1 Reply Latest reply on Jan 30, 2008 7:13 PM by bkraz

    Single sign-on (SSO) access is not limited to security domai

    bkraz

      Hi, I have been trying to fix a problem with single sign-on (SSO) security in JBoss 4.0.4 GA. The issue is that I cannot restrict some applications from taking part in the SSO domain. No matter what settings I use, once a user successfully authenticates in an SSO application, he has access to ALL JBoss apps, even if they are listed in a different security domain. Here are the details:

      Single sign-on is activated with the following in deploy/jbossweb-tomcat55.sar/server.xml:


      All liferay components are in this security domain:
      <jboss-web>
        <security-domain>java:/jaas/PortalRealm</security-domain>
        ...
      </jboss-web>

      I have a few applications (xforms) that I want to participate in the SSO domain. These work perfectly.


      I have another application (/axis) in a different security domain, which is still accessible to SSO users.

      <jboss-web>
        <security-domain>java:/jaas/axis</security-domain>
      </jboss-web>



      In conf/login-config.xml:

      <application-policy name="axis">
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                      flag="required">
          <module-option name="usersProperties">props/axis-users.properties</module-option>
          <module-option name="rolesProperties">props/axis-roles.properties</module-option>
        </login-module>
      </application-policy>


      and

      <application-policy name="PortalRealm">
        <login-module code="com.liferay.portal.security.jaas.PortalLoginModule"
                      flag="required">
          <module-option name="userClassNames">com.liferay.portal.security.jaas.PortalPrincipal</module-option>
          <module-option name="roleClassNames">com.liferay.portal.security.jaas.PortalRole</module-option>
        </login-module>
      </application-policy>

      The above block is not necessary to make Liferay security work. I added it myself, but it did not change any noticeable behavior.


      I intend to make /axis only available to those with a specific username and password, however JBoss currently allows all Liferay users to have access to axis despite it being in a different security domain. I have had problems with the java:/blah/blah naming convention, and I have seen a few posts indicating this might be an issue. Does anyone have a suggestion for how I might limit SSO access to certain apps? Thanks! -Ben


        • 1. Re: Single sign-on (SSO) access is not limited to security d
          bkraz

          I have partially fixed my problem.

          In /axis web.xml, I changed the only role of "users" to "axisusers". This now prevents Liferay users (in SSO) from accessing /axis. I am not sure why putting axis in a different security domain doesn't work, but this solution of setting up a separate role for axis users will probably float my boat. I'd still appreciate anyone's help regarding security domains in general, though. Thanks -Ben

          <security-constraint>
            <web-resource-collection>
              <web-resource-name>Secured</web-resource-name>
              <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
              <role-name>axisusers</role-name>
            </auth-constraint>
            <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
          </security-constraint>
          <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>axisrealm</realm-name>
          </login-config>
          <security-role>
            <role-name>axisusers</role-name>
          </security-role>
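An added model (not code from this thread or from JBoss) of the behaviour both posts describe: the host-level SSO valve hands one cached principal, roles included, to every web application, and the web.xml authorization check only compares role names, so a different security domain by itself denies nothing while a role name the SSO user lacks does. The names PortalRealm, axis, users and axisusers come from the posts; the valve and the check are a deliberate simplification.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str          # security domain that authenticated this user
    roles: frozenset     # role names carried by the cached principal


@dataclass(frozen=True)
class WebApp:
    path: str
    security_domain: str       # <security-domain> from jboss-web.xml
    required_roles: frozenset  # <role-name>s in the /* <auth-constraint>


class SingleSignOnValve:
    """Simplified SSO valve: one SSO cookie maps to one cached principal that
    is handed to every web application on the host (an assumption for this
    model, not a description of the real valve's internals)."""
    def __init__(self):
        self._cache = {}

    def register(self, sso_cookie, principal):
        self._cache[sso_cookie] = principal

    def lookup(self, sso_cookie):
        return self._cache.get(sso_cookie)


def authorize(app, principal):
    # web.xml-style check: access is granted when the principal holds any role
    # named in the auth-constraint. The app's security domain is never compared
    # with the principal's domain, so domain separation alone is not a barrier.
    if principal is None:
        return False
    return bool(app.required_roles & principal.roles)


def request(valve, app, sso_cookie):
    return authorize(app, valve.lookup(sso_cookie))


def demo():
    valve = SingleSignOnValve()
    # constructed sample users: a Liferay user and a dedicated axis user
    valve.register("sso-1", Principal("ben", "PortalRealm", frozenset({"users"})))
    valve.register("sso-2", Principal("svc", "axis", frozenset({"axisusers"})))
    portal = WebApp("/portal", "PortalRealm", frozenset({"users"}))
    axis_before = WebApp("/axis", "axis", frozenset({"users"}))     # original web.xml
    axis_after = WebApp("/axis", "axis", frozenset({"axisusers"}))  # Ben's fix
    return {
        "liferay user -> /portal": request(valve, portal, "sso-1"),
        "liferay user -> /axis (role users)": request(valve, axis_before, "sso-1"),
        "liferay user -> /axis (role axisusers)": request(valve, axis_after, "sso-1"),
        "axis user -> /axis (role axisusers)": request(valve, axis_after, "sso-2"),
        "no sso cookie -> /axis": request(valve, axis_after, None),
    }
```

The second key is the leak Ben observed and the third is the effect of his role rename; the model says nothing about why JBoss 4.0.4 ignores the domain boundary, only that the decision is made on role names.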