Author: smumford
Date: 2011-10-04 18:55:28 -0400 (Tue, 04 Oct 2011)
New Revision: 7656
Modified:
portal/trunk/docs/reference-guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
Log:
GTNPORTAL-2130: Corrected SPNEGO web.xml sample
Modified:
portal/trunk/docs/reference-guide/en-US/modules/AuthenticationAndIdentity/SSO.xml
===================================================================
---
portal/trunk/docs/reference-guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2011-10-04
18:57:00 UTC (rev 7655)
+++
portal/trunk/docs/reference-guide/en-US/modules/AuthenticationAndIdentity/SSO.xml 2011-10-04
22:55:28 UTC (rev 7656)
@@ -4,85 +4,85 @@
%BOOK_ENTITIES;
]>
<section id="chap-Reference_Guide-SSO_Single_Sign_On">
- <title>Single-Sign-On (SSO)</title>
- <section id="sect-Reference_Guide-Single_Sign_On-Overview">
- <title>Overview</title>
- <para>
- &PRODUCT; provides some form of Single Sign On
(<literal>SSO</literal>) as an integration and aggregation platform.
- </para>
- <para>
- When logging into the portal users gain access to many systems through portlets using
a single identity. In many cases, however, the portal infrastructure must be integrated
with other SSO enabled systems. There are many different Identity Management solutions
available. In most cases each SSO framework provides a unique way to plug into a Java EE
application.
- </para>
- <section id="sect-Reference_Guide-Overview_of_SSO-Prerequisite">
- <title>Prerequisites</title>
- <para>
- In this tutorial, the SSO server is installed in a Tomcat installation. Tomcat can be
obtained from <ulink type="http"
url="http://tomcat.apache.org">http://tomcat.apache.org</ulink>.
- </para>
- <para>
- All the packages required for setup can be found in a zip file located at: <ulink
type="http"
url="https://repository.jboss.org/nexus/content/groups/public/org/ga...;.
In this document we will call $GATEIN_SSO_HOME the directory where the file is extracted.
- </para>
- <para>
- Users are advised to not run any portal extensions that could override the data when
manipulating the <filename>gatein.ear</filename> file directly.
- </para>
- <para>
- Remove
<literal>$JBOSS_HOME/server/default/deploy/gatein-sample-extension.ear</literal>
and
<literal>$JBOSS_HOME/server/default/deploy/gatein-sample-portal.ear</literal>
which are packaged by default with &PRODUCT;.
- </para>
- </section>
+ <title>Single-Sign-On (SSO)</title>
+ <section id="sect-Reference_Guide-Single_Sign_On-Overview">
+ <title>Overview</title>
+ <para>
+ &PRODUCT; provides some form of Single Sign On
(<literal>SSO</literal>) as an integration and aggregation platform.
+ </para>
+ <para>
+ When logging into the portal users gain access to many systems through
portlets using a single identity. In many cases, however, the portal infrastructure must
be integrated with other SSO enabled systems. There are many different Identity Management
solutions available. In most cases each SSO framework provides a unique way to plug into a
Java EE application.
+ </para>
+ <section id="sect-Reference_Guide-Overview_of_SSO-Prerequisite">
+ <title>Prerequisites</title>
+ <para>
+ In this tutorial, the SSO server is installed in a Tomcat installation.
Tomcat can be obtained from <ulink type="http"
url="http://tomcat.apache.org">http://tomcat.apache.org</ulink>.
+ </para>
+ <para>
+ All the packages required for setup can be found in a zip file located
at: <ulink type="http"
url="https://repository.jboss.org/nexus/content/groups/public/org/ga...;.
In this document we will call $GATEIN_SSO_HOME the directory where the file is extracted.
+ </para>
+ <para>
+ Users are advised to not run any portal extensions that could override
the data when manipulating the <filename>gatein.ear</filename> file directly.
+ </para>
+ <para>
+ Remove
<literal>$JBOSS_HOME/server/default/deploy/gatein-sample-extension.ear</literal>
and
<literal>$JBOSS_HOME/server/default/deploy/gatein-sample-portal.ear</literal>
which are packaged by default with &PRODUCT;.
+ </para>
+ </section>
- </section>
-
- <section
id="sect-Reference_Guide-Single_Sign_On-CAS_Central_Authentication_Service">
- <title>Central Authentication Service (CAS)</title>
- <para>
- This Single Sign On plugin enables seamless integration between &PRODUCT; and the
CAS Single Sign On Framework. Details about CAS can be found <ulink
url="http://www.ja-sig.org/products/cas/">here</ulink>.
- </para>
- <para>
- The integration consists of two parts; the first part consists of installing or
configuring a CAS server, the second part consists of setting up the portal to use the CAS
server.
- </para>
- <section
id="sect-Reference_Guide-CAS_Central_Authentication_Service-CAS_server">
- <title>CAS server</title>
- <para>
- First, set up the server to authenticate against the portal login module. In this
example the CAS server will be installed on Tomcat.
- </para>
- <section id="sect-Reference_Guide-CAS_server-Obtaining_CAS">
- <title>Obtaining CAS</title>
- <para>
- CAS can be downloaded from <ulink type="http"
url="http://www.jasig.org/cas/download">http://www.jasig.org...;.
- </para>
- <para>
- Extract the downloaded file into a suitable location. This location will be referred
to as <literal>$CAS_HOME</literal> in the following example.
- </para>
- </section>
-
- <section id="sect-Reference_Guide-CAS_server-Modifying_CAS_server">
- <title>Modifying the CAS server</title>
- <para>
- To configure the web archive as desired, the simplest way is to make the necessary
changes directly in CAS codebase.
- </para>
+ </section>
+
+ <section
id="sect-Reference_Guide-Single_Sign_On-CAS_Central_Authentication_Service">
+ <title>Central Authentication Service (CAS)</title>
+ <para>
+ This Single Sign On plugin enables seamless integration between &PRODUCT;
and the CAS Single Sign On Framework. Details about CAS can be found <ulink
url="http://www.ja-sig.org/products/cas/">here</ulink>.
+ </para>
+ <para>
+ The integration consists of two parts; the first part consists of installing
or configuring a CAS server, the second part consists of setting up the portal to use the
CAS server.
+ </para>
+ <section
id="sect-Reference_Guide-CAS_Central_Authentication_Service-CAS_server">
+ <title>CAS server</title>
+ <para>
+ First, set up the server to authenticate against the portal login module.
In this example the CAS server will be installed on Tomcat.
+ </para>
+ <section id="sect-Reference_Guide-CAS_server-Obtaining_CAS">
+ <title>Obtaining CAS</title>
+ <para>
+ CAS can be downloaded from <ulink type="http"
url="http://www.jasig.org/cas/download">http://www.jasig.org...;.
+ </para>
+ <para>
+ Extract the downloaded file into a suitable location. This location
will be referred to as <literal>$CAS_HOME</literal> in the following example.
+ </para>
+ </section>
+
+ <section
id="sect-Reference_Guide-CAS_server-Modifying_CAS_server">
+ <title>Modifying the CAS server</title>
+ <para>
+ To configure the web archive as desired, the simplest way is to make
the necessary changes directly in CAS codebase.
+ </para>
<note>
<para>
To complete these instructions, and perform the final build step, you
will need the Apache Maven 2.
You can get it <ulink type="http"
url="http://maven.apache.org/download.html">here</ulink>.
</para>
</note>
- <para>
- First, we need to change the default authentication handler with the one provided by
&PRODUCT;.
- </para>
- <para>
- The CAS Server Plugin makes secure authentication callbacks to a RESTful service
installed on the remote GateIn server in order to authenticate a user.
- </para>
- <para>
- In order for the plugin to function correctly, it needs to be properly configured to
connect to this service. This configuration is done via the
<filename>cas.war/WEB-INF/deployerConfigContext.xml </filename> file.
- </para>
- <procedure>
- <step>
- <para>
- Open
<filename>CAS_HOME/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml</filename>
- </para>
- </step>
- <step>
- <para>
- Replace:
+ <para>
+ First, we need to change the default authentication handler with the
one provided by &PRODUCT;.
+ </para>
+ <para>
+ The CAS Server Plugin makes secure authentication callbacks to a
RESTful service installed on the remote GateIn server in order to authenticate a user.
+ </para>
+ <para>
+ In order for the plugin to function correctly, it needs to be
properly configured to connect to this service. This configuration is done via the
<filename>cas.war/WEB-INF/deployerConfigContext.xml </filename> file.
+ </para>
+ <procedure>
+ <step>
+ <para>
+ Open
<filename>CAS_HOME/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml</filename>
+ </para>
+ </step>
+ <step>
+ <para>
+ Replace:
<programlisting> <!--
| Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might
authenticate,
| AuthenticationHandlers actually authenticate credentials. Here e declare the
AuthenticationHandlers that
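Review bot: the log message says this revision corrects the SPNEGO web.xml sample, but every -/+ pair in this hunk differs only in leading whitespace, and the same holds for every other hunk shown, so the functional SPNEGO fix is buried inside a whole-file reindent and cannot be picked out of the diff; put the whitespace sweep in its own revision and the sample correction in another. Two wording problems in the reindented Prerequisites text are worth a real edit while these lines are being rewritten: "Users are advised to not run any portal extensions that could override the data when manipulating the gatein.ear file directly" is the reason for the next paragraph's instruction to remove gatein-sample-extension.ear and gatein-sample-portal.ear, and the two should be joined so the reader knows why the removal is required; and the trailing context "Here e declare the AuthenticationHandlers that" is missing the w in "we".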
@@ -109,13 +109,13 @@
</list>
</property>
</programlisting>
- </para>
- </step>
- <step>
- <para>
- With the following (Make sure to set the host, port and context with the values
corresponding to your portal). Also available in
<filename>GATEIN_SSO_HOME/cas/plugin/WEB-INF/deployerConfigContext.xml</filename>.
- </para>
- <para>
+ </para>
+ </step>
+ <step>
+ <para>
+ With the following (Make sure to set the host, port and
context with the values corresponding to your portal). Also available in
<filename>GATEIN_SSO_HOME/cas/plugin/WEB-INF/deployerConfigContext.xml</filename>.
+ </para>
+ <para>
<programlisting><!--
| Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might
authenticate,
@@ -151,49 +151,49 @@
</list>
</property>
</programlisting>
- </para>
- </step>
- <step>
- <para>
- Copy
<filename>GATEIN_SSO_HOME/cas/plugin/WEB-INF/lib/sso-cas-plugin-<VERSION>.jar</filename>
and
<filename>GATEIN_SSO_HOME/cas/plugin/WEB-INF/lib/commons-httpclient-<VERSION>.jar</filename>
into the
<filename>CAS_HOME/cas-server-webapp/src/main/webapp/WEB-INF/lib</filename>
created directory.
- </para>
- </step>
- <step>
- <para>
- Get an installation of Tomcat and extract it into a suitable location (which will
be called <filename>TOMCAT_HOME</filename> for these instructions).
- </para>
- <para>
- Change the default port to avoid a conflict with the default &PRODUCT; (for
testing purposes). Edit <filename>TOMCAT_HOME/conf/server.xml</filename> and
replace the 8080 port to 8888.
- <note>
- <para>
- If &PRODUCT; is running on the same machine as Tomcat, other ports need to
be changed in addition to 8080 in order to avoid port conflicts.
+ </para>
+ </step>
+ <step>
+ <para>
+ Copy
<filename>GATEIN_SSO_HOME/cas/plugin/WEB-INF/lib/sso-cas-plugin-<VERSION>.jar</filename>
and
<filename>GATEIN_SSO_HOME/cas/plugin/WEB-INF/lib/commons-httpclient-<VERSION>.jar</filename>
into the
<filename>CAS_HOME/cas-server-webapp/src/main/webapp/WEB-INF/lib</filename>
created directory.
+ </para>
+ </step>
+ <step>
+ <para>
+ Get an installation of Tomcat and extract it into a suitable
location (which will be called <filename>TOMCAT_HOME</filename> for these
instructions).
+ </para>
+ <para>
+ Change the default port to avoid a conflict with the default
&PRODUCT; (for testing purposes). Edit
<filename>TOMCAT_HOME/conf/server.xml</filename> and replace the 8080 port to
8888.
+ <note>
+ <para>
+ If &PRODUCT; is running on the same machine as
Tomcat, other ports need to be changed in addition to 8080 in order to avoid port
conflicts.
They can be changed to any free port. For example, you can
change admin port from 8005 to 8805, and AJP port from 8009 to 8809.
- </para>
- </note>
- </para>
- </step>
- <step>
- <para>
- Go to <filename>CAS_HOME/cas-server-webapp</filename> and execute the
command:
+ </para>
+ </note>
+ </para>
+ </step>
+ <step>
+ <para>
+ Go to
<filename>CAS_HOME/cas-server-webapp</filename> and execute the command:
<programlisting>mvn install
</programlisting>
- </para>
- </step>
- <step>
- <para>
- Copy <filename>CAS_HOME/cas-server-webapp/target/cas.war</filename>
into <filename>TOMCAT_HOME/webapps</filename>.
- </para>
- <para>
- Tomcat should start and be accessible at <ulink type="http"
url="http://localhost:8888/cas">http://localhost:8888/cas</ulink>. Note
that at this stage login won't be available.
- </para>
- <mediaobject>
- <imageobject>
- <imagedata fileref="images/AuthenticationAndIdentity/SSO/cas.png"
format="PNG" width="444" />
- </imageobject>
- </mediaobject>
- </step>
- </procedure>
- </section>
+ </para>
+ </step>
+ <step>
+ <para>
+ Copy
<filename>CAS_HOME/cas-server-webapp/target/cas.war</filename> into
<filename>TOMCAT_HOME/webapps</filename>.
+ </para>
+ <para>
+ Tomcat should start and be accessible at <ulink
type="http"
url="http://localhost:8888/cas">http://localhost:8888/cas</ulink>. Note
that at this stage login won't be available.
+ </para>
+ <mediaobject>
+ <imageobject>
+ <imagedata
fileref="images/AuthenticationAndIdentity/SSO/cas.png" format="PNG"
width="444" />
+ </imageobject>
+ </mediaobject>
+ </step>
+ </procedure>
+ </section>
<note>
<para>
By default on logout the CAS server will display the CAS logout page with a link to
return to the portal. To make the CAS server redirect to the portal page after a logout,
modify the
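Review bot: the step that copies sso-cas-plugin-<VERSION>.jar and commons-httpclient-<VERSION>.jar "into the CAS_HOME/cas-server-webapp/src/main/webapp/WEB-INF/lib created directory" reads as if that directory already exists; say that the reader creates WEB-INF/lib under the webapp source tree first and then copies the two jars, and replace the <VERSION> placeholders with the versions the GATEIN_SSO_HOME bundle actually ships, since the reader is told to copy exact file names. The test URL http://localhost:8888/cas, together with the earlier sentence that the plugin "makes secure authentication callbacks to a RESTful service installed on the remote GateIn server in order to authenticate a user", describes a plain-HTTP setup with nothing marking it as test-only: that callback is what carries the user's authentication to the portal, so the sample should state that both the CAS front end and the callback to the portal must go over TLS in anything but this local test, and that port 8888 is chosen only to avoid colliding with the portal's own 8080. The port note for 8005 and 8009 should also remind the reader that the host, port and context set in deployerConfigContext.xml in the earlier step refer to the portal, not to this Tomcat.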
@@ -235,50 +235,50 @@
</authentication>
</programlisting>
- </listitem>
- <listitem>
- <para>
- In Tomcat, edit <filename>GATEIN_HOME/conf/jaas.conf</filename> and
uncomment this section:
- </para>
+ </listitem>
+ <listitem>
+ <para>
+ In Tomcat, edit
<filename>GATEIN_HOME/conf/jaas.conf</filename> and uncomment this section:
+ </para>
<programlisting>org.gatein.sso.agent.login.SSOLoginModule required;
org.exoplatform.services.security.j2ee.TomcatLoginModule required
portalContainerName=portal
realmName=gatein-domain;
</programlisting>
- </listitem>
- </itemizedlist>
- </step>
- <step>
- <para>
- The installation can be tested at this point:
- </para>
- <procedure>
- <step>
- <para>
- Start (or restart) &PRODUCT;, and (assuming the CAS server on Tomcat is
running) direct your browser to <ulink type="http"
url="http://localhost:8888/cas">http://localhost:8888/cas</ulink>.
- </para>
- </step>
- <step>
- <para>
- Login with the username <literal>root</literal> and the password
<literal>gtn</literal> (or any account created through the portal).
- </para>
- </step>
- </procedure>
- </step>
- </procedure>
- </section>
-
- <section
id="sect-Reference_Guide-CAS_Central_Authentication_Service-Redirect_to_CAS">
- <title>Redirect to CAS</title>
- <para>
- To utilize the Central Authentication Service, &PRODUCT; needs to redirect all
user authentication to the CAS server.
- </para>
- <para>
- Information about where the CAS is hosted must be properly configured within the
&PRODUCT; instance. The required configuration is done by modifying three files:
- <itemizedlist>
- <listitem>
- <para>
- In the
<filename>gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml</filename>
file modify the 'Sign In' link as follows:
+ </listitem>
+ </itemizedlist>
+ </step>
+ <step>
+ <para>
+ The installation can be tested at this point:
+ </para>
+ <procedure>
+ <step>
+ <para>
+ Start (or restart) &PRODUCT;, and (assuming the CAS
server on Tomcat is running) direct your browser to <ulink type="http"
url="http://localhost:8888/cas">http://localhost:8888/cas</ulink>.
+ </para>
+ </step>
+ <step>
+ <para>
+ Login with the username
<literal>root</literal> and the password <literal>gtn</literal>
(or any account created through the portal).
+ </para>
+ </step>
+ </procedure>
+ </step>
+ </procedure>
+ </section>
+
+ <section
id="sect-Reference_Guide-CAS_Central_Authentication_Service-Redirect_to_CAS">
+ <title>Redirect to CAS</title>
+ <para>
+ To utilize the Central Authentication Service, &PRODUCT; needs to
redirect all user authentication to the CAS server.
+ </para>
+ <para>
+ Information about where the CAS is hosted must be properly configured
within the &PRODUCT; instance. The required configuration is done by modifying three
files:
+ <itemizedlist>
+ <listitem>
+ <para>
+ In the
<filename>gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml</filename>
file modify the 'Sign In' link as follows:
<programlisting>
<![CDATA[
<!--
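Review bot: the test step tells the reader to log in as root with password gtn, which is the portal's stock administrator account, and the JOSSO section repeats the same instruction later in this patch; the sample should say these credentials are for the fresh test install only and must be changed before the SSO-fronted portal is reachable by anyone else. The "Redirect to CAS" intro says "The required configuration is done by modifying three files", but the list that follows in the next hunks has four items (UIBannerPortlet.gtml, UILogoPortlet.gtmpl, login.jsp and web.xml), and the JOSSO copy of the same list in this patch says "four files"; make this one say four as well. The first path, gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml, has a doubled groovy/groovy segment and a .gtml extension while its sibling is groovy/portal/webui/component/UILogoPortlet.gtmpl; verify it against the deployed ear before this reindent locks it in, since a reader who cannot find the file will skip the step and keep the old Sign In link.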
@@ -287,11 +287,11 @@
<a class="Login"
href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
]]>
</programlisting>
- </para>
- </listitem>
- <listitem>
- <para>
- In the
<filename>gatein.ear/web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl</filename>
file modify the 'Sign In' link as follows:
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ In the
<filename>gatein.ear/web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl</filename>
file modify the 'Sign In' link as follows:
<programlisting>
<![CDATA[
<!--
@@ -300,12 +300,12 @@
<a
href="/portal/sso"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
]]>
</programlisting>
- </para>
- </listitem>
- <listitem>
- <para>
- Replace the entire contents of
<filename>gatein.ear/02portal.war/login/jsp/login.jsp</filename> with:
- </para>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Replace the entire contents of
<filename>gatein.ear/02portal.war/login/jsp/login.jsp</filename> with:
+ </para>
<programlisting><html>
<head>
<script type="text/javascript">
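Review bot: "Replace the entire contents of gatein.ear/02portal.war/login/jsp/login.jsp with" a page whose body is a script block removes the portal's own login form, so after this step the CAS server is the only way into the portal; the step should say so and tell the reader to keep a copy of the original login.jsp (or how to restore it) so that an administrator can still get in when the CAS server is down or misconfigured. The reader is editing the deployed ear in place, and the Prerequisites text in this same patch already warns that portal extensions can override these files, so the risk of losing the edit silently should be stated next to this step rather than left to the overview.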
@@ -316,10 +316,10 @@
</body>
</html>
</programlisting>
- </listitem>
- <listitem>
- <para>
- Add the following Filters at the top of the filter chain in
<filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename>:
+ </listitem>
+ <listitem>
+ <para>
+ Add the following Filters at the top of the filter chain in
<filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename>:
<programlisting>
@@ -398,116 +398,116 @@
</para>
</section>
- </section>
-
- <section id="sect-Reference_Guide-Single_Sign_On-JOSSO">
- <title>JOSSO</title>
- <para>
- This Single Sign On plugin enables seamless integration between &PRODUCT; and the
JOSSO Single Sign On Framework. Details about JOSSO can be found <ulink
url="http://www.josso.org">here</ulink>.
- </para>
- <para>
- Setting up this integration involves two steps. The first step is to install or
configure a JOSSO server, and the second is to set up the portal to use the JOSSO server.
- </para>
- <section id="sect-Reference_Guide-JOSSO-JOSSO_server">
- <title>JOSSO server</title>
- <para>
- This section details setting up the JOSSO server to authenticate against the
&PRODUCT; login module.
- </para>
- <para>
- In this example the JOSSO server will be installed on Tomcat.
- </para>
- <section id="sect-Reference_Guide-JOSSO_server-Obtaining_JOSSO">
- <title>Obtaining JOSSO</title>
- <para>
- JOSSO can be downloaded from <ulink type="http"
url="http://sourceforge.net/projects/josso/files/">http://so...;.
Use the package that embeds Apache Tomcat.
- </para>
- <para>
- Once downloaded, extract the package into what will be called
<filename>JOSSO_HOME</filename> in this example.
- </para>
+ </section>
+
+ <section id="sect-Reference_Guide-Single_Sign_On-JOSSO">
+ <title>JOSSO</title>
+ <para>
+ This Single Sign On plugin enables seamless integration between &PRODUCT;
and the JOSSO Single Sign On Framework. Details about JOSSO can be found <ulink
url="http://www.josso.org">here</ulink>.
+ </para>
+ <para>
+ Setting up this integration involves two steps. The first step is to install
or configure a JOSSO server, and the second is to set up the portal to use the JOSSO
server.
+ </para>
+ <section id="sect-Reference_Guide-JOSSO-JOSSO_server">
+ <title>JOSSO server</title>
+ <para>
+ This section details setting up the JOSSO server to authenticate against
the &PRODUCT; login module.
+ </para>
+ <para>
+ In this example the JOSSO server will be installed on Tomcat.
+ </para>
+ <section
id="sect-Reference_Guide-JOSSO_server-Obtaining_JOSSO">
+ <title>Obtaining JOSSO</title>
+ <para>
+ JOSSO can be downloaded from <ulink type="http"
url="http://sourceforge.net/projects/josso/files/">http://so...;.
Use the package that embeds Apache Tomcat.
+ </para>
+ <para>
+ Once downloaded, extract the package into what will be called
<filename>JOSSO_HOME</filename> in this example.
+ </para>
<warning>
<para>The steps described later are only correct in case of JOSSO
v.1.8.1.</para>
</warning>
- </section>
-
- <section
id="sect-Reference_Guide-JOSSO_server-Modifying_JOSSO_server">
- <title>Modifying the JOSSO server</title>
- <procedure>
- <step>
- <para>
- Copy the files from <filename>GATEIN_SSO_HOME/josso/plugin</filename>
into the Tomcat directory (<filename>JOSSO_HOME</filename>).
- </para>
- <para>
- This action should replace or add the following files to the
<filename>JOSSO_HOME/webapps/josso/WEB-INF/lib</filename> directory:
- </para>
- <itemizedlist>
- <listitem>
- <para>
- <filename>JOSSO_HOME/lib/josso-gateway-config.xml</filename>
- </para>
- </listitem>
- <listitem>
- <para>
- <filename>JOSSO_HOME/lib/josso-gateway-gatein-stores.xml</filename>
- </para>
- </listitem>
- </itemizedlist>
- <para>
- and
- </para>
- <itemizedlist>
- <listitem>
- <para>
- <filename>JOSSO_HOME/webapps/josso/WEB-INF/classes/gatein.properties</filename>
- </para>
- </listitem>
- </itemizedlist>
- </step>
- <step>
- <para>
- Edit <filename>TOMCAT_HOME/conf/server.xml</filename> and replace the
8080 port to 8888 to change the default Tomcat port and avoid a conflict with the default
&PRODUCT; port (for testing purposes).
- <note>
- <title>Port Conflicts</title>
- <para>
+ </section>
+
+ <section
id="sect-Reference_Guide-JOSSO_server-Modifying_JOSSO_server">
+ <title>Modifying the JOSSO server</title>
+ <procedure>
+ <step>
+ <para>
+ Copy the files from
<filename>GATEIN_SSO_HOME/josso/plugin</filename> into the Tomcat directory
(<filename>JOSSO_HOME</filename>).
+ </para>
+ <para>
+ This action should replace or add the following files to the
<filename>JOSSO_HOME/webapps/josso/WEB-INF/lib</filename> directory:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+
<filename>JOSSO_HOME/lib/josso-gateway-config.xml</filename>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+
<filename>JOSSO_HOME/lib/josso-gateway-gatein-stores.xml</filename>
+ </para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ and
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+
<filename>JOSSO_HOME/webapps/josso/WEB-INF/classes/gatein.properties</filename>
+ </para>
+ </listitem>
+ </itemizedlist>
+ </step>
+ <step>
+ <para>
+ Edit
<filename>TOMCAT_HOME/conf/server.xml</filename> and replace the 8080 port to
8888 to change the default Tomcat port and avoid a conflict with the default &PRODUCT;
port (for testing purposes).
+ <note>
+ <title>Port Conflicts</title>
+ <para>
If &PRODUCT; is running on the same machine as Tomcat,
other ports need to be changed in addition to 8080 in order to avoid port conflicts.
They can be changed to any free port. For example, you can
change admin port from 8005 to 8805, and AJP port from 8009 to 8809.
- </para>
- </note>
- </para>
- </step>
- <step>
- <para>
- Tomcat should now start and allow access to <ulink type="http"
url="http://localhost:8888/josso/signon/login.do">http://localhost:8888/josso/signon/login.do</ulink>
but at this stage login will not be available.
- </para>
- <mediaobject>
- <imageobject>
- <imagedata
fileref="images/AuthenticationAndIdentity/SSO/opensso.png"
format="PNG" width="444" />
- </imageobject>
- </mediaobject>
- </step>
- </procedure>
- </section>
+ </para>
+ </note>
+ </para>
+ </step>
+ <step>
+ <para>
+ Tomcat should now start and allow access to <ulink
type="http"
url="http://localhost:8888/josso/signon/login.do">http://localhost:8888/josso/signon/login.do</ulink>
but at this stage login will not be available.
+ </para>
+ <mediaobject>
+ <imageobject>
+ <imagedata
fileref="images/AuthenticationAndIdentity/SSO/opensso.png"
format="PNG" width="444" />
+ </imageobject>
+ </mediaobject>
+ </step>
+ </procedure>
+ </section>
- </section>
-
- <section id="sect-Reference_Guide-JOSSO-Setup_the_JOSSO_client">
- <title>Setup the JOSSO client</title>
- <procedure>
- <step>
- <para>
- Copy the library files from
<filename>GATEIN_SSO_HOME/josso/gatein.ear/lib</filename> into
<filename>gatein.ear/lib</filename> (or into
<filename>GATEIN_HOME/lib</filename> if &PRODUCT; is running in Tomcat)
- </para>
- </step>
+ </section>
+
+ <section id="sect-Reference_Guide-JOSSO-Setup_the_JOSSO_client">
+ <title>Setup the JOSSO client</title>
+ <procedure>
+ <step>
+ <para>
+ Copy the library files from
<filename>GATEIN_SSO_HOME/josso/gatein.ear/lib</filename> into
<filename>gatein.ear/lib</filename> (or into
<filename>GATEIN_HOME/lib</filename> if &PRODUCT; is running in Tomcat)
+ </para>
+ </step>
<step>
<para>
Copy the file
<filename>GATEIN_SSO_HOME/josso/gatein.ear/portal.war/WEB-INF/classes/josso-agent-config.xml</filename>
into <filename>gatein.ear/02portal.war/WEB-INF/classes</filename> (or into
<filename>GATEIN_HOME/webapps/portal.war/WEB-INF/classes</filename>, or
<filename>GATEIN_HOME/conf</filename> if &PRODUCT; is running in Tomcat)
</para>
</step>
- <step>
- <itemizedlist>
- <listitem>
- <para>
- In JBoss AS, edit
<filename>gatein.ear/META-INF/gatein-jboss-beans.xml</filename> and uncomment
this section:
- </para>
+ <step>
+ <itemizedlist>
+ <listitem>
+ <para>
+ In JBoss AS, edit
<filename>gatein.ear/META-INF/gatein-jboss-beans.xml</filename> and uncomment
this section:
+ </para>
<programlisting><authentication>
<login-module code="org.gatein.sso.agent.login.SSOLoginModule"
flag="required">
</login-module>
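Review bot: the "Modifying the JOSSO server" step says that copying GATEIN_SSO_HOME/josso/plugin "should replace or add the following files to the JOSSO_HOME/webapps/josso/WEB-INF/lib directory", but none of the three files it then lists lives there: josso-gateway-config.xml and josso-gateway-gatein-stores.xml are given under JOSSO_HOME/lib/ and gatein.properties under JOSSO_HOME/webapps/josso/WEB-INF/classes/; drop the WEB-INF/lib claim and describe the files at the locations the list already shows. The next step edits TOMCAT_HOME/conf/server.xml, but this section never defines TOMCAT_HOME; the step before calls the embedded Tomcat "the Tomcat directory (JOSSO_HOME)", so the path should be JOSSO_HOME/conf/server.xml. The screenshot after the http://localhost:8888/josso/signon/login.do URL references images/AuthenticationAndIdentity/SSO/opensso.png, which by its name is the OpenSSO image, inside the JOSSO section; check that the right file is referenced. The warning that "The steps described later are only correct in case of JOSSO v.1.8.1" belongs next to the download link, not after the extraction step, so the reader picks the right package before unpacking it.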
@@ -517,50 +517,50 @@
</login-module>
</authentication>
</programlisting>
- </listitem>
- <listitem>
- <para>
- In Tomcat, edit <filename>GATEIN_HOME/conf/jaas.conf</filename> and
uncomment this section:
- </para>
+ </listitem>
+ <listitem>
+ <para>
+ In Tomcat, edit
<filename>GATEIN_HOME/conf/jaas.conf</filename> and uncomment this section:
+ </para>
<programlisting>org.gatein.sso.agent.login.SSOLoginModule required;
-org.exoplatform.services.security.j2ee.TomcatLoginModule requiredtm
+org.exoplatform.services.security.j2ee.TomcatLoginModule requiredtm
portalContainerName=portal
realmName=gatein-domain;
</programlisting>
- </listitem>
- </itemizedlist>
- </step>
- <step>
- <para>
- The installation can be tested at this point.
- </para>
- <procedure>
- <step>
- <para>
- Start (or restart) &PRODUCT;, and (assuming the JOSSO server on Tomcat is
running) direct your browser to <ulink type="http"
url="http://localhost:8888/josso/signon/login.do">http://localhost:8888/josso/signon/login.do</ulink>.
- </para>
- </step>
- <step>
- <para>
- Login with the username <literal>root</literal> and the password
<literal>gtn</literal> or any account created through the portal.
- </para>
- </step>
- </procedure>
- </step>
- </procedure>
- </section>
-
- <section
id="sect-Reference_Guide-JOSSO-Setup_the_portal_to_redirect_to_JOSSO">
- <title>Setup the portal to redirect to JOSSO</title>
- <para>
- The next part of the process is to redirect all user authentication to the JOSSO
server.
- </para>
- <para>
- Information about where the JOSSO server is hosted must be properly configured within
the &PRODUCT; instance. The required configuration is done by modifying four files:
- <itemizedlist>
- <listitem>
- <para>
- In the
<filename>gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml</filename>
file modify the 'Sign In' link as follows:
+ </listitem>
+ </itemizedlist>
+ </step>
+ <step>
+ <para>
+ The installation can be tested at this point.
+ </para>
+ <procedure>
+ <step>
+ <para>
+ Start (or restart) &PRODUCT;, and (assuming the JOSSO
server on Tomcat is running) direct your browser to <ulink type="http"
url="http://localhost:8888/josso/signon/login.do">http://localhost:8888/josso/signon/login.do</ulink>.
+ </para>
+ </step>
+ <step>
+ <para>
+ Login with the username
<literal>root</literal> and the password <literal>gtn</literal> or
any account created through the portal.
+ </para>
+ </step>
+ </procedure>
+ </step>
+ </procedure>
+ </section>
+
+ <section
id="sect-Reference_Guide-JOSSO-Setup_the_portal_to_redirect_to_JOSSO">
+ <title>Setup the portal to redirect to JOSSO</title>
+ <para>
+ The next part of the process is to redirect all user authentication to
the JOSSO server.
+ </para>
+ <para>
+ Information about where the JOSSO server is hosted must be properly
configured within the &PRODUCT; instance. The required configuration is done by
modifying four files:
+ <itemizedlist>
+ <listitem>
+ <para>
+ In the
<filename>gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml</filename>
file modify the 'Sign In' link as follows:
<programlisting>
<![CDATA[
<!--
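Review bot: the + line "org.exoplatform.services.security.j2ee.TomcatLoginModule requiredtm" keeps the requiredtm typo from the - line it replaces; the only JAAS control flags are required, requisite, sufficient and optional, and the JAAS configuration parser rejects the whole jaas.conf on an unknown flag, so a reader who pastes this sample into GATEIN_HOME/conf/jaas.conf gets a login configuration error instead of a JOSSO login. The CAS section's copy of the same block earlier in this patch has "required"; use that here. This line also sits inside a <programlisting>, where leading whitespace is rendered verbatim, so a reindent pass should not have touched it in the first place.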
@@ -569,11 +569,11 @@
<a class="Login"
href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
]]>
</programlisting>
- </para>
- </listitem>
- <listitem>
- <para>
- In the
<filename>gatein.ear/web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl</filename>
file modify the 'Sign In' link as follows:
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ In the
<filename>gatein.ear/web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl</filename>
file modify the 'Sign In' link as follows:
<programlisting>
<![CDATA[
<!--
@@ -582,12 +582,12 @@
<a
href="/portal/sso"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
]]>
</programlisting>
- </para>
- </listitem>
- <listitem>
- <para>
- Replace the entire contents of
<filename>gatein.ear/02portal.war/login/jsp/login.jsp</filename> with:
- </para>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Replace the entire contents of
<filename>gatein.ear/02portal.war/login/jsp/login.jsp</filename> with:
+ </para>
<programlisting><html>
<head>
<script type="text/javascript">
@@ -598,10 +598,10 @@
</body>
</html>
</programlisting>
- </listitem>
- <listitem>
- <para>
- Add the following Filters at the top of the filter chain in
<filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename>:
+ </listitem>
+ <listitem>
+ <para>
+ Add the following Filters at the top of the filter chain in
<filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename>:
<programlisting>
@@ -640,9 +640,9 @@
<!-- filters should be placed at the very top of the filter chain -->
<filter-mapping>
- <filter-name>LoginRedirectFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
+ <filter-name>LoginRedirectFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
<filter-mapping>
<filter-name>JOSSOLogoutFilter</filter-name>
<url-pattern>/*</url-pattern>
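Review bot: the three reindented lines are inside the <programlisting> for web.xml, where leading whitespace is rendered as-is; after this change the LoginRedirectFilter mapping is indented differently from the unchanged JOSSOLogoutFilter mapping directly below it, so the rendered sample is less consistent than before the reindent. Revert these three lines and keep <programlisting> content out of whitespace sweeps. The comment above them, "filters should be placed at the very top of the filter chain", is the part of this sample that matters: servlet filters run in the order their filter-mapping elements appear, so a LoginRedirectFilter mapped to /* only intercepts requests that no earlier mapping has already handled.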
@@ -662,68 +662,68 @@
</para>
</section>
- </section>
-
- <section
id="sect-Reference_Guide-Single_Sign_On-OpenSSO_The_Open_Web_SSO_project">
- <title>OpenSSO - The Open Web SSO project</title>
- <para>
- This Single Sign On plugin enables seamless integration between &PRODUCT; and the
OpenSSO Single Sign On Framework. Details about OpenSSO can be found <ulink
url="https://opensso.dev.java.net/">here</ulink>.
- </para>
- <para>
- Setting up this integration involves two steps. The first step is to install or
configure an OpenSSO server, and the second is to set up the portal to use the OpenSSO
server.
- </para>
- <section
id="sect-Reference_Guide-OpenSSO_The_Open_Web_SSO_project-OpenSSO_server">
- <title>OpenSSO server</title>
- <para>
- This section details the setting up of OpenSSO server to authenticate against the
&PRODUCT; login module.
- </para>
- <para>
- In this example the OpenSSO server will be installed on Tomcat.
- </para>
- <section id="sect-Reference_Guide-OpenSSO_server-Obtaining_OpenSSO">
- <title>Obtaining OpenSSO</title>
- <para>
- OpenSSO can be downloaded from <ulink type="http"
url="http://download.oracle.com/otn/nt/middleware/11g/oracle_opensso...;.
- </para>
- <para>
- Once downloaded, extract the package into a suitable location. This location will be
referred to as <filename>OPENSSO_HOME</filename> in this example.
- </para>
- </section>
-
- <section
id="sect-Reference_Guide-OpenSSO_server-Modifying_OpenSSO_server">
- <title>Modifying OpenSSO server</title>
- <para>
- To configure the web server as desired, it is simpler to directly modify the
sources.
- </para>
- <para>
- The first step is to add the &PRODUCT; Authentication Plugin:
- </para>
- <para>
- The plugin makes secure authentication callbacks to a RESTful service installed on
the remote &PRODUCT; server in order to authenticate a user.
- </para>
- <para>
- In order for the plugin to function correctly, it needs to be properly configured to
connect to this service. This configuration is done via the
<filename>opensso.war/config/auth/default/AuthenticationPlugin.xml</filename>
file.
- </para>
- <procedure>
- <step>
- <para>
- Obtain a copy of Tomcat and extract it into a suitable location (this location
will be referred to as <filename>TOMCAT_HOME</filename> in this example).
- </para>
- </step>
- <step>
- <para>
- Change the default port to avoid a conflict with the default &PRODUCT; port
(for testing purposes). Do this by editing
<filename>TOMCAT_HOME/conf/server.xml</filename> and replacing the 8080 port
to 8888.
- <note>
- <para>
+ </section>
+
+ <section
id="sect-Reference_Guide-Single_Sign_On-OpenSSO_The_Open_Web_SSO_project">
+ <title>OpenSSO - The Open Web SSO project</title>
+ <para>
+ This Single Sign On plugin enables seamless integration between &PRODUCT;
and the OpenSSO Single Sign On Framework. Details about OpenSSO can be found <ulink
url="https://opensso.dev.java.net/">here</ulink>.
+ </para>
+ <para>
+ Setting up this integration involves two steps. The first step is to install
or configure an OpenSSO server, and the second is to set up the portal to use the OpenSSO
server.
+ </para>
+ <section
id="sect-Reference_Guide-OpenSSO_The_Open_Web_SSO_project-OpenSSO_server">
+ <title>OpenSSO server</title>
+ <para>
+ This section details the setting up of OpenSSO server to authenticate
against the &PRODUCT; login module.
+ </para>
+ <para>
+ In this example the OpenSSO server will be installed on Tomcat.
+ </para>
+ <section
id="sect-Reference_Guide-OpenSSO_server-Obtaining_OpenSSO">
+ <title>Obtaining OpenSSO</title>
+ <para>
+ OpenSSO can be downloaded from <ulink type="http"
url="http://download.oracle.com/otn/nt/middleware/11g/oracle_opensso...;.
+ </para>
+ <para>
+ Once downloaded, extract the package into a suitable location. This
location will be referred to as <filename>OPENSSO_HOME</filename> in this
example.
+ </para>
+ </section>
+
+ <section
id="sect-Reference_Guide-OpenSSO_server-Modifying_OpenSSO_server">
+ <title>Modifying OpenSSO server</title>
+ <para>
+ To configure the web server as desired, it is simpler to directly
modify the sources.
+ </para>
+ <para>
+ The first step is to add the &PRODUCT; Authentication Plugin:
+ </para>
+ <para>
+ The plugin makes secure authentication callbacks to a RESTful service
installed on the remote &PRODUCT; server in order to authenticate a user.
+ </para>
+ <para>
+ In order for the plugin to function correctly, it needs to be
properly configured to connect to this service. This configuration is done via the
<filename>opensso.war/config/auth/default/AuthenticationPlugin.xml</filename>
file.
+ </para>
+ <procedure>
+ <step>
+ <para>
+ Obtain a copy of Tomcat and extract it into a suitable
location (this location will be referred to as
<filename>TOMCAT_HOME</filename> in this example).
+ </para>
+ </step>
+ <step>
+ <para>
+ Change the default port to avoid a conflict with the default
&PRODUCT; port (for testing purposes). Do this by editing
<filename>TOMCAT_HOME/conf/server.xml</filename> and replacing the 8080 port
to 8888.
+ <note>
+ <para>
If &PRODUCT; is running on the same machine as Tomcat,
other ports need to be changed in addition to 8080 in order to avoid port conflicts.
They can be changed to any free port. For example, you can
change admin port from 8005 to 8805, and AJP port from 8009 to 8809.
- </para>
- </note>
- </para>
- </step>
- <step>
- <para>
- Ensure the
<filename>TOMCAT_HOME/webapps/opensso/config/auth/default/AuthenticationPlugin.xml</filename>
file looks like this:
+ </para>
+ </note>
+ </para>
+ </step>
+ <step>
+ <para>
+ Ensure the
<filename>TOMCAT_HOME/webapps/opensso/config/auth/default/AuthenticationPlugin.xml</filename>
file looks like this:
<programlisting>
<?xml version='1.0' encoding="UTF-8"?>
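Review bot: the whole hunk re-indents the OpenSSO overview and server-setup sections without changing a word, which buries the one substantive fix this commit claims (the SPNEGO web.xml sample) under formatting noise; the whitespace reflow would be easier to review as its own commit. While the paragraph "The plugin makes secure authentication callbacks to a RESTful service installed on the remote &PRODUCT; server" is being touched, it should say what makes the callback secure: the plugin forwards the credentials it collects through the Name/Password callbacks to the portal, and nothing on the page tells the reader that this connection has to be TLS-protected.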
@@ -735,40 +735,40 @@
header="GateIn OpenSSO Login" >
<NameCallback>
<Prompt>
- Username
+ Username
</Prompt>
</NameCallback>
<PasswordCallback echoPassword="false" >
<Prompt>
- Password
+ Password
</Prompt>
</PasswordCallback>
</Callbacks>
</ModuleProperties>
</programlisting>
- </para>
- </step>
- <step>
- <para>
- Copy
<filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/lib/sso-opensso-plugin-<VERSION>.jar</filename>,
<filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/lib/commons-httpclient-<VERSION>.jar</filename>,
and
<filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/lib/commons-logging-<VERSION>.jar</filename>
into the Tomcat directory at
<filename>TOMCAT_HOME/webapps/opensso/WEB-INF/lib</filename>.
- </para>
- </step>
- <step>
- <para>
- Copy
<filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/classes/gatein.properties</filename>
into <filename>TOMCAT_HOME/webapps/opensso/WEB-INF/classes</filename>
- </para>
- </step>
+ </para>
+ </step>
+ <step>
+ <para>
+ Copy
<filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/lib/sso-opensso-plugin-<VERSION>.jar</filename>,
<filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/lib/commons-httpclient-<VERSION>.jar</filename>,
and
<filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/lib/commons-logging-<VERSION>.jar</filename>
into the Tomcat directory at
<filename>TOMCAT_HOME/webapps/opensso/WEB-INF/lib</filename>.
+ </para>
+ </step>
+ <step>
+ <para>
+ Copy
<filename>GATEIN_SSO_HOME/opensso/plugin/WEB-INF/classes/gatein.properties</filename>
into <filename>TOMCAT_HOME/webapps/opensso/WEB-INF/classes</filename>
+ </para>
+ </step>
- <step>
- <para>
- Tomcat should start and be able to access <ulink type="http"
url="http://localhost:8888/opensso/UI/Login?realm=gatein">http://localhost:8888/opensso/UI/Login?realm=gatein</ulink>.
Login will not be available at this point.
- </para>
- <mediaobject>
- <imageobject>
- <imagedata
fileref="images/AuthenticationAndIdentity/SSO/opensso-shot.png"
format="PNG" />
- </imageobject>
- </mediaobject>
- </step>
+ <step>
+ <para>
+ Tomcat should start and be able to access <ulink
type="http"
url="http://localhost:8888/opensso/UI/Login?realm=gatein">http://localhost:8888/opensso/UI/Login?realm=gatein</ulink>.
Login will not be available at this point.
+ </para>
+ <mediaobject>
+ <imageobject>
+ <imagedata
fileref="images/AuthenticationAndIdentity/SSO/opensso-shot.png"
format="PNG" />
+ </imageobject>
+ </mediaobject>
+ </step>
</procedure>
<para>Configure "gatein" realm:</para>
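Review bot: the re-indented `Username` and `Password` lines are inside the `<programlisting>` that holds the AuthenticationPlugin.xml sample, so the added leading whitespace ends up inside the rendered `<Prompt>` element content rather than being cosmetic; keep listing contents at their original column. The step that copies gatein.properties into WEB-INF/classes should also name the property that points the plugin at the portal's authentication service, since that is the value a reader must change when the portal is not on localhost.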
@@ -817,22 +817,22 @@
</procedure>
<para>Also, instead of configuring OpenSSO manually as above, you can
refer to the available configuration files <ulink
url="https://repository.jboss.org/nexus/content/groups/public/org/ga...
</section>
- </section>
-
- <section
id="sect-Reference_Guide-OpenSSO_The_Open_Web_SSO_project-Setup_the_OpenSSO_client">
- <title>Setup the OpenSSO client</title>
- <procedure>
- <step>
- <para>
- Copy all libraries from
<filename>GATEIN_SSO_HOME/opensso/gatein.ear/lib</filename> into
<filename>JBOSS_HOME/server/default/deploy/gatein.ear/lib</filename> (Or, in
Tomcat, into <filename>GATEIN_HOME/lib</filename>)
- </para>
- </step>
- <step>
- <itemizedlist>
- <listitem>
- <para>
- In JBoss AS, edit gatein.ear/META-INF/gatein-jboss-beans.xml and uncomment this
section
- </para>
+ </section>
+
+ <section
id="sect-Reference_Guide-OpenSSO_The_Open_Web_SSO_project-Setup_the_OpenSSO_client">
+ <title>Setup the OpenSSO client</title>
+ <procedure>
+ <step>
+ <para>
+ Copy all libraries from
<filename>GATEIN_SSO_HOME/opensso/gatein.ear/lib</filename> into
<filename>JBOSS_HOME/server/default/deploy/gatein.ear/lib</filename> (Or, in
Tomcat, into <filename>GATEIN_HOME/lib</filename>)
+ </para>
+ </step>
+ <step>
+ <itemizedlist>
+ <listitem>
+ <para>
+ In JBoss AS, edit
gatein.ear/META-INF/gatein-jboss-beans.xml and uncomment this section
+ </para>
<programlisting><authentication>
<login-module code="org.gatein.sso.agent.login.SSOLoginModule"
flag="required">
</login-module>
@@ -843,49 +843,49 @@
</authentication>
</programlisting>
- </listitem>
- <listitem>
- <para>
- If you are running &PRODUCT; in Tomcat, edit $GATEIN_HOME/conf/jaas.conf and
uncomment this section
- </para>
+ </listitem>
+ <listitem>
+ <para>
+ If you are running &PRODUCT; in Tomcat, edit
$GATEIN_HOME/conf/jaas.conf and uncomment this section
+ </para>
<programlisting>org.gatein.sso.agent.login.SSOLoginModule required;
org.exoplatform.services.security.j2ee.TomcatLoginModule required
portalContainerName=portal
realmName=gatein-domain;
</programlisting>
- </listitem>
- </itemizedlist>
- <para>
- At this point the installation can be tested:
- </para>
- <procedure>
- <step>
- <para>
- Access &PRODUCT; by going to <ulink type="http"
url="http://localhost:8888/opensso/UI/Login?realm=gatein">http://localhost:8888/opensso/UI/Login?realm=gatein</ulink>
(assuming that the OpenSSO server using Tomcat is still running).
- </para>
- </step>
- <step>
- <para>
- Login with the username <literal>root</literal> and the password
<literal>gtn</literal> or any account created through the portal.
- </para>
- </step>
- </procedure>
- </step>
- </procedure>
- </section>
-
- <section
id="sect-Reference_Guide-OpenSSO_The_Open_Web_SSO_project-Setup_the_portal_to_redirect_to_OpenSSO">
- <title>Setup the portal to redirect to OpenSSO</title>
- <para>
- The next part of the process is to redirect all user authentication to the OpenSSO
server.
- </para>
- <para>
- Information about where the OpenSSO server is hosted must be properly configured
within the Enterprise Portal Platform instance. The required configuration is done by
modifying three files:
- <itemizedlist>
- <listitem>
- <para>
- In the
<filename>gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml</filename>
file modify the 'Sign In' link as follows:
+ </listitem>
+ </itemizedlist>
+ <para>
+ At this point the installation can be tested:
+ </para>
+ <procedure>
+ <step>
+ <para>
+ Access &PRODUCT; by going to <ulink
type="http"
url="http://localhost:8888/opensso/UI/Login?realm=gatein">http://localhost:8888/opensso/UI/Login?realm=gatein</ulink>
(assuming that the OpenSSO server using Tomcat is still running).
+ </para>
+ </step>
+ <step>
+ <para>
+ Login with the username
<literal>root</literal> and the password <literal>gtn</literal> or
any account created through the portal.
+ </para>
+ </step>
+ </procedure>
+ </step>
+ </procedure>
+ </section>
+
+ <section
id="sect-Reference_Guide-OpenSSO_The_Open_Web_SSO_project-Setup_the_portal_to_redirect_to_OpenSSO">
+ <title>Setup the portal to redirect to OpenSSO</title>
+ <para>
+ The next part of the process is to redirect all user authentication to
the OpenSSO server.
+ </para>
+ <para>
+ Information about where the OpenSSO server is hosted must be properly
configured within the Enterprise Portal Platform instance. The required configuration is
done by modifying three files:
+ <itemizedlist>
+ <listitem>
+ <para>
+ In the
<filename>gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml</filename>
file modify the 'Sign In' link as follows:
<programlisting>
<![CDATA[
<!--
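Review bot: the test step "Access &PRODUCT; by going to http://localhost:8888/opensso/UI/Login?realm=gatein" points at the OpenSSO login page on the Tomcat instance moved to port 8888 earlier, not at the portal; reword it to "Open the OpenSSO login page for the gatein realm" or give the portal URL. Two more documentation issues in this hunk: the paragraph announces "modifying three files" while the list that follows has four items (UIBannerPortlet.gtml, UILogoPortlet.gtmpl, login.jsp and web.xml), and the test step logs in with the default root/gtn account; once OpenSSO fronts the portal that default is reachable from the SSO login page, so tell readers to change it before exposing the setup.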
@@ -894,11 +894,11 @@
<a class="Login"
href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
]]>
</programlisting>
- </para>
- </listitem>
- <listitem>
- <para>
- In the
<filename>gatein.ear/web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl</filename>
file modify the 'Sign In' link as follows:
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ In the
<filename>gatein.ear/web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl</filename>
file modify the 'Sign In' link as follows:
<programlisting>
<![CDATA[
<!--
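Review bot: the two template paths disagree: the previous hunk edits `gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtml` while this one edits `gatein.ear/web.war/groovy/portal/webui/component/UILogoPortlet.gtmpl`; the `.gtml` extension and the doubled `groovy/groovy` segment look like typos and should be checked against the deployed archive. The `href="/portal/sso"` in both links also hard-codes the `/portal` context root, which deserves a sentence for deployments that rename it.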
@@ -907,12 +907,12 @@
<a
href="/portal/sso"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
]]>
</programlisting>
- </para>
- </listitem>
- <listitem>
- <para>
- Replace the entire contents of
<filename>gatein.ear/02portal.war/login/jsp/login.jsp</filename> with:
- </para>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Replace the entire contents of
<filename>gatein.ear/02portal.war/login/jsp/login.jsp</filename> with:
+ </para>
<programlisting><html>
<head>
<script type="text/javascript">
@@ -923,10 +923,10 @@
</body>
</html>
</programlisting>
- </listitem>
- <listitem>
- <para>
- Add the following Filters at the top of the filter chain in
<filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename>:
+ </listitem>
+ <listitem>
+ <para>
+ Add the following Filters at the top of the filter chain in
<filename>gatein.ear/02portal.war/WEB-INF/web.xml</filename>:
<programlisting>
@@ -941,7 +941,7 @@
realm=gatein&goto=http://localhost:8080/portal/initiatessologin</param-value>
</init-param>
</filter>
- <filter>
+ <filter>
<filter-name>OpenSSOLogoutFilter</filter-name>
<filter-class>org.gatein.sso.agent.filter.OpenSSOLogoutFilter</filter-class>
<init-param>
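Review bot: the `realm=gatein&goto=http://localhost:8080/portal/initiatessologin` value is inside a `<programlisting>` with no CDATA wrapper visible, so the bare `&` must be written `&amp;` or the DocBook source is not well-formed XML. The `goto` target is also hard-coded to localhost:8080; say explicitly that it must be the externally reachable portal URL, because it is the address OpenSSO redirects the authenticated browser back to.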
@@ -969,8 +969,8 @@
<!-- place the filters at the top of the filter chain -->
<filter-mapping>
- <filter-name>LoginRedirectFilter</filter-name>
- <url-pattern>/*</url-pattern>
+ <filter-name>LoginRedirectFilter</filter-name>
+ <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>OpenSSOLogoutFilter</filter-name>
@@ -991,37 +991,37 @@
</para>
</section>
- </section>
+ </section>
- <section id="Single_Sign_On-SPNEGO">
- <title>SPNEGO</title>
- <para>SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is
- used to authenticate transparently through the web browser after the
- user has been authenticated when logging-in his session.</para>
- <para>A typical use case is the following:</para>
- <procedure>
- <step>
- <para>Users logs into his desktop (Such as a Windows machine).</para>
- </step>
- <step>
- <para>The desktop login is governed by Active Directory domain.</para>
- </step>
- <step>
- <para>User then uses his browser (IE/Firefox) to access a web
- application (that uses JBoss Negotiation) hosted on JBoss EPP.</para>
- </step>
- <step>
- <para>The Browser transfers the desktop sign on information to the
- web application.</para>
- </step>
- <step>
- <para>JBoss EAP/AS uses background GSS messages with the Active
- Directory (or any Kerberos Server) to validate the user.</para>
- </step>
- <step>
- <para>The User has seamless SSO into the web application.</para>
- </step>
- </procedure>
+ <section id="Single_Sign_On-SPNEGO">
+ <title>SPNEGO</title>
+ <para>SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is
+ used to authenticate transparently through the web browser after the
+ user has been authenticated when logging-in his session.</para>
+ <para>A typical use case is the following:</para>
+ <procedure>
+ <step>
+ <para>Users logs into his desktop (Such as a Windows
machine).</para>
+ </step>
+ <step>
+ <para>The desktop login is governed by Active Directory
domain.</para>
+ </step>
+ <step>
+ <para>User then uses his browser (IE/Firefox) to access a web
+ application (that uses JBoss Negotiation) hosted on JBoss
EPP.</para>
+ </step>
+ <step>
+ <para>The Browser transfers the desktop sign on information to the
+ web application.</para>
+ </step>
+ <step>
+ <para>JBoss EAP/AS uses background GSS messages with the Active
+ Directory (or any Kerberos Server) to validate the
user.</para>
+ </step>
+ <step>
+ <para>The User has seamless SSO into the web
application.</para>
+ </step>
+ </procedure>
<section id="SPNEGO_server_configuration">
<title>SPNEGO Server Configuration</title>
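Review bot: the step "JBoss EAP/AS uses background GSS messages with the Active Directory (or any Kerberos Server) to validate the user" is inaccurate for the keytab-based setup configured later in this diff: the Negotiate header carries a Kerberos service ticket that the server validates with its own key from the keytab, so no exchange with the KDC happens at that point; reword it to "validates the Kerberos ticket presented by the browser using the keytab". Minor grammar while the lines are being touched: "Users logs into his desktop" should be "The user logs into the desktop", and the opening sentence ("after the user has been authenticated when logging-in his session") reads better as "after the user has already authenticated to the desktop session".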
@@ -1204,19 +1204,19 @@
</procedure>
</section>
<section id="Single_Sign_On-SPNEGO-GateIn_Configuration">
- <title>&PRODUCT; Configuration</title>
+ <title>&PRODUCT; Configuration</title>
<para>&PRODUCT; uses JBoss Negotiation to enable SPNEGO-based desktop
- SSO for the portal. Here are the steps to integrate SPNEGO with
- &PRODUCT;.
+ SSO for the portal. Here are the steps to integrate SPNEGO with
+ &PRODUCT;.
</para>
- <procedure>
- <step>
- <para>
- Activate the Host authentication under the <emphasis
role="bold">conf/login-config.xml </emphasis> file adding the following
host login module:
+ <procedure>
+ <step>
+ <para>
+ Activate the Host authentication under the <emphasis
role="bold">conf/login-config.xml </emphasis> file adding the following
host login module:
</para>
-
- Under conf/login-config.xml, add the following host login module:
- <programlisting><![CDATA[<!-- SPNEGO domain -->
+
+ Under conf/login-config.xml, add the following host login
module:
+ <programlisting><![CDATA[<!-- SPNEGO domain -->
<application-policy name="host">
<authentication>
<login-module code="com.sun.security.auth.module.Krb5LoginModule"
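Review bot: the instruction is duplicated: the `<para>` ends with "adding the following host login module:" and is immediately followed by the bare text "Under conf/login-config.xml, add the following host login module:" before the `<programlisting>`. Drop the second copy; besides reading twice, bare text directly inside `<step>` outside a `<para>` is not allowed by the DocBook content model.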
@@ -1232,16 +1232,16 @@
</application-policy>
]]></programlisting>
- <para>The 'keyTab' value should point to the keytab file that was
- generated by the kadmin kerberos tool. See the <xref
linkend="SPNEGO_server_configuration"/> section for more details.
+ <para>The 'keyTab' value should point to the keytab
file that was
+ generated by the kadmin kerberos tool. See the <xref
linkend="SPNEGO_server_configuration"/> section for more details.
</para>
- </step>
-
+ </step>
+
<step>
- <para>
- Extend the core authentication mechanisms to support SPNEGO under
- <emphasis
role="bold">deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml</emphasis>
by
- adding the 'SPNEGO' authenticators property.
+ <para>
+ Extend the core authentication mechanisms to support SPNEGO
under
+ <emphasis
role="bold">deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml</emphasis>
by
+ adding the 'SPNEGO' authenticators property.
</para>
<programlisting language="xml">
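Review bot: the keyTab paragraph should carry a permissions warning: the keytab holds the HTTP service principal's long-term key, which is equivalent to the service's password, so it must be readable only by the account that runs JBoss. That matters for this guide in particular because the run.sh command later in the diff is prefixed with sudo.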
@@ -1278,17 +1278,17 @@
</property>
]]>
</programlisting>
- </step>
- <step>
- <para>Add the GateIn SSO module binaries by copying <emphasis
role="bold">$GATEIN_SSO_HOME/spnego/gatein.ear/lib/sso-agent.jar</emphasis>,
and <emphasis
role="bold">$GATEIN_SSO_HOME/spnego/gatein.ear/lib/sso-spnego.jar</emphasis>
to the <emphasis role="bold">deploy/gatein.ear/lib</emphasis>
directory.
+ </step>
+ <step>
+ <para>Add the GateIn SSO module binaries by copying
<emphasis
role="bold">$GATEIN_SSO_HOME/spnego/gatein.ear/lib/sso-agent.jar</emphasis>,
and <emphasis
role="bold">$GATEIN_SSO_HOME/spnego/gatein.ear/lib/sso-spnego.jar</emphasis>
to the <emphasis role="bold">deploy/gatein.ear/lib</emphasis>
directory.
</para>
- </step>
- <step>
- <para>
- Modify the <emphasis
role="bold">deploy/gatein.ear/META-INF/gatein-jboss-beans.xml</emphasis>
file as below, then comment on other parts.
+ </step>
+ <step>
+ <para>
+ Modify the <emphasis
role="bold">deploy/gatein.ear/META-INF/gatein-jboss-beans.xml</emphasis>
file as below, then comment on other parts.
</para>
- <programlisting language="xml"><![CDATA[
+ <programlisting language="xml"><![CDATA[
<login-module code="org.gatein.sso.spnego.SPNEGOLoginModule"
flag="required">
<module-option
name="password-stacking">useFirstPass</module-option>
<module-option name="serverSecurityDomain">host</module-option>
@@ -1299,12 +1299,12 @@
<module-option name="realmName">gatein-domain</module-option>
</login-module>]]>
</programlisting>
- </step>
- <step>
- <para>
- Modify <emphasis
role="bold">gatein.ear/02portal.war/WEB-INF/web.xml</emphasis> as
below.</para>
+ </step>
+ <step>
+ <para>
+ Modify <emphasis
role="bold">gatein.ear/02portal.war/WEB-INF/web.xml</emphasis> as
below.</para>
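Review bot: "then comment on other parts" in the gatein-jboss-beans.xml step is ambiguous; presumably it means "comment out the other login modules in that file so that SPNEGOLoginModule (with password-stacking=useFirstPass and serverSecurityDomain=host) runs first", and the step should say so, since leaving the original modules active changes which module ends up authenticating the request.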
- <programlisting language="xml"><![CDATA[
+ <programlisting language="xml"><![CDATA[
<!--
<login-config>
<auth-method>FORM</auth-method>
@@ -1322,51 +1322,43 @@
</login-config>]]>
</programlisting>
<para>This integrates SPNEGO support into the Portal web archive by
switching the authentication mechanism from the default "FORM"-based to
"SPNEGO"-based authentication.</para>
- </step>
- <step>
- <para>Integrate the request pre-processing needed for SPNEGO via filters by
adding the following filters to the <emphasis role="bold">web.xml
</emphasis> at the top of the Filter chain.</para>
+ </step>
+ <step>
+ <para>Integrate the request pre-processing needed for SPNEGO
via filters by adding the following filters to the <emphasis
role="bold">web.xml </emphasis> at the top of the Filter
chain.</para>
<programlisting><![CDATA[
<filter>
<filter-name>LoginRedirectFilter</filter-name>
<filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
<init-param>
- <!-- This should point to your SSO authentication server -->
+ <!-- This should point to your SSO authentication server -->
<param-name>LOGIN_URL</param-name>
<param-value>/portal/private/classic</param-value>
- </init-param>
+ </init-param>
</filter>
-<filter>
- <filter-name>SPNEGOFilter</filter-name>
- <filter-class>org.gatein.sso.agent.filter.SPNEGOFilter</filter-class>
-</filter>
<filter-mapping>
<filter-name>LoginRedirectFilter</filter-name>
<url-pattern>/*</url-pattern>
-</filter-mapping>
-<filter-mapping>
- <filter-name>SPNEGOFilter</filter-name>
- <url-pattern>/*</url-pattern>
</filter-mapping>]]>
</programlisting>
-
- </step>
- <step>
- <para>
- Start the &PRODUCT; portal using the command below.</para>
- <programlisting>sudo ./run.sh -Djava.security.krb5.realm=LOCAL.NETWORK
-Djava.security.krb5.kdc=server.local.network -c PROFILE -b
server.local.network</programlisting>
+
+ </step>
+ <step>
+ <para>
+ Start the &PRODUCT; portal using the command
below.</para>
+ <programlisting>sudo ./run.sh
-Djava.security.krb5.realm=LOCAL.NETWORK -Djava.security.krb5.kdc=server.local.network -c
PROFILE -b server.local.network</programlisting>
<para>The PROFILE parameter in the above command should be replaced with
the server profile modified in the above configuration. For example, if you are
configuring the default profile, your command will be.</para>
<programlisting>sudo ./run.sh -Djava.security.krb5.realm=LOCAL.NETWORK
-Djava.security.krb5.kdc=server.local.network -c default -b
server.local.network</programlisting>
- </step>
- <step>
- <para>Login to Kerberos with the command.</para>
- <programlisting>kinit -A demo</programlisting>
- <para>You should be able to click the 'Sign In' link on the
&PRODUCT; portal
- and the 'demo' user from the &PRODUCT; portal should be automatically
- logged in.</para>
- </step>
- </procedure>
- </section>
+ </step>
+ <step>
+ <para>Login to Kerberos with the command.</para>
+ <programlisting>kinit -A demo</programlisting>
+ <para>You should be able to click the 'Sign In'
link on the &PRODUCT; portal
+ and the 'demo' user from the &PRODUCT; portal should
be automatically
+ logged in.</para>
+ </step>
+ </procedure>
+ </section>
<section id="Single_Sign_On-CAS_Central_Clients">
<title>Clients</title>
<para>After performing all configurations above, you need to enable the
<emphasis role="bold">Negotiate authentication </emphasis> of
Firefox in clients so that clients could be authenticated by &PRODUCT; as follows:
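Review bot: removing the SPNEGOFilter `<filter>` and `<filter-mapping>` leaves the step text out of sync: it still says "Integrate the request pre-processing needed for SPNEGO via filters by adding the following filters" although only LoginRedirectFilter remains; update the sentence to the singular and say why SPNEGOFilter is gone (if that class is not shipped, say so). Two more points in the remaining sample: the comment "<!-- This should point to your SSO authentication server -->" above `LOGIN_URL` is copied from the OpenSSO section and is wrong here, because `/portal/private/classic` is a security-constrained portal URL that triggers the SPNEGO challenge, not an SSO server, so the comment should say that. And the start command `sudo ./run.sh ...` runs the whole portal as root; the guide should run it as an unprivileged account that has read access to the keytab.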
@@ -1387,6 +1379,6 @@
</step>
</procedure>
</section>
- </section>
+ </section>
</section>