Author: bdaw Date: 2007-09-04 13:27:52 -0400 (Tue, 04 Sep 2007) New Revision: 8151 Added: modules/identity/trunk/sso/src/etc/cas/context.xml modules/identity/trunk/sso/src/etc/cas/deployerConfigContext.xml modules/identity/trunk/sso/src/etc/josso/context.xml modules/identity/trunk/sso/src/etc/josso/error.jsp modules/identity/trunk/sso/src/etc/josso/josso-agent-config.xml modules/identity/trunk/sso/src/etc/josso/josso-config.xml modules/identity/trunk/sso/src/etc/josso/josso-gateway-config.xml modules/identity/trunk/sso/src/etc/josso/login-config.xml modules/identity/trunk/sso/src/etc/josso/server.xml Removed: modules/identity/trunk/sso/src/etc/cas/cas_context.xml modules/identity/trunk/sso/src/etc/cas/cas_deployerConfigContext.xml modules/identity/trunk/sso/src/etc/josso/josso_context.xml modules/identity/trunk/sso/src/etc/josso/josso_error.jsp modules/identity/trunk/sso/src/etc/josso/josso_josso-agent-config.xml modules/identity/trunk/sso/src/etc/josso/josso_josso-config.xml modules/identity/trunk/sso/src/etc/josso/josso_josso-gateway-config.xml modules/identity/trunk/sso/src/etc/josso/josso_login-config.xml modules/identity/trunk/sso/src/etc/josso/josso_server.xml Log: change names Deleted: modules/identity/trunk/sso/src/etc/cas/cas_context.xml =================================================================== --- modules/identity/trunk/sso/src/etc/cas/cas_context.xml 2007-09-04 17:21:09 UTC (rev 8150) +++ modules/identity/trunk/sso/src/etc/cas/cas_context.xml 2007-09-04 17:27:52 UTC (rev 8151) @@ -1,9 +0,0 @@ -<?xml version="1.0"?> -<Context> - <Valve className="org.jboss.portal.identity.auth.CASAuthenticationValve" - casLogin="https://localhost:8080/cas/login" - casValidate="https://localhost:8080/cas/serviceValidate" - casServerName="localhost" - authType="FORM" - /> -</Context> Deleted: modules/identity/trunk/sso/src/etc/cas/cas_deployerConfigContext.xml =================================================================== --- modules/identity/trunk/sso/src/etc/cas/cas_deployerConfigContext.xml 2007-09-04 17:21:09 UTC (rev 8150) +++ modules/identity/trunk/sso/src/etc/cas/cas_deployerConfigContext.xml 2007-09-04 17:27:52 UTC (rev 8151) @@ -1,98 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd"> -<!-- - | deployerConfigContext.xml centralizes into one file some of the declarative configuration that - | all CAS deployers will need to modify. - | - | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment. - | The beans declared in this file are instantiated at context initialization time by the Spring - | ContextLoaderListener declared in web.xml. It finds this file because this - | file is among those declared in the context parameter "contextConfigLocation". - | - | By far the most common change you will need to make in this file is to change the last bean - | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with - | one implementing your approach for authenticating usernames and passwords. - +--> -<beans> - <!-- - | This bean declares our AuthenticationManager. The CentralAuthenticationService service bean - | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id, - | "authenticationManager". Most deployers will be able to use the default AuthenticationManager - | implementation and so do not need to change the class of this bean. We include the whole - | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will - | need to change in context. - +--> - <bean id="authenticationManager" - class="org.jasig.cas.authentication.AuthenticationManagerImpl"> - <!-- - | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate. - | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which - | supports the presented credentials. - | - | AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify the Principal - | attempting to authenticate to CAS /login . In the default configuration, it is the DefaultCredentialsToPrincipalResolver - | that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace - | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are - | using. - | - | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket. - | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose. - | You will need to change this list if you are identifying services by something more or other than their callback URL. - +--> - <property name="credentialsToPrincipalResolvers"> - <list> - <!-- - | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login - | by default and produces SimplePrincipal instances conveying the username from the credentials. - | - | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also - | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the - | Credentials you are using. - +--> - <bean - class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" /> - <!-- - | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of - | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a - | SimpleService identified by that callback URL. - | - | If you are representing services by something more or other than an HTTPS URL whereat they are able to - | receive a proxy callback, you will need to change this bean declaration (or add additional declarations). - +--> - <bean - class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" /> - </list> - </property> - - <!-- - | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate, - | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that - | authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn - | until it finds one that both supports the Credentials presented and succeeds in authenticating. - +--> - <property name="authenticationHandlers"> - <list> - <!-- - | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating - | a server side SSL certificate. - +--> - <bean - class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"> - <property - name="httpClient" - ref="httpClient" /> - </bean> - - <!-- - | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS - | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials - | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your - | local authentication strategy. You might accomplish this by coding a new such handler and declaring - | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules. - +--> - <bean - class="org.jboss.portal.identity.auth.CASAuthenticationHandler" /> - </list> - </property> - </bean> -</beans> Copied: modules/identity/trunk/sso/src/etc/cas/context.xml (from rev 8140, modules/identity/trunk/sso/src/etc/cas/cas_context.xml) =================================================================== --- modules/identity/trunk/sso/src/etc/cas/context.xml (rev 0) +++ modules/identity/trunk/sso/src/etc/cas/context.xml 2007-09-04 17:27:52 UTC (rev 8151) @@ -0,0 +1,9 @@ +<?xml version="1.0"?> +<Context> + <Valve className="org.jboss.portal.identity.sso.cas.CASAuthenticationValve" + casLogin="https://localhost/cas/login" + casValidate="https://localhost/cas/serviceValidate" + casServerName="localhost" + authType="FORM" + /> +</Context> Copied: modules/identity/trunk/sso/src/etc/cas/deployerConfigContext.xml (from rev 8140, modules/identity/trunk/sso/src/etc/cas/cas_deployerConfigContext.xml) =================================================================== --- modules/identity/trunk/sso/src/etc/cas/deployerConfigContext.xml (rev 0) +++ modules/identity/trunk/sso/src/etc/cas/deployerConfigContext.xml 2007-09-04 17:27:52 UTC (rev 8151) @@ -0,0 +1,98 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd"> +<!-- + | deployerConfigContext.xml centralizes into one file some of the declarative configuration that + | all CAS deployers will need to modify. + | + | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment. + | The beans declared in this file are instantiated at context initialization time by the Spring + | ContextLoaderListener declared in web.xml. It finds this file because this + | file is among those declared in the context parameter "contextConfigLocation". + | + | By far the most common change you will need to make in this file is to change the last bean + | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with + | one implementing your approach for authenticating usernames and passwords. + +--> +<beans> + <!-- + | This bean declares our AuthenticationManager. The CentralAuthenticationService service bean + | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id, + | "authenticationManager". Most deployers will be able to use the default AuthenticationManager + | implementation and so do not need to change the class of this bean. We include the whole + | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will + | need to change in context. + +--> + <bean id="authenticationManager" + class="org.jasig.cas.authentication.AuthenticationManagerImpl"> + <!-- + | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate. + | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which + | supports the presented credentials. + | + | AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify the Principal + | attempting to authenticate to CAS /login . In the default configuration, it is the DefaultCredentialsToPrincipalResolver + | that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace + | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are + | using. + | + | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket. + | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose. + | You will need to change this list if you are identifying services by something more or other than their callback URL. + +--> + <property name="credentialsToPrincipalResolvers"> + <list> + <!-- + | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login + | by default and produces SimplePrincipal instances conveying the username from the credentials. + | + | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also + | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the + | Credentials you are using. + +--> + <bean + class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" /> + <!-- + | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of + | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a + | SimpleService identified by that callback URL. + | + | If you are representing services by something more or other than an HTTPS URL whereat they are able to + | receive a proxy callback, you will need to change this bean declaration (or add additional declarations). + +--> + <bean + class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" /> + </list> + </property> + + <!-- + | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate, + | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that + | authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn + | until it finds one that both supports the Credentials presented and succeeds in authenticating. + +--> + <property name="authenticationHandlers"> + <list> + <!-- + | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating + | a server side SSL certificate. + +--> + <bean + class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"> + <property + name="httpClient" + ref="httpClient" /> + </bean> + + <!-- + | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS + | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials + | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your + | local authentication strategy. You might accomplish this by coding a new such handler and declaring + | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules. + +--> + <bean + class="org.jboss.portal.identity.sso.cas.CASAuthenticationHandler" /> + </list> + </property> + </bean> +</beans> Copied: modules/identity/trunk/sso/src/etc/josso/context.xml (from rev 8140, modules/identity/trunk/sso/src/etc/josso/josso_context.xml) =================================================================== --- modules/identity/trunk/sso/src/etc/josso/context.xml (rev 0) +++ modules/identity/trunk/sso/src/etc/josso/context.xml 2007-09-04 17:27:52 UTC (rev 8151) @@ -0,0 +1,4 @@ +<?xml version="1.0"?