-
1. Re: Single Signon - Where do I start
theute Nov 10, 2006 10:56 AM (in response to bmcgovern)
First you need to enable single sign-on in Tomcat; then they will be authenticated in both your webapp and the portal.
Then it depends on how you plan to handle the authorization: whether roles are already defined, or whether you let JBoss Portal manage the roles.
-
2. Re: Single Signon - Where do I start
bmcgovern Nov 10, 2006 11:02 AM (in response to bmcgovern)
Thanks. Going to read up on some docs on how to do that. Any other info is appreciated, since I'm doing this for the first time.
-
3. Re: Single Signon - Where do I start
theute Nov 10, 2006 11:09 AM (in response to bmcgovern)
The JBoss Wiki is your friend ;)
http://wiki.jboss.org/wiki/Wiki.jsp?page=SingleSignOn
-
4. Re: Single Signon - Where do I start
bmcgovern Nov 10, 2006 11:39 AM (in response to bmcgovern)
Please excuse the noobish questions as I beat this topic to death.
I put in the valve listener in Tomcat and that's fine. But where I'm stuck is: how do I now synchronize the different apps on my virtual host? Shouldn't there be some changes I'm making to the code of each that says "use the valve" somehow? I'm not even sure what to Google to figure out the answer.
Thanks
-
5. Re: Single Signon - Where do I start
theute Nov 10, 2006 12:00 PM (in response to bmcgovern)
I made the assumption that you were using JAAS to authenticate in your webapp. If you use your own authentication it is less straightforward.
-
6. Re: Single Signon - Where do I start
bmcgovern Nov 10, 2006 1:40 PM (in response to bmcgovern)
Read up on JAAS a little bit. Unfortunately I'm getting confused. Ashamed to say I need some serious hand-holding here. I found a pretty easy-to-follow read on Federated SSO at http://labs.jboss.com/portal/jbosssso/?prjlist=false but that appears to be a separate download and not included with the bundled JBoss AS/Portal.
What I need to find is a step-by-step blueprint that explains the steps needed to set up an authentication service that hits a JDBC store and allows it to authenticate portal users and web app users.
-
7. Re: Single Signon - Where do I start
soshah Nov 10, 2006 1:53 PM (in response to bmcgovern)
bmcgovern-
The JBoss Federated SSO is a new project at JBoss under the JBoss Security umbrella of technologies. It is for enabling Single Sign On between web apps and portals scattered on different physical machines, even located in different web domains.
The user forum for this project is located at: http://www.jboss.com/index.html?module=bb&op=viewforum&f=49
Federated SSO is not bundled with JBoss Portal but has been tested to work on it (the new JBoss.com and JBoss.org sites will be running on JBoss Portal with SSO enabled using the Federated SSO project).
Let me know if you have any further questions on the above-mentioned forum.
Thanks
Sohil
-
8. Re: Single Signon - Where do I start
bmcgovern Nov 13, 2006 9:07 AM (in response to bmcgovern)
OK, I got a little farther. Hopefully someone can help now that I've added more details. My goal is to set up DB authentication.
I get the ugly login box popping up as you'd expect, but at first it was throwing this exception, missing a few user and role properties files, which I added and got rid of the error:
13:58:50,015 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
    at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
Now I don't get a successful login OR anything in the logs. I'm at a standstill.
I have 2 basic questions:
- How do I enable logging so I can see what it's trying to do in the console?
- What am I doing wrong?
jboss-web.xml:
<jboss-web>
  <security-domain>java:jaas/myauth</security-domain>
</jboss-web>
web-inf/login-config.xml:
<policy>
  <!-- For the JCR CMS -->
  <application-policy name="myauth">
    <authentication>
      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
        <module-option name = "unauthenticatedIdentity">guest</module-option>
        <module-option name = "dsJndiName">java:/PortalDS</module-option>
        <module-option name = "principalsQuery">SELECT jbp_uname, jbp_password FROM jbp_users WHERE jbp_uname=?</module-option>
        <module-option name = "rolesQuery">SELECT jbp_rid, 'Roles' FROM Jbp_roles WHERE jbp_uid=?</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>myauth</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Users</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>myauth</realm-name>
</login-config>
<security-role>
  <description>The role required to access restricted content</description>
  <role-name>Users</role-name>
</security-role>
jbossweb-tomcat55.sar/server.xml:
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
jbossweb-tomcat55.sar/META-INF/jboss-service.xml:
<attribute name="Authenticators" serialDataType="jbxb">
  <java:properties xmlns:java="urn:jboss:java-properties"
                   xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
                   xs:schemaLocation="urn:jboss:java-properties resource:java-properties_1_0.xsd">
    <java:property>
      <java:key>BASIC</java:key>
      <java:value>org.apache.catalina.authenticator.BasicAuthenticator</java:value>
    </java:property>
    <java:property>
      <java:key>CLIENT-CERT</java:key>
      <java:value>org.apache.catalina.authenticator.SSLAuthenticator</java:value>
    </java:property>
    <java:property>
      <java:key>DIGEST</java:key>
      <java:value>org.apache.catalina.authenticator.DigestAuthenticator</java:value>
    </java:property>
    <java:property>
      <java:key>FORM</java:key>
      <java:value>org.apache.catalina.authenticator.FormAuthenticator</java:value>
    </java:property>
    <java:property>
      <java:key>NONE</java:key>
      <java:value>org.apache.catalina.authenticator.NonLoginAuthenticator</java:value>
    </java:property>
  </java:properties>
</attribute>
-
9. Re: Single Signon - Where do I start
kosmi Nov 13, 2006 9:17 AM (in response to bmcgovern)
Hello bmcgovern,
I can only answer your first question.
For logging security issues, add the following code to your server/conf/log4j.xml:
<!-- Category for JBossSecurity -->
Maybe you must set the console appender to level DEBUG:
<!-- The default pattern: Date Priority [Category] Message\n -->
Daniel
-
10. Re: Single Signon - Where do I start
kosmi Nov 13, 2006 9:20 AM (in response to bmcgovern)
Another try...
First code snippet:
<!-- Category for JBossSecurity -->
<category name="org.jboss.security">
  <priority value="DEBUG"/>
</category>
<category name="org.jboss.web.tomcat.security">
  <priority value="DEBUG"/>
</category>
Second snippet:
<appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender">
  <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler" />
  <param name="Target" value="System.out" />
  <param name="Threshold" value="DEBUG" />
  <layout class="org.apache.log4j.PatternLayout">
    <!-- The default pattern: Date Priority [Category] Message\n -->
    <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p (%x) [%c{1}] %m%n" />
  </layout>
</appender>
-
11. Re: Single Signon - Where do I start
bmcgovern Nov 13, 2006 9:27 AM (in response to bmcgovern)
Thanks Kosmi. Your post didn't come through, but I got it by viewing the source. Now I get a new message, basically saying the password is wrong. However... it's not.
Does JAAS authentication mandate some kind of standard encryption in stored DB passwords? I'm 100% sure that my user/pass combo is right, but I get the following debug output in my logs:
09:24:56,390 DEBUG [[localhost]] Checking for SSO cookie
09:24:56,390 DEBUG [[localhost]] SSO cookie is not present
09:24:56,390 DEBUG [AuthenticatorBase] Security checking request GET /myauth/
09:24:56,390 DEBUG [RealmBase] Checking constraint 'SecurityConstraint[myauth]' against GET / --> true
09:24:56,390 DEBUG [RealmBase] Checking constraint 'SecurityConstraint[myauth]' against GET / --> true
09:24:56,390 DEBUG [AuthenticatorBase] Calling hasUserDataPermission()
09:24:56,390 DEBUG [RealmBase] User data constraint has no restrictions
09:24:56,390 DEBUG [AuthenticatorBase] Calling authenticate()
09:24:56,406 DEBUG [DatabaseServerLoginModule] Bad password for username=1
09:24:56,406 DEBUG [AuthenticatorBase] Failed authenticate() test
-
12. Re: Single Signon - Where do I start
kosmi Nov 13, 2006 9:38 AM (in response to bmcgovern)
Hello bmcgovern,
your second question is answered in your error message:
13:58:50,015 ERROR [UsersRolesLoginModule]
A UsersRolesLoginModule sends the message, but you defined the
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
in ??/web inf/login-config
If you want to log in at the portal and want to use the DatabaseServerLoginModule, you have to define this login-module in the
-portal.sar/conf/login-config
Now you have the UsersRolesLoginModule defined at this place, which could not find its required property files.
Daniel Wasser
-
13. Re: Single Signon - Where do I start
bmcgovern Nov 13, 2006 1:34 PM (in response to bmcgovern)
Kosmi,
Thanks for the help. I think, as it turns out, the error described:
13:58:50,015 ERROR [UsersRolesLoginModule]
was due to my login-config.xml being deployed in my application WAR, which WAS NOT CORRECT. I had to remove that file and place the application-policy definition inside of the container's login-config.xml at $JBOSS_HOME/server/default/conf/login-config.xml.
Can anyone on the JBoss team confirm that for me? I am 99% sure, but it may be a bug, as the documentation says to put login-config.xml in your web.xml.
Now back to the problem. I'm very close now, I think. I've got it calling my database. It fails every time, but there are two scenarios:
1. I enter a bad UID and password on purpose and get this in the logs at DEBUG level:
12:56:09,375 DEBUG [[localhost]] Process request for '/myauth/'
12:56:09,375 DEBUG [[localhost]] Checking for SSO cookie
12:56:09,375 DEBUG [[localhost]] SSO cookie is not present
12:56:09,390 DEBUG [AuthenticatorBase] Security checking request GET /teenfit/
12:56:09,390 DEBUG [RealmBase] Checking constraint 'SecurityConstraint[myauth]' against GET / --> true
12:56:09,390 DEBUG [RealmBase] Checking constraint 'SecurityConstraint[myauth]' against GET / --> true
12:56:09,390 DEBUG [AuthenticatorBase] Calling hasUserDataPermission()
12:56:09,390 DEBUG [RealmBase] User data constraint has no restrictions
12:56:09,390 DEBUG [AuthenticatorBase] Calling authenticate()
12:56:09,390 DEBUG [DatabaseServerLoginModule] Bad password for username=user
12:56:09,390 DEBUG [AuthenticatorBase] Failed authenticate() test
2. I enter a good UID and password and still don't get logged in, but the bad password message is no longer in the logs. Any ideas?
12:56:01,062 DEBUG [[localhost]] Process request for '/myauth/'
12:56:01,062 DEBUG [[localhost]] Checking for SSO cookie
12:56:01,062 DEBUG [[localhost]] SSO cookie is not present
12:56:01,062 DEBUG [AuthenticatorBase] Security checking request GET /teenfit/
12:56:01,062 DEBUG [RealmBase] Checking constraint 'SecurityConstraint[myauth]' against GET / --> true
12:56:01,062 DEBUG [RealmBase] Checking constraint 'SecurityConstraint[myauth]' against GET / --> true
12:56:01,062 DEBUG [AuthenticatorBase] Calling hasUserDataPermission()
12:56:01,062 DEBUG [RealmBase] User data constraint has no restrictions
12:56:01,078 DEBUG [AuthenticatorBase] Calling authenticate()
12:56:01,078 DEBUG [AuthenticatorBase] Failed authenticate() test
-
14. Re: Single Signon - Where do I start
bmcgovern Nov 13, 2006 5:19 PM (in response to bmcgovern)
I got it working. The problem ended up being the SQL I was using for the roles query. My database (the JBoss Portal DB) doesn't have a schema that directly matches the way the query has to be shaped.
By looking at the source of DatabaseServerLoginModule.java I was able to figure out what it was looking for in each query. The fix was to make a view that did the joining needed to create the schema that JAAS wants.
My docs/config were right. And in the end you do have to move login-config.xml out of your web.xml and into /deploy/conf/login-config.xml for the server to see it. This is on bundled AS 4.0.4 and Portal 2.4.
Thanks to everyone for their help.
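The query contract behind posts 8 and 14, as an added example that is not part of this thread or of JBoss: DatabaseServerLoginModule binds the submitted username to both queries, reads the first column returned by principalsQuery as the stored password (its default is `select Password from Principals where PrincipalID=?`), and takes each (role, role-group) row from rolesQuery whose group is 'Roles' as one of the user's roles (default `select Role, RoleGroup from Roles where PrincipalID=?`). The Python below mimics that flow against an in-memory SQLite copy of a constructed Portal-like schema (the jbp_role_membership table and all column names are assumed for the example, not taken from Portal 2.4), builds the joining view the last post describes, and contrasts it with a principalsQuery whose first column is the username rather than the password. Unless the module's hashAlgorithm/hashEncoding options are configured, the stored value is compared to the submitted password as-is, which is why the thread's setup implies plaintext passwords in the table.

```python
import hmac
import sqlite3

# Constructed, in-memory stand-in for the Portal database. Table and column
# names are assumed for this example, not copied from JBoss Portal 2.4.
SCHEMA = """
CREATE TABLE jbp_users (jbp_uid INTEGER PRIMARY KEY, jbp_uname TEXT UNIQUE, jbp_password TEXT);
CREATE TABLE jbp_roles (jbp_rid INTEGER PRIMARY KEY, jbp_name TEXT UNIQUE);
CREATE TABLE jbp_role_membership (jbp_uid INTEGER, jbp_rid INTEGER);
INSERT INTO jbp_users VALUES (1, 'alice', 'alice-secret');
INSERT INTO jbp_users VALUES (2, 'bob', 'bob-secret');
INSERT INTO jbp_roles VALUES (10, 'Users');
INSERT INTO jbp_roles VALUES (11, 'Admin');
INSERT INTO jbp_role_membership VALUES (1, 10);
INSERT INTO jbp_role_membership VALUES (1, 11);
-- bob has a valid password but no role, so the web.xml constraint on
-- 'Users' must still reject him.
-- The view does the joining: it keys roles by username (what the login
-- module binds to '?') and supplies the constant 'Roles' group column.
CREATE VIEW jaas_roles AS
  SELECT u.jbp_uname AS username, r.jbp_name AS role, 'Roles' AS role_group
  FROM jbp_users u
  JOIN jbp_role_membership m ON m.jbp_uid = u.jbp_uid
  JOIN jbp_roles r ON r.jbp_rid = m.jbp_rid;
"""

# Queries shaped the way DatabaseServerLoginModule expects them.
PRINCIPALS_QUERY = "SELECT jbp_password FROM jbp_users WHERE jbp_uname = ?"
ROLES_QUERY = "SELECT role, role_group FROM jaas_roles WHERE username = ?"
# A mis-shaped principalsQuery: column 1 is the username, so the password
# comparison fails even for correct credentials.
BAD_PRINCIPALS_QUERY = "SELECT jbp_uname, jbp_password FROM jbp_users WHERE jbp_uname = ?"


def build_db():
    """Create the constructed schema and sample rows in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login(conn, username, password, required_role="Users",
          principals_query=PRINCIPALS_QUERY, roles_query=ROLES_QUERY):
    """Mimic the login module's flow plus the container's role check.

    Returns (ok, reason, roles). The password is compared as-is, which is
    what the module does when no hashAlgorithm option is configured.
    """
    row = conn.execute(principals_query, (username,)).fetchone()
    if row is None:
        return False, "no such user", []
    stored = row[0]  # only column 1 is read, whatever else the query returns
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return False, "bad password", []
    roles = sorted(role for role, group in conn.execute(roles_query, (username,))
                   if group == "Roles")
    if required_role not in roles:
        return False, "authenticated but not in role %r" % required_role, roles
    return True, "ok", roles


if __name__ == "__main__":
    db = build_db()
    for user, pw in [("alice", "alice-secret"), ("alice", "wrong"), ("bob", "bob-secret")]:
        print(user, login(db, user, pw))
    print("mis-shaped query:",
          login(db, "alice", "alice-secret", principals_query=BAD_PRINCIPALS_QUERY))
```

Running it shows the three outcomes the thread's DEBUG logs distinguish: a "bad password" failure, a failure with no bad-password message (valid credentials but no qualifying role), and a success that carries the roles the view produced. The same view idea lets a real rolesQuery stay a single `SELECT role, role_group FROM <view> WHERE username=?` regardless of how the underlying membership tables are laid out.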