5 Replies Latest reply on Mar 11, 2008 10:34 PM by sbiwal

    Auto-login on JBoss Portal



      I'm a newbee to Jboss Portal and am using it as the framework for our project's portal.
      I need to integrate the portal with a Shibboleth login. So basically a user should be able to select from a list of identity providers, use his login for that Identity provider and then access the portal. I want that once the user verifies himself on the Identity Provider, he should automatically login to the portal.

      The username of the logged in user is provided to my application as a parameter on the request. I don't understand at which point should I intercept the framework to provide auto-login and then redirect the user to the default page.

      Any help would be highly appreciated.

        • 2. Re: Auto-login on JBoss Portal

          Thanks for your reply.
          I do understand a little better of the idea you were suggesting after reading the related documentation. However I am using AAF (Australian Access Federation) as my SSO server. I am running my JBoss Application Server under Apache2 and have already configured Apache2 to redirect my portal access to the AAF login site. Here the user chooses his IdP and logins using the same. This part is done. Now after the user logs in successfully, he can see the default page of the portal but he is NOT logged into the portal. I need a way to log him into the portal and set his username/principal on to the request parameters.

          Also the framework that I am trying to provide, I would still like the "Logout" button on the portal which the user can click to signout as his default login and use another login if he may have (like if someone knows the admin login).

          • 3. Re: Auto-login on JBoss Portal

            One more question -
            I have created and built a custom tomcat Valve which will create the UserPrincipal object. How do I make JBoss Application Server to use this tomcat instead of the standard one that it uses ?

            • 4. Re: Auto-login on JBoss Portal

              Look at the Reference Guide: http://docs.jboss.com/jbportal/v2.6.4/referenceGuide/html/sso.html

              You configure valve in context.xml file.

              If you login using your IdP site then you probably have some kind of token present in request (cookie or something) right? Recognize this in a valve and then authenticate user. You can see the code I showed you to check what is needed. For example:


              Just swap opensso api calls with stuff specific for your provider.

              • 5. Re: Auto-login on JBoss Portal

                Thanks a lot.
                I was able to successfully create a custom tomcat valve (code attached below). This even allowed automatic login to my user and displayed the default page as "User logged in: ". However I think this user is still not authorized to access anything that is below the /auth access.

                When I call the this.container.getRealm().authenticate method in the valve I am forwarded to the JBossSecurityMgrRealm.authenticate method. In this method, the securityCtx object is null and so I just get a null from the function. I think this is the problem why my users are not being authorized.

                Can you please shed some light as to where I could be going wrong.

                So in short all I have changed in the Jboss AS code is adding this custom valve and changing the server.xml
                I have not changed anything in the Jboss Portal code at all.

                 * JBoss, Home of Professional Open Source.
                 * Copyright 2006, Red Hat Middleware LLC, and individual contributors
                 * as indicated by the @author tags. See the copyright.txt file in the
                 * distribution for a full listing of individual contributors.
                 * This is free software; you can redistribute it and/or modify it
                 * under the terms of the GNU Lesser General Public License as
                 * published by the Free Software Foundation; either version 2.1 of
                 * the License, or (at your option) any later version.
                 * This software is distributed in the hope that it will be useful,
                 * but WITHOUT ANY WARRANTY; without even the implied warranty of
                 * Lesser General Public License for more details.
                 * You should have received a copy of the GNU Lesser General Public
                 * License along with this software; if not, write to the Free
                 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
                 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
                package org.jboss.web.tomcat.security;
                import java.io.IOException;
                import java.security.Principal;
                import java.security.acl.Group;
                import java.util.ArrayList;
                import java.util.List;
                import javax.security.auth.Subject;
                import javax.servlet.ServletException;
                import org.apache.catalina.connector.Request;
                import org.apache.catalina.connector.Response;
                import org.apache.catalina.Context;
                import org.apache.catalina.Session;
                import org.apache.catalina.realm.GenericPrincipal;
                import org.apache.catalina.valves.ValveBase;
                import org.jboss.logging.Logger;
                import org.jboss.security.SecurityAssociation;
                import org.jboss.security.SimpleGroup;
                //import com.sun.security.auth.UserPrincipal;
                //import com.sun.security.auth.UserPrincipal;
                /** A valve that provides information on the jaas login exception seen in the
                 SecurityAssociation exception data. The useExceptionAsMsg flag indicates if
                 the exception message should be set as the http response message. The
                 exceptionHeader attribute if set is the header name that should be populated
                 with the exception message.
                 @author Scott.Stark@jboss.org
                 @version $Revision: 57206 $
                public class BasicAuthValve
                 extends ValveBase
                 private static Logger log = Logger.getLogger(BasicAuthValve.class);
                 private static boolean trace = log.isTraceEnabled();
                 /** Should the exception message be used as the request status message */
                 private boolean useExceptionAsMsg = false;
                 /** A flag indicating if the auth exception thread local should be cleared */
                 private boolean clearAuthException = true;
                 /** The name of the reply header to use to return the exception message */
                 private String exceptionHeader = null;
                 public boolean isUseExceptionAsMsg()
                 return useExceptionAsMsg;
                 public void setUseExceptionAsMsg(boolean useExceptionAsMsg)
                 this.useExceptionAsMsg = useExceptionAsMsg;
                 public String getExceptionHeader()
                 return exceptionHeader;
                 public void setExceptionHeader(String exceptionHeader)
                 this.exceptionHeader = exceptionHeader;
                 public void invoke(Request request, Response response)
                 throws IOException, ServletException
                 // TODO Auto-generated method stub
                 List roles = new ArrayList();
                 String password = "user";
                 String username = "user";
                 Principal p = this.getContainer().getRealm().authenticate(username, (String)null);
                 request.setUserPrincipal(new GenericPrincipal(request.getContext().getRealm(), username, password, roles));
                 this.getNext().invoke(request, response);