1 2 Previous Next 21 Replies Latest reply on Nov 22, 2006 12:41 PM by Brian McGovern

    Single Signon - Where do I start

    Brian McGovern Newbie

      Heres my situation. On jboss portal 2.4 bundled. I have deployed a webapp (outside of portal), and I have a portal app, with a bunch of portlets.

      My users will enter the system throught he webapp, login to a separate data source and then gain access to the portal.

      I want to be able to gracefully log them into the portal FROM the webapp. So i guess this question is how do I go about this? Starting from scratch here any tips are appreciated.

      Thanks

        • 1. Re: Single Signon - Where do I start
          Thomas Heute Master

          First you need to enable the single sign on in Tomcat then they will be authenticated in both your webapp and portal.

          Then it depends how you plan to work on the authorization. If roles are already defined or if you let JBoss Portal manage the roles.

          • 2. Re: Single Signon - Where do I start
            Brian McGovern Newbie

            Thanks. Gonna read up some docs on how to do that. Anyone else have info, since im doing this the first time, is appreciated.

            • 4. Re: Single Signon - Where do I start
              Brian McGovern Newbie

              Please excuse the noobish questions as I beat this topic to death.

              I put in the valve listener in tomcat and thats fine. But where im stuck is how do I now syncronize the different apps on my virt host? SHouldnt there be some changes im making to the code of each that says 'use the valve' somehow? Im not even sure what to google to figure out the answer.
              Thanks

              • 5. Re: Single Signon - Where do I start
                Thomas Heute Master

                I made the assumption that you were using JAAS to authenticate in your webapp. If you use your own authentication it is less straightforward

                • 6. Re: Single Signon - Where do I start
                  Brian McGovern Newbie

                  Read up on jaas a little bit. Unfortunately im getting confused. Ashamed to say I need a serious hand holding here. I found a pretty easy to follow read on Federated SSO http://labs.jboss.com/portal/jbosssso/?prjlist=false but that appears to be a separate download and not included with the bundled jboss app/portal.

                  What I need to find is a step by step blueprint that explains the steps needed in setting up a authentication service that hits a jdbc store and allows it to authenticate portal users, and web app users.

                  • 7. Re: Single Signon - Where do I start
                    Sohil Shah Master

                    bmcgovern-

                    The JBoss Federated SSO is a new project at JBoss under the JBoss Security umbrella of technologies. It is for enabling Single Sign On between wep apps and portals scattered on different physical machines even located in different web domains.

                    The user forum for this project is located on : http://www.jboss.com/index.html?module=bb&op=viewforum&f=49

                    Federated SSO is not bundled with JBoss Portal but has been tested to work on it (The new JBoss.com and JBoss.org) sites will be running on JBoss Portal with SSO enabled using Federated SSO project

                    Let me know if you have any further questions on the above mentioned Forum.

                    Thanks
                    Sohil

                    • 8. Re: Single Signon - Where do I start
                      Brian McGovern Newbie

                      Ok I got a little farther. Hopefully someone can help now that i've added more details. My goal is to set up DB Authentication.

                      I get the ugly login box popping up as you'd expect but at first it was throwing this exception, missing a few user and role properties files, which I added and got rid of error.

                      13:58:50,015 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
                      java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
                       at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
                       at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
                       at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
                       at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
                      


                      Now I don't get a successfull login OR anything in the logs. Im at a stand still.
                      I have 2 basic questions:
                      -How do i enable logging so I can see what its trying to do in the console?
                      -What am i doing wrong?



                      jboss-web.xml
                      <jboss-web><security-domain>java:jaas/myauth</security-domain></jboss-web>


                      web-inf/login-config.xml
                      <policy>
                       <!-- For the JCR CMS -->
                       <application-policy name="myauth">
                       <authentication>
                       <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
                       <module-option name = "unauthenticatedIdentity">guest</module-option>
                       <module-option name = "dsJndiName">java:/PortalDS</module-option>
                       <module-option name = "principalsQuery">SELECT jbp_uname, jbp_password FROM jbp_users WHERE jbp_uname=?</module-option>
                       <module-option name = "rolesQuery">SELECT jbp_rid, 'Roles' FROM Jbp_roles WHERE jbp_uid=?</module-option>
                      
                       </login-module>
                       </authentication>
                      </application-policy>
                      
