2 Replies Latest reply on Jan 15, 2008 12:10 AM by anil.saldhana

    SSO with Multiple Roles

    cvelo

      Hello - I am using JBoss 422 with embedded tomcat. I've written my own custom login module which extends org.jboss.security.auth.spi.AbstractServerLoginModule. The module validates the user name and password from 1 system, then retrieves domain groups from an ldap system and maps those groups to application specific roles in the web apps I am working on (so for example I am a member of 'WebAdmins' group in LDAP domain which maps to 'ADMINS' role in 1 web app and 'SuperUser' role in a 2nd app).

      I have configured /deploy/custom-login-config.service.xml and /conf/custom-login-config.xml. The custom-login-config.xml contains 2 applications policies, say P1 and P2. I've setup 1 web app in 1 ear and another web app in 2nd ear and setup the /META-INF/jboss-app with the security domain in app 1 going to P1 and the security-domain in app 2 going to P2. This is all working fine. I can login to both and get the correct roles setup.

      The issue is that I have to login to each specific ear file on the server. When I do that all is well, my login module authenticates me, gets the ldap groups I am a member of and maps those to application roles. Obviously though I do not want our users logging into each ear file. To work around that I enabled

      <Valve className="org.apache.catalina.authenticator.SingleSignOn" />

      in /deploy/jboss-web.deployer/server.xml file. When I do that I do not have to login again but my login module does not run, so I cannot map the domain groups to the application roles.

      Is there any setup that will allow me to both login to a server once and map domain groups to application roles on an ear by ear basis? I've tried using multiple application-policy elements in the login-config and using only 1. I've tried that with and without the SingleSignOn valve and am stumped.

      We should be moving to a 2 server clustered jboss setup also, so if there is a setup that would allow users to hit any web app on any server and be authenticated to all web apps on all servers that would be the best.

      Thanks in advance,

      chris
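      As an added illustration of the per-ear mapping described above (this is not the poster's module), here is a JBoss 4.2-style login module that loads its LDAP-group-to-role map from the module options of the application-policy it is configured under, so P1 and P2 can map the same LDAP group to different roles. The class name, the `roleMap.<group>=<role>` option naming and the two back-end hooks are assumptions; the JBoss/JAAS API calls are the standard ones for AbstractServerLoginModule.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

public class AppScopedRoleLoginModule extends AbstractServerLoginModule {
    // Module options of the form roleMap.<ldapGroup>=<appRole> (option naming is assumed),
    // e.g. roleMap.WebAdmins=ADMINS under policy P1 and roleMap.WebAdmins=SuperUser under P2.
    private static final String MAP_PREFIX = "roleMap.";
    private final Map<String, String> groupToRole = new HashMap<String, String>();
    private Principal identity;
    private String[] ldapGroups = new String[0];
    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        super.initialize(subject, handler, sharedState, options);
        for (Object key : options.keySet()) {
            String name = String.valueOf(key);
            if (name.startsWith(MAP_PREFIX))
                groupToRole.put(name.substring(MAP_PREFIX.length()), String.valueOf(options.get(key)));
        }
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try { callbackHandler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("Callback failed: " + e.getMessage()); }
        String user = nc.getName();
        if (!verifyPassword(user, pc.getPassword())) throw new FailedLoginException("Invalid credentials");
        identity = new SimplePrincipal(user);
        ldapGroups = lookupLdapGroups(user);   // group lookup only after the password check succeeded
        loginOk = true;
        return true;
    }
    protected Principal getIdentity() { return identity; }
    // JBoss reads the caller's roles from the group named "Roles"; an LDAP group with no
    // entry in this policy's map grants nothing in this application (deny by default).
    protected Group[] getRoleSets() {
        SimpleGroup roles = new SimpleGroup("Roles");
        for (String g : ldapGroups)
            if (groupToRole.containsKey(g)) roles.addMember(new SimplePrincipal(groupToRole.get(g)));
        return new Group[] { roles };
    }
    // Hypothetical hooks for the two back-ends the post describes; bodies are site specific.
    private boolean verifyPassword(String user, char[] password) { return false; }
    private String[] lookupLdapGroups(String user) { return new String[0]; }
}
```

      Each ear's jboss-web security-domain selects the policy whose roleMap options apply, which is why the mapping holds ear by ear only while this module actually runs for that ear.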

        • 1. Re: SSO with Multiple Roles
          cvelo

          After reading this

          "Once authenticated, the roles associated with this user will be utilized for access control decisions across all of the associated web applications, without challenging the user to authenticate themselves to each application individually."

          on this page http://wiki.jboss.org/wiki/Wiki.jsp?page=SingleSignOn I've come to the conclusion that the single sign-on valve is not the way to go.

          Let me rephrase the question simply: using Form based auth, how do I have users login to a server once, but give them different roles in different ears (without having them login again)?

          • 2. Re: SSO with Multiple Roles
            anil.saldhana

            This is not possible as tomcat caches the roles within the principal (instance of GenericPrincipal).

            You have two requirements: you need SSO as well as roles refresh. These cannot be mixed with the current standard valves.