6 Replies Latest reply on Oct 22, 2003 4:22 PM by gudmundsonsc

    Jetty SSO


      The jboss-3.2.2RC2_jetty-4.2.11 and jboss-3.2.2RC3_jetty-4.2.11
      distros include the Jetty SSO (single sign-on) classes. How
      does one configure JBoss and deployed apps to take
      advantage of the Jetty SSO capability?

        • 1. Re: Jetty SSO

I did some research on the mortbay.org web site and found that SSO is supported in Jetty if the UserRealm implements SSORealm. I needed this, so I downloaded the latest src and noticed that JBossUserRealm did not implement SSORealm, so I modified it to do so. Attached is the jar containing the modification. I plan to submit the change as a patch as well. I have dropped the jar into <JBOSS_HOME>\server\default\deploy\jbossweb-jetty.sar\ (you will also need to remove org.jboss.jetty.jar, since this file replaces it) and it works great in jboss-3.2.2RC4_jetty-4.2.11. I have not tried it in any other variants of JBoss, although I assume you could upgrade the Jetty inside of jboss-3.2.1 to 4.2.11 and then replace this jar and have the same effect.

          • 2. Re: Jetty SSO

Thanks! This works great with 3.2.2RC3 as well. I do have a problem, however. How do I log out completely so that access to any of the web applications managed by SSO will result in a JAAS logon?

            (Or how do I gain access to the SSORealm object associated with the current user so I can call clearSingleSignOn()?)


            • 3. Re: Jetty SSO

              The SSO ID that is stored in the SSO_ID cookie is needed for SSO to work. If you can delete this cookie then they will not be able to get into any other apps. But, if they have already been authenticated to other apps, then the JSESSIONID cookie or url string would be enough to let them in again ( to solve this you may be able to delete that cookie or somehow invalidate the session on each app the person has logged into ).

              • 4. Re: Jetty SSO

It is the invalidation of JSESSIONID that is troubling, because I can have potentially 20+ web applications. That means that if I sign out from any one web application, the web application being signed off from would somehow have to magically know about existing sessions in the other applications.

It can be done by implementing a session event listener and keeping track of the sessions created. It would be much nicer if this were automatically handled by JBoss as part of the JBoss session manager, however.

P.S. I am already quite relieved (and happy) that SSO works. I guess I shouldn't complain. :)
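
One way to do the bookkeeping described in reply 4, as an added example that is not code from this thread or from JBoss/Jetty: a filter registers each web app's session under the value of the SSO_ID cookie, and a logout servlet invalidates every session registered for that id and expires the cookie, so neither JSESSIONID nor SSO_ID can get the user back in. The class and method names are assumptions; it assumes the Servlet 2.3 API of Jetty 4.2 and that the class is deployed in a jar shared by all web apps (e.g. server/default/lib), so they all see the same map.

```java
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;
import java.util.*;

/** Hypothetical helper: tracks every app's sessions under the Jetty SSO_ID cookie value so one
 *  logout can invalidate all of them. Assumed to live in a jar shared by all web apps so they
 *  share the SESSIONS map; map TrackingFilter to /* in each app and this servlet to /logout. */
public final class SsoLogoutServlet extends HttpServlet {
    private static final Map SESSIONS = new HashMap();   // ssoId -> Set of HttpSession
    static String ssoId(HttpServletRequest req) {
        Cookie[] cs = req.getCookies();
        for (int i = 0; cs != null && i < cs.length; i++)
            if ("SSO_ID".equals(cs[i].getName())) return cs[i].getValue();
        return null;
    }
    static synchronized void track(String ssoId, HttpSession s) {
        Set set = (Set) SESSIONS.get(ssoId);
        if (set == null) { set = new HashSet(); SESSIONS.put(ssoId, set); }
        set.add(s);
    }
    /** Invalidates every tracked session for ssoId; returns how many were still live. */
    static synchronized int invalidateAll(String ssoId) {
        Set set = (Set) SESSIONS.remove(ssoId);
        if (set == null) return 0;
        int live = 0;
        for (Iterator i = set.iterator(); i.hasNext(); )
            try { ((HttpSession) i.next()).invalidate(); live++; }
            catch (IllegalStateException e) { /* already expired or invalidated elsewhere */ }
        return live;
    }
    /** GET /logout: kill every session tied to this SSO id, then expire the SSO_ID cookie. */
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String id = ssoId(req);
        if (id != null) invalidateAll(id);
        Cookie dead = new Cookie("SSO_ID", "");
        dead.setMaxAge(0);   // tells the browser to discard it
        dead.setPath("/");   // must match the path Jetty set on the original cookie
        resp.addCookie(dead);
        resp.sendRedirect(req.getContextPath() + "/");
    }
    public static final class TrackingFilter implements Filter {
        public void init(FilterConfig c) {}   public void destroy() {}
        public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain) throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) rq;
            String id = ssoId(req);
            HttpSession s = req.getSession(false);   // only track sessions the app already created
            if (id != null && s != null) track(id, s);
            chain.doFilter(rq, rs);
        }
    }
}
```

Sessions that expire on their own stay in the map until the next logout for that id; an HttpSessionListener that removes them in sessionDestroyed() would keep the map from growing.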


                • 5. Re: Jetty SSO

                  Attached are the latest jbossweb-jetty files that provide single sign on. You can get jetty for jboss 3.2.2 from http://sourceforge.net/project/showfiles.php?group_id=7322

                  In the jboss-web sar, replace org.jboss.jetty.jar with one of the org.jboss.jetty...sso.jar files.

                  Also for jetty 4.2.14 you will need to replace org.mortbay.jetty.jar with the attached patched one. It only changes one line of code, but is needed.

                  The *global* files will ignore the <login-config>...<realm-name>... in the web apps web.xml file. The *realm* files will do sso only across realms with the same name according to the same web.xml setting.

                  I have submitted the source code patches for all of these as well:



                  • 6. Re: Jetty SSO

                    Here are the files, sorry.