1 2 Previous Next 15 Replies Latest reply on May 22, 2013 4:23 AM by trong.tran

    How to configure single sign on in AS7

    billhong

      The instructions on below site was out of date. The server.xml was gone.

      http://community.jboss.org/wiki/JBossWebSingleSignOn

       

      I can't find specific document about this. Does anyone know how to configure single sign on in AS7?

       

      Thanks!

        • 1. Re: How to configure single sign on in AS7
          billhong

          Well, I still got stuck in SSO. Does anyone know where to put below configuration into standalone.xml to enable SSO in AS7?

          <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>

           

          Is there any option to support SSO in AS7 anyway?

          • 2. Re: How to configure single sign on in AS7
            dmatheus

            Hi there Bill,

             

              Try this:

             

              http://community.jboss.org/wiki/JBossAS7SecurityDomainModel

             

             

            [ ]'s

            Douglas

            • 3. Re: How to configure single sign on in AS7
              billhong

              Thank you, Douglas.

               

              That's exactly what I'm looking for. However, currently it still does not work across web apps. There's an issue opened for this:

              https://issues.jboss.org/browse/AS7-1484

               

              Hopefully, it will be addressed soon...

              • 4. Re: How to configure single sign on in AS7
                dmatheus

                Thank you Bill,

                 

                It was helpful your note about the issue.

                 

                Let's continue watching the subject until its fix.

                • 5. Re: How to configure single sign on in AS7
                  plgregoire

                  You can setup SSO in the JBoss Web subsystem. In this case it's a Clustered SSO but a valve also exist for non-clustered sso (org.apache.catalina.authenticator.SingleSignOn).

                   

                         <subsystem xmlns="urn:jboss:domain:web:1.1" native="true" default-virtual-server="default-host">

                              <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp" redirect-port="8443" enabled="true"/>

                              <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

                              <virtual-server name="default-host" enable-welcome-root="true">

                                  <alias name="localhost"/>

                                  <sso cache-container="web" cache-name="sso" domain="myDomain" reauthenticate="true"/>

                              </virtual-server>

                          </subsystem>

                   

                   

                  We then need to setup infinispan cache for clustering.

                   

                          <subsystem xmlns="urn:jboss:domain:infinispan:1.1" default-cache-container="cluster">

                              ...

                              <cache-container name="web" aliases="standard-session-cache" default-cache="repl">

                                  <transport lock-timeout="60000"/>

                                  <replicated-cache name="repl" mode="ASYNC" batching="true">

                                      <file-store/>

                                  </replicated-cache>

                                  <replicated-cache name="sso" mode="SYNC" batching="true"/>

                                  <distributed-cache name="dist" mode="ASYNC" batching="true">

                                      <file-store/>

                                  </distributed-cache>

                              </cache-container>

                              ...

                   

                  This will use the following Valve :

                   

                  "org.jboss.as.web.sso.ClusteredSingleSignOn

                   

                  A Valve that supports a "single sign on" user experience, where the security identity of a user who successfully authenticates to one web application is propagated to other web applications in the same security domain. For successful use, the following requirements must be met:

                  • This Valve must be configured on the Container that represents a virtual host (typically an implementation of Host).
                  • The Realm that contains the shared user and role information must be configured on the same Container (or a higher one), and not overridden at the web application level.
                  • The web applications themselves must use one of the standard Authenticators found in the org.apache.catalina.authenticator package. "
                  • 6. Re: How to configure single sign on in AS7
                    crazysoumya

                    Does that mean SSO can only be enabled on a cluster and on domain? And cannot be done on standalone where one may need SSO on multiple apps deployed as wars on the same standalone instance?

                    • 7. Re: How to configure single sign on in AS7
                      plgregoire

                      You can enable it for a standalone server for multiple apps just by removing cache and domain attributes :

                       

                      <sso reauthenticate="true"/>

                      • 8. Re: How to configure single sign on in AS7
                        crazysoumya

                        Thanks Pieree

                        Apart from setting up a virtual host

                         

                        adding the sso bit as stated above

                         

                        and adding the virtualhost in jboss-web.xml

                        is there anything else we need to add?

                         

                        Any Valve stuff on Jboss-web.xml on each war? As mentioned here

                        https://community.jboss.org/wiki/DRAFTUsingJBossNegotiationOnAS7

                         

                        I am getting a bit confused with loads of documentation around SSO and session sharing among wars available for TOmcat which used to be used in it's variant in older Jboss versions. Not sure same applies to AS 7.