                      
                      </policy>



                      web.xml

                      
                      <security-constraint>
                       <web-resource-collection>
                       <web-resource-name>myauth</web-resource-name>
                       <url-pattern>/*</url-pattern>
                       </web-resource-collection>
                       <auth-constraint>
                       <role-name>Users</role-name>
                       </auth-constraint>
                      </security-constraint>
                      
                      <login-config>
                       <auth-method>BASIC</auth-method>
                       <realm-name>myauth</realm-name>
                      </login-config>
                      
                      <security-role>
                       <description>The role required to access restricted content</description>
                       <role-name>Users</role-name>
                      </security-role>
                      



                      jbossweb-tomcat55.sar/server.xml

                      <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
                      



                      jbossweb-tomcat55.sar/META-INF/jboss-service.xml

                       <attribute name="Authenticators" serialDataType="jbxb">
                       <java:properties xmlns:java="urn:jboss:java-properties"
                       xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
                       xs:schemaLocation="urn:jboss:java-properties resource:java-properties_1_0.xsd">
                       <java:property>
                       <java:key>BASIC</java:key>
                       <java:value>org.apache.catalina.authenticator.BasicAuthenticator</java:value>
                       </java:property>
                       <java:property>
                       <java:key>CLIENT-CERT</java:key>
                       <java:value>org.apache.catalina.authenticator.SSLAuthenticator</java:value>
                       </java:property>
                       <java:property>
                       <java:key>DIGEST</java:key>
                       <java:value>org.apache.catalina.authenticator.DigestAuthenticator</java:value>
                       </java:property>
                       <java:property>
                       <java:key>FORM</java:key>
                       <java:value>org.apache.catalina.authenticator.FormAuthenticator</java:value>
                       </java:property>
                       <java:property>
                       <java:key>NONE</java:key>
                       <java:value>org.apache.catalina.authenticator.NonLoginAuthenticator</java:value>
                       </java:property>
                       </java:properties>
                       </attribute>
                      
                      


                      • 9. Re: Single Signon - Where do I start
                        Daniel Wasser Newbie

                        Hello bmcgovern,

                        i only can answer your first question.
                        For logging security issues, add the following code to your server/conf/log4j.xml:

                        <!-- Category for JBossSecurity -->







                        maybe you must set the console appender to level debug:






                        <!-- The default pattern: Date Priority [Category] Message\n -->





                        Daniel

                        • 10. Re: Single Signon - Where do I start
                          Daniel Wasser Newbie

                          another try...

                          first code snip:

                           <!-- Category for JBossSecurity -->
                           <category name="org.jboss.security">
                           <priority value="DEBUG"/>
                           </category>
                           <category name="org.jboss.web.tomcat.security">
                           <priority value="DEBUG"/>
                           </category>



                          second snip:

                          <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender">
                           <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler" />
                           <param name="Target" value="System.out" />
                           <param name="Threshold" value="DEBUG" />
                          
                           <layout class="org.apache.log4j.PatternLayout">
                           <!-- The default pattern: Date Priority [Category] Message\n -->
                           <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p (%x) [%c{1}] %m%n" />
                           </layout>
                           </appender>


                          • 11. Re: Single Signon - Where do I start
                            Brian McGovern Newbie

                            Thanks Kosmi. Your post didnt come through, but i got it by viewing source. Now i get a new message, basically saying the password is wrong. however.. Its not.

                            Does jaas authentication mandate some kind of standard encryption in stored DB passwords? Im 100% sure that my User/ pass combo are right, but i get the following debug in my logs.

                            09:24:56,390 DEBUG [[localhost]] Checking for SSO cookie
                            09:24:56,390 DEBUG [[localhost]] SSO cookie is not present
                            09:24:56,390 DEBUG [AuthenticatorBase] Security checking request GET /myauth/
                            09:24:56,390 DEBUG [RealmBase] Checking constraint 'SecurityConstraint[myauth]' against GET / --> true
                            09:24:56,390 DEBUG [RealmBase] Checking constraint 'SecurityConstraint[myauth]' against GET / --> true
                            09:24:56,390 DEBUG [AuthenticatorBase] Calling hasUserDataPermission()
                            09:24:56,390 DEBUG [RealmBase] User data constraint has no restrictions
                            09:24:56,390 DEBUG [AuthenticatorBase] Calling authenticate()
                            09:24:56,406 DEBUG [DatabaseServerLoginModule] Bad password for username=1
                            09:24:56,406 DEBUG [AuthenticatorBase] Failed authenticate() test
                            


