20 Replies Latest reply on Nov 4, 2006 10:11 AM by Sohil Shah

    Jboss SSO Web Application

    Nipun Batra Newbie

      Hi

      Thanks for all your help

      I am configuring my web application

      1) What I would like to know is why I have to set up the JAAS module.

      I have written my own LoginProvider and I am authenticating the user; also, the roles change quite frequently. The LoginProvider getRoles method solves my purpose and I can fetch roles from a database or LDAP.

      2) In the context.xml of my web application,
      when I define the URL of my logout page, do I have to do anything specific in that page?

      3) In the context.xml when I define
      assertingParty="{uniqueId to identify this web application in the federation}"

      Where exactly will this unique id be used? Is it something used by the application internally?

      4) Is there any agent code which I can use in my web application which tells me if the user is logged in or not? I mean, how can I find out if this user has already logged on to some other web application?

      5) What exactly is this
      application-policy name="{your web application identifier}"

      What do we have to define here?

      Thanks again for your help
      Nipun

        • 1. Re: Jboss SSO Web Application
          Sohil Shah Master

          1) What I would like to know is why I have to set up the JAAS module.

          I have written my own LoginProvider and I am authenticating the user; also, the roles change quite frequently. The LoginProvider getRoles method solves my purpose and I can fetch roles from a database or LDAP.


          The LoginProvider is more of a data access component to get your authentication data and role information. This has to be integrated with a component that actually uses this data. The JAAS module is provided as a standard integration out-of-the-box. JAAS is the standard way to perform authentication in a J2EE environment so that the logged in Subject is then identified by other systems of the application server like EJB layer, Web layer etc. The tomcat valves provide this JAAS integration.


          2) In the context.xml of my web application
          When I define the URL of my Logout page, Do I have to do anything specific in that page?


          This is the URL that performs the logout functionality of your application. This is used by the Federated Single Sign Out function of the framework. You don't have to do anything special on this page except make sure the user is logged out when this URL is called.


          3) In the context.xml when I define
          assertingParty="{uniqueId to identify this web application in the federation}"


          Asserting Party identifies your node as a partner in the Federation. It is a free-form value and is not processed by the application. It shows up in the SAML token that is propagated within the Federation. It identifies the node that actually authenticated the user and issued the SAML token.



          4) Is there any agent code which I can use in my web application which tells me if the user is logged in or not? I mean, how can I find out if this user has already logged on to some other web application?


          There are many ways depending on your environment. If you use JAAS based authentication you can tell by the presence of the Principal object.
          In this framework, the presence of the SAML token as a cookie on the incoming HTTP request also tells you if the user has been authenticated. The SAML token is available when another web application performs the authentication and issues the token.

          I would recommend using JAAS as your authentication system.


          5) What exactly is this
          application-policy name="{your web application identifier}"


          This is part of JAAS module configuration. It identifies the web application that this module should be applied to. For details on JAAS configuration please look at : http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossSX

          Also, for an example of JAAS setup you can refer to the component/jboss_sso_test module for ideas.

          Thanks
          Sohil

          • 2. Re: Jboss SSO Web Application
            Nipun Batra Newbie

            Hi Sohil

            Thanks for your response, but I am confused now.

            As discussed in the documents, I wrote my own LoginProvider where I validate username and password. Now in that code I do not use any kind of JAAS LoginModule, and I am not setting any Principal in the Subject after validating the user.

            If I write JAAS-based authentication in my application, where exactly can I link it with JBoss SSO? Also, as per my understanding, the Identity Manager should be on one central server and the rest of the applications on remote servers should contact the Identity Manager to validate any user.

            Looking at the code, if I call the following on my remote application:
            LoginProvider provider = IdentityManager.findLoginProvider();
            boolean loginSuccess = provider.login("passwordTester","password2006".getBytes());


            will the login method in this case be invoked at the local server or the central server?

            Thanks again for your help
            Nipun

            • 3. Re: Jboss SSO Web Application
              Sohil Shah Master

              If I write JAAS-based authentication in my application, where exactly can I link it with JBoss SSO? Also, as per my understanding, the Identity Manager should be on one central server and the rest of the applications on remote servers should contact the Identity Manager to validate any user.


              You don't need to write a JAAS module. As long as you provide the implementation of LoginProvider, which you are, you can use the org.jboss.security.idm.UsernameAndPasswordLoginModule which ships with the Identity Manager component of the framework. The only thing you will need to do is get your JAAS configuration right. For info on the configuration look at:
              http://labs.jboss.com/portal/index.html?ctrl:cmd=render&ctrl:window=default.wiki.WikiPortletWindow&page=IdentityManagement&language=EN or better yet refer to the JAAS setup in components/jboss_sso_test.

              Also the LoginProvider does not use the JAAS module, but the JAAS module is the one that hooks in to the LoginProvider


              Also, as per my understanding, the Identity Manager should be on one central server and the rest of the applications on remote servers should contact the Identity Manager to validate any user.


              Actually the IdentityManager framework of the system is an abstraction for an IdentityManagement system like an LDAP store, SiteMinder, or in your case a JDBC database.

              The IdentityManager runs locally on each partner node of the application, but the implementation of your LoginProvider can connect to a remote data store/server where the Identity Credentials are stored.


              Will the login method in this case be invoked at the local server or the central server?


              Technically the LoginProvider methods execute locally on each partner node, but their implementation is free to extract the actual data from a central data store...as per my explanation above.


              The whole idea behind an IdentityManager abstraction is so that it can hook in to other components of the SSO system like the Federation Server, Trust Server, JAAS modules etc without having to program to any proprietary API of an Identity system.






              • 4. Re: Jboss SSO Web Application
                Sohil Shah Master

                Also to add to the logic behind Identity Manager abstraction.

                Not all Federation setups can have partners sharing the same Identity Store. Typical examples being, legacy applications that are islands in themselves, or integration with external systems like business partners etc.

                In that case each one can have their own implementation of LoginProvider hooking into their respective store, but still be able to perform SSO with each other.

                Of course, the ideal setup is when all partners share the data store.


                For this requirement one of our roadmap items is Federated Provisioning, so that Identity data can be synced between partners that don't share the same Identity Store.


                I have looked at SSO systems that absolutely require you to share the same Identity Server to the point that they even have to share the same login screen. That architecture is a bit primitive now ;)

                Can you imagine telling someone like SalesForce.com to share your login screen to enable SSO ;)

                • 5. Re: Jboss SSO Web Application
                  Nipun Batra Newbie

                  Hi Sohil

                  I agree with you; it makes sense to have our own LoginProvider on each machine.

                  Again, I am really sorry for my ignorance. Though I looked at the jboss_sso_test directory, I am not able to figure this out. I still need some clarifications; I hope I am not annoying you.

                  Let's say I have web application 'WA' at server A, in which I go to the login page and authenticate the user. Now this authentication is done using the LoginProvider which I wrote, NOT on the basis of any JAAS module. I call the login method of LoginProvider and the user logs in.

                  After this I go to another web application 'WB' hosted on remote server B (remote server B has jboss-sso.sar deployed) from the same browser. Now on the index/welcome page of web application WB, I should be able to find out that this user has already logged in and that this user is 'Nipun'. How can I find this information in the second web application WB?


                  Thanks again for your help, really appreciate it
                  Nipun

                  • 6. Re: Jboss SSO Web Application
                    Sohil Shah Master

                    Basically, when a user is authenticated on WebApplication A, the only way WebApplication B can tell is through what we call a SAML token that is propagated in the form of a http cookie.

                    Now, if you wish to do authentication in a non-JAAS way still using the LoginProvider, you will have to write the plumbing for creating/processing this SSO SAML token in your web application, without which SSO wont happen between apps.

                    If you use the JAAS module, this token management is automatically provided by the framework so your application does not even know that its part of a SSO Federation. SSO happens automagically.

                    This is done using the SSO valves that you configure in your context.xml found in components/jboss_sso_tomcat5.


                    The valves obviously cannot be written to accommodate custom authentication use cases, hence they have to stick to the J2EE authentication standard, which is JAAS.


                    I am sure you can look at the code in the valves and replicate it at the application level for your custom login mechanism.

                    However, I would recommend using JAAS as much as possible because it's a standard, and the SSO token management logic is maintained in the framework, which will evolve as the architecture evolves. If you have custom token processing logic scattered across web apps, it can become difficult to maintain.

                    Also, to answer your question about where web application B finds the authenticated user: the JAAS integration will produce a Principal object populated with the user's roles within the request object. So request.getPrincipal() should get you the user logged in via SSO.

                    Thanks
                    Sohil
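The check Sohil describes, as an added example that is not code from this thread or from the JBoss SSO project: a servlet filter (javax.servlet 2.4, the JBoss 4 / Tomcat 5 API of the time) that classifies each request by whether the container has established a Principal, whether only an SSO cookie arrived, or neither, and that performs the local logout the logoutURL page is required to guarantee. The package and class names are hypothetical; the cookie name "token" and the logout path "/logout.jsp" are assumptions, both overridable by filter init-params.

```java
// Added example, not code from the thread or the JBoss SSO project.
// Assumptions: hypothetical package/class names; SSO cookie named "token";
// logout page at "/logout.jsp". Both defaults can be changed via init-params.
package com.example.sso;

import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SsoStateFilter implements Filter {

    /** How the request arrived; published as request attribute "sso.state". */
    public enum State {
        ANONYMOUS,     // no Principal, no SSO cookie
        TOKEN_ONLY,    // SSO cookie present but the container has no Principal for it
        AUTHENTICATED  // container Principal present (local login or SSOAutoLogin valve)
    }

    private String cookieName = "token";       // assumed default
    private String logoutPath = "/logout.jsp"; // assumed default

    public void init(FilterConfig cfg) throws ServletException {
        String c = cfg.getInitParameter("ssoCookieName");
        String l = cfg.getInitParameter("logoutPath");
        if (c != null) cookieName = c;
        if (l != null) logoutPath = l;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        State state = classify(http.getUserPrincipal(), hasCookie(http.getCookies(), cookieName));
        http.setAttribute("sso.state", state);

        if (logoutPath.equals(http.getServletPath())) {
            // The SSOAutoLogout valve calls this URL on each partner during a federated
            // sign-out, so the page must really drop the container session.
            HttpSession session = http.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Decision kept free of servlet types so it can be exercised without a container.
     * TOKEN_ONLY must be treated as anonymous by the application: the cookie is not
     * validated until the SSOAutoLogin valve turns it into a Principal, and this state
     * is exactly the symptom of a valve that is missing or misconfigured.
     */
    static State classify(Principal principal, boolean ssoCookiePresent) {
        if (principal != null) {
            return State.AUTHENTICATED;
        }
        return ssoCookiePresent ? State.TOKEN_ONLY : State.ANONYMOUS;
    }

    static boolean hasCookie(Cookie[] cookies, String name) {
        if (cookies == null) {
            return false;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName()) && c.getValue() != null && c.getValue().length() > 0) {
                return true;
            }
        }
        return false;
    }

    public void destroy() {
    }
}
```

Map the filter to `/*` in web.xml; a JSP can then read `request.getAttribute("sso.state")` next to `request.getUserPrincipal()` and `request.isUserInRole("Authenticated")`. A request that lands as TOKEN_ONLY on a partner application means the SAML cookie travelled but the SSOTokenManager/SSOAutoLogin valves on that partner did not map it to a Principal, which is the first thing to check when a second application returns null from getUserPrincipal().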

                    • 7. Re: Jboss SSO Web Application
                      Sohil Shah Master

                      You actually bring up a good point about not wanting to use JAAS.

                      Although I recommend JAAS for obvious benefits (standard, identity propagation through various layers in the container etc)

                      if some lightweight app wants to do custom login behavior, maybe there might be value in creating a contract very much like the IdentityManager that will let custom login use cases do what they do, but still keep token management inside the valves in the framework.


                      The key is to figure out what the contract between the framework and the custom login behavior will be....


                      thinking along the lines of what objects need to be created and placed in what scope (request, session) etc.


                      I will have to think about this one ;)

                      • 8. Re: Jboss SSO Web Application
                        Nipun Batra Newbie

                        Hi Sohil

                        Thanks for your response,

                        Now I have developed my own DBLoginModule class which implements javax.security.auth.spi.LoginModule.

                        I have also added the policy entry of this login module in login-config.xml under /server/default/conf/login-config.xml

                        As per documents I have added context.xml inside WEB-INF folder.

                        Now at the login servlet I call login() method for the policy I have defined in login-config.xml

                        The user gets authenticated successfully, but even after successful authentication, when I call request.getUserPrincipal() it returns a null value.

                        However, when I call org.jboss.security.SecurityAssociation.getSubject() I get my principal in this subject.

                        I am not sure why I am getting request.getUserPrincipal() as null.

                        Also I noticed that there is no cookie set on my browser for my domain.
                        The web application is deployed on the same server where I deployed jboss-sso and federated-sso

                        Thanks again for your help
                        Nipun



                        • 9. Re: Jboss SSO Web Application
                          Sohil Shah Master

                          Nipun-

                          I think there is some confusion with your JAAS configuration. You don't need to write your own LoginModule. You should just be able to integrate the LoginProvider that you created and use the built-in UsernameAndPasswordLoginModule from the IDM component.


                          Just follow these steps more or less:

                          In your web application EAR file, create the following files: jboss-service.xml, jboss-app.xml, and security-config.xml.

                          jboss-service.xml

                          <?xml version="1.0" encoding="UTF-8"?>
                          <server>
                           <!-- hooking in a login module for the standalone version of JSF Forums -->
                           <!-- The custom JAAS login configuration that installs
                           a Configuration capable of dynamically updating the
                           config settings
                           -->
                           <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
                           name="jboss.security.tests:service=LoginConfig">
                           <attribute name="AuthConfig">META-INF/security-config.xml</attribute>
                           <depends optional-attribute-name="LoginConfigService">
                           jboss.security:service=XMLLoginConfig
                           </depends>
                           <depends optional-attribute-name="SecurityManagerService">
                           jboss.security:service=JaasSecurityManager
                           </depends>
                           </mbean>
                          </server>
                          


                          jboss-app.xml
                          <?xml version="1.0" encoding="UTF-8"?>
                          <jboss-app>
                           <module>
                           <service>jboss-service.xml</service>
                           </module>
                          </jboss-app>
                          


                          security-config.xml
                          <?xml version='1.0'?>
                          <!DOCTYPE policy PUBLIC
                           "-//JBoss//DTD JBOSS Security Config 3.0//EN"
                           "http://www.jboss.org/j2ee/dtd/security_config.dtd">
                          
                          <!-- The JAAS login configuration file for the java:/jaas/jbossweb-form-auth
                          security domain used by the security-spec test case
                          -->
                          <policy>
                           <application-policy name="mywebapp">
                           <authentication>
                           <login-module code="org.jboss.security.idm.UsernameAndPasswordLoginModule" flag="required">
                           <module-option name="unauthenticatedIdentity">guest</module-option>
                           <module-option name="password-stacking">useFirstPass</module-option>
                           <module-option name="authenticatedRoles">Authenticated,RegisteredUsers</module-option>
                           </login-module>
                           </authentication>
                           </application-policy>
                          </policy>
                          


                          This will setup your JAAS configuration.

                          Now inside your war file where the web application is:

                          look at the following files: context.xml, jboss-web.xml and web.xml

                          context.xml
                          <?xml version="1.0"?>
                          <Context>
                          
                           <!--
                           logoutURL - URL for performing logout/signout function in your application
                           -->
                           <Valve className="org.jboss.security.valve.SSOAutoLogout"
                           logoutURL="/test/logout.jsp"/>
                          
                           <!--
                           assertingParty - this is the partnerId of this application as a part of a federation of multiple partner sites
                           -->
                           <Valve className="org.jboss.security.valve.SSOTokenManager"
                           assertingParty="jboss_sso_tester"/>
                          
                           <!--
                           tomcat built-in AuthenticationTypes: FORM,BASIC,DIGEST,CLIENT-CERT
                           -->
                           <Valve className="org.jboss.security.valve.SSOAutoLogin"
                           authType="FORM"/>
                          </Context>
                          


                          jboss-web.xml
                          <?xml version="1.0"?>
                          <jboss-web>
                           <security-domain>java:jaas/mywebapp</security-domain>
                          </jboss-web>
                          


                          Notice that the mywebapp specified in jboss-web.xml must be the same as the application-policy name specified in security-config.xml earlier.

                          then in your web.xml specify the following security configuration
                          <!-- setting up the security constraint -->
                           <security-constraint>
                           <web-resource-collection>
                           <web-resource-name>Authenticated</web-resource-name>
                           <description></description>
                           <url-pattern>/secure/*</url-pattern>
                           </web-resource-collection>
                           <auth-constraint>
                           <role-name>Authenticated</role-name>
                           </auth-constraint>
                           </security-constraint>
                          
                           <!-- setup the Authentication method -->
                           <login-config>
                           <auth-method>FORM</auth-method>
                           <realm-name>My WebApps Login Mechanism</realm-name>
                           <form-login-config>
                           <form-login-page>/login.jsp</form-login-page>
                           <form-error-page>/loginError.jsp</form-error-page>
                           </form-login-config>
                           </login-config>
                          
                           <security-role>
                           <role-name>Authenticated</role-name>
                           </security-role>
                          


                          Also, JAAS logins are handled by the Tomcat container and should not be called by application-level components like Servlets, Filters, EJBs etc. The JAAS login lifecycle is managed by the Tomcat container. This is where the SSO token management functionality is integrated.



                          This is probably why you don't see a request.getUserPrincipal(): Tomcat did not update your environment, since you called the login module from within your servlet.


                          Now, how will your login screen be displayed? For that, use a URL like /mywebapp/secure/resource. Any resource preceded by /secure will make Tomcat invoke the login use case if you are not logged in. It does that by going to the /login.jsp you specified in the web.xml. For an example of login.jsp look at /components/jboss_sso_test/src/resources/war/login.jsp.


                          /secure is from the web.xml configuration...
                          <url-pattern>/secure/*</url-pattern>
                          

                          you can call it /auth or whatever else you prefer.


                          Also, one more thing: for your SSO domain cookie to be placed on your browser, you will need to make sure of two things:

                          1) Login happens properly through the JAAS lifecycle in Tomcat.

                          2) When you call your web app, call it with a proper domain URL like http://xyz.myapp.com etc. Don't use http://localhost, since localhost does not equate to any domain, hence the SSO SAML token is not placed.


                          Hope this helps move it along. It's more a matter of configuration-related issues at this point. Maybe the Wiki docs need to have these details.

                          Thanks
                          Sohil



                          • 10. Re: Jboss SSO Web Application
                            Nipun Batra Newbie

                            Hi Sohil

                            Thanks for your response,

                            Hmmm... I think I have to write my own login module which I have to call from my program. The reason is that I have one other parameter which I use with username and password to authenticate the user.

                            Also I was looking at your code org.jboss.security.idm.UsernameAndPasswordLoginModule

                            Here also you have written your own LoginModule. I am trying to figure out whether there is some way to still use your own LoginModule and hook up its Subject/Principal with Tomcat.

                            Thanks again for your help
                            Nipun

                            • 11. Re: Jboss SSO Web Application
                              Sohil Shah Master

                              Yes you can write your own Login JAAS module and hook it in the same way I detailed in the previous response, if you have different login requirements.

                              Just make sure the JAAS module is managed by tomcat during login to get the proper Principal establishment and SSO token management.


                              btw- are you integrating the LoginProvider you wrote to extract username,password,roles info inside this new JAAS Module?

                              Thanks
                              Sohil
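The kind of module Sohil is describing, as an added example that is not code from this thread or from the JBoss SSO project: a JAAS login module for JBoss 4.x that checks a username, a password and one extra parameter against the application's own store, and hands the result to the container the way JBossSX expects it (an identity Principal plus a "Roles" group in the Subject). It builds on org.jboss.security.auth.spi.AbstractServerLoginModule so the container-driven lifecycle (initialize/login/commit) and the password-stacking and unauthenticatedIdentity module options are handled by the base class. The package and class names are hypothetical, the user table below is constructed in memory in place of a real database, and the extra parameter (a tenant) is carried inside j_username as "tenant\user", because container FORM login only delivers j_username and j_password to the module.

```java
// Added example, not code from the thread or the JBoss SSO project.
// Assumptions: hypothetical package/class names; an in-memory table standing in for
// the real user store; the extra parameter is a tenant name encoded as "tenant\user".
package com.example.sso;

import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

public class TenantDbLoginModule extends AbstractServerLoginModule {

    /** Constructed stand-in for the user table: "tenant\user" -> password, then roles. */
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static {
        USERS.put("acme\\nipun", new String[] { "password2006", "Authenticated", "RegisteredUsers" });
        USERS.put("acme\\auditor", new String[] { "audit2006", "Authenticated" });
    }

    private Principal identity;
    private String[] roles = new String[0];

    public boolean login() throws LoginException {
        // password-stacking=useFirstPass: if an earlier module in the stack already
        // authenticated, the base class returns true and the name sits in sharedState.
        if (super.login()) {
            Object name = sharedState.get("javax.security.auth.login.name");
            identity = (name instanceof Principal) ? (Principal) name : new SimplePrincipal(name.toString());
            roles = lookupRoles(identity.getName());
            return true;
        }
        loginOk = false;

        // The container's callback handler supplies j_username / j_password here.
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            callbackHandler.handle(new Callback[] { nc, pc });
        } catch (IOException e) {
            throw new LoginException("Callback failed: " + e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("Callback not supported: " + e.getCallback());
        }
        String name = nc.getName();
        char[] password = pc.getPassword();
        pc.clearPassword();

        if (name == null || name.indexOf('\\') < 0) {
            // No "tenant\user" supplied: only the configured unauthenticatedIdentity may pass.
            if (getUnauthenticatedIdentity() == null) {
                throw new FailedLoginException("Login must be tenant\\user");
            }
            identity = getUnauthenticatedIdentity();
            loginOk = true;
            return true;
        }

        String[] record = USERS.get(name);
        // Constant-time compare. The demo table holds clear text; a real store would
        // keep salted hashes and compare the hash of the supplied password instead.
        if (record == null || password == null
                || !MessageDigest.isEqual(record[0].getBytes(), new String(password).getBytes())) {
            throw new FailedLoginException("Bad tenant, user or password");
        }
        identity = new SimplePrincipal(name);
        roles = lookupRoles(name);
        if (useFirstPass) {
            sharedState.put("javax.security.auth.login.name", identity);
            sharedState.put("javax.security.auth.login.password", password);
        }
        loginOk = true;
        return true;
    }

    protected Principal getIdentity() {
        return identity;
    }

    protected Group[] getRoleSets() throws LoginException {
        // JBossSX reads roles from a Group named "Roles" in the Subject's principals;
        // that is what isUserInRole() and EJB method permissions are checked against.
        SimpleGroup group = new SimpleGroup("Roles");
        for (String r : roles) {
            group.addMember(new SimplePrincipal(r));
        }
        return new Group[] { group };
    }

    private static String[] lookupRoles(String tenantUser) {
        String[] record = USERS.get(tenantUser);
        if (record == null) {
            return new String[0];
        }
        String[] r = new String[record.length - 1];
        System.arraycopy(record, 1, r, 0, r.length);
        return r;
    }
}
```

Register it in security-config.xml in place of the UsernameAndPasswordLoginModule, as `<login-module code="com.example.sso.TenantDbLoginModule" flag="required">`, keeping the `unauthenticatedIdentity` and `password-stacking` module options; the base class reads both in initialize(). The module is then driven by Tomcat's FORM authenticator through the security domain named in jboss-web.xml, which is the only path on which the SSO valves see the login and issue the token.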

                              • 12. Re: Jboss SSO Web Application
                                Nipun Batra Newbie

                                Hi Sohil

                                No Inside JAAS Module I am not using LoginProvider, I just have our own way of Authenticating user from Database.

                                Thanks
                                Nipun

                                • 13. Re: Jboss SSO Web Application
                                  Sohil Shah Master

                                  That should be fine too.

                                  If you follow the steps detailed in the previous response to integrate JAAS in your application, you should be able to get a Principal created successfully, and an SSO token should be generated and placed on your browser upon successful JAAS login.


                                  Let me know if you still run into issues getting to that step.

                                  Thanks
                                  Sohil

                                  • 14. Re: Jboss SSO Web Application
                                    Nipun Batra Newbie

                                    Hi Sohil

                                    So finally I have some good news and bad news.

                                    I developed 2 applications, A and B, and I am now using the JbossWS policy, which is a standard JAAS login module used in JBoss. Both the applications are running on the same server.

                                    Now in application A I log in, and after successful login I even see a cookie, a domain cookie whose name is token and whose value is something like <response:xmlns

                                    On application A, on the web page I print request.getUserPrincipal() and I get proper value i.e. Roles and Principal.

                                    Now from the same browser, when I go to application B which is on the same server (and application B is almost a replica of application A; only context.xml is different), when I do request.getUserPrincipal() I get a null value.

                                    I think I should get the same principal in application B also.


                                    Thanks
                                    Nick

