Author: bdaw
Date: 2010-01-21 13:40:09 -0500 (Thu, 21 Jan 2010)
New Revision: 1408
Added:
portal/trunk/component/web/src/main/java/org/exoplatform/web/login/ClusteredSSOFilter.java
Modified:
portal/trunk/component/web/pom.xml
portal/trunk/component/web/src/main/java/org/exoplatform/web/security/Credentials.java
portal/trunk/component/web/src/main/java/org/exoplatform/web/security/PortalLoginModule.java
portal/trunk/server/jboss/patch-ear/src/main/jboss/server/default/deploy/gatein.ear/META-INF/gatein-jboss-beans.xml
portal/trunk/web/portal/src/main/webapp/WEB-INF/web.xml
Log:
- Workaround for identity propagation problems in clustered configuration
Modified: portal/trunk/component/web/pom.xml
===================================================================
--- portal/trunk/component/web/pom.xml 2010-01-21 18:39:28 UTC (rev 1407)
+++ portal/trunk/component/web/pom.xml 2010-01-21 18:40:09 UTC (rev 1408)
@@ -97,5 +97,18 @@
<artifactId>json</artifactId>
<type>jar</type>
</dependency>
+
+ <dependency>
+ <groupId>javax.security</groupId>
+ <artifactId>jacc</artifactId>
+ <version>1.0</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.jboss.jbossas</groupId>
+ <artifactId>jboss-as-tomcat</artifactId>
+ <version>5.1.0.GA</version>
+ <scope>provided</scope>
+ </dependency>
</dependencies>
</project>
Added:
portal/trunk/component/web/src/main/java/org/exoplatform/web/login/ClusteredSSOFilter.java
===================================================================
---
portal/trunk/component/web/src/main/java/org/exoplatform/web/login/ClusteredSSOFilter.java
(rev 0)
+++
portal/trunk/component/web/src/main/java/org/exoplatform/web/login/ClusteredSSOFilter.java 2010-01-21
18:40:09 UTC (rev 1408)
@@ -0,0 +1,73 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2010, Red Hat Middleware, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+
+
+package org.exoplatform.web.login;
+
+import org.exoplatform.container.web.AbstractFilter;
+import org.exoplatform.services.security.IdentityRegistry;
+import org.exoplatform.web.security.Credentials;
+import org.exoplatform.web.security.PortalLoginModule;
+
+import org.jboss.web.tomcat.security.login.WebAuthentication;
+
+import javax.security.auth.login.LoginException;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+public class ClusteredSSOFilter extends AbstractFilter
+{
+
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain
chain) throws IOException, ServletException
+ {
+
+ HttpServletRequest httpRequest = (HttpServletRequest)request;
+
+ Credentials credentials =
(Credentials)httpRequest.getSession().getAttribute(PortalLoginModule.AUTHENTICATED_CREDENTIALS);
+
+ // Make programatic login if authenticated credentials are present in session -
they were set in another cluster node
+ if (credentials != null && httpRequest.getRemoteUser() == null)
+ {
+ WebAuthentication pwl = new WebAuthentication();
+ pwl.login(credentials.getUsername(), credentials.getPassword());
+
+ }
+
+ chain.doFilter(request, response);
+
+ // TODO:
+ // This is a workaround... without this code this attr will vanish from session
after first request - don't ask...
+ if (credentials != null && httpRequest.getSession(false) != null)
+ {
+
httpRequest.getSession(false).setAttribute(PortalLoginModule.AUTHENTICATED_CREDENTIALS,
credentials);
+ }
+ }
+
+ public void destroy()
+ {
+ //To change body of implemented methods use File | Settings | File Templates.
+ }
+}
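Review bot: The boolean returned by `pwl.login(credentials.getUsername(), credentials.getPassword())` in the replay branch is discarded, so a failed programmatic login (password changed or account disabled since the session was replicated) leaves the stale `Credentials` in the session and is silently retried on every request of that session. The filter also calls `httpRequest.getSession()` before the chain, which creates a session for every request including unauthenticated ones; `getSession(false)` with a null check avoids that and matches the `getSession(false)` guard used after the chain. Rewriting the replay branch as below (needs an import of `javax.servlet.http.HttpSession`) addresses both, and `destroy()` should lose the IDE template comment in favour of `// nothing to release`.
```java
      HttpServletRequest httpRequest = (HttpServletRequest)request;
      HttpSession session = httpRequest.getSession(false);
      Credentials credentials = (session == null) ? null
         : (Credentials)session.getAttribute(PortalLoginModule.AUTHENTICATED_CREDENTIALS);

      // Replay credentials propagated from another node only if this node has not authenticated the request yet
      if (credentials != null && httpRequest.getRemoteUser() == null)
      {
         WebAuthentication pwl = new WebAuthentication();
         if (!pwl.login(credentials.getUsername(), credentials.getPassword()))
         {
            // Stale or revoked credentials: stop replaying them on every request of this session
            session.removeAttribute(PortalLoginModule.AUTHENTICATED_CREDENTIALS);
            credentials = null;
         }
      }

      chain.doFilter(request, response);

      // … unchanged: re-set of AUTHENTICATED_CREDENTIALS after the chain (workaround) …
```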
Modified:
portal/trunk/component/web/src/main/java/org/exoplatform/web/security/Credentials.java
===================================================================
---
portal/trunk/component/web/src/main/java/org/exoplatform/web/security/Credentials.java 2010-01-21
18:39:28 UTC (rev 1407)
+++
portal/trunk/component/web/src/main/java/org/exoplatform/web/security/Credentials.java 2010-01-21
18:40:09 UTC (rev 1408)
@@ -19,13 +19,15 @@
package org.exoplatform.web.security;
+import java.io.Serializable;
+
/**
* An immutable object that contains a username and a password.
*
* @author <a href="mailto:julien.viet@exoplatform.com">Julien
Viet</a>
* @version $Revision$
*/
-public class Credentials
+public class Credentials implements Serializable
{
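Review bot: `implements Serializable` is added without a `serialVersionUID`, so the default computed id changes with any edit to the class and sessions replicated or passivated between nodes running different builds will fail to deserialize; add `private static final long serialVersionUID = 1L;` next to the fields. Since instances are now placed in the HTTP session by `PortalLoginModule.commit()`, the password value they carry travels over session replication and into any session store, which the class Javadoc should state so operators know to protect that channel, e.g. `* Instances are stored in the HTTP session for clustered SSO, so the password they hold is replicated between nodes.`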
Modified:
portal/trunk/component/web/src/main/java/org/exoplatform/web/security/PortalLoginModule.java
===================================================================
---
portal/trunk/component/web/src/main/java/org/exoplatform/web/security/PortalLoginModule.java 2010-01-21
18:39:28 UTC (rev 1407)
+++
portal/trunk/component/web/src/main/java/org/exoplatform/web/security/PortalLoginModule.java 2010-01-21
18:40:09 UTC (rev 1408)
@@ -23,6 +23,7 @@
import org.exoplatform.services.log.ExoLogger;
import org.exoplatform.services.log.Log;
import org.exoplatform.services.security.jaas.AbstractLoginModule;
+import org.exoplatform.web.login.InitiateLoginServlet;
import org.exoplatform.web.security.security.CookieTokenService;
import org.exoplatform.web.security.security.TransientTokenService;
@@ -30,6 +31,8 @@
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
+import javax.security.jacc.PolicyContext;
+import javax.servlet.http.HttpServletRequest;
/**
* A login module implementation that relies on the token store to check the
@@ -52,6 +55,10 @@
*/
protected Log log = ExoLogger.getLogger(PortalLoginModule.class);
+ public static final String CLUSTERED_SSO = "clusteredSSO";
+
+ public static final String AUTHENTICATED_CREDENTIALS =
"authenticatedCredentials";
+
/**
* @see javax.security.auth.spi.LoginModule#login()
*/
@@ -77,6 +84,28 @@
((CookieTokenService)container.getComponentInstanceOfType(CookieTokenService.class)).validateToken(
password, false);
//
+
+ // For clastered config check credentials stored and propagated in session. This
won't work in tomcat because
+ // of lack of JACC PolicyContext so the code must be a bit defensive
+ if (o == null && isClusteredSSO() &&
password.startsWith(InitiateLoginServlet.COOKIE_NAME))
+ {
+ HttpServletRequest request = null;
+ try
+ {
+ request =
(HttpServletRequest)PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
+
+ o = request.getSession().getAttribute(AUTHENTICATED_CREDENTIALS);
+
+ }
+ catch(Throwable e)
+ {
+ log.error(this,e);
+ log.error("LoginModule error. Turn off session credentials checking
with proper configuration option of " +
+ "LoginModule set to false: " + CLUSTERED_SSO);
+ }
+
+ }
+
if (o instanceof Credentials)
{
Credentials wc = (Credentials)o;
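Review bot: The `catch(Throwable e)` around the PolicyContext lookup swallows `Error`s such as `OutOfMemoryError` and then continues as if the lookup had merely failed, while the equivalent block in `commit()` in the next hunk catches `Exception`; both should catch `Exception`, and since the lookup and its error handling are duplicated verbatim they belong in one private helper such as `getCurrentRequest()` that returns null when no request is available. `log.error(this,e)` passes the login module instance as the message; `log.error("Cannot obtain HttpServletRequest from JACC PolicyContext", e)` is what a log reader needs, and a null return from `getContext` currently surfaces as an NPE reported with the same configuration-error message, which is misleading. The enclosing `login()` continues outside the hunk; the name supplied through the callback should be compared with `wc.getUsername()` there before the session-held credentials are accepted, if that is not already done. The comment at the top of the block should read "clustered" rather than "clastered".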
@@ -100,6 +129,31 @@
*/
public boolean commit() throws LoginException
{
+
+ if (isClusteredSSO() &&
+ sharedState.containsKey("javax.security.auth.login.name") &&
+ sharedState.containsKey("javax.security.auth.login.password"))
+ {
+ String uid =
(String)sharedState.get("javax.security.auth.login.name");
+ String pass =
(String)sharedState.get("javax.security.auth.login.password");
+
+ Credentials wc = new Credentials(uid, pass);
+
+ HttpServletRequest request = null;
+ try
+ {
+ request =
(HttpServletRequest)PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
+
+ request.getSession().setAttribute(AUTHENTICATED_CREDENTIALS, wc);
+
+ }
+ catch(Exception e)
+ {
+ log.error(this,e);
+ log.error("LoginModule error. Turn off session credentials checking with
proper configuration option of " +
+ "LoginModule set to false: " + CLUSTERED_SSO);
+ }
+ }
return true;
}
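Review bot: The `Credentials` stored at `request.getSession().setAttribute(AUTHENTICATED_CREDENTIALS, wc)` holds whatever `javax.security.auth.login.password` was in the shared state, which for a form login is the user's clear-text password, and nothing in this commit removes it again; the attribute lives for the whole session and is replicated to every node (the filter's post-chain re-set keeps it alive). Logout handling is outside this diff, so verify that it invalidates the session or removes `AUTHENTICATED_CREDENTIALS`, and document that on the constant. The two `(String)sharedState.get(...)` casts sit before the `try`, so a `ClassCastException` escapes `commit()` if another module stores the password as a `char[]`; move the lookups inside the `try` or guard them with `instanceof String`.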
@@ -124,4 +178,18 @@
{
return log;
}
+
+ protected boolean isClusteredSSO()
+ {
+ if (options != null)
+ {
+ String optionValue = (String)options.get(CLUSTERED_SSO);
+ if (optionValue != null && optionValue.length() > 0 &&
optionValue.equalsIgnoreCase("true"))
+ {
+ return true;
+ }
+ }
+ return false;
+ }
+
}
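Review bot: The `optionValue.length() > 0` test in `isClusteredSSO()` is redundant, since `equalsIgnoreCase("true")` already rejects the empty string, and the nested ifs collapse to `return options != null && "true".equalsIgnoreCase((String)options.get(CLUSTERED_SSO));`. The method is undocumented; add `/** Returns whether the {@code clusteredSSO} module option is set to {@code true}; false when no options were passed. */`. `options` appears to be a field inherited from `AbstractLoginModule`, which is outside this hunk.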
Modified:
portal/trunk/server/jboss/patch-ear/src/main/jboss/server/default/deploy/gatein.ear/META-INF/gatein-jboss-beans.xml
===================================================================
---
portal/trunk/server/jboss/patch-ear/src/main/jboss/server/default/deploy/gatein.ear/META-INF/gatein-jboss-beans.xml 2010-01-21
18:39:28 UTC (rev 1407)
+++
portal/trunk/server/jboss/patch-ear/src/main/jboss/server/default/deploy/gatein.ear/META-INF/gatein-jboss-beans.xml 2010-01-21
18:40:09 UTC (rev 1408)
@@ -5,6 +5,10 @@
<login-module code="org.exoplatform.web.security.PortalLoginModule"
flag="required">
<module-option
name="portalContainerName">portal</module-option>
<module-option
name="realmName">gatein-domain</module-option>
+ <!--Uncomment in clustered setup-->
+ <!--
+ <module-option name="clusteredSSO">true</module-option>
+ -->
</login-module>
<login-module
code="org.exoplatform.services.security.jaas.SharedStateLoginModule"
flag="required">
<module-option
name="portalContainerName">portal</module-option>
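Review bot: The commented-out `clusteredSSO` option is only half of the switch: with it on, `PortalLoginModule.commit()` stores the credentials in the session, but they are only replayed on another node if `<distributable/>` and the `ClusteredSSOFilter` mapping in web.xml (also commented out in this commit) are enabled as well, and the comment does not say so. Make the comment list the companion changes, e.g. `<!--Uncomment in clustered setup, together with <distributable/> and the ClusteredSSOFilter mapping in portal/WEB-INF/web.xml-->`, so that one half is not enabled alone.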
Modified: portal/trunk/web/portal/src/main/webapp/WEB-INF/web.xml
===================================================================
--- portal/trunk/web/portal/src/main/webapp/WEB-INF/web.xml 2010-01-21 18:39:28 UTC (rev
1407)
+++ portal/trunk/web/portal/src/main/webapp/WEB-INF/web.xml 2010-01-21 18:40:09 UTC (rev
1408)
@@ -24,8 +24,13 @@
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application
2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
- <display-name>portal</display-name>
-
+ <display-name>portal</display-name>
+
+ <!--Uncomment for clustered setup-->
+ <!--
+ <distributable/>
+ -->
+
<context-param>
<param-name>org.exoplatform.frameworks.jcr.command.web.fckeditor.digitalAssetsWorkspace</param-name>
<param-value>portal</param-value>
@@ -59,6 +64,8 @@
<filter-name>SetCurrentIdentityFilter</filter-name>
<filter-class>org.exoplatform.services.security.web.SetCurrentIdentityFilter</filter-class>
</filter>
+
+
<filter>
<filter-name>RestEncodingFilter</filter-name>
@@ -73,6 +80,19 @@
<filter-name>CacheUserProfileFilter</filter-name>
<filter-class>org.exoplatform.web.CacheUserProfileFilter</filter-class>
</filter>
+
+ <!--Uncomment for clustered setup-->
+ <!--
+ <filter>
+ <filter-name>ClusteredSSOFilter</filter-name>
+ <filter-class>org.exoplatform.web.login.ClusteredSSOFilter</filter-class>
+ </filter>
+
+ <filter-mapping>
+ <filter-name>ClusteredSSOFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+ -->
<filter-mapping>
<filter-name>GenericFilter</filter-name>