> +<Context> + <Valve className="org.jboss.portal.identity.sso.cas.JOSSOLogoutValve"/> +</Context> Copied: modules/identity/trunk/sso/src/etc/josso/error.jsp (from rev 8140, modules/identity/trunk/sso/src/etc/josso/josso_error.jsp) =================================================================== --- modules/identity/trunk/sso/src/etc/josso/error.jsp (rev 0) +++ modules/identity/trunk/sso/src/etc/josso/error.jsp 2007-09-04 17:27:52 UTC (rev 8151) @@ -0,0 +1,41 @@ +<%-- + ~ Copyright (c) 2004-2006, Novascope S.A. and the JOSSO team + ~ All rights reserved. + ~ Redistribution and use in source and binary forms, with or + ~ without modification, are permitted provided that the following + ~ conditions are met: + ~ + ~ * Redistributions of source code must retain the above copyright + ~ notice, this list of conditions and the following disclaimer. + ~ + ~ * Redistributions in binary form must reproduce the above copyright + ~ notice, this list of conditions and the following disclaimer in + ~ the documentation and/or other materials provided with the + ~ distribution. + ~ + ~ * Neither the name of the JOSSO team nor the names of its + ~ contributors may be used to endorse or promote products derived + ~ from this software without specific prior written permission. + ~ + ~ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND + ~ CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, + ~ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + ~ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + ~ DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS + ~ BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + ~ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + ~ TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + ~ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + ~ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + ~ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + ~ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + ~ POSSIBILITY OF SUCH DAMAGE. + --%> + +<%@page contentType="text/html; charset=iso-8859-1" language="java" session="true" %> +<!-- +Redirects the user to the propper login page. Configured as the login url the web.xml for this application. +--> +<% + response.sendRedirect(request.getContextPath() + "/josso_login/"); +%> Copied: modules/identity/trunk/sso/src/etc/josso/josso-agent-config.xml (from rev 8140, modules/identity/trunk/sso/src/etc/josso/josso_josso-agent-config.xml) =================================================================== --- modules/identity/trunk/sso/src/etc/josso/josso-agent-config.xml (rev 0) +++ modules/identity/trunk/sso/src/etc/josso/josso-agent-config.xml 2007-09-04 17:27:52 UTC (rev 8151) @@ -0,0 +1,19 @@ +<?xml version="1.0" encoding="ISO-8859-1" ?> +<agent> + <class>org.josso.jb4.agent.JBossCatalinaSSOAgent</class> + <gatewayLoginUrl>http://localhost:8080/josso/signon/login.do</gatewayLoginUrl> + <gatewayLogoutUrl>http://localhost:8080/josso/signon/logout.do</gatewayLogoutUrl> + <service-locator> + <class>org.josso.gateway.WebserviceGatewayServiceLocator</class> + <endpoint>localhost:8080</endpoint> + </service-locator> + <partner-apps> + <partner-app> + <context>/portal</context> + </partner-app> + <!-- used for testing purposes --> + <partner-app> + <context>/portal2</context> + </partner-app> + </partner-apps> +</agent> Copied: modules/identity/trunk/sso/src/etc/josso/josso-config.xml (from rev 8140, modules/identity/trunk/sso/src/etc/josso/josso_josso-config.xml) =================================================================== --- modules/identity/trunk/sso/src/etc/josso/josso-config.xml (rev 0) +++ modules/identity/trunk/sso/src/etc/josso/josso-config.xml 2007-09-04 17:27:52 UTC (rev 8151) @@ -0,0 +1,4 @@ +<?xml version="1.0" encoding="ISO-8859-1" ?> +<configuration> + <hierarchicalXml fileName="josso-agent-config.xml"/> +</configuration> Copied: modules/identity/trunk/sso/src/etc/josso/josso-gateway-config.xml (from rev 8140, modules/identity/trunk/sso/src/etc/josso/josso_josso-gateway-config.xml) =================================================================== --- modules/identity/trunk/sso/src/etc/josso/josso-gateway-config.xml (rev 0) +++ modules/identity/trunk/sso/src/etc/josso/josso-gateway-config.xml 2007-09-04 17:27:52 UTC (rev 8151) @@ -0,0 +1,569 @@ +<?xml version="1.0" encoding="ISO-8859-1" ?> +<!-- + ~ Copyright (c) 2004-2006, Novascope S.A. and the JOSSO team + ~ All rights reserved. + ~ Redistribution and use in source and binary forms, with or + ~ without modification, are permitted provided that the following + ~ conditions are met: + ~ + ~ * Redistributions of source code must retain the above copyright + ~ notice, this list of conditions and the following disclaimer. + ~ + ~ * Redistributions in binary form must reproduce the above copyright + ~ notice, this list of conditions and the following disclaimer in + ~ the documentation and/or other materials provided with the + ~ distribution. + ~ + ~ * Neither the name of the JOSSO team nor the names of its + ~ contributors may be used to endorse or promote products derived + ~ from this software without specific prior written permission. + ~ + ~ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND + ~ CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, + ~ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + ~ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + ~ DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS + ~ BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + ~ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + ~ TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + ~ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + ~ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + ~ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + ~ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + ~ POSSIBILITY OF SUCH DAMAGE. + --> + +<domain> + <name>JOSSO</name> + <type>web</type> + + <!--sso-web-config--> + + <!-- Optional : The URL where the user will be redirected after a successfull login only if josso_back_to request parameter + is not present when accessing the login url + <loginBackToURL>http://localhost:8080/partnerapp/protected/</loginBackToURL> + --> + + <!-- Optional : The URL where the user will be redirected after a logout only if josso_back_to is not present + when accessing the logout url + <logoutBackToURL>http://localhost:8080/partnerapp/protected/</logoutBackToURL> + --> + + <!-- Session token properties --> + <!--session-token--> + + <!-- Optional : Use a secure session token, a secure channel like SSL must be available for this to work + <secure>false</secure> + --> + + + <!--/session-token--> + + <!--/sso-web-config--> + + <authenticator> + <class>org.josso.auth.AuthenticatorImpl</class> + <authentication-schemes> + <!-- Basic Authentication Scheme --> + <authentication-scheme> + <name>basic-authentication</name> + <class>org.josso.auth.scheme.BindUsernamePasswordAuthScheme</class> + + <!-- + The message digest algorithm to be used when hashing passwords. + This must be an algorithm supported by the java.security.MessageDigest class + on your platform. + + In J2SE 1.4.2 you can check : + Java Cryptography Architecture API Specification & Reference - Apendix B : Algorithms + Values are : MD2, MD5, SHA-1, SHA-256, SHA-384, SHA-512,etc. + + To provide LDAP support, also CRYPT is available. + --> + <!-- + <hashAlgorithm>MD5</hashAlgorithm> + --> + + <!-- Supported values are HEX, BASE64. Mandatory if hashAlgorithm was specified --> + <!-- + <hashEncoding>HEX</hashEncoding> + --> + + <!-- Some hash algorithms, like CRYPT, use this property. The default value is 2. + <saltLength>2</saltLength> + --> + + <!-- + <ignorePasswordCase>false</ignorePasswordCase> + <ignoreUserCase>false</ignoreUserCase> + --> + <!-- ========================================================= --> + <!-- JDBC Credential Store --> + <!-- --> + <!-- Always scape comma chars [,] in queries because --> + <!-- jakarta commons-configuration uses them to define arrays. --> + <!-- ========================================================= --> + <!-- + <credential-store> + <class>org.josso.gateway.identity.service.store.db.JDBCIdentityStore</class> + + <credentialsQueryString> + + SELECT login AS username , password AS password FROM josso_user WHERE login = ? + + </credentialsQueryString> + <connectionName>josso</connectionName> + <connectionPassword>josso</connectionPassword> + <connectionURL>jdbc:oracle:thin:@localhost:1521:josso_db</connectionURL> + <driverName>oracle.jdbc.driver.OracleDriver</driverName> + </credential-store> + <credential-store> + <class>org.josso.gateway.identity.service.store.db.DataSourceIdentityStore</class> + + <credentialsQueryString>SELECT login AS username , password AS password FROM josso_user WHERE login = ?</credentialsQueryString> + <dsJndiName>java:jdbc/JossoSamplesDB</dsJndiName> + </credential-store> + --> + + <!-- =============================================================== --> + <!-- LDAP Credential Store --> + <!-- --> + <!-- Chcek javadoc for configuration details : --> + <!-- org.josso.gateway.identity.service.store.ldap.LDAPIdentityStore --> + <!-- =============================================================== --> + <!-- + <credential-store> + <class>org.josso.gateway.identity.service.store.ldap.LDAPIdentityStore</class> + <initialContextFactory>com.sun.jndi.ldap.LdapCtxFactory</initialContextFactory> + <providerUrl>ldap://ldaphost</providerUrl> + <securityPrincipal>cn=Manager,dc=my-domain,dc=com</securityPrincipal> + <securityCredential>secret</securityCredential> + <securityAuthentication>simple</securityAuthentication> + <ldapSearchScope>SUBTREE</ldapSearchScope> + <usersCtxDN>ou=People,dc=my-domain,dc=com</usersCtxDN> + <principalUidAttributeID>uid</principalUidAttributeID> + <rolesCtxDN>ou=Roles,dc=my-domain,dc=com</rolesCtxDN> + <uidAttributeID>uniquemember</uidAttributeID> + <roleAttributeID>cn</roleAttributeID> + <credentialQueryString>uid=username,userPassword=password</credentialQueryString> + <userPropertiesQueryString>mail=mail,cn=description</userPropertiesQueryString> + </credential-store> + --> + + <!-- ================================================= --> + <!-- Memory Credential Store --> + <!-- ================================================= --> + <!-- + <credential-store> + <class>org.josso.gateway.identity.service.store.MemoryIdentityStore</class> + <credentialsFileName>josso-credentials.xml</credentialsFileName> + </credential-store> + --> + + <!-- ================================================= --> + <!-- JBoss Portal Credential Store --> + <!-- ================================================= --> + <credential-store> + <class>org.jboss.portal.identity.sso.josso.JOSSOIdentityStore</class> + </credential-store> + + + + <!-- ================================================= --> + <!-- Credential Store Key adapter --> + <!-- ================================================= --> + <credential-store-key-adapter> + <class>org.josso.gateway.identity.service.store.SimpleIdentityStoreKeyAdapter</class> + </credential-store-key-adapter> + + </authentication-scheme> + + <!-- Strong Authentication Scheme --> + <authentication-scheme> + <name>strong-authentication</name> + <class>org.josso.auth.scheme.X509CertificateAuthScheme</class> + + <!-- ========================================================= --> + <!-- JDBC Credential Store --> + <!-- --> + <!