5 Replies Latest reply on Apr 6, 2010 7:06 PM by Marek Posolda

    How to configure GateIn Portal SSO

    Tong Su Novice

      I just configured SSO in a GateIn Portal instance but it's not working completely.

      When I hit a protected page, I am getting challenged properly by my company's screen. However, after I type in the id and password, I still cannot log in.

      In the log, I see the following error:

      'ERROR [SetCurrentIdentityFilter] Not found identity in IdnetityRegistry for user xxx, check Login Module'


      The 'xxx' in the log above is indeed my login Id.


      My question is if the SetCurrentIdentityFilter has to work with some login module from org.exoplatform? Do I need to chain a login module to the one provided by my firm?

        • 1. Re: How to configure GateIn Portal SSO
          Tong Su Novice

          Tried to comment out the SetCurrentIdentityFilter in the web.xml and also tried to chain my own login module with  org.exoplatform.services.security.jaas.IdentitySetLoginModule. Neither worked.


          Really appreciate it if you can help.

          • 2. Re: How to configure GateIn Portal SSO
            Marek Posolda Expert

            Yes, you will need to chain your login module with org.exoplatform.services.security.j2ee.JbossLoginModule if you are using GateIn on JBoss. So your gatein.ear/META-INF/gatein-jboss-beans.xml can look similar to this:

              <login-module code="org.something.YourLoginModule" flag="required">
              <login-module code="org.exoplatform.services.security.j2ee.JbossLoginModule" flag="required">
                <module-option name="portalContainerName">portal</module-option>
                <module-option name="realmName">gatein-domain</module-option>


            Especially you can look to source code of this class and you will see this in commit() method of class DefaultLoginModule (superclass of JbossLoginModule):




            And this is needed for correct work with SetCurrentIdentityFilter.


            It's also possible that you will need to use something like this in your login module to avoid authentication with GateIn authenticator:


            sharedState.put("exo.security.identity", identity);
            sharedState.put("javax.security.auth.login.name", username);

            but then you will need to override your login with org.exoplatform.services.security.jaas.AbstractLoginModule.


            You can take inspiration of GateIn SSO solution which is described in GateIn reference guide - chapter 3. And you can look to source code of class org.gatein.sso.agent.login.SSOLoginModule.


            Most important source codes for you will be in

            exo.core.component.security.core: http://anonsvn.jboss.org/repos/exo-jcr/core/trunk/exo.core.component.security.core/

            GateIn sso-agent library: http://anonsvn.jboss.org/repos/gatein/components/sso/trunk/agent/


            Hope this helps,


            • 3. Re: How to configure GateIn Portal SSO
              Marek Posolda Expert
              And you will need class org.exoplatform.services.security.j2ee.TomcatLoginModule if you are using GateIn on Tomcat.
              • 4. Re: How to configure GateIn Portal SSO
                Tong Su Novice

                Hi Marek,

                Thanks very much for the information.

                I tried a few things based on your reply but still could not get it to work.


                First, I chained the JBossLoginModule to my firm's login module, with the default module-options values. The login failed and I saw the following lines in the log:


                [core.DefaultLoginModule] In login of DefualtLoginModule

                [core.DefaultLoginModule] Try create identity


                [core.DefaultLoginModule] Login failed for xxx


                The log before these lines show that I passed the firmwide login authentication successfully. I cannot find the place that prints this line in the DefaultLoginModule class.


                Second, I tried changing the value of the realmName from 'gatein-domain' to be the same as the name attrib for my own application-polity in the gatein-jboss-beans.xml. Same behavior.


                By looking at the source code of the DefaultLoginModule, the only way to bypass the gatein authenticator is to have the identify set in the SharedState object. The problem is that the login module distributed by my firm does not store anything in the ShareState object. What are my options here?

                You mentioned something about overriding my module with AbstractLoginModule. Were you suggest to replace the firm's module with something of my own based on AbstractLoginModule?

                One option I am thinking is to extend the firm's class and overwrite the login method because it does store user name in a class var. So if the firm's login returns true, then I set the user name and Identify class in SharedState in the login method.


                Do you see any problem with this approach? Please let me know if there is a better way of doing this.




                • 5. Re: How to configure GateIn Portal SSO
                  Marek Posolda Expert

                  Hi Tong,


                  It's interesting that you are not seeing the lines you sent. Did you look at correct class? Because I am seeing this in DefaultLoginModule.login():


                           if (sharedState.containsKey("exo.security.identity"))
                              if (log.isDebugEnabled())
                                 log.debug("Use Identity from previous LoginModule");
                              identity = (Identity)sharedState.get("exo.security.identity");
                              if (log.isDebugEnabled())
                                 log.debug("Try create identity");


                              Authenticator authenticator = (Authenticator)getContainer().getComponentInstanceOfType(Authenticator.class);




                              String userId = authenticator.validateUser(credentials);
                              identity = authenticator.createIdentity(userId);
                              sharedState.put("javax.security.auth.login.name", userId);
                              subject.getPublicCredentials().add(new UsernameCredential(username));
                           return true;


                        catch (final Throwable e)
                           throw new LoginException(e.getMessage());


                  So it's obvious that you don't have "exo.security.identity" in your sharedState map so you are going to else branch. And line authenticator.validateUser(credentials) is throwing exception for you because credentials should not be authenticated against GateIn Authenticator but against Authenticator of your firm.


                  In shortcut, in DefaultLoginModule.login(), You mustn't fell down into "else" but you must go through "if" part. This means that you should have identity under key "exo.security.identity" already in your sharedState map. So you are right in your last paragraph.


                  Is it possible for you to edit the login module from your firm to inherit from org.exoplatform.services.security.jaas.AbstractLoginModule? This will give you access to sharedState map in your login module. Because you really need to have identity in your sharedState map with key "exo.security.identity" before the JbossLoginModule.login method is executed (last module in the chain). Maybe you can try other things you mentioned in your last paragraph.


                  I think that good inspiration for you should be source code of other login modules in GateIn. Another good thing can be debugging of GateIn authentication in Eclipse or some other IDE. This will give you good overview how are things working under the hood.


                  Good luck!