The WSRP specification does not include user identity propagation from the consumer to the producer. Instead, it defers this capability to existing WS-* specifications such as WS-Security.
This document walks through the steps necessary to configure two portals (consumer and producer). The consumer portal will let the user log in over SSL with a browser certificate (the servlet CLIENT-CERT auth method). The consumer will then use SSL and WS-Security to pass the user's identity to the WSRP producer. Both consumer and producer will be set up to authenticate against a certificate login module and to authorize (get roles) from an LDAP login module.
Here are the high level steps:
1.) Create the necessary certificates and keystores
2.) Create and populate LDAP (using openLDAP for this example)
3.) Create the initial consumer and producer profiles for the two portal instances
4.) Configure SSL and login modules on the producer
5.) Configure SSL and login modules on the consumer
6.) Add WS-Security capabilities
7.) Deploy remoteable portlet on producer
8.) Start servers
9.) Configure consumer to use producer's WSRP portlet
1.) Create the necessary certificates and keystores
I'm going to assume for this document that we are using Tomcat Native, which is what should be used in production. Certificate setup for Tomcat Native is a bit different from Java Tomcat: the connector reads PEM certificate and key files rather than a Java keystore. One caveat on the commands that follow: they generate 1024-bit RSA keys, which is how they were run at the time but is too small for anything other than a throwaway test; use openssl genrsa 2048 (or larger) for a real deployment. We actually need quite a few certificates to make this all work:
- CA certificate (to sign other certificates making them valid)
- Consumer and producer server certificates (so each can serve SSL)
- Consumer truststore (since the consumer will be a Java WS client to the producer)
- Browser certificates (so end users can access the portal)
1.1.) CA certificate
I'm going to assume that this is already done. If not, the openssl documentation covers creating a CA certificate and the ca.conf used for signing below.
1.2.) Consumer and producer certificates
Consumer:
[apestel@localhost SSL]$ openssl genrsa 1024 > consumer.key
Generating RSA private key, 1024 bit long modulus
.........................++++++
...++++++
e is 65537 (0x10001)
[apestel@localhost SSL]$ openssl req -new -key consumer.key -out consumer.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Texas
Locality Name (eg, city) [Newbury]:Dallas
Organization Name (eg, company) [My Company Ltd]:Red Hat
Organizational Unit Name (eg, section) []:JBoss
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:apestel@redhat.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[apestel@localhost SSL]$ openssl ca -config ca.conf -out consumer.crt -infiles consumer.csr
Using configuration from ca.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName : PRINTABLE:'US'
stateOrProvinceName : PRINTABLE:'Texas'
localityName : PRINTABLE:'Dallas'
organizationName : PRINTABLE:'Red Hat'
organizationalUnitName: PRINTABLE:'JBoss'
commonName : PRINTABLE:'localhost'
emailAddress :IA5STRING:'apestel@redhat.com'
Certificate is to be certified until Jan 22 03:03:21 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[apestel@localhost SSL]$
Producer:
[apestel@localhost SSL]$ openssl genrsa 1024 > producer.key
Generating RSA private key, 1024 bit long modulus
....................................++++++
........++++++
e is 65537 (0x10001)
[apestel@localhost SSL]$ openssl req -new -key producer.key -out producer.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Texas
Locality Name (eg, city) [Newbury]:Dallas
Organization Name (eg, company) [My Company Ltd]:Red Hat
Organizational Unit Name (eg, section) []:JBoss
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:apestel@redhat.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[apestel@localhost SSL]$ openssl ca -config ca.conf -out producer.crt -infiles producer.csr
Using configuration from ca.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName : PRINTABLE:'US'
stateOrProvinceName : PRINTABLE:'Texas'
localityName : PRINTABLE:'Dallas'
organizationName : PRINTABLE:'Red Hat'
organizationalUnitName: PRINTABLE:'JBoss'
commonName : PRINTABLE:'localhost'
emailAddress :IA5STRING:'apestel@redhat.com'
Certificate is to be certified until Jan 22 03:07:47 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[apestel@localhost SSL]$
1.3.) Consumer trust store
Why is this needed? The web containers of both the consumer and producer use regular PEM certificates because that is what Tomcat Native requires. However, the consumer also has to make WSRP web service requests to the producer. The code making those requests is Java code, and it needs a truststore so that the JSSE client will accept the producer's certificate during the SSL handshake. Only the CA certificate needs to be in it: anything signed by that CA, including a renewed producer certificate, will then be trusted, and nothing else will.
Create a keystore that has the CA cert.
[apestel@localhost SSL]$ keytool -v -import -trustcacerts -keystore consumer.truststore -file ca.crt -alias ca
Enter keystore password: password
Re-enter new password: password
[...]
Trust this certificate? [no]: yes
Certificate was added to keystore
[Storing consumer.truststore]
[apestel@localhost SSL]$
1.4.) Create browser certificates
[apestel@localhost SSL]$ openssl genrsa 1024 > browser.key
Generating RSA private key, 1024 bit long modulus
................................................++++++
....++++++
e is 65537 (0x10001)
[apestel@localhost SSL]$ openssl req -new -key browser.key -out browser.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Texas
Locality Name (eg, city) [Newbury]:Dallas
Organization Name (eg, company) [My Company Ltd]:Red Hat
Organizational Unit Name (eg, section) []:JBoss
Common Name (eg, your name or your server's hostname) []:Aaron Browser for Portal
Email Address []:apestel@redhat.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[apestel@localhost SSL]$ openssl ca -config ca.conf -out browser.crt -infiles browser.csr
Using configuration from ca.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName : PRINTABLE:'US'
stateOrProvinceName : PRINTABLE:'Texas'
localityName : PRINTABLE:'Dallas'
organizationName : PRINTABLE:'Red Hat'
organizationalUnitName: PRINTABLE:'JBoss'
commonName : PRINTABLE:'Aaron Browser for Portal'
emailAddress :IA5STRING:'apestel@redhat.com'
Certificate is to be certified until Jan 22 03:25:32 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[apestel@localhost SSL]$ openssl pkcs12 -export -in browser.crt -inkey browser.key -out browser.p12
Enter Export Password:
Verifying - Enter Export Password:
[apestel@localhost SSL]$
2.) Create and populate LDAP (using OpenLDAP for this example)
A full discussion of LDAP or OpenLDAP is beyond the scope of this document. Probably the most critical issue is determining how a user's certificate maps to a security Principal; essentially, what is the equivalent LDAP uid for a certificate? The JBoss BaseCertLoginModule is responsible for "authenticating" a certificate and creating a Principal (username) from it, and it is pluggable (the certificatePrincipal module option) with regard to how a certificate maps to a Principal name. The most common options are SubjectDNMapping and SubjectCNMapping. SubjectDNMapping is the default: the Principal name is the certificate's full subject DN as Java prints it (EMAILADDRESS=..., CN=..., OU=..., O=..., L=..., ST=..., C=...), so when JBoss looks in LDAP for roles it will look for a uid equal to that whole string. That is why the ldif below uses the full DN as the uid; with SubjectCNMapping the uid would instead be just the CN ("Aaron Browser for Portal").
OpenLDAP has command line tools to add, delete, and search entries. You can create a text file with the entries to create and another with the entries to delete. Below are the example files and sample commands to run them and to search the directory. It is VERY critical that these files do not have extra spaces at the end of lines: LDIF treats trailing whitespace as part of the value, so a DN with a trailing space will never match. Each entry in create.ldif must also be separated from the next by a blank line.
2.1.) create.ldif
dn: ou=People,dc=my-domain,dc=com
ou: People
objectClass: organizationalUnit

dn: ou=Roles,dc=my-domain,dc=com
ou: Roles
objectClass: organizationalUnit

dn: cn=Authenticated,ou=Roles,dc=my-domain,dc=com
objectClass: groupOfNames
cn: Authenticated
member: uid=admin,ou=People,dc=my-domain,dc=com
member: uid=EMAILADDRESS=apestel@redhat.com\, CN=Aaron Browser for Portal\, OU=JBoss\, O=Red Hat\, L=Dallas\, ST=Texas\, C=US,ou=People,dc=my-domain,dc=com

dn: cn=Admin,ou=Roles,dc=my-domain,dc=com
objectClass: groupOfNames
cn: Admin
member: uid=admin,ou=People,dc=my-domain,dc=com
member: uid=EMAILADDRESS=apestel@redhat.com\, CN=Aaron Browser for Portal\, OU=JBoss\, O=Red Hat\, L=Dallas\, ST=Texas\, C=US,ou=People,dc=my-domain,dc=com

dn: cn=User,ou=Roles,dc=my-domain,dc=com
objectClass: groupOfNames
cn: User
member: uid=ldap-user,ou=People,dc=my-domain,dc=com
member: uid=EMAILADDRESS=apestel@redhat.com\, CN=Aaron Browser for Portal\, OU=JBoss\, O=Red Hat\, L=Dallas\, ST=Texas\, C=US,ou=People,dc=my-domain,dc=com

dn: uid=admin,ou=People,dc=my-domain,dc=com
displayName: Directory Superuser
uid: admin
userPassword: admin
title: admin
mail: admin@my-domain.com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: administrator
cn: system administrator

dn: uid=EMAILADDRESS=apestel@redhat.com\, CN=Aaron Browser for Portal\, OU=JBoss\, O=Red Hat\, L=Dallas\, ST=Texas\, C=US,ou=People,dc=my-domain,dc=com
uid: EMAILADDRESS=apestel@redhat.com, CN=Aaron Browser for Portal, OU=JBoss, O=Red Hat, L=Dallas, ST=Texas, C=US
userPassword: ldap-user
title: ldap-user
mail: ldap-user@my-domain.com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
sn: EMAILADDRESS=apestel@redhat.com, CN=Aaron Browser for Portal, OU=JBoss, O=Red Hat, L=Dallas, ST=Texas, C=US
cn: EMAILADDRESS=apestel@redhat.com, CN=Aaron Browser for Portal, OU=JBoss, O=Red Hat, L=Dallas, ST=Texas, C=US
2.2.) delete.ldif
uid=admin,ou=People,dc=my-domain,dc=com
uid=EMAILADDRESS=apestel@redhat.com\, CN=Aaron Browser for Portal\, OU=JBoss\, O=Red Hat\, L=Dallas\, ST=Texas\, C=US,ou=People,dc=my-domain,dc=com
cn=Authenticated,ou=Roles,dc=my-domain,dc=com
cn=Admin,ou=Roles,dc=my-domain,dc=com
cn=User,ou=Roles,dc=my-domain,dc=com
ou=People,dc=my-domain,dc=com
ou=Roles,dc=my-domain,dc=com
2.3.) commands
Note that -w puts the Manager password on the command line, where it shows up in the process list and shell history; use -W to be prompted for it instead.
[root@localhost ~]# ldapdelete -x -c -D "cn=Manager,dc=my-domain,dc=com" -w secret -f delete.ldif
[...]
[root@localhost ~]# ldapadd -x -c -D "cn=Manager,dc=my-domain,dc=com" -w secret -f create.ldif
[...]
[root@localhost ~]# ldapsearch -x -b 'dc=my-domain,dc=com' '(objectclass=*)'
[...]
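The mapping discussed at the top of this section, worked through in code. This is an added example and not part of the original write-up or of JBoss: it derives the principal name that SubjectDNMapping (the default) and SubjectCNMapping would each produce from the subject fields typed into the browser CSR above, builds the People entry with the RDN escaping that create.ldif and delete.ldif need, and checks an LDIF file for the trailing whitespace the text warns about. The LDAP base and role layout are the page's; the function names are mine.

```python
"""Map an X.509 subject to the JBoss principal name and to its LDAP entry.

Added example, not from the original write-up. Standard library only.
"""

# Subject fields of the browser certificate, in the order openssl req asked
# for them (which is the order they are encoded in the certificate).
BROWSER_SUBJECT = [
    ("C", "US"),
    ("ST", "Texas"),
    ("L", "Dallas"),
    ("O", "Red Hat"),
    ("OU", "JBoss"),
    ("CN", "Aaron Browser for Portal"),
    ("emailAddress", "apestel@redhat.com"),
]

PEOPLE_BASE = "ou=People,dc=my-domain,dc=com"

# Java's X500Name prints the e-mail attribute with this keyword rather than
# OpenSSL's short name.
_JAVA_KEYWORDS = {"emailAddress": "EMAILADDRESS"}


def java_subject_dn(subject):
    """Principal name under SubjectDNMapping (the default): what Java returns
    from X509Certificate.getSubjectDN().getName(), most specific RDN first,
    joined with ", "."""
    return ", ".join(f"{_JAVA_KEYWORDS.get(k, k)}={v}" for k, v in reversed(subject))


def subject_cn(subject):
    """Principal name under SubjectCNMapping: the CN value alone."""
    for k, v in subject:
        if k == "CN":
            return v
    raise ValueError("certificate subject has no CN")


_RDN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """RFC 4514 escaping, so a value containing commas stays one RDN value
    instead of being split into several RDNs when it is used inside a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def user_dn(principal, base=PEOPLE_BASE):
    """DN of the People entry for a principal. Only the DN needs escaping;
    this is also the line that belongs in delete.ldif."""
    return f"uid={escape_rdn_value(principal)},{base}"


def user_entry_ldif(principal, base=PEOPLE_BASE):
    """inetOrgPerson entry keyed by the principal, as create.ldif does it.
    Attribute values (uid, cn, sn) take the principal unescaped."""
    lines = [
        f"dn: {user_dn(principal, base)}",
        f"uid: {principal}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        f"cn: {principal}",
        f"sn: {principal}",
    ]
    return "\n".join(lines) + "\n"


def member_line(principal, base=PEOPLE_BASE):
    """The member: line to add under a groupOfNames role entry."""
    return f"member: {user_dn(principal, base)}"


def trailing_space_lines(ldif_text):
    """1-based numbers of lines ending in whitespace. LDIF keeps trailing
    whitespace as part of the value, so such a DN never matches anything."""
    return [n for n, line in enumerate(ldif_text.splitlines(), 1)
            if line != line.rstrip()]


if __name__ == "__main__":
    principal = java_subject_dn(BROWSER_SUBJECT)
    print(user_entry_ldif(principal))
    print(member_line(principal))
    print("CN-only principal would be:", subject_cn(BROWSER_SUBJECT))
    # Constructed bad input: one trailing space after the DN.
    bad = "dn: uid=admin,ou=People,dc=my-domain,dc=com \nuid: admin\n"
    print("lines with trailing whitespace:", trailing_space_lines(bad))
```

Running it prints the same dn:/uid: pair that create.ldif uses for the browser user, which is the quickest way to confirm that the principal your login module produces and the uid in LDAP are the same string before you start debugging role lookups.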
3.) Create the inital consumer and producer profiles for the two portal instances
3.1) For this document, we're simply going to copy the default profile twice - once as "consumer" and once as "producer".
[apestel@localhost server]$ cd $EPP_HOME/jboss-as/server
[apestel@localhost server]$ cp -R default consumer
[apestel@localhost server]$ cp -R default producer
3.2.) Copy the newer SOAP related libraries to handle changes to the SOAP API in Java 1.6 (must be done on both consumer and producer). Without this, you will get errors about "setProperty()" not being implemented.
cp $EPP_HOME/jboss-as/client/jboss-jax* $EPP_HOME/jboss-as/lib/endorsed
cp $EPP_HOME/jboss-as/client/jboss-saaj.jar $EPP_HOME/jboss-as/lib/endorsed
cp $EPP_HOME/jboss-as/client/jaxb-api.jar $EPP_HOME/jboss-as/lib/endorsed
4.) Configure SSL and login modules on the producer
4.1.) $EPP_HOME/jboss-as/server/producer/conf/jboss-service.xml
Here we need to add a new security domain
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
name="jboss.security:service=SecurityDomain">
<constructor>
<arg type="java.lang.String" value="cert-domain"></arg>
</constructor>
<!--We won't use these since we're already checking the cert via SSL
<attribute name="KeyStoreURL">/home/apestel/SSL/myKey.keystore</attribute>
<attribute name="KeyStorePass">password</attribute>
-->
<depends>jboss.security:service=JaasSecurityManager</depends>
</mbean>
4.2.) $EPP_HOME/jboss-as/server/producer/deploy/jboss-portal.sar/conf/login-config.xml
In this file, we set the portal login policy. Basically, we authenticate with the BaseCertLoginModule and then fall through to the next module to get roles from LDAP. Note that AnyCertVerifier does exactly what its name says: it accepts any certificate handed to the login module without checking it against a truststore. That is acceptable here only because the Tomcat Native connector has already validated the client certificate chain against ca.crt; do not use this verifier behind a connector that does not require and verify client certificates.
<application-policy name="portal">
<authentication>
<login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="optional">
<module-option name="password-stacking">useFirstPass</module-option>
<module-option name="securityDomain">java:/jaas/cert-domain</module-option>
<module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
</login-module>
<login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="required">
<module-option name="password-stacking">useFirstPass</module-option>
<module-option name="unauthenticatedIdentity">guest</module-option>
<module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
<module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
<module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
<module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
<module-option name="validateUserNameCase">true</module-option>
<module-option name="additionalRole">Authenticated</module-option>
</login-module>
</authentication>
</application-policy>
4.3.) Move $EPP_HOME/jboss-as/server/producer/deploy/jboss-portal.sar/conf/identity/ldap_identity-config.xml to $EPP_HOME/jboss-as/server/producer/deploy/jboss-portal.sar/conf/identity/identity-config.xml
There are a few things we need to edit in this file to make sure it points at our LDAP server. Note how userCtxDN and roleCtxDN line up with the People and Roles OUs in our ldif file.
...
<datasource>
<name>LDAP</name>
<config>
<option>
<name>host</name>
<value>localhost</value>
</option>
<option>
<name>port</name>
<value>389</value>
</option>
<option>
<name>adminDN</name>
<value>cn=Manager,dc=my-domain,dc=com</value>
</option>
<option>
<name>adminPassword</name>
<value>secret</value>
</option>
...
<option-group>
<group-name>common</group-name>
<option>
<name>userCtxDN</name>
<value>ou=People,dc=my-domain,dc=com</value>
</option>
...
<option>
<name>roleCtxDN</name>
<value>ou=Roles,dc=my-domain,dc=com</value>
</option>
...
4.4.) $EPP_HOME/jboss-as/server/producer/deploy/jboss-web.deployer/server.xml
In this file, we configure the web container to use SSL. You should probably also comment out the 8080 non-SSL connector, so that WSRP traffic cannot arrive in the clear. Note that this producer connector does not set SSLVerifyClient, so the producer does not authenticate the consumer at the TLS layer: anything that can reach port 8443 can send WSRP requests, and it is the producer-side WS-Security handler (section 6) that decides whether an asserted identity is accepted. If you want the TLS layer to restrict callers to the consumer, add SSLVerifyClient="require" here as well, which also means configuring the consumer's WS client with a keystore holding the consumer certificate and key.
<Connector port="8443" address="${jboss.bind.address}"
protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
SSLCertificateFile="/home/apestel/SSL/producer.crt"
SSLCertificateKeyFile="/home/apestel/SSL/producer.key"
SSLPassword=""
SSLCACertificateFile="/home/apestel/SSL/ca.crt"
/>
4.5.) $EPP_HOME/jboss-as/server/producer/deploy/jboss-portal.sar/portal-wsrp.sar/portal-wsrp.war/WEB-INF/jboss-web.xml
This is a new file we need to create. Here we need to tell the portal-wsrp.war (producer web app) that it is going to use the "portal" security domain for authentication. This will be the domain that the WS-Security credentials will be authenticated against.
<?xml version="1.0"?>
<jboss-web>
<security-domain>java:jaas/portal</security-domain>
<resource-ref>
<res-ref-name>jdbc/PortalDS</res-ref-name>
<jndi-name>java:PortalDS</jndi-name>
</resource-ref>
</jboss-web>
4.6.) $EPP_HOME/jboss-as/server/producer/deploy/jboss-portal.sar/portal-wsrp.sar/portal-wsrp.war/WEB-INF/web.xml
Here we need to add the following to the bottom of web.xml so that the portal-wsrp web app uses the realm of the "portal" security domain declared in jboss-web.xml above, and declares its dependency on the PortalDS.
<login-config>
<realm-name>JBoss Portal</realm-name>
</login-config>
<resource-ref>
<res-ref-name>jdbc/PortalDS</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
<res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>
5.) Configure SSL and login modules on the consumer
5.1.) $EPP_HOME/jboss-as/server/consumer/conf/jboss-service.xml
Here we need to add a new security domain, like we did for the producer.
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
name="jboss.security:service=SecurityDomain">
<constructor>
<arg type="java.lang.String" value="cert-domain"></arg>
</constructor>
<!--We won't use these since we're already checking the cert via SSL
<attribute name="KeyStoreURL">/home/apestel/SSL/myKey.keystore</attribute>
<attribute name="KeyStorePass">password</attribute>
-->
<depends>jboss.security:service=JaasSecurityManager</depends>
</mbean>
5.2.) $EPP_HOME/jboss-as/server/consumer/deploy/jboss-portal.sar/conf/login-config.xml
In this file, we set the portal login policy like we did for the producer. Basically, we authenticate with the BaseCertLoginModule and then fall through to the next module to get roles from LDAP. The same caveat applies: AnyCertVerifier performs no trust check of its own, so it relies on the connector below requiring and verifying the browser certificate against ca.crt.
<application-policy name="portal">
<authentication>
<login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="optional">
<module-option name="password-stacking">useFirstPass</module-option>
<module-option name="securityDomain">java:/jaas/cert-domain</module-option>
<module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
</login-module>
<login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="required">
<module-option name="password-stacking">useFirstPass</module-option>
<module-option name="unauthenticatedIdentity">guest</module-option>
<module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
<module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
<module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
<module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
<module-option name="validateUserNameCase">true</module-option>
<module-option name="additionalRole">Authenticated</module-option>
</login-module>
</authentication>
</application-policy>
5.3.) Move $EPP_HOME/jboss-as/server/consumer/deploy/jboss-portal.sar/conf/identity/ldap_identity-config.xml to $EPP_HOME/jboss-as/server/consumer/deploy/jboss-portal.sar/conf/identity/identity-config.xml
There are a few things we need to edit in this file to make sure it points at our LDAP server. Note: the consumer would not have to point at the same LDAP as the producer. The producer could have a different mapping of users to roles, which is exactly why it authorizes the propagated identity itself rather than trusting roles from the consumer.
...
<datasource>
<name>LDAP</name>
<config>
<option>
<name>host</name>
<value>localhost</value>
</option>
<option>
<name>port</name>
<value>389</value>
</option>
<option>
<name>adminDN</name>
<value>cn=Manager,dc=my-domain,dc=com</value>
</option>
<option>
<name>adminPassword</name>
<value>secret</value>
</option>
...
<option-group>
<group-name>common</group-name>
<option>
<name>userCtxDN</name>
<value>ou=People,dc=my-domain,dc=com</value>
</option>
...
<option>
<name>roleCtxDN</name>
<value>ou=Roles,dc=my-domain,dc=com</value>
</option>
...
5.4.) $EPP_HOME/jboss-as/server/consumer/deploy/jboss-web.deployer/server.xml
In this file, we configure the web container to use SSL. You should probably also comment out the 8080 non-SSL connector. Also note that since this is the consumer, we are requiring client certificates (SSLVerifyClient="require"), and they must chain to the CA in SSLCACertificateFile; this is the check the AnyCertVerifier in login-config.xml depends on.
<Connector port="8443" address="${jboss.bind.address}"
protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
SSLCertificateFile="/home/apestel/SSL/consumer.crt"
SSLCertificateKeyFile="/home/apestel/SSL/consumer.key"
SSLPassword="" SSLVerifyClient="require"
SSLCACertificateFile="/home/apestel/SSL/ca.crt"
/>
5.5.) $EPP_HOME/jboss-as/server/consumer/deploy/jboss-portal.sar/portal-server.war/WEB-INF/web.xml
Here we simply need to change the login config to authenticate via CLIENT-CERT instead of FORM or BASIC. Make sure the other login-config entries are removed or commented out; a web.xml may only contain one.
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>JBoss Portal</realm-name>
</login-config>
6.) Add WS-Security capabilities
Adding WS-Security between the consumer and the producer is relatively straight forward. Essentially, we are:
- Adding a JAX-RPC handler on the consumer to create the WS-Security header
- Adding a JAX-RPC handler on the producer to extract the WS-Security header and authenticate based on the passed credentials
- Adding a patch so that WSRP portlet security will use the authentication done through WS-Security
6.1.) Consumer JAX-RPC handler
- Copy attached portal-wsrp-handler-lib.jar to $EPP_HOME/jboss-as/server/consumer/deploy/jboss-portal.sar/portal-wsrp.sar/portal-wsrp-handler-lib.jar
- Register the handler by adding the following to the following file (note that this will require extracting the config file from the JAR, editing it, and updating the JAR): $EPP_HOME/jboss-as/server/consumer/deploy/jboss-portal.sar/portal-wsrp.sar/portal-wsrp-client.jar/META-INF/application-client.xml
<service-ref>
<service-ref-name>service/MarkupService</service-ref-name>
[existing tags]
[existing handlers]
<handler>
<handler-name>WSSecurityHandler</handler-name>
<handler-class>com.jboss.sample.ConsumerWsSecurityHandler</handler-class>
</handler>
</service-ref>
6.2.) Producer JAX-RPC handler
- Copy attached portal-wsrp-handler-lib.jar to $EPP_HOME/jboss-as/server/producer/deploy/jboss-portal.sar/portal-wsrp.sar/portal-wsrp-handler-lib.jar
- Register the handler by adding the following to the following file: $EPP_HOME/jboss-as/server/producer/deploy/jboss-portal.sar/portal-wsrp.sar/portal-wsrp.war/WEB-INF/webservices.xml
<port-component>
<port-component-name>WSRPBaseService</port-component-name>
[other tags]
[other handlers]
<handler>
<handler-name>ProducerWsrpSecurityHandler</handler-name>
<handler-class>com.jboss.sample.ProducerWsSecurityHandler</handler-class>
</handler>
</port-component>
6.3.) WSRP patch
Update $EPP_HOME/jboss-as/server/producer/deploy/jboss-portal.sar/portal-wsrp.sar/portal-wsrp-lib.jar with the contents of the attached portal-wsrp-lib-patch.jar. Don't forget to save off a copy of the original portal-wsrp-lib.jar.
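The exchange the two handlers implement, shown as an added example in Python rather than as the JAX-RPC code in the attached jars, which this page does not include. It assumes the consumer asserts the certificate-authenticated user with a wsse:UsernameToken carrying the user name, a Nonce and a Created timestamp (no password, since the user never gave the consumer one), and that the producer handler checks the header for presence, freshness and nonce reuse before handing the user name to the login modules configured above. The WSRP body, the fixed clock and the nonce are constructed sample data.

```python
"""Consumer-side creation and producer-side check of a WS-Security header.

Added example; not the code from the attached handler jars. Stdlib only.
"""
import base64
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
for _prefix, _uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)

# The principal SubjectDNMapping derives from the browser certificate above.
PRINCIPAL = ("EMAILADDRESS=apestel@redhat.com, CN=Aaron Browser for Portal, "
             "OU=JBoss, O=Red Hat, L=Dallas, ST=Texas, C=US")
# Constructed sample: a bare WSRP getMarkup request before the header is added.
SAMPLE_REQUEST = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Body>'
    '<getMarkup xmlns="urn:oasis:names:tc:wsrp:v1:types"/>'
    '</soapenv:Body></soapenv:Envelope>'
)
FIXED_NOW = datetime(2010, 1, 22, 3, 25, 32, tzinfo=timezone.utc)  # constructed clock
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


class SecurityHeaderError(Exception):
    """Raised by the producer side when the request must be rejected."""


def add_security_header(envelope_xml, username, now=None, nonce=None):
    """Consumer handler: add wsse:Security with a UsernameToken. Nonce and
    Created let the producer reject replays of a captured request."""
    now = now or datetime.now(timezone.utc)
    nonce = nonce or os.urandom(16)
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:  # SOAP requires Header to precede Body
        header = ET.Element(f"{{{SOAP}}}Header")
        root.insert(0, header)
    sec = ET.SubElement(header, f"{{{WSSE}}}Security",
                        {f"{{{SOAP}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = now.strftime(TIME_FMT)
    return ET.tostring(root, encoding="unicode")


def extract_username(envelope_xml, seen_nonces, now=None, max_skew=timedelta(minutes=5)):
    """Producer handler: return the asserted user name or raise. Requires a
    complete token, Created within max_skew of now, and an unseen nonce
    (seen_nonces is the caller's replay store)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(envelope_xml)
    tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if tok is None:
        raise SecurityHeaderError("no wsse:Security/UsernameToken header")
    user = tok.findtext(f"{{{WSSE}}}Username")
    nonce = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if not (user and nonce and created):
        raise SecurityHeaderError("UsernameToken lacks Username, Nonce or Created")
    created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
    if abs(now - created_at) > max_skew:
        raise SecurityHeaderError("Created is outside the accepted window")
    if nonce in seen_nonces:
        raise SecurityHeaderError("nonce already seen: replay")
    seen_nonces.add(nonce)
    return user


def demo():
    """One accepted call plus the three rejections a producer handler must make."""
    seen = set()
    msg = add_security_header(SAMPLE_REQUEST, PRINCIPAL, now=FIXED_NOW, nonce=b"\x01" * 16)
    out = {"user": extract_username(msg, seen, now=FIXED_NOW)}
    checks = {
        "replay": (msg, seen, FIXED_NOW),
        "stale": (msg, set(), FIXED_NOW + timedelta(hours=1)),
        "missing": (SAMPLE_REQUEST, set(), FIXED_NOW),
    }
    for name, (xml, store, when) in checks.items():
        try:
            extract_username(xml, store, now=when)
            out[name] = "accepted"
        except SecurityHeaderError as err:
            out[name] = str(err)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The token is an unsigned assertion: the checks above only tell the producer that the header is well formed and fresh, not who sent it. What makes the asserted identity trustworthy is that only the consumer can reach the producer with it, which in this setup rests on the TLS connection; as noted in 4.4, the producer connector shown does not require a client certificate, so either add that, restrict the network path, or sign the header with the consumer's key before relying on it.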
7.) Deploy remoteable portlet on producer
Copy attached MyRemotePortlet.war to $EPP_HOME/jboss-as/server/producer/deploy
8.) Start servers
8.1.) Producer
[apestel@localhost bin]$ cd $EPP_HOME/jboss-as/bin
[apestel@localhost bin]$ ./run.sh -c producer -g producerPartition
8.2.) Consumer
- Add the following single line to the bottom of $EPP_HOME/jboss-as/bin/run.conf so that the consumer's JSSE client trusts the CA from step 1.3 (the truststore holds only a public CA certificate, so the password in JAVA_OPTS protects its integrity, not a secret):
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/home/apestel/SSL/consumer.truststore -Djavax.net.ssl.trustStorePassword=password"
- Modify the following to use a different port group (ports-01) for this consumer (only necessary if on the same host as the producer); ports-01 shifts every port by 100, which is why the consumer is reached on 8543 below. The mbean should already exist in $EPP_HOME/jboss-as/server/consumer/conf/jboss-service.xml; it is just commented out by default and needs to be uncommented.
<mbean code="org.jboss.services.binding.ServiceBindingManager"
name="jboss.system:service=ServiceBindingManager">
<attribute name="ServerName">ports-01</attribute>
<attribute name="StoreURL">${jboss.home.url}/docs/examples/binding-manager/sample-bindings.xml</attribute>
<attribute name="StoreFactoryClassName">
org.jboss.services.binding.XMLServicesStoreFactory
</attribute>
</mbean>
- Start the consumer
[apestel@localhost bin]$ cd $EPP_HOME/jboss-as/bin
[apestel@localhost bin]$ ./run.sh -c consumer -g consumerPartition
9.) Configure consumer to use producer's WSRP portlet
9.1.) Add browser cert to your browser
9.2.) Go to https://localhost:8543/portal/authsec/
9.3.) Click the Admin link
9.4.) Click the "WSRP" tab and then "Consumer's Configuration" tab
9.5.) Create a consumer name "MyConsumer"
9.6.) Unselect "Use WSDL"
9.7.) Enter the producer's endpoint URLs; the two used in this example are:
https://localhost:8443/portal-wsrp/ServiceDescriptionService
https://localhost:8443/portal-wsrp/MarkupService
9.8.) Click "Refresh and Save"
9.9.) Create a portlet instance for the remote portlet definition
- Click "Admin | Portlet Definitions" tab
- Select your consumer from the drop down and click the "View Portlets" button
- Click the "Create Instance" next to "MyRemotePortlet"
- Give it a name and click the "Create Instance" button
9.10.) Add the remote portlet instance to the default portal page
- Click the "Admin | Portal Objects" tab
- Click the "default" portal and then the "default" page
- Click the "Page Layout" button
- Click the "MyRemotePortlet" instance and click the "Add" button to add it to a region on the page
9.11.) Access the default portal page (https://localhost:8543/portal/authsec) and notice that the remote portlet is present and displays the user ID of the user's browser certificate and whether or not that user is in various roles.
Congratulations! You have configured a portal consumer and a portal producer such that the identity of the end user is securely passed to the portal producer. Further, the producer also has the capability to authenticate and authorize the end user independently of the portal consumer if desired.