1. Re: Auto-login on JBoss Portal
bdaw, Mar 10, 2008 5:58 AM (in response to sbiwal)

You can consider integrating using a Tomcat valve. Read about the CAS and JOSSO configuration in the Reference Guide and look at the source code:
http://anonsvn.jboss.org/repos/portal/modules/identity/branches/JBP_IDENTITY_BRANCH_1_0/sso/src/main/org/jboss/portal/identity/sso/cas/
http://anonsvn.jboss.org/repos/portal/modules/identity/branches/JBP_IDENTITY_BRANCH_1_0/sso/src/main/org/jboss/portal/identity/sso/josso/
http://anonsvn.jboss.org/repos/portal/modules/identity/branches/JBP_IDENTITY_BRANCH_1_0/sso/src/main/org/jboss/portal/identity/sso/opensso/
2. Re: Auto-login on JBoss Portal
sbiwal, Mar 10, 2008 8:14 PM (in response to sbiwal)

Thanks for your reply.
I understand the idea you were suggesting a little better after reading the related documentation. However, I am using AAF (Australian Access Federation) as my SSO server. I am running my JBoss Application Server under Apache2 and have already configured Apache2 to redirect my portal access to the AAF login site. Here the user chooses his IdP and logs in using it. This part is done. Now, after the user logs in successfully, he can see the default page of the portal, but he is NOT logged into the portal. I need a way to log him into the portal and set his username/principal on the request parameters.
Also, in the framework that I am trying to provide, I would still like the "Logout" button on the portal, which the user can click to sign out of his default login and use another login if he has one (for example if someone knows the admin login).
3. Re: Auto-login on JBoss Portal
sbiwal, Mar 10, 2008 11:37 PM (in response to sbiwal)

One more question:
I have created and built a custom Tomcat Valve which will create the UserPrincipal object. How do I make JBoss Application Server use this valve instead of the standard one that it uses?
4. Re: Auto-login on JBoss Portal
bdaw, Mar 11, 2008 3:06 AM (in response to sbiwal)

Look at the Reference Guide: http://docs.jboss.com/jbportal/v2.6.4/referenceGuide/html/sso.html
You configure the valve in the context.xml file.
If you log in using your IdP site, then you probably have some kind of token present in the request (a cookie or something), right? Recognize this in a valve and then authenticate the user. You can look at the code I showed you to check what is needed. For example:
http://anonsvn.jboss.org/repos/portal/modules/identity/branches/JBP_IDENTITY_BRANCH_1_0/sso/src/main/org/jboss/portal/identity/sso/opensso/OpenSSOAuthenticationValve.java
Just swap the OpenSSO API calls with stuff specific to your provider.
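The valve pattern bdaw describes, written as an added example (not code from the thread or from JBoss Portal) against the Tomcat 5.5/6 Catalina API that JBoss AS 4.2 ships. It assumes the Apache front-end that completed the AAF login forwards the federated user id in an HTTP header (with an AJP connector it may instead arrive as a request attribute) and that Apache is the only host that can reach the connector; the header name, proxy address and class name are assumptions. The valve only honours the header when the request really comes from that proxy, and only installs a principal the portal realm returns, so an unknown user or a null from the realm leaves the request unauthenticated instead of being given hand-built roles.

```java
package org.example.portal.sso; // hypothetical package, not part of JBoss Portal

import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Logs a request in as the federated user named by the front-end, but only
 * when the request arrived through the trusted Apache proxy and the portal
 * realm recognises that user. Configured from context.xml via the setters.
 */
public class FederatedHeaderValve extends ValveBase {
   private String userHeader = "X-Federated-User"; // assumed header set by Apache
   private String trustedProxy = "127.0.0.1";      // assumed address of the Apache front-end

   public void setUserHeader(String h) { userHeader = h; }
   public void setTrustedProxy(String a) { trustedProxy = a; }

   public void invoke(Request request, Response response) throws IOException, ServletException {
      // Already authenticated earlier in this session: nothing to do.
      if (request.getUserPrincipal() == null) {
         String user = request.getHeader(userHeader);
         // A client that reaches the connector directly can set any header it
         // likes, so the proxy address check is what makes the header trustworthy.
         if (user != null && trustedProxy.equals(request.getRemoteAddr())) {
            // Let the realm decide; JBossSecurityMgrRealm returns null when it
            // cannot establish the user (e.g. no security context), and a null
            // must not be turned into a fabricated principal.
            Principal p = getContainer().getRealm().authenticate(user, (String) null);
            if (p != null) {
               request.setAuthType("FORM");
               request.setUserPrincipal(p);
               // Cache on the session so later requests skip the realm call.
               Session session = request.getSessionInternal(true);
               session.setAuthType("FORM");
               session.setPrincipal(p);
               session.setNote(Constants.SESS_USERNAME_NOTE, user);
            }
         }
      }
      getNext().invoke(request, response);
   }
}
```

Declare it as a `<Valve className="org.example.portal.sso.FederatedHeaderValve" userHeader="..." trustedProxy="..."/>` in the portal's context.xml; the portal's own logout link still clears the session principal, so a user can sign out and log in as someone else.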
5. Re: Auto-login on JBoss Portal
sbiwal, Mar 11, 2008 10:34 PM (in response to sbiwal)

Thanks a lot.
I was able to successfully create a custom Tomcat valve (code attached below). This even allowed automatic login for my user and displayed the default page as "User logged in: ". However, I think this user is still not authorized to access anything that is below the /auth access.
When I call the this.container.getRealm().authenticate method in the valve, I am forwarded to the JBossSecurityMgrRealm.authenticate method. In this method, the securityCtx object is null, and so I just get a null from the function. I think this is the reason why my users are not being authorized.
Can you please shed some light as to where I could be going wrong?
So, in short, all I have changed in the JBoss AS code is adding this custom valve and changing the server.xml.
I have not changed anything in the JBoss Portal code at all.

/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2006, Red Hat Middleware LLC, and individual contributors
 * as indicated by the @author tags. See the copyright.txt file in the
 * distribution for a full listing of individual contributors.
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */
package org.jboss.web.tomcat.security;

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;
import org.jboss.logging.Logger;

/**
 * Test valve: logs every request in as the hard-coded user "user" with a
 * fixed role list by installing a GenericPrincipal on the request.
 */
public class BasicAuthValve extends ValveBase
{
   private static Logger log = Logger.getLogger(BasicAuthValve.class);

   public void invoke(Request request, Response response) throws IOException, ServletException
   {
      List roles = new ArrayList();
      roles.add("Authenticated");
      roles.add("User");
      roles.add("Admin");
      roles.add("CustomRole");
      String password = "user";
      String username = "user";

      // Ends up in JBossSecurityMgrRealm.authenticate; with securityCtx null
      // it returns null, so the realm never establishes the user.
      Principal p = this.getContainer().getRealm().authenticate(username, (String) null);
      log.debug("Realm authenticate returned: " + p);

      // The principal the portal sees is built by hand instead.
      request.setAuthType("FORM");
      request.setUserPrincipal(new GenericPrincipal(request.getContext().getRealm(), username, password, roles));
      this.getNext().invoke(request, response);
   }
}