[Security & JAAS/JBoss] - Re: federated SSO framework and http cookies
by sohil.shah@jboss.com
Kenyee-
>Quick question for you: can the federated SSO framework retrieve and
>inject http cookies as part of user validation?
Kenyee, the JBoss SSO Framework does not dictate what type of authentication method is used by the web application; examples are JAAS-based modules, a completely proprietary form-based approach, etc. The SSO Framework kicks in once an authentication is actually performed by the web application. Once that happens, the SSO Framework generates/injects the necessary secure SAML token as a domain cookie that will be passed around within the federation of websites, so that the user will not be asked to log in when going to a partner site in that session.
At this moment, this SSO token management is closely integrated with the JAAS based authentication approach. But, based on community feedback, I think I will be adding integration with non-JAAS based/proprietary authentication methods very soon by updating the LoginProvider interface.
>1) a "remember me" checkbox next to the username/password field that
>lets users hit that site for a while after logging in once
The remember-me cookie can easily be used by the web application to set the cookie on the browser and authenticate using whatever authentication mechanism the web application wishes. Once the authentication is completed successfully, the SSO Framework will kick in and perform the necessary SSO token management, etc. Think of it as the SSO Framework hooking on top of your web application. You don't need to change the authentication use cases of your web application, like remember-me cookies, etc.
Just to clarify, the LoginProvider is an abstraction to Identity Stores that should be used by your authentication mechanism to pull Identity data from the store in a Store agnostic manner (LDAP, SiteMinder, JDBC etc).
I have gotten community feedback that besides the username and password parameters, there needs to be provision for sending in more information as criteria to perform a successful login. This will be addressed so that the LoginProvider interface can be made more generic.
>2) another web server on the same domain that puts in a session cookie
>of a logged in user (i.e., you log into that web server, the cookie is
>generated for your domain, then you go to the jboss federated server
>and autologin)
What you are referring to here, it seems, is a session cookie for a logged-in user of that web application. This is perfectly fine and is independent of the SSO token that is generated to perform autologin via the Federation Server. The Federation Server does not process any proprietary app-server-specific login sessions. It uses the SAML token to perform the single sign-on, which is generated by the SSO framework when a user successfully authenticates on a partner web application.
For some clarifications on some of the SSO architecture questions, also look at the following forum thread:
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=93785
I hope this answers your questions.
Thanks
Sohil
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3983554#3983554
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3983554
19 years, 6 months
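The pattern Sohil describes above (the application authenticates however it likes; the SSO layer then hooks in and issues a domain-wide cookie that partner sites accept for autologin) is sketched below as an added example. This is not the JBoss SSO Framework's code or its LoginProvider API: an HMAC-SHA256-signed opaque token stands in for the framework's SAML token, and the cookie name, domain, init-param name, request attribute name and token lifetime are all assumptions chosen for illustration. The security-relevant points it makes concrete are that a cookie scoped to the whole federation domain must be integrity-protected and expiring before any partner trusts it, and that it should carry Secure and HttpOnly (written by hand here, because the Servlet 2.x Cookie class the 2006 JBoss releases used has no setHttpOnly()).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Illustrative federation-cookie filter (added example, not the JBoss SSO Framework's code).
 * Runs AFTER the web application has authenticated the user by its own mechanism (JAAS,
 * form login, remember-me cookie) and mints a domain-wide, MAC-protected SSO cookie; on
 * the inbound side it validates such a cookie before handing the user name to the app.
 * Hypothetical: cookie name, domain, init-param name, attribute name, HMAC token format.
 */
public class FederationCookieFilter implements Filter {
    private static final String COOKIE_NAME = "FED_SSO";          // assumed
    private static final String COOKIE_DOMAIN = ".example.com";   // assumed federation domain
    private static final long TTL_MILLIS = 30L * 60 * 1000;       // assumed token lifetime
    private SecretKeySpec key;

    public void init(FilterConfig cfg) throws ServletException {
        String secret = cfg.getInitParameter("federationKey");    // assumed init-param, shared by partners
        if (secret == null || secret.length() < 32) {
            throw new ServletException("federationKey init-param missing or too short");
        }
        key = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Inbound: no local principal, but a partner site already set the federation cookie.
        // Only a token whose MAC and expiry check out reaches the application's login code.
        if (request.getUserPrincipal() == null) {
            String user = verify(cookieValue(request), System.currentTimeMillis());
            if (user != null) {
                request.setAttribute("federation.user", user);    // hand-off point (assumed name)
            }
        }

        chain.doFilter(req, res);

        // Outbound: the app's own mechanism has authenticated the user and no federation
        // cookie exists yet, so issue one for the whole domain with Secure + HttpOnly.
        if (request.getUserPrincipal() != null && cookieValue(request) == null
                && !response.isCommitted()) {
            String token = issue(request.getUserPrincipal().getName(), System.currentTimeMillis());
            response.addHeader("Set-Cookie", COOKIE_NAME + "=" + token
                    + "; Domain=" + COOKIE_DOMAIN + "; Path=/; Secure; HttpOnly");
        }
    }

    public void destroy() {}

    /** token = base64url(user|expiryMillis) "." base64url(HMAC-SHA256(key, payloadPart)) */
    String issue(String user, long nowMillis) {
        String p = b64((user + "|" + (nowMillis + TTL_MILLIS)).getBytes(StandardCharsets.UTF_8));
        return p + "." + b64(mac(p));
    }

    /** Returns the user name, or null when the cookie is absent, malformed, forged or expired. */
    String verify(String token, long nowMillis) {
        if (token == null) return null;
        int dot = token.indexOf('.');
        if (dot < 0) return null;
        String p = token.substring(0, dot);
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;
        }
        if (!MessageDigest.isEqual(mac(p), given)) return null;   // constant-time compare
        String payload = new String(Base64.getUrlDecoder().decode(p), StandardCharsets.UTF_8);
        int bar = payload.lastIndexOf('|');
        if (bar < 0) return null;
        long expiry;
        try {
            expiry = Long.parseLong(payload.substring(bar + 1));
        } catch (NumberFormatException e) {
            return null;
        }
        return nowMillis < expiry ? payload.substring(0, bar) : null;
    }

    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(key);
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    private static String cookieValue(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) return c.getValue();
        }
        return null;
    }
}
```

Two caveats for anyone adapting this: java.util.Base64 needs Java 8 or later, and a container FORM login that completes during the current request is not necessarily visible through that request's getUserPrincipal(), so the cookie is minted on the next authenticated request rather than the login response itself. The remember-me and partner session cookies from Ken's two use cases are untouched by this filter, which matches the separation Sohil describes: they drive the application's own authentication, and the federation cookie is only issued once that authentication has succeeded.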
[Installation, Configuration & Deployment] - XML transformer classloader issue
by norsay
I'm doing some XSL transformation. As it seems, each child node of the XML I'm trying to render is being duplicated and copied to the upper level.
example:
| <a>
| <b name="..."/>
| </a>
|
| after transformation:
| output of a
| output of b
| output of b
|
| expected output:
| output of a
| output of b
|
If the transformation is done as a standalone application, everything works as expected. If the transformation is done within JBoss, the transformation fails...
I read about a classloader issue for javax.xml.transform.TransformerFactory and I tried to fix it as discussed there (removing javax.xml from xml-apis.jar, setting XML stuff with -Djavax... property). However this didn't solve the problem.
I'm pretty sure this is a problem of classloaders. But I don't know which class is really responsible for the mess :-(
Any ideas?
BTW: I'm using JDK 1.5.0_06B05 with JBoss 3.2.8SP1
Thanks for your help!
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3983553#3983553
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3983553
19 years, 6 months
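The poster suspects a classloader problem but cannot tell which class is responsible. The probe below is an added example (not code from the post) that answers exactly that question when deployed inside the same application and run standalone for comparison: it reports which TransformerFactory implementation JAXP resolved, which jar and classloader both the javax.xml.transform API class and the implementation came from, and the value of the javax.xml.transform.TransformerFactory system property, then runs a constructed stylesheet over an input shaped like the post's <a><b/></a> example so the two outputs can be compared side by side. The input document and stylesheet are constructed for this example; the post does not show the real ones.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.security.CodeSource;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/**
 * Added diagnostic (not from the original post). Shows where JAXP resolved the
 * TransformerFactory API and implementation from, then runs a small transform so
 * the output inside JBoss can be compared with the standalone run.
 */
public class TransformerProbe {
    // Constructed input mirroring the post's <a><b name="..."/></a> shape.
    static final String XML = "<a><b name=\"x\"/></a>";

    // Constructed stylesheet: one template per element, each emitting one marker line.
    static final String XSL =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:template match=\"a\">output of a&#10;<xsl:apply-templates/></xsl:template>"
      + "<xsl:template match=\"b\">output of b&#10;</xsl:template>"
      + "</xsl:stylesheet>";

    /** Jar (or bootstrap) and classloader a class was actually loaded from. */
    static String origin(Class<?> c) {
        CodeSource src = c.getProtectionDomain().getCodeSource();
        String jar = (src == null) ? "<bootstrap classpath>" : String.valueOf(src.getLocation());
        return c.getName() + "\n    jar:    " + jar + "\n    loader: " + c.getClassLoader();
    }

    /** Full report: API class origin, implementation origin, and the override property. */
    static String describe(TransformerFactory f) {
        return "API:  " + origin(TransformerFactory.class)
             + "\nImpl: " + origin(f.getClass())
             + "\n-Djavax.xml.transform.TransformerFactory = "
             + System.getProperty("javax.xml.transform.TransformerFactory");
    }

    /** Runs the constructed transform with the given factory and returns its text output. */
    static String transform(TransformerFactory f) throws Exception {
        Transformer t = f.newTransformer(new StreamSource(new StringReader(XSL)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(XML)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory f = TransformerFactory.newInstance();
        System.out.println(describe(f));
        System.out.println("--- transform output ---");
        System.out.print(transform(f));
    }
}
```

Run main() standalone and again from a servlet or JSP in the deployed application (its output can be written to the response instead of System.out). If the "API" line points at the JDK while the "Impl" line points at a jar under the JBoss server/lib or lib/endorsed directory, or the two loaders differ, that is the mismatch the post's xml-apis.jar surgery was trying to remove, and the jar named in the report is the one to deal with. A correct processor prints each marker line once for the constructed stylesheet, which is the behaviour the post expects.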
[Security & JAAS/JBoss] - federated SSO framework and http cookies
by sohil.shah@jboss.com
-----Original Message-----
From: kenyee(a)keysolutions.com [mailto:kenyee@keysolutions.com]
Sent: Monday, November 06, 2006 1:46 PM
To: Sohil Shah
Subject: federated SSO framework and http cookies
Hi Sohil,
You guys really need to let people comment on the JBoss blog :-)
Quick question for you: can the federated SSO framework
retrieve and inject http cookies as part of user validation?
I looked at the wiki entries and the api for the LoginProvider
class doesn't seem to let you do this.
Two use cases I'm thinking of:
1) a "remember me" checkbox next to the username/password field
that lets users hit that site for a while after logging in once
2) another web server on the same domain that puts in a
session cookie of a logged in user (i.e., you log into that web
server, the cookie is generated for your domain, then you go
to the jboss federated server and autologin)
thanks,
ken
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3983552#3983552
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3983552
19 years, 6 months
[JBoss Seam] - Design question/ Best Practices
by ccanning
I am in the process of designing a new application based on Seam and EJB3 and I want to get some design help/best practices, since it has been a while since I developed a web-based app. My application will be accessed by the web tier and through other mechanisms (possibly RMI or web services). So, I was wondering what the best approach to my design is. Traditionally, I would probably design my business tier and provide lightweight facades for each other tier to access those business objects. Does this apply here? Based on the examples that I have seen (and I haven't been through all of them), the beans being used by Seam have web/display knowledge incorporated (like @DataModel and @DataModelSelection). To me, this wouldn't really play well if I was accessing the data through something like RMI. So, I guess my question is:
Should I design my app to have my business logic in stateful/stateless beans (based off of the Seam paradigm) and then have the web-based access layer (i.e. the Seam actions paradigm) in separate beans that manage the creation/selection/etc. of the display-based knowledge? If not, can someone give me some pointers? I am trying to quickly get an application off the ground and I don't want to make a lot of "newbie" design mistakes that I have to redesign/fix in a few months. Your expertise in this area would be greatly appreciated.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3983546#3983546
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3983546
19 years, 6 months