1. Re: JBPM6 SSO integration with PicketLink 2.5.2
swiderski.maciej Feb 3, 2014 1:54 AM (in response to marius.gherghief)
You need to make sure that the proper security configuration (the one used by your other servers/applications) is present on the server that hosts kie-wb, and then alter the security domain configuration in kie-wb/WEB-INF/jboss-web.xml.
Then enable SSO for the web subsystem and you should be ready to go with SSO for all these applications. If you use the BAM application next to kie-wb, you need to modify its security domain the same way as for kie-wb.
HTH
2. Re: JBPM6 SSO integration with PicketLink 2.5.2
marius.gherghief Feb 3, 2014 10:41 AM (in response to swiderski.maciej)
If I enable the integration, I get the following error:
ERROR [org.picketlink.common] (http-/0.0.0.0:8080-1) Service Provider could not handle the request.: java.io.IOException: JBWEB002035: Buffer length 4096 overflow with limit 4096 and no sink
at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:448) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:351) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.authenticator.FormAuthenticator.saveRequest(FormAuthenticator.java:591) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.generalUserRequest(AbstractSPFormAuthenticator.java:626) [picketlink-jbas7-2.5.2.Final.jar:2.5.2.Final]
at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:328) [picketlink-jbas7-2.5.2.Final.jar:2.5.2.Final]
at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:261) [picketlink-jbas7-2.5.2.Final.jar:2.5.2.Final]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:447) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
This is the jboss-web.xml content:
<security-domain>java:/jaas/QFPSecurityProvider</security-domain>
<valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
</valve>
This is the picketlink.xml content:
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
    <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" ServerEnvironment="tomcat" BindingType="REDIRECT" RelayState="someURL">
        <IdentityURL>${idp.url::http://xxxxxx.com:8083/QFPIdentityProvider/}</IdentityURL>
        <ServiceURL>${qfp-web.url::http://xxxxxx.com:8087/QFPBPMConsole/}</ServiceURL>
    </PicketLinkSP>
    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
            <Option Key="ASSERTION_SESSION_ATTRIBUTE_NAME" Value="org.picketlink.sp.assertion"/>
        </Handler>
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    </Handlers>
</PicketLink>
And this is the security domain configuration:
<security-domain name="QFPSecurityProvider" cache-type="default">
    <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
    </authentication>
</security-domain>
This configuration works for all other servers.
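The first reply's point is that the security domain referenced from kie-wb's jboss-web.xml must be the same one the server actually defines. The following is an added example, not code from the thread or from PicketLink/jBPM: it cross-checks the three fragments quoted above (jboss-web.xml, picketlink.xml, the security-domain) for the wiring mismatches that break SAML SSO without a clear error. Sample inputs are constructed from the quoted fragments; the jboss-web.xml sample is given the root element the quote omits.

```python
import xml.etree.ElementTree as ET

CFG = "{urn:picketlink:identity-federation:config:2.1}"
HDL = "{urn:picketlink:identity-federation:handler:config:2.1}"
SP_VALVE = "org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator"
SAML_LM = "org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule"

# Constructed from the fragments quoted in the post; jboss-web.xml is given the
# <jboss-web> root element the quote omits so it parses as a document.
JBOSS_WEB_XML = """<jboss-web>
<security-domain>java:/jaas/QFPSecurityProvider</security-domain>
<valve><class-name>%s</class-name></valve>
</jboss-web>""" % SP_VALVE
PICKETLINK_XML = """<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<PicketLinkSP ServerEnvironment="tomcat" BindingType="REDIRECT" RelayState="someURL">
<IdentityURL>${idp.url::http://xxxxxx.com:8083/QFPIdentityProvider/}</IdentityURL>
<ServiceURL>${qfp-web.url::http://xxxxxx.com:8087/QFPBPMConsole/}</ServiceURL>
</PicketLinkSP>
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
</Handlers></PicketLink>"""
SECURITY_DOMAIN_XML = """<security-domain name="QFPSecurityProvider" cache-type="default">
<authentication><login-module code="%s" flag="required"/></authentication>
</security-domain>""" % SAML_LM

def check_sso_wiring(jboss_web_xml, picketlink_xml, security_domain_xml):
    """Return the list of mismatches between the three fragments (empty = consistent)."""
    problems = []
    jw = ET.fromstring(jboss_web_xml)
    # jboss-web.xml names the domain as a JNDI path; the server-side domain uses the bare name.
    domain = (jw.findtext("security-domain") or "").strip().rsplit("/", 1)[-1]
    if SP_VALVE not in [v.text.strip() for v in jw.iter("class-name") if v.text]:
        problems.append("jboss-web.xml: ServiceProviderAuthenticator valve is missing")
    sd = ET.fromstring(security_domain_xml)
    if sd.get("name") != domain:
        problems.append(f"security domain {sd.get('name')!r} != jboss-web.xml reference {domain!r}")
    if SAML_LM not in [m.get("code") for m in sd.iter("login-module")]:
        problems.append("security domain: SAML2LoginModule is missing")
    pl = ET.fromstring(picketlink_xml)
    sp = pl.find(CFG + "PicketLinkSP")
    for tag in ("IdentityURL", "ServiceURL"):
        if sp is None or not (sp.findtext(CFG + tag) or "").strip():
            problems.append(f"picketlink.xml: PicketLinkSP/{tag} is missing or empty")
    handlers = [h.get("class", "") for h in pl.iter(HDL + "Handler")]
    if not any(h.endswith(".SAML2AuthenticationHandler") for h in handlers):
        problems.append("picketlink.xml: SAML2AuthenticationHandler is missing")
    return problems
```

Run it against the real files before enabling SSO on the web subsystem; an empty result means the valve, domain name and login module agree across all three places.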