2 Replies Latest reply on Jun 21, 2013 1:18 PM by vijaydaniel

picketlink + clusteredsinglesignon

vijaydaniel Jun 17, 2013 10:17 AM

Hi,

I'm trying to set up jboss cluster [jboss 7.1.1], in which I would like to have SSO between deployed applications.

I have followed this domain configuration in the article http://www.mastertheboss.com/jboss-security/configuring-single-signon-on-jboss-as-7

I tried to use 'ClusteredSingleSignOn' Valve to get the SSO behavior, but the deployment of my war fails with the below exception.

[Server:server-one] Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: JBAS018096: Error instantiating container component: org.jboss.as.web.sso.ClusteredSingleSignOn

[Server:server-one] at org.jboss.as.web.deployment.WarDeploymentProcessor.getInstance(WarDeploymentProcessor.java:431)

[Server:server-one] at org.jboss.as.web.deployment.WarDeploymentProcessor.processDeployment(WarDeploymentProcessor.java:231)

[Server:server-one] at org.jboss.as.web.deployment.WarDeploymentProcessor.deploy(WarDeploymentProcessor.java:132)

[Server:server-one] at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:120) [jboss-as-server-8.0.0.Alpha1-SNAPSHOT.jar:8.0.0.Alpha1-SNAPSHOT]

[Server:server-one] ... 5 more

[Server:server-one] Caused by: java.lang.InstantiationException: org.jboss.as.web.sso.ClusteredSingleSignOn

[Server:server-one] at java.lang.Class.newInstance0(Class.java:359) [rt.jar:1.7.0_17]

[Server:server-one] at java.lang.Class.newInstance(Class.java:327) [rt.jar:1.7.0_17]

[Server:server-one] at org.jboss.as.web.deployment.WarDeploymentProcessor.getInstance(WarDeploymentProcessor.java:423)

[Server:server-one] ... 8 more

I have even tried the latest build of JBOSS 'jboss-as-8.0.0.Alpha1', but no solution.

I'm using the below picketlink valve:

<valve>

<class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>

</valve>

Can someone please help me out to reslove this issue ?

With Regards,

Vijay

1. Re: picketlink + clusteredsinglesignon

jcacek Jun 21, 2013 10:57 AM (in response to vijaydaniel)
Vijay,

it seems you still have the ClusteredSingleSignOn valve enabled in your jboss-web.xml. The article about the configuration Clustered SSO is wrong. The SSO valve is enabled automatically on server-side if your virtual-host contains subelement <sso ... />
Look at:
https://github.com/wildfly/wildfly/blob/7.1.1.Final/web/src/main/java/org/jboss/as/web/WebVirtualHostService.java#L212

Clustered SSO is reimplemented in current sources of Wildfly 8.0, but the configuration should be the same. So don't use ClusteredSingleSignOn valve directly from jboss-web.xml. This should be enough:

<jboss-web> <security-domain>sp</security-domain> <valve> <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name> </valve> </jboss-web>

AFAIK, you don't need to enable the server side SSO implementation when you use the Picketlink ServiceProviderAuthenticator. The Application Server should be responsible for the Clustering and Picketlink is responsible for the SSO.
Actions
2. Re: picketlink + clusteredsinglesignon

vijaydaniel Jun 21, 2013 1:18 PM (in response to jcacek)

Hi Josef,

Thanks for your reply.
I was above to write on this topic, as you said I did some more study on JBoss code and found out the same.

Found this code:
SingleSignOn ssoValve = element.hasDefined("cache-container") ? new ClusteredSingleSignOn((SSOClusterManager)this.ssoManager.getValue()) : new SingleSignOn();

so I have configured cache-container="web", hence could see ClusteredSingleSignOn class traces in server.log.

I'm trying to call one web service from another web service, which is running in different server instance of a cluster.
But as you know, WS is invoked by http URL, which is again intercepted by picketlink valve.
Since the web service call is in the backend [ one server instanace to another server instance of cluster] the authentication is failing.

I log message of clusteredsinglesignon class says, that there is not SSO cookie available in the request.

I'm just invoking the http url using spring rest temlpate.
So i tried to set cookie manually by getting the HttpServletResquest object and getting cookie from the browser request, then set it with the rest template request. It seems working. But not completly

Pasting code snippet:

Cookie[] cookies = request.getCookies();
            Cookie cookie = null;
            String SINGLE_SIGN_ON_COOKIE = System.getProperty("org.apache.catalina.authenticator.Constants.JSESSIONIDSSO", "JSESSIONIDSSO");
            HttpHeaders requestHeaders = new HttpHeaders();
            for (int i = 0; i < cookies.length; i++) {
                System.out.println("SINGLE_SIGN_ON_COOKIE:"+SINGLE_SIGN_ON_COOKIE);
                System.out.println("cookie name:"+cookies[i].getName());
                  if (SINGLE_SIGN_ON_COOKIE.equals(cookies[i].getName())) {
                    cookie = cookies[i];
                    requestHeaders.add("Cookie", "JSESSIONIDSSO=" + cookie.getValue());
                    break;
                  }
                }
            if(cookie!=null){
            System.out.println("getValue:" + cookie.getValue() + "getPath:"
                    + cookie.getPath() +"getDomain:"+ cookie.getDomain()
                    + "getName:"+ cookie.getName());
            }

            HttpEntity requestEntity = new HttpEntity(null, requestHeaders);
            ResponseEntity rssResponse = restTemplate.exchange(
                    "http://node2.COMPANY.com:8080/sales-post2/services/test/" + id,
                    HttpMethod.GET, requestEntity, Employee.class);
            System.out.println("rssResponse:" + rssResponse);
            e = (Employee) rssResponse.getBody();
            System.out.println(e);

Okay, my question is should I do so much to make the WS rest calls to work? will JBoss take care of session/cookies ?
I'm sorry for such a long message.

With Regards,
Vijay
Actions

Go to original post