[jboss-user] [Beginners Corner] - SSO/JAAS/Dashboard

ch33zm0ng3r do-not-reply at jboss.com
Fri Jul 20 13:10:12 EDT 2007

Hello, all. I'm a JBoss beginner, but I feel that I have a fairly complex question. I'm trying to integrate a third party SSO solution into JBoss, which is a mostly trivial task on its own. I am able to authenticate users that are configured through the SSO gateway. However, I want these users to be able to log into Portal as well. In my current configuration (4.2.1 AS - 2.6 Portal) users are able to log in and are shown options in the user portlet based on their roles. However, the header still shows a login link unless the user is manually added with an admin user through the user portlet. Users added "manually" through the user portlet and granted an "Admn" role do not get access to the admin portal, and no user is able to use the dashboard (a 403 error is returned when clicking the dashboard link, and there is no "admin" link for users with admin roles).

I am under the impression that the reason that the dashboard doesn't work is because I need to synchronize my portal database with whatever information comes from the SSO gateway. I have attempted to use the SynchronizingLoginModule but with no success. I think that my confusion is in the JAAS layer. JOSSO has its own security realm which, by the installation instructions, is held in $JBOSS_HOME/server/someservername/conf/login-config.xml:

<application-policy name="josso">
  <authentication>
    <login-module code="org.josso.jb4.agent.JBossSSOGatewayLoginModule" flag="required">
      <module-option name="debug">true</module-option>
    </login-module>
  </authentication>
</application-policy>

From my vague understanding of the JAAS layer, this module will be used whenever JOSSO is called to authenticate a user. This login module appears to be doing everything that it should, as the user portlet recognizes the correct user as being logged in. However, we need more to make Portal happy. In $JBOSS_HOME/server/someservername/deploy/jboss-portal.sar/conf/login-config.xml I have:

<application-policy name="portal">
  <authentication>
    <login-module code="org.jboss.portal.identity.auth.SynchronizingLoginModule" flag="optional">
      <module-option name="synchronizeIdentity">true</module-option>
      <module-option name="synchronizeRoles">true</module-option>
      <module-option name="additionalRole">Authenticated</module-option>
      <module-option name="defaultAssignedRole">User</module-option>
      <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
      <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
      <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
      <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
    </login-module>
  </authentication>
</application-policy>

and in $JBOSS_HOME/server/someservername/deploy/jboss-portal.sar/jboss-server.war/WEB-INF/jboss-web.xml:

<jboss-web>
  <security-domain>java:/jaas/portal</security-domain>
  <context-root>/portal</context-root>
  <replication-config>
    <replication-trigger>SET</replication-trigger>
  </replication-config>
  <resource-ref>
    <res-ref-name>jdbc/PortalDS</res-ref-name>
    <jndi-name>java:PortalDS</jndi-name>
  </resource-ref>
</jboss-web>

My understanding of this setup is that when JBoss is asked to authenticate a user it will use the JOSSO login module (which appears to work), and then the portal context will attempt, through SynchronizingLoginModule, to add the principal information to the JBP database if it cannot already find it. I have also tried adding the SynchronizingLoginModule under the 'josso' application policy because I was uncertain if it would get called since the user was already authenticated. This caused a null pointer exception to be thrown. This problem is getting frustrating. Perhaps the SynchLoginMod doesn't do what I think it should.

Any thoughts, questions, comments, and/or stern reprimands for my being foolish are greatly appreciated.


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4066283#4066283

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4066283
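Added illustration of the JAAS stacking semantics the post is asking about; this is not code from the post, JBoss Portal or JOSSO. Two stand-in login modules play the gateway and a synchronizing module, and the demo shows that a LoginContext runs only the modules listed under the one policy name it was created with, that within a stack every module's login() is invoked in order (an earlier module's success does not skip the later ones), and that a module passes what it learned to the next one through the shared state map. The class names, the policy names "gateway-only" and "stacked", and the user "alice" are assumptions made for the demo.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import static javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag.*;
/** Stand-alone JAAS stacking demo: the policy names, module classes and user "alice" are constructed for it. */
public class JaasStackDemo {
    public static final class Name implements Principal {        // minimal Principal for the demo
        private final String n; Name(String n) { this.n = n; }
        public String getName() { return n; } @Override public String toString() { return n; }
    }
    public abstract static class Base implements LoginModule {   // shared lifecycle boilerplate
        protected Subject subject; protected Map<String, Object> shared; protected boolean ok;
        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> state, Map<String, ?> opts) {
            subject = s; shared = (Map<String, Object>) state;  // one map is shared by all modules of a stack
        }
        public boolean abort()  { return ok; }
        public boolean logout() { return true; }
    }
    public static class Gateway extends Base {   // plays the SSO gateway: authenticates, publishes the name
        public boolean login()  { shared.put("javax.security.auth.login.name", "alice"); return ok = true; }
        public boolean commit() { if (ok) subject.getPrincipals().add(new Name("alice")); return ok; }
    }
    public static class Sync extends Base {      // plays a synchronizing module: counts calls, adds a role
        static int loginCalls;
        public boolean login()  { loginCalls++; return ok = shared.containsKey("javax.security.auth.login.name"); }
        public boolean commit() { if (ok) subject.getPrincipals().add(new Name("Authenticated")); return ok; }
    }
    /** Policy "gateway-only" lists one module; "stacked" lists both, with Sync marked optional. */
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String policy) {
            AppConfigurationEntry gw = new AppConfigurationEntry(Gateway.class.getName(), REQUIRED, Map.of());
            AppConfigurationEntry sy = new AppConfigurationEntry(Sync.class.getName(), OPTIONAL, Map.of());
            return policy.equals("stacked") ? new AppConfigurationEntry[] {gw, sy} : new AppConfigurationEntry[] {gw};
        }
    };
    /** A LoginContext runs only the modules of the one policy it is created for, each login() in order. */
    static Set<Principal> loginWith(String policy) throws LoginException {
        LoginContext lc = new LoginContext(policy, new Subject(), null, CONFIG);
        lc.login();                                  // phase 1: every login(); phase 2: every commit()
        return lc.getSubject().getPrincipals();
    }
    public static void main(String[] args) throws LoginException {
        System.out.println(loginWith("gateway-only") + " Sync.login() calls so far: " + Sync.loginCalls);
        System.out.println(loginWith("stacked") + " Sync.login() calls so far: " + Sync.loginCalls);
    }
}
```

Compile and run with `javac JaasStackDemo.java && java JaasStackDemo`: the first login yields only the gateway's principal and leaves the Sync call count at zero, the second yields both principals and increments it, because a module only runs when it is listed in the policy the security domain actually names.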

More information about the jboss-user mailing list