2 Replies Latest reply on Jan 15, 2008 12:10 AM by Anil Saldanha

    SSO with Multiple Roles

    Chris Carcel Newbie

      Hello - I am using JBoss 422 with embedded tomcat. I've written my own custom login module which extends org.jboss.security.auth.spi.AbstractServerLoginModule. The module validates the user name and password from 1 system, then retrieves domain groups from an ldap system and maps those groups to application specific roles in the web apps I am working on (so for example I am a member of 'WebAdmins' group in LDAP domain which maps to 'ADMINS' role in 1 web app and 'SuperUser' role in a 2nd app).

      I have configured /deploy/custom-login-config.service.xml and /conf/custom-login-config.xml. The custom-login-config.xml contains 2 applications policies, say P1 and P2. I've setup 1 web app in 1 ear and another web app in 2nd ear and setup the /META-INF/jboss-app with the security domain in app 1 going to P1 and the security-domain in app 2 going to P2. This is all working fine. I can login to both and get the correct roles setup.

      The issue is that I have to login to each specific ear file on the server. When I do that all is well, my login module authenticates me, gets the ldap groups I am a member of and maps those to application roles. Obviously though I do not want our users logging into each ear file. To work around that I enabled

      <Valve className="org.apache.catalina.authenticator.SingleSignOn" />

      in /deploy/jboss-web.deployer/server.xml file. When I do that I do not have to login again but my login module does not run, so I cannot map the domain groups the application roles.

      Is there any setup that will allow me to both login to a server once and map domain groups to application roles on an ear by ear basis? I've tried using multiple application-policy elements in the login-config and using only 1. I've tried that with and without the SingleSignOn valve and am stumped.

      We should be moving to a 2 server clustered jboss setup also, so if there is a setup that would users to hit any web app on any server and be authenticated to all web apps on all servers that would be the best.

      Thanks in advance,

      chris