2 Replies Latest reply on Jan 15, 2008 12:10 AM by Anil Saldanha

    SSO with Multiple Roles

    Chris Carcel Newbie

      Hello - I am using JBoss 422 with embedded tomcat. I've written my own custom login module which extends org.jboss.security.auth.spi.AbstractServerLoginModule. The module validates the user name and password from 1 system, then retrieves domain groups from an ldap system and maps those groups to application specific roles in the web apps I am working on (so for example I am a member of 'WebAdmins' group in LDAP domain which maps to 'ADMINS' role in 1 web app and 'SuperUser' role in a 2nd app).

      I have configured /deploy/custom-login-config.service.xml and /conf/custom-login-config.xml. The custom-login-config.xml contains 2 application policies, say P1 and P2. I've set up 1 web app in 1 ear and another web app in a 2nd ear and set up the /META-INF/jboss-app with the security-domain in app 1 going to P1 and the security-domain in app 2 going to P2. This is all working fine. I can log in to both and get the correct roles set up.

      The issue is that I have to log in to each specific ear file on the server. When I do that all is well, my login module authenticates me, gets the ldap groups I am a member of and maps those to application roles. Obviously though I do not want our users logging into each ear file. To work around that I enabled

      <Valve className="org.apache.catalina.authenticator.SingleSignOn" />

      in the /deploy/jboss-web.deployer/server.xml file. When I do that I do not have to log in again, but my login module does not run, so I cannot map the domain groups to the application roles.

      Is there any setup that will allow me to both log in to a server once and map domain groups to application roles on an ear-by-ear basis? I've tried using multiple application-policy elements in the login-config and using only 1. I've tried that with and without the SingleSignOn valve and am stumped.

      We should be moving to a 2-server clustered JBoss setup also, so if there is a setup that would allow users to hit any web app on any server and be authenticated to all web apps on all servers, that would be the best.

      Thanks in advance,