-- Always scape comma chars [,] in queries because --> + <!-- jakarta commons-configuration uses them to define arrays. --> + <!-- ========================================================= --> + <!-- + <credential-store> + <class>org.josso.gateway.identity.service.store.db.JDBCIdentityStore</class> + + <credentialsQueryString> + + SELECT login AS username , password AS password FROM josso_user WHERE login = ? + + </credentialsQueryString> + <connectionName>josso</connectionName> + <connectionPassword>josso</connectionPassword> + <connectionURL>jdbc:oracle:thin:@localhost:1521:josso_db</connectionURL> + <driverName>oracle.jdbc.driver.OracleDriver</driverName> + </credential-store> + --> + + <!-- =============================================================== --> + <!-- LDAP Credential Store --> + <!-- --> + <!-- Chcek javadoc for configuration details : --> + <!-- org.josso.gateway.identity.service.store.ldap.LDAPIdentityStore --> + <!-- =============================================================== --> + <!-- + <credential-store> + <class>org.josso.gateway.identity.service.store.ldap.LDAPIdentityStore</class> + <initialContextFactory>com.sun.jndi.ldap.LdapCtxFactory</initialContextFactory> + <providerUrl>ldap://ldaphost</providerUrl> + <securityPrincipal>cn=Manager,dc=my-domain,dc=com</securityPrincipal> + <securityCredential>secret</securityCredential> + <securityAuthentication>simple</securityAuthentication> + <ldapSearchScope>SUBTREE</ldapSearchScope> + <usersCtxDN>ou=People,dc=my-domain,dc=com</usersCtxDN> + <principalUidAttributeID>uid</principalUidAttributeID> + <rolesCtxDN>ou=Roles,dc=my-domain,dc=com</rolesCtxDN> + <uidAttributeID>uniquemember</uidAttributeID> + <roleAttributeID>cn</roleAttributeID> + <credentialQueryString>uid=username,userCertificate;binary=userCertificate</credentialQueryString> + <userPropertiesQueryString>mail=mail,cn=description</userPropertiesQueryString> + </credential-store> + --> + + <!-- ================================================= --> + <!-- Memory Credential Store --> + <!-- ================================================= --> + <credential-store> + <class>org.josso.gateway.identity.service.store.MemoryIdentityStore</class> + <credentialsFileName>josso-credentials.xml</credentialsFileName> + </credential-store> + + <!-- ================================================= --> + <!-- Credential Store Key adapter --> + <!-- ================================================= --> + <credential-store-key-adapter> + <class>org.josso.gateway.identity.service.store.SimpleIdentityStoreKeyAdapter</class> + </credential-store-key-adapter> + + </authentication-scheme> + </authentication-schemes> + </authenticator> + + <sso-identity-manager> + + <class>org.josso.gateway.identity.service.SSOIdentityManagerImpl</class> + + <!-- ========================================================= --> + <!-- DataSource Identity Store --> + <!-- --> + <!-- Always scape comma chars [,] in queries because --> + <!-- jakarta commons-configuration uses them to define arrays. --> + <!-- ========================================================= --> + <!-- + <sso-identity-store> + <class>org.josso.gateway.identity.service.store.db.DataSourceIdentityStore</class> + + <userQueryString> + SELECT login FROM josso_user WHERE login = ? + </userQueryString> + + <userPropertiesQueryString> + SELECT 'user.description' AS name , description AS value FROM josso_user WHERE login = ? + UNION + SELECT name AS name , value AS value FROM josso_user_property WHERE login = ? + </userPropertiesQueryString> + + <rolesQueryString> + SELECT josso_role.name FROM josso_role , josso_user_role , josso_user WHERE josso_user.login = ? AND josso_user.login = josso_user_role.login AND josso_role.name = josso_user_role.name + </rolesQueryString> + + <dsJndiName>java:jdbc/JossoSamplesDB</dsJndiName> + </sso-identity-store> + --> + <!-- ========================================================= --> + <!-- JDBC Identity Store --> + <!-- --> + <!-- Always scape comma chars [,] in queries because --> + <!-- jakarta commons-configuration uses them to define arrays. --> + <!-- ========================================================= --> + + <!--sso-identity-store> + <class>org.josso.gateway.identity.service.store.db.JDBCIdentityStore</class> + + <userQueryString> + SELECT login FROM josso_user WHERE login = ? + </userQueryString> + + You could use a UNION to select properties from different tables/columns : + SELECT 'user.lastName' AS name , lastName AS value FROM josso_user WHERE login = ? + UNION + SELECT 'user.name' AS name , name AS value FROM josso_user WHERE login = ? + UNION + SELECT name AS name , value AS value FROM josso_user_properties WHERE login = ? + + <userPropertiesQueryString> + SELECT 'user.description' AS name , description AS value FROM josso_user WHERE login = ? + UNION + SELECT name AS name , value AS value FROM josso_user_property WHERE login = ? + </userPropertiesQueryString> + <rolesQueryString> + SELECT josso_role.name FROM josso_role , josso_user_role , josso_user WHERE josso_user.login = ? AND josso_user.login = josso_user_role.login AND josso_role.name = josso_user_role.name + </rolesQueryString> + <connectionName>josso</connectionName> + <connectionPassword>josso</connectionPassword> + <connectionURL>jdbc:oracle:thin:@localhost:1521:josso_db</connectionURL> + <driverName>oracle.jdbc.driver.OracleDriver</driverName> + </sso-identity-store--> + + <!-- =============================================================== --> + <!-- LDAP Identity Store --> + <!-- --> + <!-- Chcek javadoc for configuration details : --> + <!-- org.josso.gateway.identity.service.store.ldap.LDAPIdentityStore --> + <!-- ================================================= --> + <!-- + <sso-identity-store> + <class>org.josso.gateway.identity.service.store.ldap.LDAPIdentityStore</class> + <initialContextFactory>com.sun.jndi.ldap.LdapCtxFactory</initialContextFactory> + <providerUrl>ldap://ldaphost</providerUrl> + <securityPrincipal>cn=Manager,dc=my-domain,dc=com</securityPrincipal> + <securityCredential>secret</securityCredential> + <securityAuthentication>simple</securityAuthentication> + <ldapSearchScope>SUBTREE</ldapSearchScope> + <usersCtxDN>ou=People,dc=my-domain,dc=com</usersCtxDN> + <principalUidAttributeID>uid</principalUidAttributeID> + <rolesCtxDN>ou=Roles,dc=my-domain,dc=com</rolesCtxDN> + <uidAttributeID>uniquemember</uidAttributeID> + <roleAttributeID>cn</roleAttributeID> + <credentialQueryString>uid=username,userPassword=password</credentialQueryString> + <userPropertiesQueryString>mail=mail,cn=description</userPropertiesQueryString> + </sso-identity-store> + --> + + <!-- ================================================= --> + <!-- Memory Identity Store --> + <!-- ================================================= --> + <!-- + <sso-identity-store> + <class>org.josso.gateway.identity.service.store.MemoryIdentityStore</class> + <usersFileName>josso-users.xml</usersFileName> + </sso-identity-store> + --> + + <!-- ================================================= --> + <!-- JBoss Portal Credential Store --> + <!-- ================================================= --> + <sso-identity-store> + <class>org.jboss.portal.identity.sso.josso.JOSSOIdentityStore</class> + </sso-identity-store> + + <!-- ================================================= --> + <!-- Identity Store Key adapter --> + <!-- ================================================= --> + <sso-identity-store-key-adapter> + <class>org.josso.gateway.identity.service.store.SimpleIdentityStoreKeyAdapter</class> + </sso-identity-store-key-adapter> + + </sso-identity-manager> + + <sso-session-manager> + + <class>org.josso.gateway.session.service.SSOSessionManagerImpl</class> + + <!-- + Set the maximum time interval, in minutes, between client requests before the SSO Service will invalidate + the session. A negative time indicates that the session should never time out. + --> + <maxInactiveInterval>30</maxInactiveInterval> + + <!-- Max number of sessions per user, default 1 + A negative value indicates that an unlimited number of sessions per user is allowed. + --> + <maxSessionsPerUser>-1</maxSessionsPerUser> + <!-- + If true, when the max number of sessions per user is exceeded, + an already existing session will be invalidated to create a new one. + If false, when the max number of sessions per user is exceeded, + an exception is thrown and the new session is not created. + --> + <invalidateExceedingSessions>false</invalidateExceedingSessions> + + + <!-- + Time interval, in milliseconds, between exired sessions cleanup. + --> + <sessionMonitorInterval>10000</sessionMonitorInterval> + + <!-- =================================================================== --> + <!-- Serialized Session Store --> + <!-- --> + <!-- Session Store implementation which uses Java Serialization to --> + <!-- persist Single Sign-On user sessions. --> + <!-- It allows to reconstruct the session state after a system shutdown. --> + <!-- =================================================================== --> + <!-- + <sso-session-store> + <class>org.josso.gateway.session.service.store.SerializedSessionStore</class> + file where serialized sessions will be stored (optional) + <serializedFile>/tmp/josso_sessions.ser</serializedFile> + </sso-session-store> + --> + + + <!-- =============================================================== --> + <!-- DataSource Session Store --> + <!-- --> + <!-- This store persists SSO sessions in a RDBMS, it's usefull for --> + <!-- example when multiple SSO servers must share session information--> + <!-- like in a cluster. --> + <!-- --> + <!-- NOTE :Remember to escape spetial chars like < with &lt; , etc --> + <!-- --> + <!-- --> + <!-- Chcek javadoc for configuration details : --> + <!-- org.josso.gateway.session.service.store.db.DataSourceSessionStore --> + <!-- =============================================================== --> + <!-- + <sso-session-store> + + <class>org.josso.gateway.session.service.store.db.DataSourceSessionStore</class> + + <dsJndiName>java:jdbc/JossoSamplesDB</dsJndiName> + + <sizeQuery>SELECT COUNT(*) FROM JOSSO_SESSION</sizeQuery> + <keysQuery>SELECT session_id FROM JOSSO_SESSION</keysQuery> + <loadAllQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION</loadAllQuery> + <loadQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION WHERE session_id = ?</loadQuery> + <loadByUserNameQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION WHERE username = ?</loadByUserNameQuery> + + <loadByLastAccessTimeQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION WHERE last_access_time &lt; ?</loadByLastAccessTimeQuery> + <loadByValidQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION WHERE valid = ?</loadByValidQuery> + <deleteDml>DELETE FROM JOSSO_SESSION WHERE session_id = ?</deleteDml> + <deleteAllDml>DELETE FROM JOSSO_SESSION</deleteAllDml> + <insertDml>INSERT INTO JOSSO_SESSION (session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid) VALUES (?, ?, ?, ?, ?, ?, ?) </insertDml> + + <dsJndiName>java:jdbc/JossoSamplesDB</dsJndiName> + + </sso-session-store> + --> + + <!-- =============================================================== --> + <!-- Jdbc Session Store --> + <!-- --> + <!-- This store persists SSO sessions in a RDBMS, it's usefull for --> + <!-- example when multiple SSO servers must share session information--> + <!-- like in a cluster. --> + <!-- --> + <!-- NOTE :Remember to escape spetial chars like < with &lt; , etc --> + <!-- --> + <!-- Chcek javadoc for configuration details : --> + <!-- org.josso.gateway.session.service.store.db.JdbcSessionStore --> + <!-- =============================================================== --> + <!