[jboss-user] [Security & JAAS/JBoss] - Single sign-on (SSO) access is not limited to security domai

[bkraz]

Hi, I have been trying to fix a problem with single sign-on (SSO) security in JBoss 4.0.4 GA.  The issue is that I cannot restrict some applications from taking part in the SSO domain.  No matter what settings I use, once a user successfully authenticates in an SSO application, he has access to ALL JBoss apps, even if they are listed in a different security domain.  Here are the details:

Single sign-on is activated with the following in deploy/jbossweb-tomcat55.sar/server.xml:


All liferay components are in this security domain:
<jboss-web>
        <security-domain>java:/jaas/PortalRealm</security-domain>
...
</jboss-web>

I have a few applications  (xforms) that I want to participate in the SSO domain.  These work perfectly.


I have another application (/axis) in a different security domain, which is still accessible to SSO users.

<jboss-web>
  <security-domain>java:/jaas/axis</security-domain> 
</jboss-web>



In conf/login-config.xml:

 <application-policy name = "axis">
       
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
           <module-option name="usersProperties">props/axis-users.properties</module-option>
           <module-option name="rolesProperties">props/axis-roles.properties</module-option>
          </login-module>
       
    </application-policy>


and

<application-policy name = "PortalRealm">
          
             <login-module code ="com.liferay.portal.security.jaas.PortalLoginModule"
                flag = "required">
                <module-option name="userClassNames">com.liferay.portal.security.jaas.PortalPrincipal</module-option>
             <module-option name="roleClassNames">com.liferay.portal.security.jaas.PortalRole</module-option>
   </login-module>
          
       </application-policy>

The above block is not necessary to make Liferay security work.  I added it myself, but it did not change any noticeable behavior.


I intend to make /axis only available to those with a specific username and password, however JBoss currently allows all Liferay users to have access to axis despite it being in a different security domain.  I have had problems with the java:/blah/blah naming convention, and I have seen a few posts indicating this might be an issue.  Does anyone have a suggestion for how I might limit SSO access to certain apps?  Thanks!  -Ben




View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4124962#4124962

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4124962