1 Reply Latest reply on Apr 18, 2011 11:17 AM by gutoconde

    Sharing security context between 2 web applications

      Hi,


      I'm trying to share a security context between 2 web applications. The first one is a real web application and the other one is an image repository. The image repository has to be protected against non-authenticated users.


      To do this I've created this LoginModule configuration in login-config.xml:




      <application-policy name="ativaDomain">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                        flag="required">
            <!-- users and roles for tests -->
            <module-option name="usersProperties">props/ativa-users.properties</module-option>
            <module-option name="rolesProperties">props/ativa-roles.properties</module-option>
          </login-module>
        </authentication>
      </application-policy>



      The components.xml looks like this:



      <security:identity jaas-config-name="ativaDomain" />




      login.page.xml is configured to raise loginEvent. I capture this event to load some user information into the session context:


      <navigation from-action="#{identity.login}">
        <rule if="#{identity.loggedIn}">
          <raise-event type="loginEvent"/>
          <redirect view-id="/paginas/funcionalidades/home.xhtml"/>
        </rule>
      </navigation>



      In the second application (the image repository), I've made this configuration in web.xml, allowing the admin role to access the image repository:


      <security-constraint>
        <display-name>Restrict Documents</display-name>
        <web-resource-collection>
          <web-resource-name>Todos os recursos</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>ativaDomain</realm-name>
      </login-config>

      <security-role>
        <role-name>admin</role-name>
      </security-role>








        • 1. Re: Sharing security context between 2 web applications

          I set the security-domain in jboss-web.xml, for both applications:




          <jboss-web>
            <class-loading java2ClassLoadingCompliance="false">
              <loader-repository>
                seam.jboss.org:loader=ativa
                <loader-repository-config>java2ParentDelegation=false</loader-repository-config>
              </loader-repository>
            </class-loading>

            <security-domain>java:/jaas/ativaDomain</security-domain>
          </jboss-web>





          And finally, I'm using the SingleSignOn Valve, configured in deploy\jbossweb.sar\server.xml.





          <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>




          With all this configuration, I can log in to the first application, but when I try to access the second application (the image repository) the application shows me the browser login page, requesting username and password.


          I've tried to put the jmx-console application using my LoginModule configuration and the SSO works fine with the image repository application. It doesn't work with the first application.


          Is there something wrong? Or does JBoss Seam not work with the SSO Valve?


          Thanks, and sorry for my bad English,


          Jose Augusto Conde
          Brasilia / Brazil