value>
+ </init-param>
+</servlet>]]></programlisting>
+ </step>
+ </procedure>
+ <para>
+ Once these changes have been made, all links to the user authentication pages will
redirect to the CAS centralized authentication form and CAS can be used as an SSO
implementation in your portal.
+ </para>
</section>
- <section id="sect-Reference_Guide-SSO_Single_Sign_On-JOSSO">
- <title>JOSSO</title>
+ <section
id="sect-Reference_Guide-SSO_Single_Sign_On-JOSSO_Java_Open_Single_Sign-On_Project">
+ <title>JOSSO - Java Open Single Sign-On Project</title>
<para>
- This Single Sign On plugin enables seamless integration between &PRODUCT; and the
JOSSO Single Sign On Framework. Details about JOSSO can be found <ulink
url="http://www.josso.org">here</ulink>.
+ This Single Sign On plugin enables seamless integration between &PRODUCT; and the
Java Open Single Sign-On Project (<emphasis
role="bold">JOSSO</emphasis>) Single Sign On Framework. Details about
JOSSO can be found at <ulink
url="http://www.josso.org">www.josso.org</ulink>.
</para>
<para>
- Setting up this integration involves two steps. The first step is to install or
configure a JOSSO server, and the second is to set up the portal to use the JOSSO server.
+ This section details setting up the JOSSO server to authenticate against the
&PRODUCT; login module.
</para>
- <section id="sect-Reference_Guide-JOSSO-JOSSO_server">
+
+ <procedure
id="proc-Reference_Guide-JOSSO_Java_Open_Single_Sign-On_Project-JOSSO_server">
<title>JOSSO server</title>
- <para>
- This section details setting up the JOSSO server to authenticate against the
&PRODUCT; login module.
- </para>
- <para>
- In this example the JOSSO server will be installed on Tomcat.
- </para>
- <section id="sect-Reference_Guide-JOSSO_server-Obtaining_JOSSO">
- <title>Obtaining JOSSO</title>
- <para>
- JOSSO can be downloaded from <ulink type="http"
url="http://sourceforge.net/projects/josso/files/">http://so...;.
Use the package that embeds Apache Tomcat. The integration was tested with JOSSO-1.8.1.
- </para>
- <para>
- Once downloaded, extract the package into what will be called
<filename>JOSSO_HOME</filename> in this example.
- </para>
- </section>
+ <step>
+ <para>
+ Download JOSSO from <ulink type="http"
url="http://sourceforge.net/projects/josso/files/">http://so...;.
+ </para>
+ <note>
+ <para>
+ Use the package that embeds Apache Tomcat. The integration was tested with
JOSSO-1.8.1.
+ </para>
+ </note>
+ </step>
+ <step>
+ <para>
+ Extract the package into what will be called
<filename>JOSSO_HOME</filename> in this example.
+ </para>
+ </step>
+ </procedure>
- <section
id="sect-Reference_Guide-JOSSO_server-Modifying_JOSSO_server">
+ <procedure
id="proc-Reference_Guide-JOSSO_Java_Open_Single_Sign-On_Project-Modifying_JOSSO_server">
<title>Modifying JOSSO server</title>
- <procedure>
<step>
<para>
- Copy the files from <filename>GATEIN_SSO_HOME/josso/plugin</filename>
into the Tomcat directory (<filename>JOSSO_HOME</filename>).
+ Copy the files from <filename>GATEIN_SSO_HOME/josso/plugin</filename>
into the <filename>JOSSO_HOME</filename> directory created in the last step.
</para>
<para>
This action should replace or add the following files to the
<filename>JOSSO_HOME/webapps/josso/WEB-INF/lib</filename> directory:
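Review bot: the `CASLogoutFilter` init-param in the `web.xml` listing still carries the comment `<!-- This should point to your JOSSO authentication server -->`; this is the CAS section, so the comment should say CAS (the stale text was in the old listing too, but this hunk rewrites the whole block, so fix it here). A few added lines also need copy fixes: `implemenation` in "the implemenation of four different SSO plugins"; `Downloaded CAS from` should be `Download CAS from` (it is an imperative step); the CAS client step `JBOSS_HOME/server/default/deploy/gatein.ear/lib</filename>) directory.` has a stray `)` after the filename; `default &PRODUCT; .` has a space before the period; and `into the <filename>CAS_HOME/.../WEB-INF/lib</filename> created directory` reads better as "into the ... directory (create it if it does not exist)". Two path inconsistencies to resolve against the actual layout: this hunk uses `jboss-as/server/<SERVER-TYPE>/deploy/gatein.ear/META-INF/gatein-jboss-beans.xml` for the CAS client while the JOSSO client step in this same commit uses `jboss-as/server/<SERVER-TYPE>/gatein.ear/META-INF/gatein-jboss-beans.xml` (no `deploy/`), and the two 'Sign In' template steps cite `web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml` next to `web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl` (different directory and `.gtml` vs `.gtmpl` extension). Finally, the text says the CAS plugin "makes secure callbacks to a RESTful service" on the portal, but the `AuthenticationPlugin` bean only sets `gateInHost`, `gateInPort` and `gateInContext` (port 8080, the plain HTTP port) and the listing comment says the portal "can be anywhere on the internet"; the paragraph should say what protects that callback channel, or that it must not be exposed over an untrusted network, so readers do not assume the configuration shown is secure by itself.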
@@ -410,11 +421,6 @@
<filename>JOSSO_HOME/lib/josso-gateway-gatein-stores.xml</filename>
</para>
</listitem>
- </itemizedlist>
- <para>
- and
- </para>
- <itemizedlist>
<listitem>
<para>
<filename>JOSSO_HOME/webapps/josso/WEB-INF/classes/gatein.properties</filename>
@@ -424,7 +430,7 @@
</step>
<step>
<para>
- Edit <filename>TOMCAT_HOME/conf/server.xml</filename> and replace the
8080 port to 8888 to change the default Tomcat port and avoid a conflict with the default
&PRODUCT; port (for testing purposes).
+ Edit <filename>TOMCAT_HOME/conf/server.xml</filename> file and change
the 8080 port to 8888 to avoid a conflict with the default &PRODUCT; port.
<note>
<title>Port Conflicts</title>
<para>
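Review bot: the rewritten step `Edit <filename>TOMCAT_HOME/conf/server.xml</filename> file and change the 8080 port to 8888` refers to `TOMCAT_HOME`, which the JOSSO procedure never defines; the previous step copies the plugin files into `JOSSO_HOME`, the extracted package that embeds Tomcat, so this should be `JOSSO_HOME/conf/server.xml` (or the procedure should state that `JOSSO_HOME` is the Tomcat root). Also "Edit ... file" needs an article: "Edit the ... file".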
@@ -443,289 +449,283 @@
</imageobject>
</mediaobject>
</step>
- </procedure>
-
- </section>
-
- </section>
+ </procedure>
- <section id="sect-Reference_Guide-JOSSO-Setup_the_JOSSO_client">
- <title>Setup the JOSSO client</title>
- <procedure>
- <step>
- <para>
- Copy the library files from
<filename>GATEIN_SSO_HOME/josso/gatein.ear/lib</filename> into
<filename>gatein.ear/lib</filename>
- </para>
- </step>
- <step>
- <para>
- Copy the file
<filename>GATEIN_SSO_HOME/josso/gatein.ear/portal.war/WEB-INF/classes/josso-agent-config.xml</filename>
into <filename>gatein.ear/02portal.war/WEB-INF/classes</filename>
- </para>
- </step>
- <step>
- <itemizedlist>
- <listitem>
- <para>
- In JBoss AS, edit
<filename>gatein.ear/META-INF/gatein-jboss-beans.xml</filename> and uncomment
this section:
- </para>
-
-<programlisting><authentication>
- <login-module code="org.gatein.sso.agent.login.SSOLoginModule"
flag="required">
- </login-module>
- <login-module
code="org.exoplatform.services.security.j2ee.JbossLoginModule"
flag="required">
- <module-option
name="portalContainerName">portal</module-option>
- <module-option
name="realmName">gatein-domain</module-option>
- </login-module>
-</authentication>
-</programlisting>
- </listitem>
- </itemizedlist>
- </step>
- <step>
- <para>
- The installation can be tested at this point.
- </para>
- <procedure>
- <step>
- <para>
- Start (or restart) &PRODUCT;, and (assuming the JOSSO server on Tomcat is
running) direct your browser to <ulink type="http"
url="http://localhost:8888/josso/signon/login.do">http://localhost:8888/josso/signon/login.do</ulink>.
- </para>
- </step>
- <step>
- <para>
- Login with the username <literal>root</literal> and the password
<literal>gtn</literal> or any account created through the portal.
- </para>
- </step>
- </procedure>
-
- </step>
+ <procedure
id="proc-Reference_Guide-JOSSO_Java_Open_Single_Sign-On_Project-Setup_the_JOSSO_client">
+ <title>Setup the JOSSO client</title>
+ <step>
+ <para>
+ Copy the library files from
<filename>GATEIN_SSO_HOME/josso/gatein.ear/lib</filename> into
<filename>gatein.ear/lib</filename>
+ </para>
+ </step>
+ <step>
+ <para>
+ Copy the
<filename>GATEIN_SSO_HOME/josso/gatein.ear/portal.war/WEB-INF/classes/josso-agent-config.xml</filename>
file into the <filename>gatein.ear/02portal.war/WEB-INF/classes</filename>
directory.
+ </para>
+ </step>
+ <step>
+ <para>
+ Edit
<filename>jboss-as/server/<SERVER-TYPE>/gatein.ear/META-INF/gatein-jboss-beans.xml</filename>
and uncomment this section:
+ </para>
+<programlisting language="XML"
role="XML"><![CDATA[<authentication>
+ <login-module code="org.gatein.sso.agent.login.SSOLoginModule"
flag="required">
+ </login-module>
+ <login-module
code="org.exoplatform.services.security.j2ee.JbossLoginModule"
flag="required">
+ <module-option
name="portalContainerName">portal</module-option>
+ <module-option name="realmName">gatein-domain</module-option>
+ </login-module>
+</authentication>]]></programlisting>
+ </step>
+ <step>
+ <para>
+ The installation can be tested at this point.
+ </para>
+ <procedure>
+ <step>
+ <para>
+ Start (or restart) &PRODUCT;, and (assuming the JOSSO server on Tomcat is
running) direct your browser to <ulink type="http"
url="http://localhost:8888/josso/signon/login.do">http://localhost:8888/josso/signon/login.do</ulink>.
+ </para>
+ </step>
+ <step>
+ <para>
+ Login with the username <literal>root</literal> and the password
<literal>gtn</literal> or any account created through the portal.
+ </para>
+ </step>
+ </procedure>
+ </step>
</procedure>
-
- </section>
-
- <section
id="sect-Reference_Guide-JOSSO-Setup_the_portal_to_redirect_to_JOSSO">
- <title>Setup the portal to redirect to JOSSO</title>
<para>
The next part of the process is to redirect all user authentication to the JOSSO
server.
</para>
<para>
Information about where the JOSSO server is hosted must be properly configured within
the &PRODUCT; instance. The required configuration is done by modifying four files:
- <itemizedlist>
- <listitem>
+ </para>
+
+ <procedure
id="proc-Reference_Guide-JOSSO_Java_Open_Single_Sign-On_Project-Setup_the_portal_to_redirect_to_JOSSO">
+ <title>Setup the portal to redirect to JOSSO</title>
+ <step>
<para>
- In the
<filename>gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml</filename>
file modify the 'Sign In' link as follows:
-<programlisting>
-
-<!--
-<a class="Login"
onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
--->
-<a class="Login"
href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
-</programlisting>
+ In the
<filename>gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml</filename>
file modify the 'Sign In' link as follows:
</para>
- </listitem>
- <listitem>
+<programlisting language="HTML" role="HTML"><![CDATA[
+<!--
+<a class="Login"
onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
+-->
+<a class="Login"
href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>]]></programlisting>
+ </step>
+ <step>
<para>
- In the
<filename>gatein.ear/web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl</filename>
file modify the 'Sign In' link as follows:
-<programlisting>
-
-<!--
-<a
onclick="$signInAction"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
--->
-<a
href="/portal/sso"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
-</programlisting>
+ modify the '<emphasis role="bold">Sign
In</emphasis>' link in the
<filename>gatein.ear/web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl</filename>
file as follows:
</para>
- </listitem>
- <listitem>
+<programlisting language="HTML" role="HTML"><![CDATA[
+<!--
+<a
onclick="$signInAction"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
+-->
+<a
href="/portal/sso"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>]]></programlisting>
+ </step>
+ <step>
<para>
Replace the entire contents of
<filename>gatein.ear/02portal.war/login/jsp/login.jsp</filename> with:
</para>
-<programlisting><html>
- <head>
- <script type="text/javascript">
+<programlisting language="Java"
role="JAVA"><![CDATA[<html>
+ <head>
+ <script type="text/javascript">
window.location = '/portal/sso';
- </script>
- </head>
- <body>
- </body>
-</html>
-</programlisting>
- </listitem>
- <listitem>
+ </script>
+ </head>
+ <body>
+ </body>
+</html>]]></programlisting>
+ </step>
+ <step>
<para>
- Add the following Filters at the top of the filter chain in
<filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename>:
-<programlisting>
-
- <filter>
- <filter-name>LoginRedirectFilter</filter-name>
-
<filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
- <init-param>
- <!-- This should point to your SSO authentication server -->
- <param-name>LOGIN_URL</param-name>
- <param-value>http://localhost:8888/josso/signon/login.do?josso_back_to=http://localhost:8080/portal
- /private/classic</param-value>
- </init-param>
- </filter>
- <filter>
- <filter-name>JOSSOLogoutFilter</filter-name>
-
<filter-class>org.gatein.sso.agent.filter.JOSSOLogoutFilter</filter-class>
- <init-param>
- <!-- This should point to your JOSSO authentication server -->
- <param-name>LOGOUT_URL</param-name>
-
<param-value>http://localhost:8888/josso/signon/logout.do</param-value>
- </init-param>
- </filter>
+ Add the following Filters to the top of the filter chain in
<filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename>:
+ </para>
+<programlisting language="XML" role="XML"><![CDATA[
+ <filter>
+ <filter-name>LoginRedirectFilter</filter-name>
+
<filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
+ <init-param>
+ <!-- This should point to your SSO authentication server -->
+ <param-name>LOGIN_URL</param-name>
+ <param-value>http://localhost:8888/josso/signon/login.do?josso_back_to=http://localhost:8080/portal
+ /private/classic</param-value>
+ </init-param>
+ </filter>
+ <filter>
+ <filter-name>JOSSOLogoutFilter</filter-name>
+
<filter-class>org.gatein.sso.agent.filter.JOSSOLogoutFilter</filter-class>
+ <init-param>
+ <!-- This should point to your JOSSO authentication server -->
+ <param-name>LOGOUT_URL</param-name>
+
<param-value>http://localhost:8888/josso/signon/logout.do</param-value>
+ </init-param>
+ </filter>
- <!-- filters should be placed at the very top of the filter chain -->
- <filter-mapping>
- <filter-name>LoginRedirectFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
- <filter-mapping>
- <filter-name>JOSSOLogoutFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
-</programlisting>
- </para>
- </listitem>
- <listitem>
+ <!-- filters should be placed at the very top of the filter chain -->
+ <filter-mapping>
+ <filter-name>LoginRedirectFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+ <filter-mapping>
+ <filter-name>JOSSOLogoutFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+]]></programlisting>
+ </step>
+ <step>
<para>
Replace the <literal>InitiateLoginServlet</literal> declaration in
<filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename> with:
</para>
-
-<programlisting><servlet>
- <servlet-name>InitiateLoginServlet</servlet-name>
-
<servlet-class>org.gatein.sso.agent.GenericSSOAgent</servlet-class>
- <init-param>
- <param-name>ssoServerUrl</param-name>
-
<param-value>http://localhost:8888/josso/signon/login.do</param-value>
- </init-param>
-</servlet>
-</programlisting>
- </listitem>
- <listitem>
+<programlisting language="XML"
role="XML"><![CDATA[<servlet>
+ <servlet-name>InitiateLoginServlet</servlet-name>
+ <servlet-class>org.gatein.sso.agent.GenericSSOAgent</servlet-class>
+ <init-param>
+ <param-name>ssoServerUrl</param-name>
+ <param-value>http://localhost:8888/josso/signon/login.do</param-value>
+ </init-param>
+</servlet>]]></programlisting>
+ </step>
+ <step>
<para>
Remove the <literal>PortalLoginController</literal> servlet
declaration and mapping in
<filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename>
</para>
- </listitem>
- </itemizedlist>
- </para>
+ </step>
+ </procedure>
<para>
From now on, all links redirecting to the user authentication pages will redirect to
the JOSSO centralized authentication form.
</para>
</section>
+
+ <section
id="sect-Reference_Guide-SSO_Single_Sign_On-OpenSSO_The_Open_Web_SSO_project">
+ <title>OpenSSO - The Open Web SSO project</title>
+ <para>
+ This Single Sign On plugin enables seamless integration between &PRODUCT; and
the Open Web SSO project (<emphasis role="bold">OpenSSO</emphasis>)
Single Sign On Framework. Details about OpenSSO can be found <ulink
url="https://opensso.dev.java.net/">here</ulink>.
+ </para>
+ <para>
+ This section details the setting up of OpenSSO server to authenticate against the
&PRODUCT; login module.
+ </para>
- </section>
-
- <section
id="sect-Reference_Guide-SSO_Single_Sign_On-OpenSSO_The_Open_Web_SSO_project">
- <title>OpenSSO - The Open Web SSO project</title>
- <para>
- This Single Sign On plugin enables seamless integration between &PRODUCT; and the
OpenSSO Single Sign On Framework. Details about OpenSSO can be found <ulink
url="https://opensso.dev.java.net/">here</ulink>.
- </para>
- <para>
- Setting up this integration involves two steps. The first step is to install or
configure an OpenSSO server, and the second is to set up the portal to use the OpenSSO
server.
- </para>
- <section
id="sect-Reference_Guide-OpenSSO_The_Open_Web_SSO_project-OpenSSO_server">
- <title>OpenSSO server</title>
+ <procedure
id="proc-Reference_Guide-OpenSSO_server-Obtaining_OpenSSO">
+ <title>Obtaining OpenSSO</title>
+ <step>
+ <para>
+ Download OpenSSO from <ulink type="http"
url="https://opensso.dev.java.net/public/use/index.html">htt...;.
+ </para>
+ </step>
+ <step>
+ <para>
+ Extract the package into a suitable location. This location will be referred to as
<filename>OPENSSO_HOME</filename> in this example.
+ </para>
+ </step>
+ </procedure>
<para>
- This section details the setting up of OpenSSO server to authenticate against the
&PRODUCT; login module.
+ To configure the web server as required, it is simpler to directly modify the source
files.
</para>
<para>
- In this example the OpenSSO server will be installed on Tomcat.
+ The first step is to add the &PRODUCT; Authentication Plugin.
</para>
- <section id="sect-Reference_Guide-OpenSSO_server-Obtaining_OpenSSO">
- <title>Obtaining OpenSSO</title>
- <para>
- OpenSSO can be downloaded from <ulink type="http"
url="https://opensso.dev.java.net/public/use/index.html">htt...;.
- </para>
- <para>
- Once downloaded, extract the package into a suitable location. This location will be
referred to as <filename>OPENSSO_HOME</filename> in this example.
- </para>
- </section>
-
- <section
id="sect-Reference_Guide-OpenSSO_server-Modifying_OpenSSO_server">
+ <para>
+ The plugin makes secure callbacks to a RESTful service installed on the remote
&PRODUCT; server to authenticate a user.
+ </para>
+ <para>
+ In order for the plugin to function correctly, it needs to be properly configured to
connect to this service. This configuration is done via the
<filename>opensso.war/config/auth/default/AuthenticationPlugin.xml</filename>
file.
+ </para>
+
+ <procedure
id="proc-Reference_Guide-OpenSSO_server-Modifying_OpenSSO_server">
<title>Modifying OpenSSO server</title>
- <para>
- To configure the web server as desired, it is simpler to directly modify the
sources.
- </para>
- <para>
- The first step is to add the &PRODUCT; Authentication Plugin:
- </para>
- <para>
- The plugin makes secure authentication callbacks to a RESTful service installed on
the remote &PRODUCT; server in order to authenticate a user.
- </para>
- <para>
- In order for the plugin to function correctly, it needs to be properly configured to
connect to this service. This configuration is done via the
<filename>opensso.war/config/auth/default/AuthenticationPlugin.xml</filename>
file.
- </para>
- <procedure>
<step>
<para>
- Obtain a copy of Tomcat and extract it into a suitable location (this location
will be referred to as <filename>TOMCAT_HOME</filename> in this example).
+ Obtain a copy of Tomcat and extract it into a suitable location. This location
will be referred to as <filename>TOMCAT_HOME</filename> in this example.
</para>
</step>
<step>
<para>
- Change the default port to avoid a conflict with the default &PRODUCT; port
(for testing purposes). Do this by editing
<filename>TOMCAT_HOME/conf/server.xml</filename> and replacing the 8080 port
to 8888.
+ Edit <filename>TOMCAT_HOME/conf/server.xml</filename> and change the
8080 port to 8888 to avoid a conflict with the default &PRODUCT; port.
<note>
<para>
- If &PRODUCT; is running on the same machine as Tomcat, other ports need to
be changed in addition to 8080 in order to avoid port conflicts. They can be changed to
any free port. For example, you can change admin port from 8005 to 8805, and AJP port from
8009 to 8809.
+ If &PRODUCT; is running on the same machine as Tomcat, other ports need to
be changed in addition to 8080 in order to avoid port conflicts. They can be changed to
any free port. For example, you can change the admin port from 8005 to 8805 and the AJP
port from 8009 to 8809.
</para>
</note>
</para>
</step>
<step>
<para>
- Ensure the
<filename>TOMCAT_HOME/webapps/opensso/config/auth/default/AuthenticationPlugin.xml</filename>
file looks like this:
-<programlisting>
-<?xml version='1.0' encoding="UTF-8"?>
+ Ensure the
<filename>TOMCAT_HOME/webapps/opensso/config/auth/default/AuthenticationPlugin.xml</filename>
file matches the following:
+ </para>
+<programlisting language="XML" role="XML"><![CDATA[<?xml
version='1.0' encoding="UTF-8"?>
-<!DOCTYPE ModuleProperties PUBLIC "=//iPlanet//Authentication Module
Properties XML Interface 1.0 DTD//EN"
-
"jar://com/sun/identity/authentication/Auth_Module_Properties.dtd">
+<!DOCTYPE ModuleProperties PUBLIC "=//iPlanet//Authentication Module Properties
XML Interface 1.0 DTD//EN"
+
"jar://com/sun/identity/authentication/Auth_Module_Properties.dtd">
-<ModuleProperties moduleName="AuthenticationPlugin"
version="1.0" >
- <Callbacks length="2" order="1" timeout="60"
- header="GateIn OpenSSO Login" >
- <NameCallback>
- <Prompt>
+<ModuleProperties moduleName="AuthenticationPlugin" version="1.0"
>
+ <Callbacks length="2" order="1" timeout="60"
+ header="GateIn OpenSSO Login" >
+ <NameCallback>
+ <Prompt>
Username
- </Prompt>
- </NameCallback>
- <PasswordCallback echoPassword="false" >
- <Prompt>
+ </Prompt>
+ </NameCallback>
+ <PasswordCallback echoPassword="false" >
+ <Prompt>
Password
- </Prompt>
- </PasswordCallback>
- </Callbacks>
-</ModuleProperties>
-</programlisting>
- </para>
+ </Prompt>
+ </PasswordCallback>
+ </Callbacks>
+</ModuleProperties>
+]]></programlisting>
</step>
<step>
<para>
- Copy
<filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/lib/sso-opensso-plugin-<VERSION>.jar</filename>,
<filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/lib/commons-httpclient-<VERSION>.jar</filename>,
and
<filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/lib/commons-logging-<VERSION>.jar</filename>
into the Tomcat directory at
<filename>TOMCAT_HOME/webapps/opensso/WEB-INF/lib</filename>.
+ Copy the following files;
</para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/lib/sso-opensso-plugin-<VERSION>.jar</filename>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/lib/commons-httpclient-<VERSION>.jar</filename>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/lib/commons-logging-<VERSION>.jar</filename>
+ </para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ ...into the Tomcat directory at
<filename>TOMCAT_HOME/webapps/opensso/WEB-INF/lib</filename>.
+ </para>
+
</step>
<step>
<para>
- Copy
<filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/classes/gatein.properties</filename>
into <filename>TOMCAT_HOME/webapps/opensso/WEB-INF/classes</filename>
+ Copy the
<filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/classes/gatein.properties</filename>
file into the <filename>TOMCAT_HOME/webapps/opensso/WEB-INF/classes</filename>
directory.
</para>
</step>
<step>
<para>
- Tomcat should start and be able to access <ulink type="http"
url="http://localhost:8888/opensso/UI/Login?realm=gatein">http://localhost:8888/opensso/UI/Login?realm=gatein</ulink>.
Login will not be available at this point.
+ Tomcat should start and be able to access <ulink type="http"
url="http://localhost:8888/opensso/UI/Login?realm=gatein">http://localhost:8888/opensso/UI/Login?realm=gatein</ulink>.
</para>
<mediaobject>
<imageobject>
<imagedata
fileref="images/AuthenticationAndIdentity/SSO/opensso-shot.png"
format="PNG" width="444" />
</imageobject>
</mediaobject>
+ <note>
+ <para>
+ Login will not be available at this point.
+ </para>
+ </note>
</step>
</procedure>
-
- <para>
- Configure "gatein" realm:
- </para>
- <procedure>
+
+ <procedure
id="proc-Reference_Guide-OpenSSO_server-Configure_gatein_realm">
+ <title>Configure the "gatein" realm</title>
<step>
<para>
Direct your browser to <ulink type="http"
url="http://localhost:8888/opensso">http://localhost:8888/opensso</ulink>
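Review bot: The replacement login.jsp listing in the "Setup the portal to redirect to JOSSO" procedure is tagged `<programlisting language="Java" role="JAVA">` although its content is plain HTML with an inline script; the equivalent OpenSSO listing later in this commit uses `language="HTML" role="HTML"`, so this one should match. In the web.xml filter listing the LOGIN_URL value is wrapped across two lines (`...josso_back_to=http://localhost:8080/portal` / `/private/classic</param-value>`); now that the listing sits inside CDATA that line break and its leading spaces become part of the literal value a reader copies, so keep the URL on a single line or say explicitly that it is wrapped for display. Several `<filename>` elements carry placeholders written as `<SERVER-TYPE>` and `<VERSION>`; confirm they are escaped (`&lt;VERSION&gt;`) or use `<replaceable>`, otherwise the XML will not validate. Minor copy points: "Copy the following files;" should end with a colon, and the trailing paragraph "...into the Tomcat directory at" reads better if the destination is named in the introducing sentence ("Copy the following files into TOMCAT_HOME/webapps/opensso/WEB-INF/lib:"); the link text in the "Download OpenSSO" step appears truncated as `htt...;`, so check the full URL survives in the source. Since the test steps log in with `root`/`gtn`, the doc should note these are the stock default credentials and not ones to keep on a server reachable from outside the test setup.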
@@ -733,49 +733,89 @@
</step>
<step>
<para>
- Create default configuration
+ Create a default configuration.
</para>
</step>
<step>
<para>
- Login as <literal>amadmin</literal> and then go to tab
"Configuration" -> tab "Authentication" -> link
"Core" -> add new value and fill in the class name
"org.gatein.sso.opensso.plugin.AuthenticationPlugin". This step is really
important. Without it AuthenticationPlugin is not available among other OpenSSO
authentication modules.
+ Login as <literal>amadmin</literal>.
</para>
+ <important>
+ <para>
+ Go to the "<emphasis
role="bold">Configuration</emphasis>" tab then to
"<emphasis role="bold">Authentication</emphasis>".
+ </para>
+ <para>
+ Follow the link to "<emphasis
role="bold">Core</emphasis>" and add a new value with the class
name
"<literal>org.gatein.sso.opensso.plugin.AuthenticationPlugin</literal>".
+ </para>
+ <para>
+ If this is not done <literal>AuthenticationPlugin</literal> is not
available among other OpenSSO authentication modules.
+ </para>
+ </important>
</step>
<step>
<para>
- Go to tab "Access control" and create new realm called
"gatein".
+ Go to the "<emphasis role="bold">Access
control</emphasis>" tab and create new realm called
"<literal>gatein</literal>".
</para>
</step>
<step>
+ <procedure>
+ <step>
+ <para>
+ Go to the new "<literal>gatein</literal>" realm and click
on the "<emphasis role="bold">Authentication</emphasis>"
tab.
+ </para>
+ </step>
+ <step>
+ <para>
+ Click on "<emphasis
role="bold">ldapService</emphasis>" (at the bottom in the
"Authentication chaining" section).
+ </para>
+ </step>
+ <step>
+ <para>
+ Change the selection from "<literal>Datastore</literal>",
which is the default module in the authentication chain, to
"<literal>AuthenticationPlugin</literal>".
+ </para>
+ </step>
+ </procedure>
<para>
- Go to "gatein" realm and click on "Authentication" tab. At the
bottom in the section "Authentication chaining" click on
"ldapService". Here change the selection from "Datastore", which is
the default module in the authentication chain, to "AuthenticationPlugin". This
enables authentication of "gatein" realm by using GateIn REST service instead of
the OpenSSO LDAP server.
+ These changes enable authentication of the
"<literal>gatein</literal>" realm using the <literal>GateIn
REST</literal> service instead of the OpenSSO LDAP server.
</para>
</step>
<step>
<para>
- Go to "Advanced properties" and change UserProfile from
"Required" to "Dynamic". This step is needed because &PRODUCT;
users are not in OpenSSO Datastore (LDAP server), so their profiles can't be obtained
if "Required" is active. By using "Dynamic" all new users are
automatically created in OpenSSO datastore after successful authentication.
+ Go to "<emphasis role="bold">Advanced
properties</emphasis>" and change <literal>UserProfile</literal>
from "<parameter>Required</parameter>" to
"<parameter>Dynamic</parameter>" to ensure all new users are
automatically created in the OpenSSO datastore after successful authentication.
</para>
</step>
<step>
<para>
- Increase the user privileges to allow REST access. Go to "Access
control" -> Top level realm -> "Privileges" tab -> All
authenticated users, and check the last two checkboxes:
- <itemizedlist>
- <listitem>
- <para>
- Read and write access only for policy properties
- </para>
- </listitem>
- <listitem>
- <para>
- Read and write access to all realm and policy properties
- </para>
- </listitem>
- </itemizedlist>
+ Increase the user privileges to allow REST access with the following procedure:
</para>
+ <procedure>
+ <step>
+ <para>
+ Go to "<emphasis role="bold">Access
control</emphasis>", then <emphasis role="bold">Top level
realm</emphasis>, then click on the "<emphasis
role="bold">Privileges</emphasis>" tab and go to
"<emphasis role="bold">All authenticated
users</emphasis>".
+ </para>
+ </step>
+ <step>
+ <para>
+ Check the last two checkboxes:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Read and write access only for policy properties
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Read and write access to all realm and policy properties
+ </para>
+ </listitem>
+ </itemizedlist>
+ </step>
+ </procedure>
</step>
<step>
<para>
- Do the same for "gatein" realm.
+ Repeat the above process for the "<emphasis
role="bold">gatein</emphasis>" realm user privileges.
</para>
</step>
</procedure>
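Review bot: The rewritten "Advanced properties" step drops the reason the removed text gave for switching UserProfile from "Required" to "Dynamic" (portal users do not exist in the OpenSSO Datastore, so their profiles cannot be resolved while "Required" is active); keep that sentence, because it tells an administrator what "Dynamic" actually does, namely create an OpenSSO datastore entry for every user on first successful authentication. In the `amadmin` step the navigation (Configuration tab, Authentication, Core, add the class name) is placed inside an `<important>` admonition; those are procedure steps and belong in `<step>` elements, with only "If this is not done AuthenticationPlugin is not available..." left inside the admonition. Markup is inconsistent: the realm is `<literal>gatein</literal>` in every step except the last, which uses `<emphasis role="bold">gatein</emphasis>`, and `<literal>GateIn REST</literal>` wraps a service name rather than a literal token. The privileges step grants "Read and write access to all realm and policy properties" to "All authenticated users" at the top-level realm and again for the gatein realm; the doc should state why REST access needs that scope so an administrator can judge whether the grant is acceptable for their deployment. Also "create new realm called" should read "create a new realm called".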
@@ -783,383 +823,375 @@
<!-- <para>
TODO: The above OpenSSO manual configuration could be replaced by configuration
files prepared in advance
</para> -->
- </section>
-
- </section>
- <section
id="sect-Reference_Guide-OpenSSO_The_Open_Web_SSO_project-Setup_the_OpenSSO_client">
- <title>Setup the OpenSSO client</title>
- <procedure>
- <step>
- <para>
- Copy all libraries from
<filename>GATEIN_SSO_HOME/opensso/gatein.ear/lib</filename> into
<filename>JBOSS_HOME/server/default/deploy/gatein.ear/lib</filename> (Or, in
Tomcat, into <filename>GATEIN_HOME/lib</filename>)
- </para>
- </step>
- <step>
- <itemizedlist>
- <listitem>
- <para>
- In JBoss AS, edit gatein.ear/META-INF/gatein-jboss-beans.xml and uncomment this
section
- </para>
-
-<programlisting><authentication>
- <login-module code="org.gatein.sso.agent.login.SSOLoginModule"
flag="required">
- </login-module>
- <login-module
code="org.exoplatform.services.security.j2ee.JbossLoginModule"
flag="required">
- <module-option
name="portalContainerName">portal</module-option>
- <module-option
name="realmName">gatein-domain</module-option>
- </login-module>
-</authentication>
-</programlisting>
- </listitem>
- </itemizedlist>
- <para>
- At this point the installation can be tested:
- </para>
- <procedure>
- <step>
- <para>
- Access &PRODUCT; by going to <ulink type="http"
url="http://localhost:8888/opensso/UI/Login?realm=gatein">http://localhost:8888/opensso/UI/Login?realm=gatein</ulink>
(assuming that the OpenSSO server using Tomcat is still running).
- </para>
- </step>
- <step>
- <para>
- Login with the username <literal>root</literal> and the password
<literal>gtn</literal> or any account created through the portal.
- </para>
- </step>
- </procedure>
-
- </step>
- </procedure>
-
- </section>
-
- <section
id="sect-Reference_Guide-OpenSSO_The_Open_Web_SSO_project-Setup_the_portal_to_redirect_to_OpenSSO">
- <title>Setup the portal to redirect to OpenSSO</title>
- <para>
- The next part of the process is to redirect all user authentication to the OpenSSO
server.
- </para>
- <para>
- Information about where the OpenSSO server is hosted must be properly configured
within the Enterprise Portal Platform instance. The required configuration is done by
modifying three files:
- <itemizedlist>
- <listitem>
+ <procedure
id="proc-Reference_Guide-OpenSSO_The_Open_Web_SSO_project-Setup_the_OpenSSO_client">
+ <title>Setup the OpenSSO client</title>
+ <step>
<para>
- In the
<filename>gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml</filename>
file modify the 'Sign In' link as follows:
-<programlisting>
-
-<!--
-<a class="Login"
onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
--->
-<a class="Login"
href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
-</programlisting>
+ Copy all libraries from the
<filename>GATEIN_SSO_HOME/opensso/gatein.ear/lib</filename> directory into the
<filename>JBOSS_HOME/server/default/deploy/gatein.ear/lib</filename>
directory.
</para>
- </listitem>
- <listitem>
<para>
- In the
<filename>gatein.ear/web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl</filename>
file modify the 'Sign In' link as follows:
-<programlisting>
+ Alternatively, in a Tomcat environment, copy the libraries into the
<filename>GATEIN_HOME/lib</filename> directory.
+ </para>
+ </step>
+ <step>
+ <para>
+ Edit the
<filename>jboss-as/server/<SERVER-TYPE>/gatein.ear/META-INF/gatein-jboss-beans.xml</filename>
and uncomment this section:
+ </para>
+<programlisting language="XML"
role="XML"><![CDATA[<authentication>
+ <login-module code="org.gatein.sso.agent.login.SSOLoginModule"
flag="required">
+ </login-module>
+ <login-module
code="org.exoplatform.services.security.j2ee.JbossLoginModule"
flag="required">
+ <module-option
name="portalContainerName">portal</module-option>
+ <module-option name="realmName">gatein-domain</module-option>
+ </login-module>
+</authentication>]]></programlisting>
+ </step>
+ <step>
+ <para>
+ Test the installation:
+ </para>
+ <procedure>
+ <step>
+ <para>
+ Access &PRODUCT; by going to <ulink type="http"
url="http://localhost:8888/opensso/UI/Login?realm=gatein">http://localhost:8888/opensso/UI/Login?realm=gatein</ulink>
(assuming that the OpenSSO server using Tomcat is still running).
+ </para>
+ </step>
+ <step>
+ <para>
+ Login with the username <literal>root</literal> and the password
<literal>gtn</literal> or any account created through the portal.
+ </para>
+ </step>
+ </procedure>
+ </step>
+ </procedure>
+ <para>
+ The next part of the process is to redirect all user authentication to the OpenSSO
server.
+ </para>
+ <para>
+ Information about where the OpenSSO server is hosted must be properly configured
within the Enterprise Portal Platform instance. The required configuration is done by
modifying three files:
+ </para>
-<!--
-<a
onclick="$signInAction"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
--->
-<a
href="/portal/sso"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
-</programlisting>
+ <procedure
id="proc-Reference_Guide-OpenSSO_The_Open_Web_SSO_project-Setup_the_portal_to_redirect_to_OpenSSO">
+ <title>Setup the portal to redirect to OpenSSO</title>
+ <step>
+ <para>
+ Modify the '<emphasis role="bold">Sign
In</emphasis>' link in the
<filename>gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml</filename>
file as follows:
</para>
- </listitem>
- <listitem>
+<programlisting language="HTML" role="HTML"><![CDATA[
+<!--
+<a class="Login"
onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
+-->
+<a class="Login"
href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
+]]></programlisting>
+ </step>
+ <step>
<para>
+ Modify the '<emphasis role="bold">Sign
In</emphasis>' link in the
<filename>gatein.ear/web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl</filename>
file as follows:
+ </para>
+<programlisting language="HTML" role="HTML"><![CDATA[
+<!--
+<a
onclick="$signInAction"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
+-->
+<a
href="/portal/sso"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
+]]></programlisting>
+ </step>
+ <step>
+ <para>
Replace the entire contents of
<filename>gatein.ear/02portal.war/login/jsp/login.jsp</filename> with:
- </para>
-
-<programlisting><html>
- <head>
- <script type="text/javascript">
+ </para>
+<programlisting language="HTML"
role="HTML"><![CDATA[<html>
+ <head>
+ <script type="text/javascript">
window.location = '/portal/sso';
- </script>
- </head>
- <body>
- </body>
-</html>
-</programlisting>
- </listitem>
- <listitem>
+ </script>
+ </head>
+ <body>
+ </body>
+</html>]]></programlisting>
+ </step>
+ <step>
<para>
- Add the following Filters at the top of the filter chain in
<filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename>:
-<programlisting>
-
- <filter>
- <filter-name>LoginRedirectFilter</filter-name>
-
<filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
- <init-param>
- <!-- This should point to your SSO authentication server -->
- <param-name>LOGIN_URL</param-name>
- <param-value>http://localhost:8888/opensso/UI/Login?realm=gatein&goto=http://localhost:8080
- /portal/private/classic</param-value>
- </init-param>
- </filter>
- <filter>
- <filter-name>OpenSSOLogoutFilter</filter-name>
-
<filter-class>org.gatein.sso.agent.filter.OpenSSOLogoutFilter</filter-class>
- <init-param>
- <!-- This should point to your OpenSSO authentication server -->
- <param-name>LOGOUT_URL</param-name>
-
<param-value>http://localhost:8888/opensso/UI/Logout</param-value>
- </init-param>
- </filter>
+ Add the following Filters to the top of the filter chain in
<filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename>:
+ </para>
+<programlisting language="XML" role="XML"><![CDATA[
+ <filter>
+ <filter-name>LoginRedirectFilter</filter-name>
+
<filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
+ <init-param>
+ <!-- This should point to your SSO authentication server -->
+ <param-name>LOGIN_URL</param-name>
+ <param-value>http://localhost:8888/opensso/UI/Login?realm=gatein&goto=http://localhost:8080
+ /portal/private/classic</param-value>
+ </init-param>
+ </filter>
+ <filter>
+ <filter-name>OpenSSOLogoutFilter</filter-name>
+
<filter-class>org.gatein.sso.agent.filter.OpenSSOLogoutFilter</filter-class>
+ <init-param>
+ <!-- This should point to your OpenSSO authentication server -->
+ <param-name>LOGOUT_URL</param-name>
+ <param-value>http://localhost:8888/opensso/UI/Logout</param-value>
+ </init-param>
+ </filter>
- <!-- place the filters at the top of the filter chain -->
- <filter-mapping>
- <filter-name>LoginRedirectFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
- <filter-mapping>
- <filter-name>OpenSSOLogoutFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
-</programlisting>
- </para>
- </listitem>
- <listitem>
+ <!-- place the filters at the top of the filter chain -->
+ <filter-mapping>
+ <filter-name>LoginRedirectFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+ <filter-mapping>
+ <filter-name>OpenSSOLogoutFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+]]></programlisting>
+ </step>
+ <step>
<para>
Replace the <literal>InitiateLoginServlet</literal> declaration in
<filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename> with:
- </para>
-
-<programlisting><servlet>
- <servlet-name>InitiateLoginServlet</servlet-name>
-
<servlet-class>org.gatein.sso.agent.GenericSSOAgent</servlet-class>
- <init-param>
- <param-name>ssoServerUrl</param-name>
- <param-value>http://localhost:8888/opensso</param-value>
- </init-param>
- <init-param>
- <param-name>ssoCookieName</param-name>
- <param-value>iPlanetDirectoryPro</param-value>
- </init-param>
-</servlet>
-</programlisting>
- </listitem>
- </itemizedlist>
- </para>
- <para>
- From now on, all links redirecting to the user authentication pages will redirect to
the OpenSSO centralized authentication form.
- </para>
- </section>
-
+ </para>
+<programlisting language="XML"
role="XML"><![CDATA[<servlet>
+ <servlet-name>InitiateLoginServlet</servlet-name>
+ <servlet-class>org.gatein.sso.agent.GenericSSOAgent</servlet-class>
+ <init-param>
+ <param-name>ssoServerUrl</param-name>
+ <param-value>http://localhost:8888/opensso</param-value>
+ </init-param>
+ <init-param>
+ <param-name>ssoCookieName</param-name>
+ <param-value>iPlanetDirectoryPro</param-value>
+ </init-param>
+</servlet>]]></programlisting>
+ </step>
+ </procedure>
+ <para>
+ From now on, all links redirecting to the user authentication pages will redirect to
the OpenSSO centralized authentication form.
+ </para>
</section>
- <section id="sect-Reference_Guide-SSO_Single_Sign_On-SPNEGO">
- <title>SPNEGO</title>
+ <section
id="sect-Reference_Guide-SSO_Single_Sign_On-SPNEGO_Simple_and_Protected_GSSAPI_Negotiation_Mechanism">
+ <title>SPNEGO - Simple and Protected GSSAPI Negotiation Mechanism</title>
<para>
- SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is used to authenticate
transparently through the web browser after the user has been authenticated when
logging-in his session.
+ The Simple and Protected GSSAPI Negotiation Mechanism (<emphasis
role="bold">SPNEGO</emphasis>) uses desktop credentials provided during
a desktop login to transparently authenticate a portal user through a web browser.
</para>
<para>
- A typical use case is the following:
+ For illustrative purposes; a typical use case would be:
</para>
<procedure>
<step>
<para>
- Users logs into his desktop (Such as a Windows machine).
+ A user logs into their desktop computer with a login that is governed by an Active
Directory domain.
</para>
</step>
<step>
<para>
- The desktop login is governed by Active Directory domain.
+ The user then launches a web browser to access a web application (that uses JBoss
Negotiation) hosted on JBoss EPP.
</para>
</step>
<step>
<para>
- User then uses his browser (IE/Firefox) to access a web application (that uses JBoss
Negotiation) hosted on JBoss EPP.
+ The browser transfers the desktop credentials to the web application.
</para>
</step>
<step>
<para>
- The Browser transfers the desktop sign on information to the web application.
- </para>
- </step>
- <step>
- <para>
JBoss EAP/AS uses background GSS messages with the Active Directory (or any Kerberos
Server) to validate the user.
</para>
</step>
<step>
<para>
- The User has seamless SSO into the web application.
+ The user experiences a seamless single sign on (SSO) into the web application.
</para>
</step>
</procedure>
-
- <section id="sect-Reference_Guide-SPNEGO-Configuration">
- <title>Configuration</title>
- <para>
- GateIn uses JBoss Negotiation to enable SPNEGO based desktop SSO for the Portal. Here
are the steps to integrate SPNEGO with GateIn.
- </para>
- <procedure>
+
+ <para>
+ &PRODUCT; uses JBoss Negotiation to enable SPNEGO-based desktop SSO.
+ </para>
+ <para>
+ The following procedure outlines how to integrate SPNEGO with the &PRODUCT;.
+ </para>
+
+ <procedure
id="sect-Reference_Guide-SPNEGO_Simple_and_Protected_GSSAPI_Negotiation_Mechanism-SPNEGO_Configuration">
+ <title>SPNEGO Configuration</title>
<step>
<para>
- Activate the Host authentication Under conf/login-config.xml, add the following
host login module:
-<programlisting><!-- SPNEGO domain -->
- <application-policy name="host">
- <authentication>
- <login-module code="com.sun.security.auth.module.Krb5LoginModule"
- flag="required">
- <module-option
name="storeKey">true</module-option>
- <module-option
name="useKeyTab">true</module-option>
- <module-option
name="principal"&gt;HTTP/server.local.network(a)LOCAL.NETWORK&lt;/module-option&gt;
- <module-option
name="keyTab">/home/user/krb5keytabs/jboss.keytab</module-option>
- <module-option
name="doNotPrompt">true</module-option>
- <module-option
name="debug">true</module-option>
- </login-module>
- </authentication>
- </application-policy>
-</programlisting>
- the 'keyTab' value should point to the keytab file that was generated by
the kadmin kerberos tool. See the Setting up your Kerberos Development Environment guide
for more details.
+ Activate the Host authentication. Add the following host login module to the
<filename>conf.xml</filename> or
<filename>login-config.xml</filename> file (whichever your system uses):
</para>
+<programlisting language="XML" role="XML"><![CDATA[<!--
SPNEGO domain -->
+ <application-policy name="host">
+ <authentication>
+ <login-module code="com.sun.security.auth.module.Krb5LoginModule"
+ flag="required">
+ <module-option name="storeKey">true</module-option>
+ <module-option name="useKeyTab">true</module-option>
+ <module-option
name="principal">HTTP/server.local.network(a)LOCAL.NETWORK</module-option>
+ <module-option
name="keyTab">/home/user/krb5keytabs/jboss.keytab</module-option>
+ <module-option name="doNotPrompt">true</module-option>
+ <module-option name="debug">true</module-option>
+ </login-module>
+ </authentication>
+ </application-policy>]]></programlisting>
+ <para>
+ The '<literal>keyTab</literal>' value should point to the
keytab file that was generated by the <literal>kadmin</literal> Kerberos tool.
See the <citetitle>Setting up your Kerberos Development
Environment</citetitle> guide for more details.
+ </para>
</step>
<step>
<para>
- Extend the core authentication mechanisms to support SPNEGO Under
deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml, add 'SPNEGO'
authenticators property
-<programlisting><property name="authenticators">
- <map keyClass="java.lang.String"
valueClass="java.lang.String">
- <entry>
- <key>BASIC</key>
-
<value>org.apache.catalina.authenticator.BasicAuthenticator</value>
- </entry>
- <entry>
- <key>CLIENT-CERT</key>
-
<value>org.apache.catalina.authenticator.SSLAuthenticator</value>
- </entry>
- <entry>
- <key>DIGEST</key>
-
<value>org.apache.catalina.authenticator.DigestAuthenticator</value>
- </entry>
- <entry>
- <key>FORM</key>
-
<value>org.apache.catalina.authenticator.FormAuthenticator</value>
- </entry>
- <entry>
- <key>NONE</key>
-
<value>org.apache.catalina.authenticator.NonLoginAuthenticator</value>
- </entry>
+ Extend the core authentication mechanisms to support SPNEGO Under
<filename>deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml</filename>,
add a '<literal>SPNEGO</literal>' authenticators property
+ </para>
+<programlisting language="XML"
role="XML"><![CDATA[<property name="authenticators">
+ <map keyClass="java.lang.String"
valueClass="java.lang.String">
+ <entry>
+ <key>BASIC</key>
+
<value>org.apache.catalina.authenticator.BasicAuthenticator</value>
+ </entry>
+ <entry>
+ <key>CLIENT-CERT</key>
+
<value>org.apache.catalina.authenticator.SSLAuthenticator</value>
+ </entry>
+ <entry>
+ <key>DIGEST</key>
+
<value>org.apache.catalina.authenticator.DigestAuthenticator</value>
+ </entry>
+ <entry>
+ <key>FORM</key>
+
<value>org.apache.catalina.authenticator.FormAuthenticator</value>
+ </entry>
+ <entry>
+ <key>NONE</key>
+
<value>org.apache.catalina.authenticator.NonLoginAuthenticator</value>
+ </entry>
- <!-- Add this entry -->
- <entry>
- <key>SPNEGO</key>
-
<value>org.jboss.security.negotiation.NegotiationAuthenticator</value>
- </entry>
- </map>
- </property>
-</programlisting>
- </para>
+ <!-- Add this entry -->
+ <entry>
+ <key>SPNEGO</key>
+
<value>org.jboss.security.negotiation.NegotiationAuthenticator</value>
+ </entry>
+ </map>
+ </property>]]></programlisting>
</step>
<step>
<para>
- Add the JBoss Negotiation binary copy
$GATEIN_SSO_HOME/spnego/jboss-negotiation-2.0.3.GA.jar to lib
+ Add the JBoss Negotiation binary by copying
<filename>$GATEIN_SSO_HOME/spnego/jboss-negotiation-2.0.3.GA.jar</filename> to
lib. DOC TODO <-- Which directory is meant by 'lib'??
(deploy/gatein.ear/lib?)
</para>
</step>
<step>
<para>
- Add the Gatein SSO module binaries Add
$GATEIN_SSO_HOME/spnego/gatein.ear/lib/sso-agent.jar, and
$GATEIN_SSO_HOME/spnego/gatein.ear/lib/sso-spnego.jar to deploy/gatein.ear/lib
+ Add the Gatein SSO module binaries by adding
<filename>$GATEIN_SSO_HOME/spnego/gatein.ear/lib/sso-agent.jar</filename> and
<filename>$GATEIN_SSO_HOME/spnego/gatein.ear/lib/sso-spnego.jar</filename> to
<filename>deploy/gatein.ear/lib</filename>.
</para>
</step>
<step>
<para>
- Activate SPNEGO LoginModule for GateIn Modify
deploy/gatein.ear/META-INF/gatein-jboss-beans.xml, so that it looks like this:
-<programlisting><deployment
xmlns="urn:jboss:bean-deployer:2.0">
- <application-policy xmlns="urn:jboss:security-beans:1.0"
name="gatein-domain">
- <!-- Uncomment this for Kerberos based SSO integration -->
- <authentication>
- <login-module
+ Modifying
<filename>deploy/gatein.ear/META-INF/gatein-jboss-beans.xml</filename> to
match the following:
+ </para>
+<programlisting language="XML"
role="XML"><![CDATA[<deployment
xmlns="urn:jboss:bean-deployer:2.0">
+ <application-policy xmlns="urn:jboss:security-beans:1.0"
name="gatein-domain">
+ <!-- Uncomment this for Kerberos based SSO integration -->
+ <authentication>
+ <login-module
code="org.gatein.sso.spnego.SPNEGOLoginModule"
- flag="requisite">
- <module-option
name="password-stacking">useFirstPass</module-option>
- <module-option
name="serverSecurityDomain">host</module-option>
- </login-module>
- <login-module
+ flag="requisite">
+ <module-option
name="password-stacking">useFirstPass</module-option>
+ <module-option
name="serverSecurityDomain">host</module-option>
+ </login-module>
+ <login-module
code="org.gatein.sso.agent.login.SPNEGORolesModule"
- flag="required">
- <module-option
name="password-stacking">useFirstPass</module-option>
- <module-option
name="portalContainerName">portal</module-option>
- <module-option
name="realmName">gatein-domain</module-option>
- </login-module>
- </authentication>
- </application-policy>
-</deployment>
-</programlisting>
+ flag="required">
+ <module-option
name="password-stacking">useFirstPass</module-option>
+ <module-option
name="portalContainerName">portal</module-option>
+ <module-option
name="realmName">gatein-domain</module-option>
+ </login-module>
+ </authentication>
+ </application-policy>
+</deployment>]]></programlisting>
+ <para>
+ This activate the SPNEGO <literal>LoginModule</literal> for use with
&PRODUCT;.
</para>
</step>
<step>
<para>
- Integrate SPNEGO support into the Portal web archive Switch GateIn authentication
mechanism from the default "FORM" based to "SPNEGO" based
authentication as follows: Modify gatein.ear/02portal.war/WEB-INF/web.xml
-<programlisting> <!--
- <login-config>
- <auth-method>FORM</auth-method>
- <realm-name>gatein-domain</realm-name>
- <form-login-config>
- <form-login-page>/initiatelogin</form-login-page>
- <form-error-page>/errorlogin</form-error-page>
- </form-login-config>
- </login-config>
- -->
- <login-config>
- <auth-method>SPNEGO</auth-method>
- <realm-name>SPNEGO</realm-name>
- </login-config>
-</programlisting>
- Integrate request pre-processing needed for SPNEGO via filters. Add the following
filters to the web.xml at the top of the Filter chain:
-<programlisting> <filter>
- <filter-name>LoginRedirectFilter</filter-name>
-
<filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
- <init-param>
- <!-- This should point to your SSO authentication server -->
- <param-name>LOGIN_URL</param-name>
- <param-value>/portal/private/classic</param-value>
- </init-param>
- </filter>
- <filter>
- <filter-name>SPNEGOFilter</filter-name>
-
<filter-class>org.gatein.sso.agent.filter.SPNEGOFilter</filter-class>
- </filter>
+ Modify <filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename> to
match:
+ </para>
+<programlisting language="XML" role="XML"><![CDATA[
<!--
+ <login-config>
+ <auth-method>FORM</auth-method>
+ <realm-name>gatein-domain</realm-name>
+ <form-login-config>
+ <form-login-page>/initiatelogin</form-login-page>
+ <form-error-page>/errorlogin</form-error-page>
+ </form-login-config>
+ </login-config>
+ -->
+ <login-config>
+ <auth-method>SPNEGO</auth-method>
+ <realm-name>SPNEGO</realm-name>
+ </login-config>]]></programlisting>
+ <para>
+ This integrates SPNEGO support into the Portal web archive by switching
authentication mechanism from the default
"<literal>FORM</literal>"-based to
"<literal>SPNEGO</literal>"-based authentication.
+ </para>
+ </step>
+ <step>
+ <para>
+ Add the following filters to the top of the Filter chain in the
<filename>web.xml</filename> file:
+ </para>
+<programlisting language="XML" role="XML"><![CDATA[
<filter>
+ <filter-name>LoginRedirectFilter</filter-name>
+
<filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
+ <init-param>
+ <!-- This should point to your SSO authentication server -->
+ <param-name>LOGIN_URL</param-name>
+ <param-value>/portal/private/classic</param-value>
+ </init-param>
+ </filter>
+ <filter>
+ <filter-name>SPNEGOFilter</filter-name>
+
<filter-class>org.gatein.sso.agent.filter.SPNEGOFilter</filter-class>
+ </filter>
- <filter-mapping>
- <filter-name>LoginRedirectFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
- <filter-mapping>
- <filter-name>SPNEGOFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
-</programlisting>
+ <filter-mapping>
+ <filter-name>LoginRedirectFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+ <filter-mapping>
+ <filter-name>SPNEGOFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>]]></programlisting>
+ <para>
+ This integrates request pre-processing needed for SPNEGO.
</para>
</step>
<step>
<para>
- Modify the Portal's 'Sign In' link to perform SPNEGO authentication
Modify the 'Sign In' link on
gatein.war/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtmpl as follows:
+ Edit the '<emphasis role="bold">Sign In</emphasis>'
link in
<filename>gatein.war/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtmpl</filename>
to match the following:
<programlisting><!--
<a
onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
-->
<a
href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
</programlisting>
</para>
+ <para>
+ This modifies the Portal's '<emphasis role="bold">Sign
In</emphasis>' link to perform SPNEGO authentication.
+ </para>
</step>
<step>
<para>
- Start the GateIn Portal
+ Start the &PRODUCT;;
<programlisting>sudo ./run.sh -Djava.security.krb5.realm=LOCAL.NETWORK
-Djava.security.krb5.kdc=server.local.network -c spnego -b server.local.network
</programlisting>
</para>
</step>
<step>
<para>
- Login to Kerberos
+ Login to Kerberos:
+ </para>
<programlisting>kinit -A demo
</programlisting>
- You should be able to click the 'Sign In' link on the GateIn Portal and
the 'demo' user from the GateIn portal should be automatically logged in
- </para>
</step>
</procedure>
-
- </section>
-
+ <para>
+ Clicking the 'Sign In' link on the &PRODUCT; should automatically sign
the 'demo' user into the portal.
+ </para>
</section>
</section>
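Review bot: the step that copies jboss-negotiation-2.0.3.GA.jar still carries the editorial query `DOC TODO <-- Which directory is meant by 'lib'?? (deploy/gatein.ear/lib?)` inside the rendered `<para>`; resolve the target directory before this ships, and note that the bare `<--` is not well-formed XML (an unescaped `<` in character data), so the file will fail to parse as committed. Smaller points in the same hunk: `Modifying ... to match the following:` should be the imperative `Modify`, matching the other steps; `This activate the SPNEGO` should read `This activates`; `Start the &PRODUCT;;` doubles the semicolon after the entity (a colon is presumably intended, as in `Login to Kerberos:`); `Extend the core authentication mechanisms to support SPNEGO Under ...` needs a full stop after SPNEGO; and the `UIBannerPortlet.gtmpl` listing and the `run.sh` listing are left inside `<para>` without the `language="XML"`/CDATA treatment the sibling listings received, so the raw `<a ...>` and `<%= ... %>` in that template snippet are still parsed as markup. Two things a reader of the Krb5LoginModule sample will want flagged in the text: `<module-option name="debug">true</module-option>` writes Kerberos authentication details (principal, keytab, ticket information) to the server log and should be switched off once the integration works, and the keytab at `/home/user/krb5keytabs/jboss.keytab` must be readable only by the account that runs the server. Relatedly, `sudo ./run.sh` starts the portal as root, which the guide should not present as the normal way to run it.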
Modified:
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/WSRP.xml
===================================================================
---
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/WSRP.xml 2010-05-12
02:49:29 UTC (rev 3060)
+++
portal/branches/EPP_5_0_0_Branch_Docs/Enterprise_Portal_Platform_Reference_Guide/en-US/modules/WSRP.xml 2010-05-12
06:22:13 UTC (rev 3061)
@@ -8,9 +8,12 @@
<section
id="sect-Reference_Guide-Web_Services_for_Remote_Portlets_WSRP-Introduction">
<title>Introduction</title>
<para>
- The Web Services for Remote Portlets specification defines a web service interface for
accessing and interacting with interactive presentation-oriented web services. It has been
produced through the efforts of the Web Services for Remote Portlets (WSRP) OASIS
Technical Committee. It is based on the requirements gathered and on the concrete
proposals made to the committee.
+ The Web Services for Remote Portlets (WSRP) specification defines a web service
interface for accessing and interacting with interactive presentation-oriented web
services.
</para>
<para>
+ It has been produced through the efforts of the Web Services for Remote Portlets (WSRP)
OASIS Technical Committee. It is based on the requirements gathered and on the concrete
proposals made to the committee.
+ </para>
+ <para>
Scenarios that motivate WSRP functionality include:
<itemizedlist>
<listitem>
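Review bot: the new second paragraph re-expands the abbreviation, `the Web Services for Remote Portlets (WSRP) OASIS Technical Committee`, immediately after the first paragraph has already defined WSRP; drop the expansion there and write `the OASIS WSRP Technical Committee`. Also, while the paragraph is being split, the `<itemizedlist>` is still nested inside the `<para>` that opens with `Scenarios that motivate WSRP functionality include:`; closing the `<para>` before the list is the usual DocBook pattern and matches what this commit does for the programlistings in SSO.xml.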
@@ -26,25 +29,31 @@
</itemizedlist>
</para>
<para>
- More information on WSRP can be found on the <ulink
url="http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wsrp...
website for WSRP</ulink>. We suggest reading the <ulink
url="http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wsrp...
for a good, albeit technical, overview of WSRP.
+ More information on WSRP can be found on the official <ulink
url="http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wsrp...;.
</para>
+ <para>
+ We suggest reading the <ulink
url="http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wsrp...
for a comprehensive overview of WSRP.
+ </para>
</section>
<section
id="sect-Reference_Guide-Web_Services_for_Remote_Portlets_WSRP-Level_of_support_in_PRODUCT">
<title>Level of support in &PRODUCT;</title>
<para>
- The WSRP Technical Committee defined <ulink
url="http://www.oasis-open.org/committees/download.php/3073">... Use
Profiles</ulink> to help with WSRP interoperability. We will refer to terms defined
in that document in this section.
+ The WSRP Technical Committee defined <ulink
url="http://www.oasis-open.org/committees/download.php/3073">... Use
Profiles</ulink> to help with WSRP interoperability. Terms defined in that document
will be used in this section.
</para>
<para>
- &PRODUCT_NAME; provides a Simple level of support for our WSRP Producer except that
out-of-band registration is not currently handled. We support in-band registration and
persistent local state (which are defined at the Complex level).
+ &PRODUCT_NAME; provides a <emphasis>Simple</emphasis> level of support
for our WSRP Producer except that out-of-band registration is not currently handled. We
support in-band registration and persistent local state (which are defined at the
<emphasis>Complex</emphasis> level).
</para>
<para>
- On the Consumer side, &PRODUCT_NAME; provides a Medium level of support for WSRP,
except that we only handle HTML markup (as &PRODUCT_NAME; itself doesn't handle
other markup types). We do support explicit portlet cloning and we fully support the
PortletManagement interface.
+ On the Consumer side, &PRODUCT_NAME; provides a
<emphasis>Medium</emphasis> level of support for WSRP, except that we only
handle HTML markup (as &PRODUCT_NAME; itself doesn't handle other markup types).
We do support explicit portlet cloning and we fully support the
<literal>PortletManagement</literal> interface.
</para>
<para>
- As far as caching goes, we have Level 1 Producer and Consumer. We support Cookie
handling properly on the Consumer and our Producer requires initialization of cookies (as
we have found that it improved interoperabilty with some consumers). We don't support
custom window states or modes, as Portal doesn't either. We do, however, support CSS
on both the Producer (though it's more a function of the portlets than inherent
Producer capability) and Consumer.
+ We has Level 1 Producer and Consumer caching. Cookie handling is supported properly on
the Consumer and our Producer requires initialization of cookies (this improves
interoperabilty with some consumers).
</para>
<para>
+ We don't support custom window states or modes, as Portal doesn't either. We
do, however, support CSS on both the Producer (though it's more a function of the
portlets than inherent Producer capability) and Consumer.
+ </para>
+ <para>
While we provide a complete implementation of WSRP 1.0, we do need to go through the
<ulink
url="http://www.oasis-open.org/committees/download.php/6018">...
statements</ulink> and perform more interoperability testing (an area that needs to
be better supported by the WSRP Technical Committee and Community at large).
</para>
<note>
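Review bot: `We has Level 1 Producer and Consumer caching.` in the caching paragraph introduces a grammar error the original (`we have Level 1 Producer and Consumer`) did not have; write `We have Level 1 Producer and Consumer caching.` The spelling `interoperabilty` two lines later is carried over from the old text and should be `interoperability`. The `<emphasis>` on `Simple`, `Medium` and `Complex` is a good change, since these are the Use Profile terms the preceding paragraph says it will use.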
@@ -52,59 +61,101 @@
As of version &PRODUCT_VERSION; of &PRODUCT_NAME;, WSRP is only activated and
supported when &PRODUCT_NAME; is deployed on JBoss Application Server.
</para>
</note>
+ <warning>
+ <title>DOC TODO</title>
+ <para>
+ Who or What is the <emphasis role="bold">WE</emphasis> referred
to in these paragraphs? Red Hat, &PRODUCT; or the developers of WSRP?
+ </para>
+ </warning>
</section>
<section
id="sect-Reference_Guide-Web_Services_for_Remote_Portlets_WSRP-Deploying_PRODUCT_NAMEs_WSRP_services">
<title>Deploying &PRODUCT_NAME;'s WSRP services</title>
<para>
- &PRODUCT_NAME; provides a complete support of WSRP 1.0 standard interfaces and
offers both consumer and producer services. WSRP support is provided by the following
files, assuming <code>$GATEIN_HOME</code> is where &PRODUCT_NAME; has been
installed, <code>$WSRP_VERSION</code> (at the time of the writing, it was
&WSRP_VERSION;) is the version of the WSRP component and
<code>$PORTAL_VERSION</code> (at the time of the writing, it was
&PORTAL_VERSION;) is the current &PRODUCT_NAME; version:
- <itemizedlist>
- <listitem>
- <para>
- <filename>$GATEIN_HOME/wsrp-admin-gui.war</filename>, which contains the
WSRP Configuration portlet with which you can configure consumers to access remote servers
and how the WSRP producer is configured.
- </para>
- </listitem>
- <listitem>
- <para>
- <filename>$GATEIN_HOME/wsrp-producer.war</filename>, which contains the
WSRP producer web application.
- </para>
- </listitem>
- <listitem>
- <para>
- <filename>$GATEIN_HOME/lib/wsrp-common-$WSRP_VERSION.jar</filename>,
which contains common classes needed by the different WSRP libraries.
- </para>
- </listitem>
- <listitem>
- <para>
- <filename>$GATEIN_HOME/lib/wsrp-consumer-$WSRP_VERSION.jar</filename>,
which contains the WSRP consumer.
- </para>
- </listitem>
- <listitem>
- <para>
- <filename>$GATEIN_HOME/lib/wsrp-integration-api-$WSRP_VERSION.jar</filename>,
which contains the API classes needed to integrate the WSRP component into portals.
- </para>
- </listitem>
- <listitem>
- <para>
- <filename>$GATEIN_HOME/lib/wsrp-producer-lib-$WSRP_VERSION.jar</filename>,
which contains the classes needed by the WSRP producer.
- </para>
- </listitem>
- <listitem>
- <para>
- <filename>$GATEIN_HOME/lib/wsrp-wsrp1-ws-$WSRP_VERSION.jar</filename>,
which contains the generated JAX-WS classes for WSRP version 1.
- </para>
- </listitem>
- <listitem>
- <para>
- <filename>$GATEIN_HOME/lib/gatein.portal.component.wsrp-$PORTAL_VERSION.jar</filename>,
which contains the code to integrate the WSRP service into &PRODUCT_NAME;.
- </para>
- </listitem>
- </itemizedlist>
- If you're not going to use WSRP in &PRODUCT_NAME;, you can remove
<filename>$GATEIN_HOME/lib/gatein.portal.component.wsrp-$PORTAL_VERSION.jar</filename>
from your &PRODUCT_NAME; distribution to easily deactivate WSRP support. Of course, if
you want to trim your installation, you can also remove all the files mentioned above.
+ &PRODUCT_NAME; provides a complete support of WSRP 1.0 standard interfaces and
offers both consumer and producer services.
</para>
- <section
id="sect-Reference_Guide-Deploying_PRODUCT_NAMEs_WSRP_services-Considerations_to_use_WSRP_when_running_PRODUCT_NAME_on_a_non_default_port_or_hostname">
- <title>Considerations to use WSRP when running &PRODUCT_NAME; on a
non-default port or hostname</title>
+
+ <note>
+ <title>Assumptions</title>
<para>
+ The following list asumes that <code>$GATEIN_HOME</code> is where
&PRODUCT_NAME; has been installed, that <code>$WSRP_VERSION</code> is the
version of the WSRP component (at the time of the writing, it was &WSRP_VERSION;) and
that <code>$PORTAL_VERSION</code> is the current &PRODUCT_NAME; version
(at the time of the writing, it was &PORTAL_VERSION;).
+ </para>
+ </note>
+ <para>
+ WSRP support is provided by the following files:
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>$GATEIN_HOME/wsrp-admin-gui.war</term>
+ <listitem>
+ <para>
+ This file contains the WSRP Configuration portlet with which you can configure
consumers to access remote servers and how the WSRP producer is configured.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>$GATEIN_HOME/wsrp-producer.war</term>
+ <listitem>
+ <para>
+ This file contains the WSRP producer web application.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>$GATEIN_HOME/lib/wsrp-common-$WSRP_VERSION.jar</term>
+ <listitem>
+ <para>
+ This file contains common classes needed by the different WSRP libraries.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>$GATEIN_HOME/lib/wsrp-consumer-$WSRP_VERSION.jar</term>
+ <listitem>
+ <para>
+ This file contains the WSRP consumer.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>$GATEIN_HOME/lib/wsrp-integration-api-$WSRP_VERSION.jar</term>
+ <listitem>
+ <para>
+ This file contains the API classes needed to integrate the WSRP component into
portals.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>$GATEIN_HOME/lib/wsrp-producer-lib-$WSRP_VERSION.jar</term>
+ <listitem>
+ <para>
+ This file contains the classes needed by the WSRP producer.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>$GATEIN_HOME/lib/wsrp-wsrp1-ws-$WSRP_VERSION.jar</term>
+ <listitem>
+ <para>
+ This file contains the generated JAX-WS classes for WSRP version 1.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>$GATEIN_HOME/lib/gatein.portal.component.wsrp-$PORTAL_VERSION.jar</term>
+ <listitem>
+ <para>
+ This file contains the code to integrate the WSRP service into &PRODUCT_NAME;.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ <para>
+ If you are not going to use WSRP in &PRODUCT_NAME;, you can remove
<filename>$GATEIN_HOME/lib/gatein.portal.component.wsrp-$PORTAL_VERSION.jar</filename>
from your &PRODUCT_NAME; distribution to deactivate WSRP support.
+ </para>
+ <section
id="sect-Reference_Guide-Deploying_PRODUCT_NAMEs_WSRP_services-Considerations_for_use_with_non-default_port_or_hostname">
+ <title>Considerations for use with non-default port or hostname</title>
+ <para>
JBoss WS (the web service stack that &PRODUCT_NAME; uses) should take care of the
details of updating the port and host name used in WSDL. See the <ulink
url="http://community.jboss.org/wiki/JBossWS-UserGuide#Configuration...
WS user guide on that subject </ulink> for more details.
</para>
<para>
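Review bot: the `<warning><title>DOC TODO</title>` block asking who `WE` refers to will render to readers as a product warning; editorial queries belong in a `<remark>` element (or an XML comment) so they can be suppressed in the published build, and the question should be answered here rather than shipped. Other points in this hunk: `asumes` in the Assumptions note should be `assumes`; the `<term>` entries lost the `<filename>` markup the old `<listitem>` paragraphs had around the same paths, so wrap each `<term>` content in `<filename>` for consistency with the closing paragraph; and the old sentence `Of course, if you want to trim your installation, you can also remove all the files mentioned above.` was dropped without replacement, so the new text no longer tells the reader that the whole set of files can be removed, only the single integration jar; confirm that omission is intended.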