-- + <sso-session-store> + + <class>org.josso.gateway.session.service.store.db.JdbcSessionStore</class> + + <connectionName>josso</connectionName> + <connectionPassword>josso</connectionPassword> + <connectionURL>jdbc:oracle:thin:@localhost:1521:josso_db</connectionURL> + <driverName>oracle.jdbc.driver.OracleDriver</driverName> + + <sizeQuery>SELECT COUNT(*) FROM JOSSO_SESSION</sizeQuery> + <keysQuery>SELECT session_id FROM JOSSO_SESSION</keysQuery> + <loadAllQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION</loadAllQuery> + <loadQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION WHERE session_id = ?</loadQuery> + <loadByUserNameQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION WHERE username = ?</loadByUserNameQuery> + + <loadByLastAccessTimeQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION WHERE last_access_time &lt; ?</loadByLastAccessTimeQuery> + <loadByValidQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION WHERE valid = ?</loadByValidQuery> + <deleteDml>DELETE FROM JOSSO_SESSION WHERE session_id = ?</deleteDml> + <deleteAllDml>DELETE FROM JOSSO_SESSION</deleteAllDml> + <insertDml>INSERT INTO JOSSO_SESSION (session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid) VALUES (?, ?, ?, ?, ?, ?, ?) </insertDml> + + </sso-session-store> + --> + + + <!-- =============================================================== --> + <!-- Memory Session Store --> + <!-- =============================================================== --> + <sso-session-store> + <class>org.josso.gateway.session.service.store.MemorySessionStore</class> + </sso-session-store> + + <sso-session-id-generator> + + <class>org.josso.gateway.session.service.SessionIdGeneratorImpl</class> + <!-- + The message digest algorithm to be used when generating session + identifiers. This must be an algorithm supported by the + java.security.MessageDigest class on your platform. + + In J2SE 1.4.2 you can check : + Java Cryptography Architecture API Specification & Reference - Apendix A : Standard Names + Values are : MD2, MD5, SHA-1, SHA-256, SHA-384, SHA-512 + --> + <algorithm>MD5</algorithm> + + </sso-session-id-generator> + + </sso-session-manager> + + <!-- SSO Audit Manager compoment --> + <sso-audit-manager> + <class>org.josso.gateway.audit.service.SSOAuditManagerImpl</class> + + <!-- + List of handlers that will process this request + Every handler must have its own unique name. + --> + <handlers> + + <!-- This handler logs all audit trails using Log4J, under the given category --> + <handler> + <class>org.josso.gateway.audit.service.handler.LoggerAuditTrailHandler</class> + <name>LoggerAuditTrailHandler</name> + <category>org.josso.gateway.audit.SSO_AUDIT</category> + </handler> + + <!-- + <handler> + <class>MyOtherHandler</class> + <name>MyOhterHandlerName</name> + <myProperty>value</myProperty> + </handler> + --> + + </handlers> + </sso-audit-manager> + + <!-- SSO Event Manager component --> + <sso-event-manager> + <class>org.josso.gateway.event.security.JMXSSOEventManagerImpl</class> + <!-- + JMX Name of the EventManager MBean that will send SSO Events as JMX Notifications + The MBean will be registered by the MBeanComponentKeeper. + --> + <oname>josso:type=SSOEventManager</oname> + <!-- You can add your own listeners here : --> + <!-- Every listener should have a unique name --> + + <!-- + <listeners> + <listener> + <class>com.myCompany.MyEventListener</class> + <name>MyEventListener</name> + <property1>MyListenerProperty1Value</property1> + </listener> + <listener> + <class>com.myCompany.MyOtherEventListener</class> + <name>MyOtherEventListener</name> + <propertyA>MyOtherListenerPropertyAValue</propertyA> + </listener> + </listeners> + --> + + </sso-event-manager> + +</domain> Deleted: modules/identity/trunk/sso/src/etc/josso/josso_context.xml =================================================================== --- modules/identity/trunk/sso/src/etc/josso/josso_context.xml 2007-09-04 17:21:09 UTC (rev 8150) +++ modules/identity/trunk/sso/src/etc/josso/josso_context.xml 2007-09-04 17:27:52 UTC (rev 8151) @@ -1,4 +0,0 @@ -<?xml version="1.0"?> -<Context> - <Valve className="org.jboss.portal.identity.auth.JOSSOLogoutValve"/> -</Context> Deleted: modules/identity/trunk/sso/src/etc/josso/josso_error.jsp =================================================================== --- modules/identity/trunk/sso/src/etc/josso/josso_error.jsp 2007-09-04 17:21:09 UTC (rev 8150) +++ modules/identity/trunk/sso/src/etc/josso/josso_error.jsp 2007-09-04 17:27:52 UTC (rev 8151) @@ -1,41 +0,0 @@ -<%-- - ~ Copyright (c) 2004-2006, Novascope S.A. and the JOSSO team - ~ All rights reserved. - ~ Redistribution and use in source and binary forms, with or - ~ without modification, are permitted provided that the following - ~ conditions are met: - ~ - ~ * Redistributions of source code must retain the above copyright - ~ notice, this list of conditions and the following disclaimer. - ~ - ~ * Redistributions in binary form must reproduce the above copyright - ~ notice, this list of conditions and the following disclaimer in - ~ the documentation and/or other materials provided with the - ~ distribution. - ~ - ~ * Neither the name of the JOSSO team nor the names of its - ~ contributors may be used to endorse or promote products derived - ~ from this software without specific prior written permission. - ~ - ~ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND - ~ CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, - ~ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF - ~ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - ~ DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS - ~ BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - ~ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED - ~ TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - ~ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - ~ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - ~ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - ~ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - ~ POSSIBILITY OF SUCH DAMAGE. - --%> - -<%@page contentType="text/html; charset=iso-8859-1" language="java" session="true" %> -<!-- -Redirects the user to the propper login page. Configured as the login url the web.xml for this application. ---> -<% - response.sendRedirect(request.getContextPath() + "/josso_login/"); -%> Deleted: modules/identity/trunk/sso/src/etc/josso/josso_josso-agent-config.xml =================================================================== --- modules/identity/trunk/sso/src/etc/josso/josso_josso-agent-config.xml 2007-09-04 17:21:09 UTC (rev 8150) +++ modules/identity/trunk/sso/src/etc/josso/josso_josso-agent-config.xml 2007-09-04 17:27:52 UTC (rev 8151) @@ -1,19 +0,0 @@ -<?xml version="1.0" encoding="ISO-8859-1" ?> -<agent> - <class>org.josso.jb4.agent.JBossCatalinaSSOAgent</class> - <gatewayLoginUrl>http://localhost:8080/josso/signon/login.do</gatewayLoginUrl> - <gatewayLogoutUrl>http://localhost:8080/josso/signon/logout.do</gatewayLogoutUrl> - <service-locator> - <class>org.josso.gateway.WebserviceGatewayServiceLocator</class> - <endpoint>localhost:8080</endpoint> - </service-locator> - <partner-apps> - <partner-app> - <context>/portal</context> - </partner-app> - <!-- used for testing purposes --> - <partner-app> - <context>/portal2</context> - </partner-app> - </partner-apps> -</agent> Deleted: modules/identity/trunk/sso/src/etc/josso/josso_josso-config.xml =================================================================== --- modules/identity/trunk/sso/src/etc/josso/josso_josso-config.xml 2007-09-04 17:21:09 UTC (rev 8150) +++ modules/identity/trunk/sso/src/etc/josso/josso_josso-config.xml 2007-09-04 17:27:52 UTC (rev 8151) @@ -1,4 +0,0 @@ -<?xml version="1.0" encoding="ISO-8859-1" ?> -<configuration> - <hierarchicalXml fileName="josso-agent-config.xml"/> -</configuration> Deleted: modules/identity/trunk/sso/src/etc/josso/josso_josso-gateway-config.xml =================================================================== --- modules/identity/trunk/sso/src/etc/josso/josso_josso-gateway-config.xml 2007-09-04 17:21:09 UTC (rev 8150) +++ modules/identity/trunk/sso/src/etc/josso/josso_josso-gateway-config.xml 2007-09-04 17:27:52 UTC (rev 8151) @@ -1,569 +0,0 @@ -<?xml version="1.0" encoding="ISO-8859-1" ?> -<!-- - ~ Copyright (c) 2004-2006, Novascope S.A. and the JOSSO team - ~ All rights reserved. - ~ Redistribution and use in source and binary forms, with or - ~ without modification, are permitted provided that the following - ~ conditions are met: - ~ - ~ * Redistributions of source code must retain the above copyright - ~ notice, this list of conditions and the following disclaimer. - ~ - ~ * Redistributions in binary form must reproduce the above copyright - ~ notice, this list of conditions and the following disclaimer in - ~ the documentation and/or other materials provided with the - ~ distribution. - ~ - ~ * Neither the name of the JOSSO team nor the names of its - ~ contributors may be used to endorse or promote products derived - ~ from this software without specific prior written permission. - ~ - ~ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND - ~ CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, - ~ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF - ~ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - ~ DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS - ~ BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - ~ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED - ~ TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - ~ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - ~ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - ~ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - ~ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - ~ POSSIBILITY OF SUCH DAMAGE. - --> - -<domain> - <name>JOSSO</name> - <type>web</type> - - <!--sso-web-config--> - - <!-- Optional : The URL where the user will be redirected after a successfull login only if josso_back_to request parameter - is not present when accessing the login url - <loginBackToURL>http://localhost:8080/partnerapp/protected/</loginBackToURL> - --> - - <!-- Optional : The URL where the user will be redirected after a logout only if josso_back_to is not present - when accessing the logout url - <logoutBackToURL>http://localhost:8080/partnerapp/protected/</logoutBackToURL> - --> - - <!-- Session token properties --> - <!--session-token--> - - <!-- Optional : Use a secure session token, a secure channel like SSL must be available for this to work - <secure>false</secure> - --> - - - <!--/session-token--> - - <!--/sso-web-config--> - - <authenticator> - <class>org.josso.auth.AuthenticatorImpl</class> - <authentication-schemes> - <!-- Basic Authentication Scheme --> - <authentication-scheme> - <name>basic-authentication</name> - <class>org.josso.auth.scheme.BindUsernamePasswordAuthScheme</class> - - <!-- - The message digest algorithm to be used when hashing passwords. - This must be an algorithm supported by the java.security.MessageDigest class - on your platform. - - In J2SE 1.4.2 you can check : - Java Cryptography Architecture API Specification & Reference - Apendix B : Algorithms - Values are : MD2, MD5, SHA-1, SHA-256, SHA-384, SHA-512,etc. - - To provide LDAP support, also CRYPT is available. - --> - <!-- - <hashAlgorithm>MD5</hashAlgorithm> - --> - - <!-- Supported values are HEX, BASE64. Mandatory if hashAlgorithm was specified --> - <!-- - <hashEncoding>HEX</hashEncoding> - --> - - <!-- Some hash algorithms, like CRYPT, use this property. The default value is 2. - <saltLength>2</saltLength> - --> - - <!