Version 2

    This shows how to configure non-clustered SSO for JBoss AS 7.1.1 using the Tomcat valve (org.apache.catalina.authenticator.SingleSignOn). It is an addendum to the article https://community.jboss.org/wiki/JBossWebSingleSignOn

    SSO lets a user reach the secured resources of all web applications on the same virtual host after logging in only once.

    Subsystem Configuration

    Set up SSO by adding an sso element to the JBoss Web subsystem in the standalone configuration (standalone.xml).

    <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
        <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
        <virtual-server name="default-host" enable-welcome-root="true">
            <alias name="localhost"/>
            <alias name="example.com"/>
            <sso domain="localhost" reauthenticate="false"/>
        </virtual-server>
    </subsystem>

    The reauthenticate attribute is described at https://access.redhat.com/knowledge/docs/en-US/JBoss_Enterprise_Web_Platform/5/html/Administration_And_Configuration_Guide/clustering-http-sso.html (written for an older JBoss version, but the description still applies):

    A flag to determine whether each request needs to be reauthenticated to the securityRealm. If true, this valve uses cached security credentials (username and password) to reauthenticate to the JBoss Web security Realm each request associated with an SSO session. If false, the valve can itself authenticate requests based on the presence of a valid SSO cookie, without rechecking with the Realm. Setting to true can allow web applications with different security-domain configurations to share an SSO. Default is false.

    and the domain attribute as:

    Sets the host domain to be used for SSO cookies.


    As noted above the SSO valve supports a cookieDomain configuration attribute. This attribute allows configuration of the SSO cookie's domain (that is, the set of hosts to which the browser will present the cookie). By default the domain is "/", meaning the browser will only present the cookie to the host that issued it. The cookieDomain attribute allows the cookie to be scoped to a wider domain.

    For example, suppose we have two apps, with URLs http://app1.xyz.com and http://app2.xyz.com, that wish to share an SSO context. These applications could be running on different servers in a cluster, or the virtual host with which they are associated could have multiple aliases. This can be supported with the following configuration:

    <Valve className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn" cookieDomain="xyz.com" />

    From the explanation above, if you set reauthenticate to true, all your web applications must share the same security realm or accept the same security credentials. The credentials you used to log in are replayed to log in to the next web application you access. In theory, if you have an LDAP login module for web app A and a database login module for web app B, SSO would work only if the same credentials reside in both places.

    If you set reauthenticate to false, you need to provide the cookie domain or go with the default "/".

    Web Application Valve Configuration

    Aside from configuring standalone.xml, you also have to configure the valve in each web application that should participate in the SSO. Every request goes through this valve, and it acts according to what you specified in the reauthenticate flag.

    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-web>
        <security-domain>sso</security-domain>
        <valve>
            <class-name>org.apache.catalina.authenticator.SingleSignOn</class-name>
        </valve>
    </jboss-web>

    Examples

    Attached are two WARs you can deploy, plus the standalone.xml. The web apps are derived from the PicketLink quickstarts, so you may see some references to PicketLink in them.

    1. Copy the standalone.xml to your JBoss standalone configuration directory.
    2. Deploy the two WARs.
    3. Open http://127.0.0.1:8080/sso1 (login page).
    4. In another tab, open http://127.0.0.1:8080/sso2 (login page).
    5. Log in to sso1 with user tomcat, password tomcat (you should see the welcome page if the login succeeds).
    6. Refresh the sso2 tab from step 4; you should NOT see the login page but the welcome page instead.

    To try the reauthentication:

    1. Close the browser.
    2. Remove both attributes from the sso element. It is important to remove the attributes; setting reauthenticate to true does not work. Your sso line should read <sso/>.
    3. Restart JBoss.
    4. Open http://127.0.0.1:8080/sso1 (login page).
    5. In another tab, open http://127.0.0.1:8080/sso2 (login page).
    6. Log in to sso1 with user tomcat, password tomcat (you should see the welcome page if the login succeeds).
    7. Refresh the sso2 tab; you should NOT see the login page but the welcome page instead.

    Things to check

    • Make sure the same roles exist across your applications; otherwise authorization will fail even though authentication was shared.
    • Check for other valves configured in your application that might interfere with the SSO valve.
    • If you get a blank page, the cookie domain probably does not match the host you are using, e.g. you are accessing the site as localhost while the sso domain is set to example.com.
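As an added example (not code from this wiki page or from the JBoss project), the following Python lint parses the subsystem and jboss-web.xml fragments shown above and reports the cookie-domain mismatch, the reauthenticate=true credential requirement and a missing SingleSignOn valve from this checklist; the sample XML strings, the request host list and the finding texts are constructed assumptions.

```python
# Added example, not from the wiki page or the JBoss project: a pre-deployment
# lint of the standalone.xml web subsystem and jboss-web.xml fragments that
# flags the "blank page" cookie-domain mismatch, reauthenticate=true and a missing valve.
import xml.etree.ElementTree as ET

WEB_NS = "{urn:jboss:domain:web:1.1}"
SSO_VALVE = "org.apache.catalina.authenticator.SingleSignOn"

# Constructed sample: the page's subsystem fragment, but with the sso domain set
# to example.com while the tester browses to localhost (the mismatch case).
STANDALONE_WEB = """<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
  <virtual-server name="default-host" enable-welcome-root="true">
    <alias name="localhost"/>
    <alias name="example.com"/>
    <sso domain="example.com" reauthenticate="false"/>
  </virtual-server>
</subsystem>"""

# Constructed sample: the page's jboss-web.xml with the SingleSignOn valve.
JBOSS_WEB = """<jboss-web>
  <security-domain>sso</security-domain>
  <valve><class-name>org.apache.catalina.authenticator.SingleSignOn</class-name></valve>
</jboss-web>"""


def cookie_domain_matches(cookie_domain, host):
    """RFC 6265 domain matching: the host is the cookie domain or a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def lint_sso(standalone_xml, jboss_web_xml, request_hosts):
    """Return a list of findings; an empty list means the SSO setup is consistent."""
    findings = []
    sso = ET.fromstring(standalone_xml).find(f"{WEB_NS}virtual-server/{WEB_NS}sso")
    if sso is None:
        return ["no <sso> element in the virtual-server: SSO is not enabled"]
    domain = sso.get("domain")
    for host in request_hosts:
        # A cookie scoped to example.com is never presented by a browser at localhost.
        if domain and not cookie_domain_matches(domain, host):
            findings.append(f"host {host} will not send the SSO cookie scoped to {domain}")
    if sso.get("reauthenticate", "false").lower() == "true":
        findings.append("reauthenticate=true: every app's realm must accept the same credentials")
    valves = [v.findtext("class-name") for v in ET.fromstring(jboss_web_xml).findall("valve")]
    if SSO_VALVE not in valves:
        findings.append("jboss-web.xml lacks the SingleSignOn valve, so this app will not join the SSO")
    for extra in (v for v in valves if v != SSO_VALVE):
        findings.append(f"other valve {extra} present, check it does not interfere with SSO")
    return findings
```

Run lint_sso against your real standalone.xml web subsystem and each WAR's jboss-web.xml, passing the host names users actually type into the browser.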