                            • 12. Re: Single Signon - Where do I start
                              Daniel Wasser Newbie

                              Hello bmcgovern,

                              your second question is answered in your errormessage:
                              13:58:50,015 ERROR [UsersRolesLoginModule]

                              A UserRolesLoginModule sends the message, but
                              you defined the

                              <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                              

                              in ??/web inf/login-config

                              If you want to login at the portal an want to use the
                              DatabaseServerLoginModule,
                              you have to define this login-module in the
                              -portal.sar/conf/login-config

                              Now you have defined the UsersRolesLoginModule
                              at this place, which could not find his required propertie files.

                              Daniel Wasser








                              • 13. Re: Single Signon - Where do I start
                                Brian McGovern Newbie

                                Kosmi,
                                Thanks for the help. I think, as it turns out, the error described:
                                13:58:50,015 ERROR [UsersRolesLoginModule]

                                was due to my login-config.xml being deployed in my application war WAS NOT CORRECT. I had to remove that file and place the application-policy definition inside of the containers login-config.xml at $JBOSS_HOME/server/default/conf/login-config.xml.

                                Can anyone on the jboss team confirm that for me. I am 99% sure, but it may be a bug as the documentation says to put login-config.xml in your web.xml.

                                Now back to the problem. I'm very close now, I think. I've got it calling my database. It fails every time but there are two scenarios:

                                1. I enter a bad UID and password on purpose and get this in the logs on DEBUG level"

                                12:56:09,375 DEBUG [[localhost]] Process request for '/myauth/'
                                12:56:09,375 DEBUG [[localhost]] Checking for SSO cookie
                                12:56:09,375 DEBUG [[localhost]] SSO cookie is not present
                                12:56:09,390 DEBUG [AuthenticatorBase] Security checking request GET /teenfit/
                                12:56:09,390 DEBUG [RealmBase] Checking constraint 'SecurityConstraint[myauth]' against GET / --> true
                                12:56:09,390 DEBUG [RealmBase] Checking constraint 'SecurityConstraint[myauth]' against GET / --> true
                                12:56:09,390 DEBUG [AuthenticatorBase] Calling hasUserDataPermission()
                                12:56:09,390 DEBUG [RealmBase] User data constraint has no restrictions
                                12:56:09,390 DEBUG [AuthenticatorBase] Calling authenticate()
                                 12:56:09,390 DEBUG [DatabaseServerLoginModule] Bad password for username=user
                                 12:56:09,390 DEBUG [AuthenticatorBase] Failed authenticate() test
                                

                                2. I enter a good UID and password and still don't get logged in, but the bad password message is no longer in the logs. Any ideas?
                                12:56:01,062 DEBUG [[localhost]] Process request for '/myauth/'
                                12:56:01,062 DEBUG [[localhost]] Checking for SSO cookie
                                12:56:01,062 DEBUG [[localhost]] SSO cookie is not present
                                12:56:01,062 DEBUG [AuthenticatorBase] Security checking request GET /teenfit/
                                12:56:01,062 DEBUG [RealmBase] Checking constraint 'SecurityConstraint[myauth]' against GET / --> true
                                12:56:01,062 DEBUG [RealmBase] Checking constraint 'SecurityConstraint[myauth]' against GET / --> true
                                12:56:01,062 DEBUG [AuthenticatorBase] Calling hasUserDataPermission()
                                12:56:01,062 DEBUG [RealmBase] User data constraint has no restrictions
                                12:56:01,078 DEBUG [AuthenticatorBase] Calling authenticate()
                                 12:56:01,078 DEBUG [AuthenticatorBase] Failed authenticate() test
                                


                                • 14. Re: Single Signon - Where do I start
                                  Brian McGovern Newbie

                                  I got it working, the problem ended up being the sql i was using for the roles Query. My database (the jboss portal) db. Doesn't have a schema that directly matches the way the query has to be shaped.

                                  By looking at the source of DatabaseServerLoginModule.java I was able to figure out what it was looking for in each query. The fix was to make a view that did the joining needed to create the schema that jaas wants.

                                  My docs / config were right. And in the end you do have to move login-config.xml out of your web.xml and into /deploy/conf/login-config.xml for the server to see it. This is on bundled AS 4.0.4 and portal 2.4.

                                  Thanks to everyone for thier help.

                                  1 2 Previous Next