-- - <ignorePasswordCase>false</ignorePasswordCase> - <ignoreUserCase>false</ignoreUserCase> - --> - <!-- ========================================================= --> - <!-- JDBC Credential Store --> - <!-- --> - <!-- Always scape comma chars [,] in queries because --> - <!-- jakarta commons-configuration uses them to define arrays. --> - <!-- ========================================================= --> - <!-- - <credential-store> - <class>org.josso.gateway.identity.service.store.db.JDBCIdentityStore</class> - - <credentialsQueryString> - - SELECT login AS username , password AS password FROM josso_user WHERE login = ? - - </credentialsQueryString> - <connectionName>josso</connectionName> - <connectionPassword>josso</connectionPassword> - <connectionURL>jdbc:oracle:thin:@localhost:1521:josso_db</connectionURL> - <driverName>oracle.jdbc.driver.OracleDriver</driverName> - </credential-store> - <credential-store> - <class>org.josso.gateway.identity.service.store.db.DataSourceIdentityStore</class> - - <credentialsQueryString>SELECT login AS username , password AS password FROM josso_user WHERE login = ?</credentialsQueryString> - <dsJndiName>java:jdbc/JossoSamplesDB</dsJndiName> - </credential-store> - --> - - <!-- =============================================================== --> - <!-- LDAP Credential Store --> - <!-- --> - <!-- Chcek javadoc for configuration details : --> - <!-- org.josso.gateway.identity.service.store.ldap.LDAPIdentityStore --> - <!-- =============================================================== --> - <!-- - <credential-store> - <class>org.josso.gateway.identity.service.store.ldap.LDAPIdentityStore</class> - <initialContextFactory>com.sun.jndi.ldap.LdapCtxFactory</initialContextFactory> - <providerUrl>ldap://ldaphost</providerUrl> - <securityPrincipal>cn=Manager,dc=my-domain,dc=com</securityPrincipal> - <securityCredential>secret</securityCredential> - <securityAuthentication>simple</securityAuthentication> - <ldapSearchScope>SUBTREE</ldapSearchScope> - <usersCtxDN>ou=People,dc=my-domain,dc=com</usersCtxDN> - <principalUidAttributeID>uid</principalUidAttributeID> - <rolesCtxDN>ou=Roles,dc=my-domain,dc=com</rolesCtxDN> - <uidAttributeID>uniquemember</uidAttributeID> - <roleAttributeID>cn</roleAttributeID> - <credentialQueryString>uid=username,userPassword=password</credentialQueryString> - <userPropertiesQueryString>mail=mail,cn=description</userPropertiesQueryString> - </credential-store> - --> - - <!-- ================================================= --> - <!-- Memory Credential Store --> - <!-- ================================================= --> - <!-- - <credential-store> - <class>org.josso.gateway.identity.service.store.MemoryIdentityStore</class> - <credentialsFileName>josso-credentials.xml</credentialsFileName> - </credential-store> - --> - - <!-- ================================================= --> - <!-- JBoss Portal Credential Store --> - <!-- ================================================= --> - <credential-store> - <class>org.jboss.portal.identity.auth.JOSSOIdentityStore</class> - </credential-store> - - - - <!-- ================================================= --> - <!-- Credential Store Key adapter --> - <!-- ================================================= --> - <credential-store-key-adapter> - <class>org.josso.gateway.identity.service.store.SimpleIdentityStoreKeyAdapter</class> - </credential-store-key-adapter> - - </authentication-scheme> - - <!-- Strong Authentication Scheme --> - <authentication-scheme> - <name>strong-authentication</name> - <class>org.josso.auth.scheme.X509CertificateAuthScheme</class> - - <!-- ========================================================= --> - <!-- JDBC Credential Store --> - <!-- --> - <!-- Always scape comma chars [,] in queries because --> - <!-- jakarta commons-configuration uses them to define arrays. --> - <!-- ========================================================= --> - <!-- - <credential-store> - <class>org.josso.gateway.identity.service.store.db.JDBCIdentityStore</class> - - <credentialsQueryString> - - SELECT login AS username , password AS password FROM josso_user WHERE login = ? - - </credentialsQueryString> - <connectionName>josso</connectionName> - <connectionPassword>josso</connectionPassword> - <connectionURL>jdbc:oracle:thin:@localhost:1521:josso_db</connectionURL> - <driverName>oracle.jdbc.driver.OracleDriver</driverName> - </credential-store> - --> - - <!-- =============================================================== --> - <!-- LDAP Credential Store --> - <!-- --> - <!-- Chcek javadoc for configuration details : --> - <!-- org.josso.gateway.identity.service.store.ldap.LDAPIdentityStore --> - <!-- =============================================================== --> - <!-- - <credential-store> - <class>org.josso.gateway.identity.service.store.ldap.LDAPIdentityStore</class> - <initialContextFactory>com.sun.jndi.ldap.LdapCtxFactory</initialContextFactory> - <providerUrl>ldap://ldaphost</providerUrl> - <securityPrincipal>cn=Manager,dc=my-domain,dc=com</securityPrincipal> - <securityCredential>secret</securityCredential> - <securityAuthentication>simple</securityAuthentication> - <ldapSearchScope>SUBTREE</ldapSearchScope> - <usersCtxDN>ou=People,dc=my-domain,dc=com</usersCtxDN> - <principalUidAttributeID>uid</principalUidAttributeID> - <rolesCtxDN>ou=Roles,dc=my-domain,dc=com</rolesCtxDN> - <uidAttributeID>uniquemember</uidAttributeID> - <roleAttributeID>cn</roleAttributeID> - <credentialQueryString>uid=username,userCertificate;binary=userCertificate</credentialQueryString> - <userPropertiesQueryString>mail=mail,cn=description</userPropertiesQueryString> - </credential-store> - --> - - <!-- ================================================= --> - <!-- Memory Credential Store --> - <!-- ================================================= --> - <credential-store> - <class>org.josso.gateway.identity.service.store.MemoryIdentityStore</class> - <credentialsFileName>josso-credentials.xml</credentialsFileName> - </credential-store> - - <!-- ================================================= --> - <!-- Credential Store Key adapter --> - <!-- ================================================= --> - <credential-store-key-adapter> - <class>org.josso.gateway.identity.service.store.SimpleIdentityStoreKeyAdapter</class> - </credential-store-key-adapter> - - </authentication-scheme> - </authentication-schemes> - </authenticator> - - <sso-identity-manager> - - <class>org.josso.gateway.identity.service.SSOIdentityManagerImpl</class> - - <!-- ========================================================= --> - <!-- DataSource Identity Store --> - <!-- --> - <!-- Always scape comma chars [,] in queries because --> - <!-- jakarta commons-configuration uses them to define arrays. --> - <!-- ========================================================= --> - <!-- - <sso-identity-store> - <class>org.josso.gateway.identity.service.store.db.DataSourceIdentityStore</class> - - <userQueryString> - SELECT login FROM josso_user WHERE login = ? - </userQueryString> - - <userPropertiesQueryString> - SELECT 'user.description' AS name , description AS value FROM josso_user WHERE login = ? - UNION - SELECT name AS name , value AS value FROM josso_user_property WHERE login = ? - </userPropertiesQueryString> - - <rolesQueryString> - SELECT josso_role.name FROM josso_role , josso_user_role , josso_user WHERE josso_user.login = ? AND josso_user.login = josso_user_role.login AND josso_role.name = josso_user_role.name - </rolesQueryString> - - <dsJndiName>java:jdbc/JossoSamplesDB</dsJndiName> - </sso-identity-store> - --> - <!-- ========================================================= --> - <!-- JDBC Identity Store --> - <!-- --> - <!-- Always scape comma chars [,] in queries because --> - <!-- jakarta commons-configuration uses them to define arrays. --> - <!-- ========================================================= --> - - <!--sso-identity-store> - <class>org.josso.gateway.identity.service.store.db.JDBCIdentityStore</class> - - <userQueryString> - SELECT login FROM josso_user WHERE login = ? - </userQueryString> - - You could use a UNION to select properties from different tables/columns : - SELECT 'user.lastName' AS name , lastName AS value FROM josso_user WHERE login = ? - UNION - SELECT 'user.name' AS name , name AS value FROM josso_user WHERE login = ? - UNION - SELECT name AS name , value AS value FROM josso_user_properties WHERE login = ? - - <userPropertiesQueryString> - SELECT 'user.description' AS name , description AS value FROM josso_user WHERE login = ? - UNION - SELECT name AS name , value AS value FROM josso_user_property WHERE login = ? - </userPropertiesQueryString> - <rolesQueryString> - SELECT josso_role.name FROM josso_role , josso_user_role , josso_user WHERE josso_user.login = ? AND josso_user.login = josso_user_role.login AND josso_role.name = josso_user_role.name - </rolesQueryString> - <connectionName>josso</connectionName> - <connectionPassword>josso</connectionPassword> - <connectionURL>jdbc:oracle:thin:@localhost:1521:josso_db</connectionURL> - <driverName>oracle.jdbc.driver.OracleDriver</driverName> - </sso-identity-store--> - - <!-- =============================================================== --> - <!-- LDAP Identity Store --> - <!-- --> - <!-- Chcek javadoc for configuration details : --> - <!-- org.josso.gateway.identity.service.store.ldap.LDAPIdentityStore --> - <!-- ================================================= --> - <!-- - <sso-identity-store> - <class>org.josso.gateway.identity.service.store.ldap.LDAPIdentityStore</class> - <initialContextFactory>com.sun.jndi.ldap.LdapCtxFactory</initialContextFactory> - <providerUrl>ldap://ldaphost</providerUrl> - <securityPrincipal>cn=Manager,dc=my-domain,dc=com</securityPrincipal> - <securityCredential>secret</securityCredential> - <securityAuthentication>simple</securityAuthentication> - <ldapSearchScope>SUBTREE</ldapSearchScope> - <usersCtxDN>ou=People,dc=my-domain,dc=com</usersCtxDN> - <principalUidAttributeID>uid</principalUidAttributeID> - <rolesCtxDN>ou=Roles,dc=my-domain,dc=com</rolesCtxDN> - <uidAttributeID>uniquemember</uidAttributeID> - <roleAttributeID>cn</roleAttributeID> - <credentialQueryString>uid=username,userPassword=password</credentialQueryString> - <userPropertiesQueryString>mail=mail,cn=description</userPropertiesQueryString> - </sso-identity-store> - --> - - <!-- ================================================= --> - <!-- Memory Identity Store --> - <!-- ================================================= --> - <!-- - <sso-identity-store> - <class>org.josso.gateway.identity.service.store.MemoryIdentityStore</class> - <usersFileName>josso-users.xml</usersFileName> - </sso-identity-store> - --> - - <!-- ================================================= --> - <!-- JBoss Portal Credential Store --> - <!-- ================================================= --> - <sso-identity-store> - <class>org.jboss.portal.identity.auth.JOSSOIdentityStore</class> - </sso-identity-store> - - <!-- ================================================= --> - <!-- Identity Store Key adapter --> - <!-- ================================================= --> - <sso-identity-store-key-adapter> - <class>org.josso.gateway.identity.service.store.SimpleIdentityStoreKeyAdapter</class> - </sso-identity-store-key-adapter> - - </sso-identity-manager> - - <sso-session-manager> - - <class>org.josso.gateway.session.service.SSOSessionManagerImpl</class> - - <!-- - Set the maximum time interval, in minutes, between client requests before the SSO Service will invalidate - the session. A negative time indicates that the session should never time out. - --> - <maxInactiveInterval>30</maxInactiveInterval> - - <!