                         

                        Also when we say a user who las logged on to one web application - it's credentials are propagated to other web apps in the same realm - what does that exatly mean. Say when a user tries a login - we validate against our appliction database - create a HttpSession and store a User Object in it. For all other Authenticated pages we check the User is present in session. Now what we want is to propagate that session to other web apps. Not exactly sure where the realm bit kicks in here. To be the User object is just like any other object present in Session. How is the security and realm bit working is what I need clarification on.

                         

                        Can you kindly confirm?

                        • 9. Re: How to configure single sign on in AS7
                          plgregoire

                          What is confusing in SSO documentation is that you can setup the Tomcat valve (org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn)  or the JBoss AS Web valve (org.jboss.as.web.sso.ClusteredSingleSignOn). This is two different things and what I describe above is how to configure the JBoss valve. If you are in a standalone environment and don't use Infinispan to share the SSO cache I think JBoss will load a different valve but I don't remember the name, anyway it's still a JBoss valve.

                           

                          In our case we have EJB3 Webservice Endpoints, which means that we can't configure the Tomcat valve (org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn) due to this issue :

                           

                          https://issues.jboss.org/browse/AS7-5099

                           

                          It's why we use the JBoss valve. We have in our EAR different types of endpoint : EJB3 WS packaged in jars and Servlet packaged in wars. To use the same security domain we have this in our jboss-web.xml :

                           

                          <jboss-web>

                                    <security-domain>WebServiceDatabaseAuth</security-domain>

                                    ...

                          </jboss-web>

                           

                          And this annotation in our EJB beans : @SecurityDomain("WebServiceDatabaseAuth")

                           

                          About your User object in your HttpSession, it will not be accessible through all your apps because SSO only allow authentication through all apps, not replication of HttpSession. SSO cache is more like a container of all HttpSession and register itself as a listener for all HttpSession events (logout, etc). When you first login to one app, sso valve create a new SSO session (and a JSESSIONSSO cookie) and attach credentials to this sso session. When user acces the second app, JBoss look for the cookie, retreive the sso session with stored credentials and use them to authenticate to second app, then store the second HttpSession in is Map. If user logout of one of the two apps, the sso valve with catch this event and will call the logout on all HttpSession.

                           

                          However I think that each HttpSession have their own data... so your User object will not be replicated.

                          • 10. Re: How to configure single sign on in AS7
                            j_ri

                            Hi Pierre,

                             

                            did you manage to configure the

                            <sso ...>

                            part via CLI?

                             

                            I tried with

                            /subsystem=web/virtual-server=default-host/sso=sso/:add(reauthenticate=false)

                             

                            and with

                            /subsystem=web/virtual-server=default-host/:write-attribute(name="sso",value=[{"reauthenticate"=>"false"}])

                             

                            but only get error messages;-(

                             

                            Thanks,

                            Jochen

                            • 11. Re: How to configure single sign on in AS7
                              j_ri

                              Sorry,

                               

                              I just managed to find the solutiopn myself;-)

                               

                              /subsystem=web/virtual-server=default-host/sso=configuration:add(reauthenticate="false")

                               

                              the mistake was the part "sso=configuration"

                               

                              how could one know to put the word "configuration"?!?!?!

                              • 12. Re: How to configure single sign on in AS7
                                plgregoire

                                Hi,

                                 

                                I've configured it via standalone.xml because I have full access to the server.

                                 

                                Thanks for the information for configuration via CLI

                                • 13. Re: How to configure single sign on in AS7
                                  g3n

                                  Hi,

                                   

                                  we have a similar project setup and Im trying for a while but cant get this to work.

                                  Can i have a step by step description of your configuration?

                                  1. What has to be inside the standalone.xml

                                  2. What in the jboss-web.xml

                                  3. And finally the web.xml

                                  • 14. Re: How to configure single sign on in AS7
                                    plgregoire

                                    Hi,

                                     

                                    There is nothing special to do in jboss-web.xml and web.xml. By enabling SSO in standalone.xml like I describe above, all your secured applications will be part of the Single Sign On process and then a user will enter his credentials only once.

                                     

                                    For more information on how to secure your application(s) and how to setup clustering, search on these specific subjects.

                                    1 2 Previous Next