[gatein-dev] clustering sso, exo.profiles and wsrp webservice security

Boleslaw Dawidowicz boleslaw.dawidowicz at gmail.com
Wed Mar 23 11:35:20 EDT 2011


On Mar 23, 2011, at 3:11 PM, Julien Viet wrote:

> 
> 
> An option would be to change the code in wci and allow for the retrieval
> of the actual password when presented with the username and token.
> 
> There is a notion of token store in GateIn itself, I don't know if it is related or not.
>  
> If we can create a type of password store in wci, then we don't need to
> store the password in the servlet session during a portal login.
> 
> Somehow this already kind of exists with the token store, which stores the password for the login. It is used when someone performs a form login not triggered by Java EE (i.e. 90% of the time).
> This token store is used to produce a token that will be used with the browser interactions. Perhaps it would make sense to move it to WCI as well.
>  
> This would be enough for the wsrp ws-security, but I think the
> clusteringsso filter would still need to exist.
> 
> My concern was about moving this server specific part to the JBoss AS WCI SPI implementation.
>  

Just to add some context: ClusteredSSOFilter was brought in as a quick workaround because the token service breaks the way auth is propagated around the cluster in JBoss AS. The SSO Valve that does the job was propagating the token instead of the password, and IIRC the token service store content was not replicated between nodes anyhow.

But this is something that users may also hit when trying to plug their LoginModule into the portal JAAS stack. I saw people removing the whole LM stack and putting forked pieces of GTN auth code from different modules into a new LM to work around this. We could try to make it more friendly for customizations and implement the rememberme/token feature in a different way - just a thought - I don't have any ready design inside of my head atm.

Bolek