-- Max number of sessions per user, default 1 - A negative value indicates that an unlimited number of sessions per user is allowed. - --> - <maxSessionsPerUser>-1</maxSessionsPerUser> - <!-- - If true, when the max number of sessions per user is exceeded, - an already existing session will be invalidated to create a new one. - If false, when the max number of sessions per user is exceeded, - an exception is thrown and the new session is not created. - --> - <invalidateExceedingSessions>false</invalidateExceedingSessions> - - - <!-- - Time interval, in milliseconds, between exired sessions cleanup. - --> - <sessionMonitorInterval>10000</sessionMonitorInterval> - - <!-- =================================================================== --> - <!-- Serialized Session Store --> - <!-- --> - <!-- Session Store implementation which uses Java Serialization to --> - <!-- persist Single Sign-On user sessions. --> - <!-- It allows to reconstruct the session state after a system shutdown. --> - <!-- =================================================================== --> - <!-- - <sso-session-store> - <class>org.josso.gateway.session.service.store.SerializedSessionStore</class> - file where serialized sessions will be stored (optional) - <serializedFile>/tmp/josso_sessions.ser</serializedFile> - </sso-session-store> - --> - - - <!-- =============================================================== --> - <!-- DataSource Session Store --> - <!-- --> - <!-- This store persists SSO sessions in a RDBMS, it's usefull for --> - <!-- example when multiple SSO servers must share session information--> - <!-- like in a cluster. --> - <!-- --> - <!-- NOTE :Remember to escape spetial chars like < with &lt; , etc --> - <!-- --> - <!-- --> - <!-- Chcek javadoc for configuration details : --> - <!-- org.josso.gateway.session.service.store.db.DataSourceSessionStore --> - <!-- =============================================================== --> - <!-- - <sso-session-store> - - <class>org.josso.gateway.session.service.store.db.DataSourceSessionStore</class> - - <dsJndiName>java:jdbc/JossoSamplesDB</dsJndiName> - - <sizeQuery>SELECT COUNT(*) FROM JOSSO_SESSION</sizeQuery> - <keysQuery>SELECT session_id FROM JOSSO_SESSION</keysQuery> - <loadAllQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION</loadAllQuery> - <loadQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION WHERE session_id = ?</loadQuery> - <loadByUserNameQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION WHERE username = ?</loadByUserNameQuery> - - <loadByLastAccessTimeQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION WHERE last_access_time &lt; ?</loadByLastAccessTimeQuery> - <loadByValidQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION WHERE valid = ?</loadByValidQuery> - <deleteDml>DELETE FROM JOSSO_SESSION WHERE session_id = ?</deleteDml> - <deleteAllDml>DELETE FROM JOSSO_SESSION</deleteAllDml> - <insertDml>INSERT INTO JOSSO_SESSION (session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid) VALUES (?, ?, ?, ?, ?, ?, ?) </insertDml> - - <dsJndiName>java:jdbc/JossoSamplesDB</dsJndiName> - - </sso-session-store> - --> - - <!-- =============================================================== --> - <!-- Jdbc Session Store --> - <!-- --> - <!-- This store persists SSO sessions in a RDBMS, it's usefull for --> - <!-- example when multiple SSO servers must share session information--> - <!-- like in a cluster. --> - <!-- --> - <!-- NOTE :Remember to escape spetial chars like < with &lt; , etc --> - <!-- --> - <!-- Chcek javadoc for configuration details : --> - <!-- org.josso.gateway.session.service.store.db.JdbcSessionStore --> - <!-- =============================================================== --> - <!-- - <sso-session-store> - - <class>org.josso.gateway.session.service.store.db.JdbcSessionStore</class> - - <connectionName>josso</connectionName> - <connectionPassword>josso</connectionPassword> - <connectionURL>jdbc:oracle:thin:@localhost:1521:josso_db</connectionURL> - <driverName>oracle.jdbc.driver.OracleDriver</driverName> - - <sizeQuery>SELECT COUNT(*) FROM JOSSO_SESSION</sizeQuery> - <keysQuery>SELECT session_id FROM JOSSO_SESSION</keysQuery> - <loadAllQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION</loadAllQuery> - <loadQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION WHERE session_id = ?</loadQuery> - <loadByUserNameQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION WHERE username = ?</loadByUserNameQuery> - - <loadByLastAccessTimeQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION WHERE last_access_time &lt; ?</loadByLastAccessTimeQuery> - <loadByValidQuery>SELECT session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid FROM JOSSO_SESSION WHERE valid = ?</loadByValidQuery> - <deleteDml>DELETE FROM JOSSO_SESSION WHERE session_id = ?</deleteDml> - <deleteAllDml>DELETE FROM JOSSO_SESSION</deleteAllDml> - <insertDml>INSERT INTO JOSSO_SESSION (session_id, userName, creation_time, last_access_time, access_count, max_inactive_interval, valid) VALUES (?, ?, ?, ?, ?, ?, ?) </insertDml> - - </sso-session-store> - --> - - - <!-- =============================================================== --> - <!-- Memory Session Store --> - <!-- =============================================================== --> - <sso-session-store> - <class>org.josso.gateway.session.service.store.MemorySessionStore</class> - </sso-session-store> - - <sso-session-id-generator> - - <class>org.josso.gateway.session.service.SessionIdGeneratorImpl</class> - <!-- - The message digest algorithm to be used when generating session - identifiers. This must be an algorithm supported by the - java.security.MessageDigest class on your platform. - - In J2SE 1.4.2 you can check : - Java Cryptography Architecture API Specification & Reference - Apendix A : Standard Names - Values are : MD2, MD5, SHA-1, SHA-256, SHA-384, SHA-512 - --> - <algorithm>MD5</algorithm> - - </sso-session-id-generator> - - </sso-session-manager> - - <!-- SSO Audit Manager compoment --> - <sso-audit-manager> - <class>org.josso.gateway.audit.service.SSOAuditManagerImpl</class> - - <!-- - List of handlers that will process this request - Every handler must have its own unique name. - --> - <handlers> - - <!-- This handler logs all audit trails using Log4J, under the given category --> - <handler> - <class>org.josso.gateway.audit.service.handler.LoggerAuditTrailHandler</class> - <name>LoggerAuditTrailHandler</name> - <category>org.josso.gateway.audit.SSO_AUDIT</category> - </handler> - - <!-- - <handler> - <class>MyOtherHandler</class> - <name>MyOhterHandlerName</name> - <myProperty>value</myProperty> - </handler> - --> - - </handlers> - </sso-audit-manager> - - <!-- SSO Event Manager component --> - <sso-event-manager> - <class>org.josso.gateway.event.security.JMXSSOEventManagerImpl</class> - <!-- - JMX Name of the EventManager MBean that will send SSO Events as JMX Notifications - The MBean will be registered by the MBeanComponentKeeper. - --> - <oname>josso:type=SSOEventManager</oname> - <!-- You can add your own listeners here : --> - <!-- Every listener should have a unique name --> - - <!-- - <listeners> - <listener> - <class>com.myCompany.MyEventListener</class> - <name>MyEventListener</name> - <property1>MyListenerProperty1Value</property1> - </listener> - <listener> - <class>com.myCompany.MyOtherEventListener</class> - <name>MyOtherEventListener</name> - <propertyA>MyOtherListenerPropertyAValue</propertyA> - </listener> - </listeners> - --> - - </sso-event-manager> - -</domain> Deleted: modules/identity/trunk/sso/src/etc/josso/josso_login-config.xml =================================================================== --- modules/identity/trunk/sso/src/etc/josso/josso_login-config.xml 2007-09-04 17:21:09 UTC (rev 8150) +++ modules/identity/trunk/sso/src/etc/josso/josso_login-config.xml 2007-09-04 17:27:52 UTC (rev 8151) @@ -1,165 +0,0 @@ -<?xml version='1.0'?> -<!DOCTYPE policy PUBLIC - "-//JBoss//DTD JBOSS Security Config 3.0//EN" - "http://www.jboss.org/j2ee/dtd/security_config.dtd"> - -<!-- The XML based JAAS login configuration read by the -org.jboss.security.auth.login.XMLLoginConfig mbean. Add -an application-policy element for each security domain. - -The outline of the application-policy is: -<application-policy name="security-domain-name"> - <authentication> - <login-module code="login.module1.class.name" flag="control_flag"> - <module-option name = "option1-name">option1-value</module-option> - <module-option name = "option2-name">option2-value</module-option> - ... - </login-module> - - <login-module code="login.module2.class.name" flag="control_flag"> - ... - </login-module> - ... - </authentication> -</application-policy> - ---> - -<policy> - <!-- Used by clients within the application server VM such as - mbeans and servlets that access EJBs. - --> - <application-policy name = "client-login"> - <authentication> - <login-module code = "org.jboss.security.ClientLoginModule" - flag = "required"> - <!-- Any existing security context will be restored on logout --> - <module-option name="restore-login-identity">true</module-option> - </login-module> - </authentication> - </application-policy> - - <!-- Security domain for JBossMQ --> - <application-policy name = "jbossmq"> - <authentication> - <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" - flag = "required"> - <module-option name = "unauthenticatedIdentity">guest</module-option> - <module-option name = "dsJndiName">java:/DefaultDS</module-option> - <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option> - <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option> - </login-module> - </authentication> - </application-policy> - - <!-- Security domain for JBossMQ when using file-state-service.xml - <application-policy name = "jbossmq"> - <authentication> - <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule" - flag = "required"> - <module-option name = "unauthenticatedIdentity">guest</module-option> - <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option> - </login-module> - </authentication> - </application-policy> - --> - - <!-- Security domains for testing new jca framework --> - <application-policy name = "HsqlDbRealm"> - <authentication> - <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" - flag = "required"> - <module-option name = "principal">sa</module-option> - <module-option name = "userName">sa</module-option> - <module-option name = "password"></module-option> - <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option> - </login-module> - </authentication> - </application-policy> - - <application-policy name = "JmsXARealm"> - <authentication> - <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" - flag = "required"> - <module-option name = "principal">guest</module-option> - <module-option name = "userName">guest</module-option> - <module-option name = "password">guest</module-option> - <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option> - </login-module> - </authentication> - </application-policy> - - <!-- A template configuration for the jmx-console web application. This - defaults to the UsersRolesLoginModule the same as other and should be - changed to a stronger authentication mechanism as required. - --> - <application-policy name = "jmx-console"> - <authentication> - <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" - flag = "required"> - <module-option name="usersProperties">props/jmx-console-users.properties</module-option> - <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option> - </login-module> - </authentication> - </application-policy> - - <!