2 Replies Latest reply on Mar 6, 2013 9:15 AM by bigman921

    Enable SSO?

    bigman921

      I've written a custom ServletFilter that does SSO with a reverse proxy. The filter itself works, and when I specify a password when creating the credential I'm able to log in to GateIn without an issue:

      This code works:

          // after this code, username = "root"
          String username = attr.getValues().get(0);

          Credentials credentials = new Credentials(username, "gtn");
          ServletContainer container = ServletContainerFactory.getServletContainer();

          // This will log the user in or throw an AuthenticationException
          try
          {
             container.login(request, response, credentials);
          }
          catch (AuthenticationException e)
          {
             log.debug("User authentication failed");
             if (log.isTraceEnabled())
             {
                log.trace(e.getMessage(), e);
             }
          }

       

      However, when I replace the "gtn" with "" (since I don't have a password), set "gatein.sso.enabled" = true in standalone/configuration/gatein/configuration.properties and restart JBoss, I get a failed login.

       

      Here's the stack trace:

      01:15:33,065 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--192.168.122.219-8080-1) Login failure: javax.security.auth.login.LoginException: Login failed for root
              at org.exoplatform.services.security.jaas.DefaultLoginModule.login(DefaultLoginModule.java:136) [exo.core.component.security.core-2.5.0-GA.jar:2.5.0-GA]
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_09-icedtea]
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_09-icedtea]
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_09-icedtea]
              at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_09-icedtea]
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [rt.jar:1.7.0_09-icedtea]
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_09-icedtea]
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0_09-icedtea]
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0_09-icedtea]
              at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_09-icedtea]
              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0_09-icedtea]
              at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.7.0_09-icedtea]
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
              at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
              at org.apache.catalina.authenticator.AuthenticatorBase.login(AuthenticatorBase.java:324) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.connector.Request.login(Request.java:3252) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.connector.RequestFacade.login(RequestFacade.java:1082) [jbossweb-7.0.13.Final.jar:]
              at org.gatein.wci.jboss.JB7ServletContainerContext.login(JB7ServletContainerContext.java:131) [wci-jboss7-2.3.0.Final.jar:2.3.0.Final]
              at org.gatein.wci.ServletContainer.login(ServletContainer.java:171) [wci-wci-2.3.0.Final.jar:2.3.0.Final]
              at com.tremolosecurity.jboss.login.GateInLastMile.postValidate(GateInLastMile.java:87) [jboss-plugins.jar:]
              at com.tremolosecurity.filter.AutoIDMFilter.doFilter(AutoIDMFilter.java:143) [tremolo.jar:]
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:397) [jbossweb-7.0.13.Final.jar:]
              at org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:159) [sso-integration-1.3.0.Final.jar:1.3.0.Final]
              at org.exoplatform.web.login.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:89) [exo.portal.component.web.security-3.5.0.Final.jar:3.5.0.Final]
              at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
              at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_09-icedtea]


      Am I missing something? Looking at the code for the SSO module org.gatein.sso.agent.login.SSOLoginModule, it clearly isn't loading the password, so I don't think it's actually executing.


      Thanks

      Marc

        • 1. Re: Enable SSO?
          mposolda

          Hi,

           

          The login modules are configured in the file standalone/configuration/standalone.xml, and there you can see that GateIn is using SSODelegateLoginModule for SSO login. You can also see that there are 2 properties you need to configure in your configuration.properties:

          1) gatein.sso.login.module.enabled needs to be true if you want the SSO login module to be used

          2) gatein.sso.login.module.class needs to have the value of the real login module class which you want to use. So for example it could have the value org.gatein.sso.agent.login.SSOLoginModule .

          The only responsibility of SSODelegateLoginModule is to recognize whether SSO login is enabled and, if so, to delegate the real login work to another login module. So in this case, the work will be delegated to SSOLoginModule. You can also look into the reference guide for an example of an SSO setup. For example, the SSO configuration for CAS integration is described here: https://docs.jboss.org/author/display/GTNPORTAL35/Central+Authentication+Service+%28CAS%29#CentralAuthenticationService%28CAS%29-Setuptheportal

           

          It is also very useful to enable TRACE logging for SSO. You can do it by adding this logging category to standalone/configuration/standalone.xml:

           

          <logger category="org.gatein.sso">
            <level name="TRACE"/>
          </logger>
          

          Marek

          • 2. Re: Enable SSO?
            bigman921

            Thanks Marek,

             

            That put me on the right track.  After adding:

             

            gatein.sso.enabled=true

            gatein.sso.login.module.enabled=true

            gatein.sso.login.module.class=org.gatein.sso.agent.login.SSOLoginModule

             

            to standalone/configuration/gatein/configuration.properties it still wasn't working, but looking at the code for SSOLoginModule it appears that it does not get the Credentials object the same way as the default module. I added "request.getSession(true).setAttribute(GenericAgent.AUTHENTICATED_CREDENTIALS, credentials);" before the call to login and that satisfied the SSO login module.

             

            Thanks

            Marc
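The fix Marc describes, stashing the Credentials in the session under GenericAgent.AUTHENTICATED_CREDENTIALS before calling container.login so that SSOLoginModule can find them, written out as a complete servlet filter. This is an added example, not the poster's filter or GateIn's own code; the header name X-Remote-User, the trustedProxyAddress init-param, and the exact WCI package names for Credentials and AuthenticationException are assumptions, and the proxy-address check is a defensive addition the thread does not discuss.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.gatein.sso.agent.GenericAgent;
import org.gatein.wci.ServletContainer;
import org.gatein.wci.ServletContainerFactory;
import org.gatein.wci.authentication.AuthenticationException; // assumed package
import org.gatein.wci.security.Credentials;                   // assumed package

// Added example, not the poster's filter: hands a reverse-proxy-asserted
// username to GateIn's SSOLoginModule. Header name and init-param are assumed.
public class ProxySsoFilter implements Filter {
    private static final String USER_HEADER = "X-Remote-User"; // assumed proxy header
    private String trustedProxyAddress; // assumed init-param: the reverse proxy's address

    @Override public void init(FilterConfig config) {
        trustedProxyAddress = config.getInitParameter("trustedProxyAddress");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        // Honour the header only when the request really came from the proxy;
        // a client that can reach the container directly could otherwise set it.
        boolean fromProxy = trustedProxyAddress != null
                && trustedProxyAddress.equals(request.getRemoteAddr());
        String username = request.getHeader(USER_HEADER);

        if (request.getRemoteUser() == null && fromProxy && username != null) {
            // SSOLoginModule reads the credentials from this session attribute,
            // not from the JAAS password callback, so the password can be empty.
            Credentials credentials = new Credentials(username, "");
            request.getSession(true).setAttribute(GenericAgent.AUTHENTICATED_CREDENTIALS, credentials);
            ServletContainer container = ServletContainerFactory.getServletContainer();
            try {
                container.login(request, response, credentials);
            } catch (AuthenticationException e) {
                // Clear the stashed credentials so a failed attempt is not retried later
                request.getSession().removeAttribute(GenericAgent.AUTHENTICATED_CREDENTIALS);
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    @Override public void destroy() { }
}
```

The filter still relies on gatein.sso.enabled, gatein.sso.login.module.enabled and gatein.sso.login.module.class being set in configuration.properties as shown in the thread; without them SSODelegateLoginModule never hands off to SSOLoginModule and the session attribute is ignored.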