-
1. Re: How to configure single sign on in AS7
billhong Aug 4, 2011 7:14 AM (in response to billhong)
Well, I still got stuck in SSO. Does anyone know where to put the configuration below into standalone.xml to enable SSO in AS7?
<Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
Is there any option to support SSO in AS7 anyway?
-
2. Re: How to configure single sign on in AS7
dmatheus Aug 8, 2011 12:13 PM (in response to billhong)
-
3. Re: How to configure single sign on in AS7
billhong Aug 10, 2011 12:30 AM (in response to dmatheus)
Thank you, Douglas.
That's exactly what I'm looking for. However, currently it still does not work across web apps. There's an issue opened for this:
https://issues.jboss.org/browse/AS7-1484
Hopefully, it will be addressed soon...
-
4. Re: How to configure single sign on in AS7
dmatheus Aug 18, 2011 9:49 AM (in response to billhong)
Thank you Bill,
Your note about the issue was helpful.
Let's continue watching the subject until it is fixed.
-
5. Re: How to configure single sign on in AS7
plgregoire Jul 19, 2012 11:44 AM (in response to dmatheus)
You can set up SSO in the JBoss Web subsystem. In this case it's a Clustered SSO, but a valve also exists for non-clustered SSO (org.apache.catalina.authenticator.SingleSignOn).
<subsystem xmlns="urn:jboss:domain:web:1.1" native="true" default-virtual-server="default-host">
<connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp" redirect-port="8443" enabled="true"/>
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<sso cache-container="web" cache-name="sso" domain="myDomain" reauthenticate="true"/>
</virtual-server>
</subsystem>
We then need to set up an Infinispan cache for clustering.
<subsystem xmlns="urn:jboss:domain:infinispan:1.1" default-cache-container="cluster">
...
<cache-container name="web" aliases="standard-session-cache" default-cache="repl">
<transport lock-timeout="60000"/>
<replicated-cache name="repl" mode="ASYNC" batching="true">
<file-store/>
</replicated-cache>
<replicated-cache name="sso" mode="SYNC" batching="true"/>
<distributed-cache name="dist" mode="ASYNC" batching="true">
<file-store/>
</distributed-cache>
</cache-container>
...
This will use the following Valve:
"org.jboss.as.web.sso.ClusteredSingleSignOn
A Valve that supports a "single sign on" user experience, where the security identity of a user who successfully authenticates to one web application is propagated to other web applications in the same security domain. For successful use, the following requirements must be met:
- This Valve must be configured on the Container that represents a virtual host (typically an implementation of Host).
- The Realm that contains the shared user and role information must be configured on the same Container (or a higher one), and not overridden at the web application level.
- The web applications themselves must use one of the standard Authenticators found in the org.apache.catalina.authenticator package."
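A consistency check for the configuration in this post, added here as an example (it is not code from the thread or from JBoss): it parses a standalone.xml, finds the <sso> element of each <virtual-server> in the web subsystem and, for the clustered form, verifies that the cache-container and cache-name it references are actually defined in the Infinispan subsystem, since a mismatch there leaves SSO silently not working across apps. The sample document is constructed from the snippets shown above; the namespace URIs and element names are the ones the post uses, and the function names are invented for this check.

```python
"""Check that the <sso> element in the web subsystem points at an Infinispan cache that exists."""
import xml.etree.ElementTree as ET

WEB_NS = "urn:jboss:domain:web:1.1"          # namespaces as shown in the thread's standalone.xml
ISPN_NS = "urn:jboss:domain:infinispan:1.1"

# Constructed sample built from the snippets in this post (not a real server's file).
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:1.1">
  <profile>
    <subsystem xmlns="urn:jboss:domain:infinispan:1.1" default-cache-container="cluster">
      <cache-container name="web" aliases="standard-session-cache" default-cache="repl">
        <transport lock-timeout="60000"/>
        <replicated-cache name="repl" mode="ASYNC" batching="true">
          <file-store/>
        </replicated-cache>
        <replicated-cache name="sso" mode="SYNC" batching="true"/>
      </cache-container>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:web:1.1" native="true" default-virtual-server="default-host">
      <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
      <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <sso cache-container="web" cache-name="sso" domain="myDomain" reauthenticate="true"/>
      </virtual-server>
    </subsystem>
  </profile>
</server>
"""

CACHE_TAGS = ("local-cache", "replicated-cache", "distributed-cache", "invalidation-cache")


def infinispan_caches(root):
    """Map each Infinispan cache-container name to the set of cache names defined inside it."""
    containers = {}
    for container in root.iter(f"{{{ISPN_NS}}}cache-container"):
        names = set()
        for tag in CACHE_TAGS:
            names.update(c.get("name") for c in container.findall(f"{{{ISPN_NS}}}{tag}"))
        containers[container.get("name")] = names
    return containers


def check_sso(xml_text):
    """Return one dict per virtual-server: SSO mode, reauthenticate flag and any inconsistencies."""
    root = ET.fromstring(xml_text)
    caches = infinispan_caches(root)
    results = []
    for vs in root.iter(f"{{{WEB_NS}}}virtual-server"):
        host = vs.get("name")
        sso = vs.find(f"{{{WEB_NS}}}sso")
        if sso is None:
            results.append({"host": host, "mode": "disabled", "reauthenticate": None, "problems": []})
            continue
        container, cache = sso.get("cache-container"), sso.get("cache-name")
        problems = []
        if container is None and cache is None:
            mode = "standalone"   # the bare <sso reauthenticate="..."/> form: no shared cache needed
        else:
            mode = "clustered"
            if container not in caches:
                problems.append(f"cache-container '{container}' is not defined in the Infinispan subsystem")
            elif cache is None:
                problems.append(f"cache-container '{container}' is set but cache-name is missing")
            elif cache not in caches[container]:
                problems.append(f"cache '{cache}' is not defined in cache-container '{container}'")
        results.append({"host": host, "mode": mode,
                        "reauthenticate": sso.get("reauthenticate", "false").lower() == "true",
                        "problems": problems})
    return results


if __name__ == "__main__":
    for entry in check_sso(SAMPLE_STANDALONE_XML):
        status = "OK" if not entry["problems"] else "; ".join(entry["problems"])
        print(f"{entry['host']}: mode={entry['mode']} reauthenticate={entry['reauthenticate']} -> {status}")
```

Run it against your own file by replacing the sample string with the contents of standalone.xml; with the snippets from this post the report is clean, and renaming the cache in either subsystem is reported as a mismatch.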
-
6. Re: How to configure single sign on in AS7
crazysoumya Feb 7, 2013 11:26 AM (in response to billhong)
Does that mean SSO can only be enabled on a cluster and on domain? And cannot be done on standalone where one may need SSO on multiple apps deployed as wars on the same standalone instance?
-
7. Re: How to configure single sign on in AS7
plgregoire Feb 7, 2013 11:48 AM (in response to crazysoumya)
You can enable it for a standalone server for multiple apps just by removing the cache and domain attributes:
<sso reauthenticate="true"/>
-
8. Re: How to configure single sign on in AS7
crazysoumya Feb 8, 2013 6:15 AM (in response to plgregoire)
Thanks Pierre
Apart from setting up a virtual host,
adding the sso bit as stated above,
and adding the virtualhost in jboss-web.xml,
is there anything else we need to add?
Any Valve stuff in jboss-web.xml on each war? As mentioned here
https://community.jboss.org/wiki/DRAFTUsingJBossNegotiationOnAS7
I am getting a bit confused with loads of documentation around SSO and session sharing among wars available for Tomcat, which used to be used in its variant in older JBoss versions. Not sure the same applies to AS 7.
Also when we say a user who has logged on to one web application - its credentials are propagated to other web apps in the same realm - what does that exactly mean? Say when a user tries a login - we validate against our application database - create an HttpSession and store a User object in it. For all other authenticated pages we check the User is present in the session. Now what we want is to propagate that session to other web apps. Not exactly sure where the realm bit kicks in here. To me the User object is just like any other object present in the Session. How the security and realm bit is working is what I need clarification on.
Can you kindly confirm?
-
9. Re: How to configure single sign on in AS7
plgregoire Feb 8, 2013 1:52 PM (in response to crazysoumya)
What is confusing in the SSO documentation is that you can set up the Tomcat valve (org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn) or the JBoss AS Web valve (org.jboss.as.web.sso.ClusteredSingleSignOn). These are two different things, and what I describe above is how to configure the JBoss valve. If you are in a standalone environment and don't use Infinispan to share the SSO cache, I think JBoss will load a different valve, but I don't remember the name; anyway, it's still a JBoss valve.
In our case we have EJB3 Webservice Endpoints, which means that we can't configure the Tomcat valve (org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn) due to this issue:
https://issues.jboss.org/browse/AS7-5099
That's why we use the JBoss valve. We have in our EAR different types of endpoint: EJB3 WS packaged in jars and Servlets packaged in wars. To use the same security domain we have this in our jboss-web.xml:
<jboss-web>
<security-domain>WebServiceDatabaseAuth</security-domain>
...
</jboss-web>
And this annotation in our EJB beans: @SecurityDomain("WebServiceDatabaseAuth")
About your User object in your HttpSession: it will not be accessible through all your apps, because SSO only allows authentication through all apps, not replication of the HttpSession. The SSO cache is more like a container of all HttpSessions and registers itself as a listener for all HttpSession events (logout, etc.). When you first log in to one app, the sso valve creates a new SSO session (and a JSESSIONSSO cookie) and attaches credentials to this sso session. When the user accesses the second app, JBoss looks for the cookie, retrieves the sso session with the stored credentials and uses them to authenticate to the second app, then stores the second HttpSession in its Map. If the user logs out of one of the two apps, the sso valve will catch this event and will call the logout on all HttpSessions.
However I think that each HttpSession has its own data... so your User object will not be replicated.
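The behaviour described in this answer, as an added toy model written for this thread (it is not JBoss code and calls no JBoss API): one SSO entry per SSO cookie holding the authenticated principal and the credential, each application's own HttpSession joining that entry, logout from any app ending all of them, and session attributes never crossing between apps. It also models the reauthenticate flag from the <sso> element: with it on, every request re-checks the cached credential against the realm, so a password changed after login ends the SSO session instead of being honoured from the cache. The cookie name is JSESSIONIDSSO, the name the Catalina SingleSignOn valve uses; Realm, SsoRegistry, App and the user table are invented for the model.

```python
"""Toy model of the single-sign-on valve: one SSO session shared by several apps' HttpSessions."""
import secrets

SSO_COOKIE = "JSESSIONIDSSO"   # cookie name used by the Catalina SingleSignOn valve


class Realm:
    """Stand-in for the security domain; the user table is constructed sample data."""

    def __init__(self, users):
        self._users = dict(users)          # username -> password

    def authenticate(self, user, password):
        return self._users.get(user) == password

    def set_password(self, user, password):
        self._users[user] = password


class HttpSession:
    """Per-application session: its attributes are never shared through SSO."""

    def __init__(self, app_name):
        self.app_name = app_name
        self.attributes = {}
        self.valid = True

    def invalidate(self):
        self.valid = False
        self.attributes.clear()


class SsoRegistry:
    """Models the valve's cache: one entry per SSO cookie, tracking the sessions that joined it."""

    def __init__(self, realm, reauthenticate=False):
        self.realm = realm
        self.reauthenticate = reauthenticate
        self._entries = {}                 # sso id -> principal, credential, joined sessions

    def register(self, user, password):
        sso_id = secrets.token_hex(16)
        self._entries[sso_id] = {"principal": user, "credential": password, "sessions": []}
        return sso_id

    def principal_for(self, sso_id):
        """Cached principal for the cookie, re-checked against the realm if reauthenticate is on."""
        entry = self._entries.get(sso_id)
        if entry is None:
            return None
        if self.reauthenticate and not self.realm.authenticate(entry["principal"], entry["credential"]):
            self.deregister(sso_id)        # credential no longer valid: end the whole SSO session
            return None
        return entry["principal"]

    def associate(self, sso_id, session):
        self._entries[sso_id]["sessions"].append(session)

    def deregister(self, sso_id):
        """Logout seen in any app: invalidate every HttpSession that joined this SSO session."""
        entry = self._entries.pop(sso_id, None)
        if entry is not None:
            for session in entry["sessions"]:
                session.invalidate()


class App:
    """One secured web application on the virtual host, with its own HttpSessions."""

    def __init__(self, name, sso):
        self.name, self.sso, self._sessions = name, sso, {}

    def request(self, cookies, password_prompt=None):
        """Serve a protected page: (principal, session), or (None, None) when a login form is needed."""
        sso_id = cookies.get(SSO_COOKIE)
        principal = self.sso.principal_for(sso_id) if sso_id else None
        if principal is None:
            if password_prompt is None or not self.sso.realm.authenticate(*password_prompt):
                return None, None          # no valid SSO session and no valid form login
            principal = password_prompt[0]
            sso_id = self.sso.register(*password_prompt)
            cookies[SSO_COOKIE] = sso_id   # the browser now presents the SSO cookie to every app
        session = self._sessions.get(sso_id)
        if session is None or not session.valid:
            session = HttpSession(self.name)
            self._sessions[sso_id] = session
            self.sso.associate(sso_id, session)
        return principal, session

    def logout(self, cookies):
        self.sso.deregister(cookies.pop(SSO_COOKIE, None))


def walkthrough(reauthenticate=False):
    """Log in to app1, reach app2 via the cookie alone, log out of app2; report what each step saw."""
    realm = Realm({"alice": "s3cret"})   # constructed sample user
    sso = SsoRegistry(realm, reauthenticate)
    app1, app2 = App("app1", sso), App("app2", sso)
    browser = {}                         # the browser's cookie jar
    who1, s1 = app1.request(browser, password_prompt=("alice", "s3cret"))
    s1.attributes["user"] = "User object stored by app1"
    who2, s2 = app2.request(browser)     # no prompt: authenticated from the SSO cookie
    seen = s2.attributes.get("user")     # app1's attribute is not visible in app2's session
    app2.logout(browser)
    return {"app1_user": who1, "app2_user": who2, "attribute_seen_in_app2": seen,
            "app1_session_valid_after_app2_logout": s1.valid,
            "user_after_logout": app1.request(browser)[0]}


def revocation_check(reauthenticate):
    """Rotate the password after login; True if app2 still admits the cached SSO session."""
    realm = Realm({"alice": "s3cret"})
    sso = SsoRegistry(realm, reauthenticate)
    app1, app2 = App("app1", sso), App("app2", sso)
    browser = {}
    app1.request(browser, password_prompt=("alice", "s3cret"))
    realm.set_password("alice", "rotated")   # credential changed in the security domain
    return app2.request(browser)[0] == "alice"
```

walkthrough() shows the two points of the answer at once: app2 never prompts, yet app1's User object is absent from app2's session, and one logout invalidates both sessions. revocation_check(False) returns True and revocation_check(True) returns False, which is the practical difference reauthenticate="true" makes once a credential is revoked.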
-
10. Re: How to configure single sign on in AS7
j_ri Feb 15, 2013 2:41 AM (in response to plgregoire)
Hi Pierre,
did you manage to configure the
<sso ...>
part via CLI?
I tried with
/subsystem=web/virtual-server=default-host/sso=sso/:add(reauthenticate=false)
and with
/subsystem=web/virtual-server=default-host/:write-attribute(name="sso",value=[{"reauthenticate"=>"false"}])
but only get error messages ;-(
Thanks,
Jochen
-
11. Re: How to configure single sign on in AS7
j_ri Feb 15, 2013 4:59 AM (in response to j_ri)
Sorry,
I just managed to find the solution myself ;-)
/subsystem=web/virtual-server=default-host/sso=configuration:add(reauthenticate="false")
The mistake was the part "sso=configuration".
How could one know to put the word "configuration"?!?!?!
-
12. Re: How to configure single sign on in AS7
plgregoire Feb 15, 2013 9:50 AM (in response to j_ri)
Hi,
I've configured it via standalone.xml because I have full access to the server.
Thanks for the information on configuration via the CLI.
-
13. Re: How to configure single sign on in AS7
g3n Apr 7, 2013 4:46 AM (in response to plgregoire)
Hi,
we have a similar project setup and I'm trying for a while but can't get this to work.
Can I have a step by step description of your configuration?
1. What has to be inside the standalone.xml
2. What in the jboss-web.xml
3. And finally the web.xml
-
14. Re: How to configure single sign on in AS7
plgregoire Apr 29, 2013 11:42 AM (in response to g3n)
Hi,
There is nothing special to do in jboss-web.xml and web.xml. By enabling SSO in standalone.xml like I describe above, all your secured applications will be part of the Single Sign On process and then a user will enter his credentials only once.
For more information on how to secure your application(s) and how to setup clustering, search on these specific subjects.