-- A template configuration for the web-console web application. This - defaults to the UsersRolesLoginModule the same as other and should be - changed to a stronger authentication mechanism as required. - --> - <application-policy name = "$webConsoleDomain"> - <authentication> - <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" - flag = "required"> - <module-option name="usersProperties">web-console-users.properties</module-option> - <module-option name="rolesProperties">web-console-roles.properties</module-option> - </login-module> - </authentication> - </application-policy> - - <!-- A template configuration for the JBossWS web application (and transport layer!). - This defaults to the UsersRolesLoginModule the same as other and should be - changed to a stronger authentication mechanism as required. - --> - <application-policy name="JBossWS"> - <authentication> - <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" - flag="required"> - <module-option name="usersProperties">props/jbossws-users.properties</module-option> - <module-option name="rolesProperties">props/jbossws-roles.properties</module-option> - <module-option name="unauthenticatedIdentity">anonymous</module-option> - </login-module> - </authentication> - </application-policy> - - <!-- The default login configuration used by any security domain that - does not have a application-policy entry with a matching name - --> - <application-policy name = "other"> - <!-- A simple server login module, which can be used when the number - of users is relatively small. It uses two properties files: - users.properties, which holds users (key) and their password (value). - roles.properties, which holds users (key) and a comma-separated list of - their roles (value). - The unauthenticatedIdentity property defines the name of the principal - that will be used when a null username and password are presented as is - the case for an unuathenticated web client or MDB. If you want to - allow such users to be authenticated add the property, e.g., - unauthenticatedIdentity="nobody" - --> - <authentication> - <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" - flag = "required" /> - </authentication> - </application-policy> - - <!-- JOSSO JAAS Module configuration --> - <application-policy name = "josso"> - <authentication> - <login-module code = "org.jboss.portal.identity.auth.JOSSOLoginModule" - flag = "required"> - <module-option name="debug">true</module-option> - </login-module> - </authentication> - </application-policy> -</policy> Deleted: modules/identity/trunk/sso/src/etc/josso/josso_server.xml =================================================================== --- modules/identity/trunk/sso/src/etc/josso/josso_server.xml 2007-09-04 17:21:09 UTC (rev 8150) +++ modules/identity/trunk/sso/src/etc/josso/josso_server.xml 2007-09-04 17:27:52 UTC (rev 8151) @@ -1,178 +0,0 @@ -<Server> - - <!-- Use a custom version of StandardService that allows the - connectors to be started independent of the normal lifecycle - start to allow web apps to be deployed before starting the - connectors. - --> - <Service name="jboss.web" - className="org.jboss.web.tomcat.tc5.StandardService"> - - <!-- A HTTP/1.1 Connector on port 8080 --> - <Connector port="8080" address="${jboss.bind.address}" - maxThreads="250" strategy="ms" maxHttpHeaderSize="8192" - emptySessionPath="true" - enableLookups="false" redirectPort="8443" acceptCount="100" - connectionTimeout="20000" disableUploadTimeout="true"/> - - <!-- Add this option to the connector to avoid problems with - .NET clients that don't implement HTTP/1.1 correctly - restrictedUserAgents="^.*MS Web Services Client Protocol 1.1.4322.*$" - --> - - <!-- A AJP 1.3 Connector on port 8009 --> - <Connector port="8009" address="${jboss.bind.address}" - emptySessionPath="true" enableLookups="false" redirectPort="8443" - protocol="AJP/1.3"/> - - <!-- SSL/TLS Connector configuration using the admin devl guide keystore - <Connector port="8443" address="${jboss.bind.address}" - maxThreads="100" strategy="ms" maxHttpHeaderSize="8192" - emptySessionPath="true" - scheme="https" secure="true" clientAuth="false" - keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore" - keystorePass="rmi+ssl" sslProtocol = "TLS" /> - --> - - <Engine name="jboss.web" defaultHost="localhost"> - - <!-- The JAAS based authentication and authorization realm implementation - that is compatible with the jboss 3.2.x realm implementation. - - certificatePrincipal : the class name of the - org.jboss.security.auth.certs.CertificatePrincipal impl - used for mapping X509[] cert chains to a Princpal. - - allRolesMode : how to handle an auth-constraint with a role-name=*, - one of strict, authOnly, strictAuthOnly - + strict = Use the strict servlet spec interpretation which requires - that the user have one of the web-app/security-role/role-name - + authOnly = Allow any authenticated user - + strictAuthOnly = Allow any authenticated user only if there are no - web-app/security-roles - --> - <!-- - <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm" - certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping" - allRolesMode="authOnly" - /> - --> - - <!-- A subclass of JBossSecurityMgrRealm that uses the authentication - behavior of JBossSecurityMgrRealm, but overrides the authorization - checks to use JACC permissions with the current java.security.Policy - to determine authorized access. - - allRolesMode : how to handle an auth-constraint with a role-name=*, - one of strict, authOnly, strictAuthOnly - + strict = Use the strict servlet spec interpretation which requires - that the user have one of the web-app/security-role/role-name - + authOnly = Allow any authenticated user - + strictAuthOnly = Allow any authenticated user only if there are no - web-app/security-roles - <Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm" - certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping" - allRolesMode="authOnly" - /> - --> - - <!-- Integrating the JOSSO realm --> - <Realm className="org.josso.jb4.agent.JBossCatalinaRealm" - appName="josso" - userClassNames="org.josso.gateway.identity.service.BaseUserImpl" - roleClassNames="org.josso.gateway.identity.service.BaseRoleImpl" - debug="1" /> - - <Host name="localhost" - autoDeploy="false" deployOnStartup="false" deployXML="false"> - - <!-- UNCOMMENT TO ENABLE CUSTOMIZATION OF TOMCAT AUTHENTICATORS - <Host name="localhost" - autoDeploy="false" deployOnStartup="false" deployXML="false" - configClass="org.jboss.web.tomcat.security.config.JBossContextConfig"> - --> - - - <!-- Uncomment to enable request dumper. This Valve "logs interesting - contents from the specified Request (before processing) and the - corresponding Response (after processing). It is especially useful - in debugging problems related to headers and cookies." - --> - <!-- - <Valve className="org.apache.catalina.valves.RequestDumperValve" /> - --> - - <!-- Access logger --> - <!-- - <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve" - prefix="localhost_access_log." suffix=".log" - pattern="common" directory="${jboss.server.home.dir}/log" - resolveHosts="false" /> - --> - - <!-- Uncomment to enable single sign-on across web apps - deployed to this host. Does not provide SSO across a cluster. - - If this valve is used, do not use the JBoss ClusteredSingleSignOn - valve shown below. - - A new configuration attribute is available beginning with - release 4.0.4: - - cookieDomain configures the domain to which the SSO cookie - will be scoped (i.e. the set of hosts to - which the cookie will be presented). By default - the cookie is scoped to "/", meaning the host - that presented it. Set cookieDomain to a - wider domain (e.g. "xyz.com") to allow an SSO - to span more than one hostname. - --> - <!-- - <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> - --> - - <!-- Uncomment to enable single sign-on across web apps - deployed to this host AND to all other hosts in the cluster. - - If this valve is used, do not use the standard Tomcat SingleSignOn - valve shown above. - - Valve uses a JBossCache instance to support SSO credential - caching and replication across the cluster. The JBossCache - instance must be configured separately. By default, the valve - shares a JBossCache with the service that supports HttpSession - replication. See the "tc5-cluster-service.xml" file in the - server/all/deploy directory for cache configuration details. - - Besides the attributes supported by the standard Tomcat - SingleSignOn valve (see the Tomcat docs), this version also - supports the following attributes: - - cookieDomain see above - - treeCacheName JMX ObjectName of the JBossCache MBean used to - support credential caching and replication across - the cluster. If not set, the default value is - "jboss.cache:service=TomcatClusteringCache", the - standard ObjectName of the JBossCache MBean used - to support session replication. - --> - <!-- - <Valve className="org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn" /> - --> - - - <!-- Uncomment to check for unclosed connections and transaction terminated checks - in servlets/jsps. - Important: You need to uncomment the dependency on the CachedConnectionManager - in META-INF/jboss-service.xml - <Valve className="org.jboss.web.tomcat.tc5.jca.CachedConnectionValve" - cachedConnectionManagerObjectName="jboss.jca:service=CachedConnectionManager" - transactionManagerObjectName="jboss:service=TransactionManager" /> - --> - - <!-- JOSSO Agent Valve --> - <Valve className="org.josso.tc55.agent.SSOAgentValve" debug="1"/> - </Host> - </Engine> - - </Service> - -</Server> Copied: modules/identity/trunk/sso/src/etc/josso/login-config.xml (from rev 8140, modules/identity/trunk/sso/src/etc/josso/josso_login-config.xml) =================================================================== --- modules/identity/trunk/sso/src/etc/josso/login-config.xml (rev 0) +++ modules/identity/trunk/sso/src/etc/josso/login-config.xml 2007-09-04 17:27:52 UTC (rev 8151) @@ -0,0 +1,165 @@ +<?xml version='1.0'?> +<!DOCTYPE policy PUBLIC + "-//JBoss//DTD JBOSS Security Config 3.0//EN" + "http://www.jboss.org/j2ee/dtd/security_config.dtd"> + +<!-- The XML based JAAS login configuration read by the +org.jboss.security.auth.login.XMLLoginConfig mbean. Add +an application-policy element for each security domain. + +The outline of the application-policy is: +<application-policy name="security-domain-name"> + <authentication> + <login-module code="login.module1.class.name" flag="control_flag"> + <module-option name = "option1-name">option1-value</module-option> + <module-option name = "option2-name">option2-value</module-option> + ... + </login-module> + + <login-module code="login.module2.class.name" flag="control_flag"> + ... + </login-module> + ... + </authentication> +</application-policy> + +--> + +<policy> + <!-- Used by clients within the application server VM such as + mbeans and servlets that access EJBs. + --> + <application-policy name = "client-login"> + <authentication> + <login-module code = "org.jboss.security.ClientLoginModule" + flag = "required"> + <!-- Any existing security context will be restored on logout --> + <module-option name="restore-login-identity">true</module-option> + </login-module> + </authentication> + </application-policy> + + <!-- Security domain for JBossMQ --> + <application-policy name = "jbossmq"> + <authentication> + <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" + flag = "required"> + <module-option name = "unauthenticatedIdentity">guest</module-option> + <module-option name = "dsJndiName">java:/DefaultDS</module-option> + <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option> + <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option> + </login-module> + </authentication> + </application-policy> + + <!