-
1. Re: Clustered SSO with SPNEGO/KERBEROS
j_ri Jan 25, 2007 12:00 PM (in response to j_ri)hello again,
after trying to manipulate some kerberos settings, I decided to try to force my JBoss server to propagate my serializable Principal around the cluster.
Unfortunately I didn't find a possibility for doing that.
Has anybody an idea how to force JBoss AS to propagate the Principal and not only username and credentials?
thanks
jochen -
2. Re: Clustered SSO with SPNEGO/KERBEROS
twittemb Jan 29, 2007 8:06 AM (in response to j_ri)Hello,
Why don't u store the principal in a distributed tables over the cluster ? The clustered SSO valve must work like this in order to make a call like that on each HttpRequest : request.setUserPrincipal (myPrincipal).
You can create a clustered table with JGroups, can't you ?
Hope this helps.
Best regards.
Thibault. -
3. Re: Clustered SSO with SPNEGO/KERBEROS
twittemb Jan 29, 2007 8:07 AM (in response to j_ri)"twittemb" wrote:
Hello,
Why don't u store the principal in a distributed tables over the cluster ? The clustered SSO valve must work like this in order to make a call like that on each HttpRequest : request.setUserPrincipal (myPrincipal).
You can create a clustered table with JGroups, can't you ?
Hope this helps.
Best regards.
Thibault. -
4. Re: Clustered SSO with SPNEGO/KERBEROS
j_ri Jan 30, 2007 2:06 AM (in response to j_ri)Hello Thibault,
thanks for your answer.
Unfortunately your idea doesn't help me, because the problem is not the web-layer, but the ejb layer.
My web-application makes a call to a stateless session bean (on node1 of the cluster) and 15 minutes later it makes another call to the bean (but this time the call goes to node2 in the cluster).
The web-appliaction is clever enough to recognize that's the same user-session and still has the principal. But the call to the second ejb gets intercepted by JBoss and the username and credentials (which got distributed in the cluster) are validated again...but unfortunately the credentials are too old now (a standard kerberos service ticket has to be validated within 5 minutes after it has been requested).
The Solution would be that the "jboss.security:service=JaasSecurityManager" MBean, configured in the jboss-service.xml in the conf-dir of a JBoss Server doesn't replay username and credential from the cache, but just keeps the information that the current user is already authenticated.
best regards
Jochen