-
1. Re: GateIn 3.2.0-Beta01 + OpenAM
macois Feb 2, 2012 3:24 AM (in response to kkas)
Hello,
Could you describe exactly which files you have modified and which files you have added/deleted, please!
You know SSO is terribly complicated; many things could cause trouble, so we need all the information in order to debug your problem.
- jaas.conf,
- web.xml,
- ...
The only thing I can tell for the moment is: "You seem to use localhost as a domain??? to access OpenAM and GateIn??? Do you declare localhost as a synonym domain of the real FQDN in the OpenAM configuration? Because, by default, OpenAM can only work with an FQDN."
Regards,
Thanks,
Macois.
-
2. Re: GateIn 3.2.0-Beta01 + OpenAM
kkas Feb 7, 2012 5:19 AM (in response to kkas)
Hi Macois
Thanks for your reply.
I use the domains below, and these work with GateIn 3.1.0-FINAL + OpenAM 9.5.3.
Domains
OpenAM: openam.example.com
GateIn: gatein.example.com
And I use the latest SSO library (sso-packaging-1.1.0-GA.zip).
All the steps I did are:
1. Copy AuthenticationPlugin.xml from gatein-sso-1.1.0-GA/opensso/plugin/config/auth/default
to TOMCAT_HOME/webapps/openam/config/auth/default/
2. Copy all the jar files from gatein-sso-1.1.0-GA/opensso/plugin/WEB-INF/lib/
to TOMCAT_HOME/webapps/openam/WEB-INF/lib
3. Copy gatein.properties from gatein-sso-1.1.0-GA/opensso/plugin/WEB-INF/classes
to TOMCAT_HOME/webapps/openam/WEB-INF/classes
4. Copy all the jar files from gatein-sso-1.1.0-GA/opensso/gatein.ear/lib
to GATEIN_HOME/lib
5. Configure the "gatein" realm (as in the Reference Guide)
6. Modify the GATEIN_HOME/conf/jaas.conf file like this:
------------------
gatein-domain {
//org.gatein.wci.security.WCILoginModule optional;
//org.exoplatform.services.security.jaas.SharedStateLoginModule required;
//org.exoplatform.services.security.j2ee.TomcatLoginModule required;
// Uncomment the following part (and comment out the part above) for CAS integration
org.gatein.sso.agent.login.SSOLoginModule required;
org.exoplatform.services.security.j2ee.TomcatLoginModule required
portalContainerName="portal"
realmName="gatein-domain";
};
------------------
7. Access http://openam.example.com:8080/openam/UI/Login?realm=gatein and
log in with the username root and the password gtn.
8. Modify the GATEIN_HOME/webapps/web/groovy/groovy/webui/component/UIBannerPortlet.gtmpl file like this:
------------------
<!--
<a class="Login" onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
-->
<a class="Login" href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
------------------
9. Modify the GATEIN_HOME/webapps/web/groovy/portal/webui/component/UILogoPortlet.gtmpl file like this:
------------------
<!--
<a onclick="$signInAction"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
-->
<a href="/portal/sso"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
------------------
10. Replace the entire contents of GATEIN_HOME/webapps/portal/login/jsp/login.jsp with:
------------------
<html>
<head>
<script type="text/javascript">
window.location = '/portal/sso';
</script>
</head>
<body>
</body>
</html>
------------------
11. Add the following filters at the top of the filter chain in GATEIN_HOME/webapps/portal/WEB-INF/web.xml:
------------------
<filter>
<filter-name>LoginRedirectFilter</filter-name>
<filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
<init-param>
<!-- This should point to your SSO authentication server -->
<param-name>LOGIN_URL</param-name>
<param-value>http://openam.example.com:8080/openam/UI/Login?realm=gatein&amp;goto=http://gatein.example.com:8080/portal/initiatessologin</param-value>
</init-param>
</filter>
<filter>
<filter-name>OpenSSOLogoutFilter</filter-name>
<filter-class>org.gatein.sso.agent.filter.OpenSSOLogoutFilter</filter-class>
<init-param>
<!-- This should point to your SSO authentication server -->
<param-name>LOGOUT_URL</param-name>
<param-value>http://openam.example.com:8080/openam/UI/Logout</param-value>
</init-param>
</filter>
<filter>
<filter-name>InitiateLoginFilter</filter-name>
<filter-class>org.gatein.sso.agent.filter.InitiateLoginFilter</filter-class>
<init-param>
<param-name>ssoServerUrl</param-name>
<param-value>http://openam.example.com:8080/openam</param-value>
</init-param>
<init-param>
<param-name>loginUrl</param-name>
<param-value>http://gatein.example.com:8080/portal/dologin</param-value>
</init-param>
<init-param>
<param-name>ssoCookieName</param-name>
<param-value>iPlanetDirectoryPro</param-value>
</init-param>
</filter>
<!-- Mapping the filters at the very top of the filter chain -->
<filter-mapping>
<filter-name>LoginRedirectFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>OpenSSOLogoutFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>InitiateLoginFilter</filter-name>
<url-pattern>/initiatessologin</url-pattern>
</filter-mapping>
------------------
12. Add gatein-sso-1.1.0-GA/opensso/plugin/WEB-INF/lib/commons-httpclient-3.1.jar
to GATEIN_HOME/lib because of a ClassNotFoundException.
Then an infinite loop happens when I log in with root/gtn.
Thank you for your help.
ssloss
2012/2/7 comment added:
Sorry, I modified the part in red.
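A small consistency check for the web.xml filter block from step 11 above, written as an added example (it is not from this thread and not part of GateIn or OpenAM). It parses the block and flags the things raised in this thread: a localhost or non-FQDN host, a goto target that does not land on the InitiateLoginFilter mapping, and a bare `&` in LOGIN_URL that makes the XML malformed. The sample web.xml is constructed from the post and trimmed to the two filters the checks use.

```python
# Added example (not from the thread or the GateIn project): parse the SSO
# filter block of web.xml and check the points raised in this thread.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

# Constructed sample: the filters from the post above, wrapped in a <web-app>
# root so the fragment parses stand-alone (logout filter omitted for brevity).
SAMPLE_WEB_XML = """<web-app>
<filter><filter-name>LoginRedirectFilter</filter-name>
<filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
<init-param><param-name>LOGIN_URL</param-name><param-value>http://openam.example.com:8080/openam/UI/Login?realm=gatein&amp;goto=http://gatein.example.com:8080/portal/initiatessologin</param-value></init-param>
</filter>
<filter><filter-name>InitiateLoginFilter</filter-name>
<filter-class>org.gatein.sso.agent.filter.InitiateLoginFilter</filter-class>
<init-param><param-name>ssoServerUrl</param-name><param-value>http://openam.example.com:8080/openam</param-value></init-param>
</filter>
<filter-mapping><filter-name>LoginRedirectFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
<filter-mapping><filter-name>InitiateLoginFilter</filter-name><url-pattern>/initiatessologin</url-pattern></filter-mapping>
</web-app>"""

def check_sso_filters(web_xml: str) -> list:
    """Return a list of problems found; an empty list means the checks pass."""
    try:
        root = ET.fromstring(web_xml)
    except ET.ParseError as e:
        # Typical cause: a bare '&' in LOGIN_URL, which must be '&amp;' in XML.
        return [f"web.xml is not well-formed XML: {e}"]
    params = {f.findtext("filter-name"):
              {p.findtext("param-name"): p.findtext("param-value")
               for p in f.findall("init-param")}
              for f in root.findall("filter")}
    mappings = {m.findtext("filter-name"): m.findtext("url-pattern")
                for m in root.findall("filter-mapping")}
    login_url = params.get("LoginRedirectFilter", {}).get("LOGIN_URL", "")
    sso_server = params.get("InitiateLoginFilter", {}).get("ssoServerUrl", "")
    problems = []
    # 1. OpenAM only works with real FQDNs: reject localhost or bare hostnames.
    for label, url in (("LOGIN_URL", login_url), ("ssoServerUrl", sso_server)):
        host = urlparse(url).hostname or ""
        if host == "localhost" or "." not in host:
            problems.append(f"{label} host '{host}' is not an FQDN")
    # 2. goto= must land on the InitiateLoginFilter mapping; url-pattern is
    #    relative to the webapp context (/portal), so compare the path suffix.
    goto = parse_qs(urlparse(login_url).query).get("goto", [""])[0]
    pattern = mappings.get("InitiateLoginFilter") or ""
    if not pattern or not urlparse(goto).path.endswith(pattern):
        problems.append("LOGIN_URL goto does not hit the InitiateLoginFilter mapping")
    # 3. Both filters must talk to the same OpenAM instance.
    if urlparse(login_url).netloc != urlparse(sso_server).netloc:
        problems.append("LOGIN_URL and ssoServerUrl point at different servers")
    return problems
```

Run it against the real GATEIN_HOME/webapps/portal/WEB-INF/web.xml contents; a non-empty list is a configuration to fix before looking for the loop elsewhere.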
-
3. Re: GateIn 3.2.0-Beta01 + OpenAM
ndkhoiits Feb 2, 2012 5:12 AM (in response to kkas)
Please access the URL gateindomain/rest/sso/authcallback/auth/root/gtn, and let's see whether the return value in the browser is true or not.
-
4. Re: GateIn 3.2.0-Beta01 + OpenAM
macois Feb 2, 2012 5:21 AM (in response to kkas)
Okay,
Could you try to check (and change) the name of the cookie to "rememberme" in the SSO server (and RESTART everything):
Configuration → Servers and Sites → Default Server Settings → Advanced
com.iplanet.am.cookie.c66Encode
⇒ true
Click "Save"
Click the "Security" tab.
Change "Cookie Name" →
rememberme
Check the box next to "Encode Cookie Value".
Click "Save" → "Back to Servers and Sites"
And (for another problem you may encounter in future) in the web.xml of the portal webapp:
<servlet>
<servlet-name>ErrorLoginServlet</servlet-name>
<servlet-class>org.gatein.sso.agent.GenericSSOAgent</servlet-class>
</servlet>
Regards,
F.
-
5. Re: GateIn 3.2.0-Beta01 + OpenAM
kkas Feb 2, 2012 5:23 AM (in response to ndkhoiits)Hi Nguyen
Thanks for your help.
I accessed the URL, and the return value in the browser was "true".
ssloss
-
6. Re: GateIn 3.2.0-Beta01 + OpenAM
macois Feb 2, 2012 5:26 AM (in response to macois)
The matter is precisely here:
Have a look at line 53:
public static final String COOKIE_NAME = "rememberme";
So try to change the name in OpenAM ...
Macois
-
7. Re: GateIn 3.2.0-Beta01 + OpenAM
ndkhoiits Feb 2, 2012 5:52 AM (in response to macois)
Ahhh, there is a problem with GateIn 3.2 and SSO. You have to use the GateIn 3.2 JBoss bundle for the integration; currently it doesn't work if you run GateIn in Tomcat.
Would you like to re-check with JBoss and let me know if everything is ok?
Thanks
-
8. Re: GateIn 3.2.0-Beta01 + OpenAM
kkas Feb 2, 2012 6:06 AM (in response to macois)
Hi macois
I didn't mention it, but I had already changed this setting.
com.iplanet.am.cookie.c66Encode
⇒true
I don't know what this means...uncheck the checkbox of "encoding the value of the cookie"?
(I tried both)
Cocher la case contre "Coder la valeur du cookie".
Then I changed the name of the cookie to "rememberme", but an error page comes out because of the cookie problem...
The web.xml file is a little bit different in the new version of GateIn, and the part you mention looks like this:
-------------------
<servlet>
<servlet-name>ErrorLoginServlet</servlet-name>
<servlet-class>org.exoplatform.web.login.ErrorLoginServlet</servlet-class>
</servlet>
-------------------
Thanks for your help.
ssloss
-
9. Re: GateIn 3.2.0-Beta01 + OpenAM
macois Feb 2, 2012 7:32 AM (in response to kkas)Cocher la case contre "Coder la valeur du cookie".
==> Check the input "Encode cookie value"
-
-
11. Re: GateIn 3.2.0-Beta01 + OpenAM
ndkhoiits Feb 3, 2012 3:00 AM (in response to macois)
As mentioned above, did you try with the JBoss bundle instead of Tomcat?
There was a problem with the GateIn 3.2 Tomcat bundle and SSO integration.
-
12. Re: GateIn 3.2.0-Beta01 + OpenAM
kkas Feb 5, 2012 5:57 PM (in response to ndkhoiits)
Hi Nguyen and macois
Thanks for the information about everything.
I don't have time to try with JBoss yet.
I wonder what the problem is with GateIn 3.2 on Tomcat.
Could you explain it to me?
Thanks.
ssloss
-
13. Re: GateIn 3.2.0-Beta01 + OpenAM
ndkhoiits Feb 5, 2012 8:59 PM (in response to kkas)
In the new version of GateIn SSO, there is a new requirement for clustering mode: the clustered config checks credentials stored and propagated in the session. This won't work in Tomcat because of the lack of JACC PolicyContext.
-
14. Re: GateIn 3.2.0-Beta01 + OpenAM
kkas Feb 6, 2012 6:17 AM (in response to ndkhoiits)
Hi Nguyen
Thanks for your reply.
So, in this case, isn't there any solution for the integration of the GateIn 3.2 Tomcat bundle with OpenAM?
By the way, I tried GateIn 3.2 JBoss bundle for the integration, and it works.
ssloss