-- Security domain for JBossMQ when using file-state-service.xml + <application-policy name = "jbossmq"> + <authentication> + <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule" + flag = "required"> + <module-option name = "unauthenticatedIdentity">guest</module-option> + <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option> + </login-module> + </authentication> + </application-policy> + --> + + <!-- Security domains for testing new jca framework --> + <application-policy name = "HsqlDbRealm"> + <authentication> + <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" + flag = "required"> + <module-option name = "principal">sa</module-option> + <module-option name = "userName">sa</module-option> + <module-option name = "password"></module-option> + <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option> + </login-module> + </authentication> + </application-policy> + + <application-policy name = "JmsXARealm"> + <authentication> + <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" + flag = "required"> + <module-option name = "principal">guest</module-option> + <module-option name = "userName">guest</module-option> + <module-option name = "password">guest</module-option> + <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option> + </login-module> + </authentication> + </application-policy> + + <!-- A template configuration for the jmx-console web application. This + defaults to the UsersRolesLoginModule the same as other and should be + changed to a stronger authentication mechanism as required. + --> + <application-policy name = "jmx-console"> + <authentication> + <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" + flag = "required"> + <module-option name="usersProperties">props/jmx-console-users.properties</module-option> + <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option> + </login-module> + </authentication> + </application-policy> + + <!-- A template configuration for the web-console web application. This + defaults to the UsersRolesLoginModule the same as other and should be + changed to a stronger authentication mechanism as required. + --> + <application-policy name = "$webConsoleDomain"> + <authentication> + <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" + flag = "required"> + <module-option name="usersProperties">web-console-users.properties</module-option> + <module-option name="rolesProperties">web-console-roles.properties</module-option> + </login-module> + </authentication> + </application-policy> + + <!-- A template configuration for the JBossWS web application (and transport layer!). + This defaults to the UsersRolesLoginModule the same as other and should be + changed to a stronger authentication mechanism as required. + --> + <application-policy name="JBossWS"> + <authentication> + <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" + flag="required"> + <module-option name="usersProperties">props/jbossws-users.properties</module-option> + <module-option name="rolesProperties">props/jbossws-roles.properties</module-option> + <module-option name="unauthenticatedIdentity">anonymous</module-option> + </login-module> + </authentication> + </application-policy> + + <!-- The default login configuration used by any security domain that + does not have a application-policy entry with a matching name + --> + <application-policy name = "other"> + <!-- A simple server login module, which can be used when the number + of users is relatively small. It uses two properties files: + users.properties, which holds users (key) and their password (value). + roles.properties, which holds users (key) and a comma-separated list of + their roles (value). + The unauthenticatedIdentity property defines the name of the principal + that will be used when a null username and password are presented as is + the case for an unuathenticated web client or MDB. If you want to + allow such users to be authenticated add the property, e.g., + unauthenticatedIdentity="nobody" + --> + <authentication> + <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" + flag = "required" /> + </authentication> + </application-policy> + + <!-- JOSSO JAAS Module configuration --> + <application-policy name = "josso"> + <authentication> + <login-module code = "org.jboss.portal.identity.auth.JOSSOLoginModule" + flag = "required"> + <module-option name="debug">true</module-option> + </login-module> + </authentication> + </application-policy> +</policy> Copied: modules/identity/trunk/sso/src/etc/josso/server.xml (from rev 8140, modules/identity/trunk/sso/src/etc/josso/josso_server.xml) =================================================================== --- modules/identity/trunk/sso/src/etc/josso/server.xml (rev 0) +++ modules/identity/trunk/sso/src/etc/josso/server.xml 2007-09-04 17:27:52 UTC (rev 8151) @@ -0,0 +1,178 @@ +<Server> + + <!-- Use a custom version of StandardService that allows the + connectors to be started independent of the normal lifecycle + start to allow web apps to be deployed before starting the + connectors. + --> + <Service name="jboss.web" + className="org.jboss.web.tomcat.tc5.StandardService"> + + <!-- A HTTP/1.1 Connector on port 8080 --> + <Connector port="8080" address="${jboss.bind.address}" + maxThreads="250" strategy="ms" maxHttpHeaderSize="8192" + emptySessionPath="true" + enableLookups="false" redirectPort="8443" acceptCount="100" + connectionTimeout="20000" disableUploadTimeout="true"/> + + <!-- Add this option to the connector to avoid problems with + .NET clients that don't implement HTTP/1.1 correctly + restrictedUserAgents="^.*MS Web Services Client Protocol 1.1.4322.*$" + --> + + <!-- A AJP 1.3 Connector on port 8009 --> + <Connector port="8009" address="${jboss.bind.address}" + emptySessionPath="true" enableLookups="false" redirectPort="8443" + protocol="AJP/1.3"/> + + <!-- SSL/TLS Connector configuration using the admin devl guide keystore + <Connector port="8443" address="${jboss.bind.address}" + maxThreads="100" strategy="ms" maxHttpHeaderSize="8192" + emptySessionPath="true" + scheme="https" secure="true" clientAuth="false" + keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore" + keystorePass="rmi+ssl" sslProtocol = "TLS" /> + --> + + <Engine name="jboss.web" defaultHost="localhost"> + + <!-- The JAAS based authentication and authorization realm implementation + that is compatible with the jboss 3.2.x realm implementation. + - certificatePrincipal : the class name of the + org.jboss.security.auth.certs.CertificatePrincipal impl + used for mapping X509[] cert chains to a Princpal. + - allRolesMode : how to handle an auth-constraint with a role-name=*, + one of strict, authOnly, strictAuthOnly + + strict = Use the strict servlet spec interpretation which requires + that the user have one of the web-app/security-role/role-name + + authOnly = Allow any authenticated user + + strictAuthOnly = Allow any authenticated user only if there are no + web-app/security-roles + --> + <!-- + <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm" + certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping" + allRolesMode="authOnly" + /> + --> + + <!-- A subclass of JBossSecurityMgrRealm that uses the authentication + behavior of JBossSecurityMgrRealm, but overrides the authorization + checks to use JACC permissions with the current java.security.Policy + to determine authorized access. + - allRolesMode : how to handle an auth-constraint with a role-name=*, + one of strict, authOnly, strictAuthOnly + + strict = Use the strict servlet spec interpretation which requires + that the user have one of the web-app/security-role/role-name + + authOnly = Allow any authenticated user + + strictAuthOnly = Allow any authenticated user only if there are no + web-app/security-roles + <Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm" + certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping" + allRolesMode="authOnly" + /> + --> + + <!-- Integrating the JOSSO realm --> + <Realm className="org.josso.jb4.agent.JBossCatalinaRealm" + appName="josso" + userClassNames="org.josso.gateway.identity.service.BaseUserImpl" + roleClassNames="org.josso.gateway.identity.service.BaseRoleImpl" + debug="1" /> + + <Host name="localhost" + autoDeploy="false" deployOnStartup="false" deployXML="false"> + + <!-- UNCOMMENT TO ENABLE CUSTOMIZATION OF TOMCAT AUTHENTICATORS + <Host name="localhost" + autoDeploy="false" deployOnStartup="false" deployXML="false" + configClass="org.jboss.web.tomcat.security.config.JBossContextConfig"> + --> + + + <!-- Uncomment to enable request dumper. This Valve "logs interesting + contents from the specified Request (before processing) and the + corresponding Response (after processing). It is especially useful + in debugging problems related to headers and cookies." + --> + <!-- + <Valve className="org.apache.catalina.valves.RequestDumperValve" /> + --> + + <!-- Access logger --> + <!-- + <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve" + prefix="localhost_access_log." suffix=".log" + pattern="common" directory="${jboss.server.home.dir}/log" + resolveHosts="false" /> + --> + + <!-- Uncomment to enable single sign-on across web apps + deployed to this host. Does not provide SSO across a cluster. + + If this valve is used, do not use the JBoss ClusteredSingleSignOn + valve shown below. + + A new configuration attribute is available beginning with + release 4.0.4: + + cookieDomain configures the domain to which the SSO cookie + will be scoped (i.e. the set of hosts to + which the cookie will be presented). By default + the cookie is scoped to "/", meaning the host + that presented it. Set cookieDomain to a + wider domain (e.g. "xyz.com") to allow an SSO + to span more than one hostname. + --> + <!-- + <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> + --> + + <!-- Uncomment to enable single sign-on across web apps + deployed to this host AND to all other hosts in the cluster. + + If this valve is used, do not use the standard Tomcat SingleSignOn + valve shown above. + + Valve uses a JBossCache instance to support SSO credential + caching and replication across the cluster. The JBossCache + instance must be configured separately. By default, the valve + shares a JBossCache with the service that supports HttpSession + replication. See the "tc5-cluster-service.xml" file in the + server/all/deploy directory for cache configuration details. + + Besides the attributes supported by the standard Tomcat + SingleSignOn valve (see the Tomcat docs), this version also + supports the following attributes: + + cookieDomain see above + + treeCacheName JMX ObjectName of the JBossCache MBean used to + support credential caching and replication across + the cluster. If not set, the default value is + "jboss.cache:service=TomcatClusteringCache", the + standard ObjectName of the JBossCache MBean used + to support session replication. + --> + <!-- + <Valve className="org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn" /> + --> + + + <!-- Uncomment to check for unclosed connections and transaction terminated checks + in servlets/jsps. + Important: You need to uncomment the dependency on the CachedConnectionManager + in META-INF/jboss-service.xml + <Valve className="org.jboss.web.tomcat.tc5.jca.CachedConnectionValve" + cachedConnectionManagerObjectName="jboss.jca:service=CachedConnectionManager" + transactionManagerObjectName="jboss:service=TransactionManager" /> + --> + + <!-- JOSSO Agent Valve --> + <Valve className="org.josso.tc55.agent.SSOAgentValve" debug="1"/> + </Host> + </Engine> + + </Service> + +</Server>