14 Replies Latest reply on Apr 28, 2014 6:20 PM by santos.sandro

    Using SSO on WildFly 8.0.0.Final?

    tinche

      Hello,

       

      I'm trying to get SSO working on the newly released 8.0.0.Final. In the past we used the org.apache.catalina.authenticator.SingleSignOn valve (in jboss-web.xml), along with <sso /> in the JBoss web subsystem. I've added the <single-sign-on /> element to Undertow configuration and enabled Infinispan, but it still doesn't work. Can anyone point me to some documentation on exactly what's required to get going?

       

      I don't actually need distributed SSO, just a way to have logging in to a single deployment log a user in to all of them (within a single security realm) on the same WildFly instance.

       

      Thanks in advance for any pointers!

        • 1. Re: Using SSO on WildFly 8.0.0.Final?
          andy12345

          Hello Tin,

           

          you just have to turn on SSO in the wildfly server config, by editing the standalone.xml as follows:

           

          ...
          <subsystem xmlns="urn:jboss:domain:undertow:1.0">
               ...
               <server name="default-server">
                    ...
                    <host name="default-host" alias="localhost">
                         ...
                         <single-sign-on domain="localhost"/>

          • 2. Re: Using SSO on WildFly 8.0.0.Final?
            tinche

            Hi Andy,

             

            thanks for the reply. I've tried that, but it still doesn't seem to work (I have to log in separately to all the applications). Am I supposed to see a JSESSIONIDSSO cookie in addition to the JSESSIONID cookie? It's not being set.

             

            Cheers

            • 3. Re: Using SSO on WildFly 8.0.0.Final?
              andy12345

              Hi Tin,

               

              a JSESSIONIDSSO cookie will not be set, but have you configured a proper security-constraint in your web.xml?

              • 4. Re: Using SSO on WildFly 8.0.0.Final?
                tinche

                Hi Andy,

                 

                I think my web.xml's are fine; the auth works properly individually, just not once-for-all. Is there anything special I should add to get SSO working?

                 

                My security constraints generally contain a web-resource-collection, an auth-constraint (listing all the roles), and a user-data-constraint for no transport guarantee.

                • 5. Re: Using SSO on WildFly 8.0.0.Final?
                  ctomc

                  Tin Tvrtkovic wrote:

                   

                  Am I supposed to see a JSESSIONIDSSO cookie in addition to the JSESSIONID cookie? It's not being set.

                   

                  Yes, you should see it. Can you try a different browser? Otherwise this looks like a bug.

                  • 6. Re: Using SSO on WildFly 8.0.0.Final?
                    bgaraude

                    Hello,

                     

                    I'm encountering the same issue on WildFly 8.0.0.Final.

                     

                    Basically, I have an EAR with 2 WARs inside.

                    Each WAR has a web.xml with security-constraints, login-config (form based), and security roles. They both use the same realm.

                    The auth works fine on each WAR individually.

                     

                    When I activate the SSO as described above by Andy, I still have to perform the auth twice.

                    If I check the cookies, I only have the JSESSIONID cookie, but no JSESSIONIDSSO cookie.

                    This happens on Chrome (v 32) and Firefox (v 27).

                     

                    I've not made any particular configuration for Infinispan.

                     

                    Am I missing something?

                     

                    Cheers,

                    • 7. Re: Using SSO on WildFly 8.0.0.Final?
                      sepp.marant

                      Hi!

                       

                      I have the same setup (2 WARs in one EAR) and both use the same security-domain. <sso/> is working in JBoss 7.2.0 but not in WildFly 8.

                       

                      The reason why I want to switch to WildFly 8 is this bug: https://issues.jboss.org/browse/WFLY-1720

                      Maybe someone can help me with a proper solution to fix this logout problem in JBoss 7.2.0?

                       

                      Thanks,

                      Sepp

                      • 8. Re: Using SSO on WildFly 8.0.0.Final?
                        tinche

                        Hi,

                         

                        so the cookie is there. The domain attribute, however, is always being set, even if it's not set in standalone.xml, so the server sets the cookie to the 'default-host' domain, which is useless obviously. How do I get undertow to not use the domain attribute at all in the Set-Cookie directive, so the browser fills in the domain I'm requesting from?

                         

                        Also, the path cookie attribute isn't being set at all, so if I log into one service the SSO cookie won't be sent when I try accessing another service at a different URL. Can I set the cookie path to '/' or something? Since the cookie isn't being set at all, my ProxyPassReverseCookiePath Apache directive isn't taking effect, so now I'd need to introduce additional logic here...
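The two cookie problems described in reply 8 (a Domain attribute that does not cover the requesting host, and a missing Path attribute) can be checked against a captured Set-Cookie header. The following is an added example, not part of the original thread and not WildFly code; it applies the RFC 6265 domain-match, default-path and path-match rules, and the host name, URLs and cookie value are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def domain_match(host, domain):
    # RFC 6265 5.1.3 (simplified: no IP-address or public-suffix handling)
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def default_path(request_path):
    # RFC 6265 5.1.4: directory of the URL that set the cookie
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]

def path_match(request_path, cookie_path):
    # RFC 6265 5.1.4
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")

def sso_cookie_sent(set_cookie, login_url, target_url, name="JSESSIONIDSSO"):
    """Return (sent, reason): would a browser that received set_cookie from
    login_url attach the SSO cookie to a later request for target_url?"""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if name not in jar:
        return False, "missing"
    login, target = urlsplit(login_url), urlsplit(target_url)
    domain = jar[name]["domain"]
    if domain:
        # A Domain that does not cover the setting host is dropped on receipt.
        if not domain_match(login.hostname, domain):
            return False, "domain"
        if not domain_match(target.hostname, domain):
            return False, "domain"
    elif login.hostname != target.hostname:
        return False, "domain"  # host-only cookie, different host
    path = jar[name]["path"] or default_path(login.path)
    if not path_match(target.path or "/", path):
        return False, "path"
    return True, "ok"

# Constructed sample: two applications on one host, login performed in /app1.
LOGIN = "http://apps.example.test:8080/app1/j_security_check"
OTHER = "http://apps.example.test:8080/app2/index.html"
if __name__ == "__main__":
    for header in ("JSESSIONIDSSO=abc123; Domain=default-host",
                   "JSESSIONIDSSO=abc123",
                   "JSESSIONIDSSO=abc123; Path=/"):
        print(header, "->", sso_cookie_sent(header, LOGIN, OTHER))
```
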

                        • 9. Re: Using SSO on WildFly 8.0.0.Final?
                          swd847

                          Looks like a bug in org.wildfly.extension.undertow.SingleSignOnService, where the domain is defaulted if it is not set. Can you file a JIRA?

                          • 10. Re: Using SSO on WildFly 8.0.0.Final?
                            hkais

                            Hello all,

                             

                            I have a similar problem. I want to make a web application single sign-on, but I have no clue how to configure it. I see you are already discussing this in detail. Can someone point me to the relevant documentation or a good book?

                            • 11. Re: Using SSO on WildFly 8.0.0.Final?
                              tinche
                              • 12. Re: Using SSO on WildFly 8.0.0.Final?
                                hkais

                                Please give me a hint on how to configure my applications to use web SSO.

                                I have one EAR, which contains several WAR files. I have to authenticate against all WAR files, instead of once (SSO).

                                 

                                I am new to WildFly and JBoss, so I am only finding outdated documentation about JBoss AS7 and earlier. I can see there are some users here who managed to get SSO working, but how?

                                What to configure in the standalone.xml?

                                What to configure in my EAR file?

                                What to configure in my WAR files?

                                 

                                So again, please help a newbie to make a quick win with WildFly (against WebSphere...)

                                • 13. Re: Re: Using SSO on WildFly 8.0.0.Final?
                                  pferraro

                                  Within the undertow subsystem configuration, configure the target host with a nested <single-sign-on domain="..."/> element, where domain defines the domain of the cookie that will store the SSO session identifier per user.

                                  • 14. Re: Using SSO on WildFly 8.0.0.Final?
                                    santos.sandro

                                    My undertow isn't working, I've worked with sso until 7.1.3, I'm trying to use 8.1.0.CR1.

                                     

                                    Here is my undertow configuration:

                                     

                                    <subsystem xmlns="urn:jboss:domain:undertow:1.1">
                                        <buffer-cache name="default"/>
                                        <server name="default-server">
                                            <http-listener name="default" socket-binding="http"/>
                                            <host name="default-host" alias="localhost">
                                                <single-sign-on domain="localhost" />
                                                <location name="/" handler="welcome-content"/>
                                                <filter-ref name="server-header"/>
                                                <filter-ref name="x-powered-by-header"/>
                                            </host>
                                        </server>
                                        <servlet-container name="default">
                                            <jsp-config/>
                                        </servlet-container>
                                        <handlers>
                                            <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
                                        </handlers>
                                        <filters>
                                            <response-header name="server-header" header-name="Server" header-value="Wildfly 8"/>
                                            <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow 1"/>
                                        </filters>
                                    </subsystem>

                                     

                                    Is there something different to do in the web.xml? What would be the correct web.xml?

                                     

                                    Is it necessary to install the negotiation valve in the jboss-web?

                                    <valve>
                                    <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
                                    </valve>