21 Replies. Latest reply on Nov 22, 2006 12:41 PM by bmcgovern
      • 15. Re: Single Signon - Where do I start
        thanvi

        Hi bmcgovern

        Did you use JBoss SSO to get the SSO to work? I tried to follow the things you have mentioned, but ended up with none of the URLs working, and I could not see the logs either.

        Please help me understand how you achieved it, and is there anything that I have to download?

        I want to have an SSO to an webapp and to the portal.

        Thanks in advance

        • 16. Re: Single Signon - Where do I start
          bmcgovern

          Thanvi -- I'm happy to help. Everything I used came with the portal and is part of the JAAS spec, so you don't need to download anything.
          I'm using the JBoss bundled portal and app server: app server v4.0.4GA and portal 2.4.

          Before you start you need to figure out how you are going to authenticate. Your choices are defined in $JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/META-INF/jboss-service.xml
          You want to uncomment the following portion to allow each type of auth you are going to use.

          <attribute name="Authenticators" serialDataType="jbxb">
            <java:properties xmlns:java="urn:jboss:java-properties"
                             xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
                             xs:schemaLocation="urn:jboss:java-properties resource:java-properties_1_0.xsd">
              <java:property>
                <java:key>BASIC</java:key>
                <java:value>org.apache.catalina.authenticator.BasicAuthenticator</java:value>
              </java:property>
              <java:property>
                <java:key>CLIENT-CERT</java:key>
                <java:value>org.apache.catalina.authenticator.SSLAuthenticator</java:value>
              </java:property>
              <java:property>
                <java:key>DIGEST</java:key>
                <java:value>org.apache.catalina.authenticator.DigestAuthenticator</java:value>
              </java:property>
              <java:property>
                <java:key>FORM</java:key>
                <java:value>org.apache.catalina.authenticator.FormAuthenticator</java:value>
              </java:property>
              <java:property>
                <java:key>NONE</java:key>
                <java:value>org.apache.catalina.authenticator.NonLoginAuthenticator</java:value>
              </java:property>
            </java:properties>
          </attribute>


          Next you want to set up the webapp to use one of the types of authentication. I'm using FORM auth, which means I have to set up a JSP myself.

          /yourwebapp/WEB-INF/web.xml
          <login-config>
            <!-- use form auth -->
            <auth-method>FORM</auth-method>
            <form-login-config>
              <!-- These pages are used for good/bad logins -->
              <form-login-page>/WEB-INF/app/login.jsp</form-login-page>
              <form-error-page>/WEB-INF/app/login.jsp</form-error-page>
            </form-login-config>
            <!-- Realm name presented in the authentication challenge. Note: JBoss binds a webapp to an
                 application-policy in login-config.xml through <security-domain> in WEB-INF/jboss-web.xml,
                 not through this name; the policy itself is defined in the next portion -->
            <realm-name>teenfitauth</realm-name>
          </login-config>
          <security-role>
            <description>The role required to access restricted content</description>
            <!-- The name of the role that is granted access to this webapp. This role is defined in the data store you use -- I'm using a DB -->
            <role-name>User</role-name>
          </security-role>
          <security-constraint>
            <web-resource-collection>
              <!-- A label for this collection of protected resources -->
              <web-resource-name>myauth</web-resource-name>
              <url-pattern>/public/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
              <!-- Only this role may access the URLs above. It is defined in the data store you use -- I'm using a DB -->
              <role-name>User</role-name>
            </auth-constraint>
          </security-constraint>


          The login form /WEB-INF/app/login.jsp. This is simple.
          <form action="j_security_check" method="post">
            <b>ID Number:</b> <input type="text" name="j_username" value="" size="9" />
            <br />
            <b>Pass Code:</b> <input type="password" name="j_password" value="" size="25" />
            <p><input type="submit" value="Login" /></p>
          </form>


          Now the webapp knows to map the /public/* URI to my security constraint defined by the realm "myauth" and only allow users who belong to the User role. The next steps set up the "myauth" realm and point it to the portal's DB for authentication. Other documentation says this is done by setting up a login-config.xml file in your webapp's WEB-INF dir, but that did not work for me. I had to put it in the container's login-config.xml.

          $JBOSS_HOME/server/default/conf/login-config.xml
          I added this.


          <!-- ADDED BY BJM FOR SSO -->
          <!-- the name of the policy / realm has to match what you defined above -->
          <application-policy name="myauth">
            <authentication>
              <!-- use the DB for auth; there are other choices like UsersRolesLoginModule and some others -->
              <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                <module-option name="unauthenticatedIdentity">guest</module-option>
                <!-- this is the default data source -->
                <module-option name="dsJndiName">java:/PortalDS</module-option>
                <!-- this part tripped me up a lot. I had to look at the actual source of DatabaseServerLoginModule to see what columns it was reading and how it needed the SQL to be written. All the docs I saw had very basic SQL tied to 2 tables constructed exactly as the JAAS spec states. But that's not a real-world example because, for instance, the portal's DB isn't set up EXACTLY that way, so you can use a join to come up with the same structure -->
                <module-option name="principalsQuery">SELECT jbp_password FROM jbp_users WHERE jbp_uname=?</module-option>
                <module-option name="rolesQuery">SELECT jbp_roles.jbp_name, 'Roles' FROM jbp_role_membership INNER JOIN jbp_roles ON jbp_role_membership.jbp_rid = jbp_roles.jbp_rid INNER JOIN jbp_users ON jbp_role_membership.jbp_uid = jbp_users.jbp_uid WHERE jbp_users.jbp_uname=?</module-option>
              </login-module>
            </authentication>
          </application-policy>


          Now set up the servlet container to allow SSO.
          $JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/server.xml
          Uncomment the following line.

          <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
          


          Now create a directory in your webapp called /public, because that's what was defined as the protected URI. By this point SSO should work for the webapp. To get it to work for the portal as well, do this.

          The portal is protected by default through JAAS. It uses a realm named "portal", so I replaced its definition with my realm definition so it uses my database the same way I defined it for my webapp.

          $JBOSS_HOME/server/default/deploy/jboss-portal.sar/conf/login-config.xml

          Replace the current definition with:

          <application-policy name="portal">
            <authentication>
              <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                <module-option name="dsJndiName">java:/PortalDS</module-option>
                <module-option name="principalsQuery">SELECT jbp_password FROM jbp_users WHERE jbp_uname=?</module-option>
                <module-option name="rolesQuery">SELECT jbp_roles.jbp_name, 'Roles' FROM jbp_role_membership INNER JOIN jbp_roles ON jbp_role_membership.jbp_rid = jbp_roles.jbp_rid INNER JOIN jbp_users ON jbp_role_membership.jbp_uid = jbp_users.jbp_uid WHERE jbp_users.jbp_uname=?</module-option>
              </login-module>
            </authentication>
          </application-policy>


          Now the portal should use the same SSO, and when you log in to either the portal or the webapp you'll be logged into the other.

          Turn on logging in $JBOSS_HOME/server/default/conf/log4j.xml:
          change the CONSOLE appender Threshold from INFO to DEBUG.



          Good luck!

          • 17. Re: Single Signon - Where do I start
            thanvi

            Thanks for the details.

            I followed the steps as mentioned, but I am getting the following error:

            2006-11-22 14:28:40,277 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added portal, org.jboss.security.plugins.SecurityDomainContext@1f89e1 to map
            2006-11-22 14:28:40,293 DEBUG [org.jboss.security.auth.spi.DatabaseServerLoginModule] Bad password for username=admin
            2006-11-22 14:29:07,856 DEBUG [org.jboss.security.auth.spi.DatabaseServerLoginModule] Bad password for username=user

            Any ideas how to proceed?

            Thanks

            • 18. Re: Single Signon - Where do I start
              thanvi

              When I access the portal I get the above error.

              But when I access my webapp it gives the following error:

              java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
              at org.jboss.security.auth.spi.Util.loadProperties(Util.java:313)
              at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
              at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
              at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
              at java.lang.reflect.Method.invoke(Method.java:324)
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:662)
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
              at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
              at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)

              • 19. Re: Single Signon - Where do I start
                bmcgovern

                About the bad password. It's because the portal encrypts them before they hit the DB. Cut and paste the password from the DB table and it will work. I have yet to figure out how to have JAAS do this by itself, but I hope to figure that out before the end of the day.

                Any tips from anyone on that would help !

                • 20. Re: Single Signon - Where do I start
                  bmcgovern

                  When you access the portal and get the properties file errors, that seems like you didn't tell the portal to use DatabaseServerLoginModule. I had to specifically not put my login-config.xml in the portlet's WAR, but rather in the portal's conf/login-config.xml. I had the same error as you until I did that.

                  • 21. Re: Single Signon - Where do I start
                    bmcgovern

                    For the encryption issue, this thread solves it. Just add 2 elements to login-config.xml and you're done.

                    http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3987954#3987954
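As an added illustration, not code from this thread or from JBoss, the following Python model runs the exact principalsQuery and rolesQuery from reply 16 against a constructed in-memory copy of the three portal tables and mimics how DatabaseServerLoginModule compares the submitted password and collects roles; it also reproduces the "Bad password" symptom from replies 17 and 19 when no hashing is applied. It assumes the portal stores jbp_password as an MD5 hex digest (the kind of thing the login module's hashAlgorithm/hashEncoding options describe); the table layout, users and roles are constructed sample data.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the three JBoss Portal tables the queries read.
# Assumption: jbp_password holds an MD5 hex digest (what hashAlgorithm=MD5 /
# hashEncoding=hex would tell the login module); check your own table first.
SCHEMA = """
CREATE TABLE jbp_users (jbp_uid INTEGER PRIMARY KEY, jbp_uname TEXT, jbp_password TEXT);
CREATE TABLE jbp_roles (jbp_rid INTEGER PRIMARY KEY, jbp_name TEXT);
CREATE TABLE jbp_role_membership (jbp_uid INTEGER, jbp_rid INTEGER);
"""

# The exact principalsQuery / rolesQuery from the login-config.xml in reply 16.
PRINCIPALS_QUERY = "SELECT jbp_password FROM jbp_users WHERE jbp_uname=?"
ROLES_QUERY = (
    "SELECT jbp_roles.jbp_name, 'Roles' FROM jbp_role_membership "
    "INNER JOIN jbp_roles ON jbp_role_membership.jbp_rid = jbp_roles.jbp_rid "
    "INNER JOIN jbp_users ON jbp_role_membership.jbp_uid = jbp_users.jbp_uid "
    "WHERE jbp_users.jbp_uname=?"
)

def portal_hash(password: str) -> str:
    """Hash a cleartext password the way this model assumes the portal does (MD5 hex)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def build_db() -> sqlite3.Connection:
    """Create the in-memory sample database: two users, two roles (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO jbp_users VALUES (?, ?, ?)",
                   [(1, "admin", portal_hash("admin")), (2, "user", portal_hash("user"))])
    db.executemany("INSERT INTO jbp_roles VALUES (?, ?)", [(1, "User"), (2, "Admin")])
    db.executemany("INSERT INTO jbp_role_membership VALUES (?, ?)", [(1, 1), (1, 2), (2, 1)])
    return db

def login(db: sqlite3.Connection, username: str, password: str, hashing: bool = True):
    """Mimic DatabaseServerLoginModule: fetch the stored credential, compare it with the
    submitted password, then collect the roles returned in the 'Roles' group.
    hashing=False models a policy without hashAlgorithm/hashEncoding: the cleartext is
    compared against the stored digest, which is the thread's 'Bad password' symptom."""
    row = db.execute(PRINCIPALS_QUERY, (username,)).fetchone()
    if row is None:
        return False, []
    candidate = portal_hash(password) if hashing else password
    if not hmac.compare_digest(candidate.encode("utf-8"), row[0].encode("utf-8")):
        return False, []
    roles = [name for name, group in db.execute(ROLES_QUERY, (username,)) if group == "Roles"]
    return True, sorted(roles)
```

The `hashing=False` path with the digest pasted in as the "password" is bmcgovern's cut-and-paste workaround from reply 19; with hashing enabled the cleartext works directly.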
