2 Replies Latest reply on Jun 14, 2012 1:51 PM by kdolan1

    Why asked to authenticate multiple times?

    kdolan1

      In JBoss 7.1.1 Final, I have an EAR that contains multiple WAR files.  When I hit my application for the first time, I get a login screen, enter a valid user name and password and click OK.  This brings me to the main screen in my application.  I next click a link to go to another screen and am prompted again to authenticate (this time via the standard basic authentication dialog).

       

      Additional Facts:

       

      * The standalone.xml file includes <security-domain name="MyCompany"> referencing a custom login module.  My assumption is this is configured correctly since when I do enter a user name and password, it is validated correctly.

       

      * MyWar1.war contains:

       

      -- web.xml w/ the following

       

        <security-constraint>

          <web-resource-collection>

            <web-resource-name>Main</web-resource-name>

            <url-pattern>/user</url-pattern>

            <url-pattern>/user/</url-pattern>

            <url-pattern>/user/*</url-pattern>

          </web-resource-collection>

          <auth-constraint>

            <role-name>*</role-name>

          </auth-constraint>

        </security-constraint>

        ...

        <login-config>

          <auth-method>FORM</auth-method>

          <form-login-config>

            <form-login-page>/WEB-INF/login.jsp</form-login-page>

            <form-error-page>/WEB-INF/denied.jsp</form-error-page>

          </form-login-config>

        </login-config>

        ...

        <security-role>

          <role-name>*</role-name>

        </security-role>

       

      -- jboss-web.xml w/ the following

       

        <security-domain>MyCompany</security-domain>

       

      * MyWar2.war contains:

       

      -- web.xml w/ the following

       

        <security-constraint>

          <web-resource-collection>

            <web-resource-name>Service</web-resource-name>

            <url-pattern>/LibraryService</url-pattern>

          </web-resource-collection>

          <auth-constraint>

            <role-name>*</role-name>

          </auth-constraint>

        </security-constraint>

       

        <login-config>

          <auth-method>BASIC</auth-method>

        </login-config>

       

        <security-role>

          <role-name>*</role-name>

        </security-role>

       

      -- jboss-web.xml w/ the following

       

        <security-domain>MyCompany</security-domain>

       

      * MyEar.ear

       

      -- application.xml w/ the following

       

        <module>

          <web>

            <web-uri>MyWar1.war</web-uri>

            <context-root>MyApp</context-root>

          </web>

        </module>

        ...

        <module>

          <web>

            <web-uri>MyWar2.war</web-uri>

            <context-root>MainLibrary</context-root>

          </web>

        </module>

       

      When I log into the application, the URL is http://ip:port/MyApp/user.  Since MyApp is actually MyWar1.war and /user is configured w/ a security constraint, I expect to get the custom login page and I do.

       

      When I click on the next link, the URL posted is http://ip:port/MainLibrary/LibraryService.  Since MainLibrary is actually MyWar2.war and /LibraryService is configured w/ a security constraint, I expect it to require authentication, BUT I expected it to be covered by the initial authentication request.  Instead, the URL response was HTTP 401 Unauthorized and I received the Basic authentication dialog that said "A username and password are being requested by http://ip:port. The site says: 'Realm'".

       

      This worked in JBoss 4.0.1sp1 which is the version of JBoss I'm trying to upgrade from.  Is there something I'm missing?  I've read various JBoss articles, documentation, posts and do not see what might have changed or what I'm doing wrong.

       

      BTW - I don't really understand the cache-type attribute on the <security-domain> element and the impact it has on authentication, but I thought I'd try adding it (set to default); it did not change a thing.

       

      Thanks,

      Kelly

        • 1. Re: Why asked to authenticate multiple times?
          kdolan1

          I found http://stackoverflow.com/questions/5141637/how-to-implement-ear-wide-jaas which describes in a general sense my problem.  It contains a link to a page that talks about Tomcat valves but I've never heard of this concept before.  I'll start looking down that path but is there anyone that has any ideas or can help me out?

           

          This is a deal-breaker for me.  If I can't get my deployed application to only ask for credentials once, we cannot move to JBoss 7.

          • 2. Re: Why asked to authenticate multiple times?
            kdolan1

            After much turmoil, I have reached a solution.

             

            I found in our original JBoss 4 configuration, in the Tomcat <jboss>/server/default/deploy/jbossweb-tomcat50.sar/server.xml file, that the following was uncommented, which ultimately turns on SSO within the entire container.

             

                <Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="0"/>

             

            So, while I'm still not sure if "SSO" is supposed to be automatic across WARs in the same EAR, it no longer matters to me.  I now just needed to enable SSO for the container.  So what did I do?

             

            Aside from (a) defining my security domain in standalone.xml and (b) referencing the domain in jboss-web.xml per the JBoss documentation, the missing piece was to add <sso> to the subsystem shown below (see the schema for optional attributes).  One post made reference to "sso" and "virtual host" but it wasn't apparent that this is what it was talking about.  Rather, I followed a trail to a JIRA issue (https://issues.jboss.org/browse/AS7-1484) that referenced a test case (specifically see SingleSignOnUnitTestCase.java) which demonstrated the standalone.xml change.

             

                <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">

                    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

                    <virtual-server name="default-host" enable-welcome-root="true">

                        <alias name="localhost"/>

                        <alias name="example.com"/>

                        <sso/>

                    </virtual-server>

                </subsystem>

             

            Kelly
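The following is an added example, not code from the thread or from JBoss. It models the mechanics behind both the original question (why the FORM login on /MyApp did not cover /MainLibrary) and the fix in the last reply (the SingleSignOn valve / `<sso>` element): a servlet container keeps a separate session per web application and scopes its JSESSIONID cookie to that context root, so the browser never sends the /MyApp session to /MainLibrary; with the SSO valve a successful login additionally issues a JSESSIONIDSSO cookie with Path=/ that every web app on the same virtual host honours. The user name/password, cookie values, the two-step stand-in for the FORM j_security_check round trip, and the `Browser`/`JBossWebHost` classes are constructed for the example; the cookie path matching follows RFC 6265 section 5.1.4.

```python
"""Added example (not from the thread): why a login on /MyApp does not carry to
/MainLibrary without SSO, and what the SSO cookie changes. All users, cookie values
and the server model below are constructed for illustration."""
from dataclasses import dataclass, field
import secrets

VALID_USERS = {"kelly": "s3cret"}  # constructed stand-in for the MyCompany login module
# context roots and auth methods from the thread's application.xml / web.xml
WEBAPPS = {"/MyApp": "FORM", "/MainLibrary": "BASIC"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str


def parse_set_cookie(header: str, request_path: str) -> Cookie:
    """Parse a Set-Cookie header; a missing Path falls back to the RFC 6265 default-path."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    path = request_path[: request_path.rfind("/")] or "/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "path" and val.startswith("/"):
            path = val
    return Cookie(name, value, path)


def path_match(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: /MyApp matches /MyApp/user but not /MyAppX."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class Browser:
    """Cookie jar that only sends cookies whose Path matches the request path."""
    def __init__(self):
        self.jar = {}

    def store(self, request_path, set_cookie_headers):
        for header in set_cookie_headers:
            c = parse_set_cookie(header, request_path)
            self.jar[(c.name, c.path)] = c

    def cookies_for(self, request_path):
        return {c.name: c.value for c in self.jar.values() if path_match(c.path, request_path)}


@dataclass
class Response:
    status: int
    body: str
    set_cookie: list = field(default_factory=list)


class JBossWebHost:
    """One virtual host with two contexts. Each context keeps its own sessions and scopes
    JSESSIONID to its context root. With the SSO valve on, a login also issues
    JSESSIONIDSSO with Path=/ and any context on the host accepts it."""
    def __init__(self, sso_enabled: bool):
        self.sso_enabled = sso_enabled
        self.sessions = {}      # (context, JSESSIONID) -> principal
        self.sso_registry = {}  # JSESSIONIDSSO -> principal

    def request(self, path, cookies, credentials=None) -> Response:
        context = "/" + path.split("/")[1]
        if (context, cookies.get("JSESSIONID")) in self.sessions:
            return Response(200, f"{path} as {self.sessions[(context, cookies['JSESSIONID'])]}")
        principal, set_cookie = None, []
        if self.sso_enabled and cookies.get("JSESSIONIDSSO") in self.sso_registry:
            principal = self.sso_registry[cookies["JSESSIONIDSSO"]]
        elif credentials and VALID_USERS.get(credentials[0]) == credentials[1]:
            principal = credentials[0]
            if self.sso_enabled:
                sso_id = secrets.token_hex(16)
                self.sso_registry[sso_id] = principal
                set_cookie.append(f"JSESSIONIDSSO={sso_id}; Path=/; HttpOnly")
        if principal is None:  # the challenge the user sees: FORM shows a page, BASIC sends 401
            return Response(200, "login-page") if WEBAPPS[context] == "FORM" else Response(401, "")
        sid = secrets.token_hex(16)
        self.sessions[(context, sid)] = principal
        set_cookie.append(f"JSESSIONID={sid}; Path={context}; HttpOnly")
        return Response(200, f"{path} as {principal}", set_cookie)


def walk_through(sso_enabled: bool):
    """Replay the thread's click path; return the second web app's status and the
    cookie names the browser sent with that request."""
    host, browser = JBossWebHost(sso_enabled), Browser()

    def get(path, credentials=None):
        resp = host.request(path, browser.cookies_for(path), credentials)
        browser.store(path, resp.set_cookie)
        return resp

    get("/MyApp/user")                                       # FORM login page shown
    get("/MyApp/user", credentials=("kelly", "s3cret"))      # stands in for j_security_check
    sent = sorted(browser.cookies_for("/MainLibrary/LibraryService"))
    second = get("/MainLibrary/LibraryService")
    return second.status, sent


if __name__ == "__main__":
    print("without sso:", walk_through(False))  # (401, [])
    print("with sso:   ", walk_through(True))   # (200, ['JSESSIONIDSSO'])
```

The output shows the 401 from the question: without SSO the only cookie the browser holds is scoped to /MyApp, so MainLibrary sees an unauthenticated request and its BASIC login-config challenges. With the valve, JSESSIONIDSSO (Path=/) reaches every context on the host, which is also the security caveat to keep in mind: that cookie is a host-wide bearer credential, so every web application on the virtual host must use the same security domain (as both WARs in the thread do), the cookie should only travel over HTTPS in production, and a logout in one application should invalidate the SSO entry rather than just its own session.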