geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vamsavardhana Reddy" <c1vams...@gmail.com>
Subject Re: Single Sign On with Geronimo 1.0
Date Mon, 07 Aug 2006 13:42:26 GMT
I could get SSO Working on a server build with SSOValve GBean in the tomcat
plan.  In this case the application deployment plans needed no change as
mentioned in the post that Krish pointed to.

Here are some of my observations.

An SSOValve GBean created as part of the application needs to be connected
to TomcatEngine so that SSO works.  To do so, either the FirstValve in
TomcatEngine needs to be replaced with this SSOValve or a "NextValve"
attribute should be added to the FirstValve and it should be made point to
the SSOValve.  I guess there is only one TomcatEngine GBean in the server
and I don't think it should be modified to suit the needs of two or more
applications that need SSO.

Other way is to have multiple hosts defined in the tomcar plan and and one
of them could have an SSOValve in the chain.  All apps that want SSO can use
that host.

In either case, the server needs to built with SSOValve GBean.

With what G provides right now, there is noway that an SSOValve GBean is
created as part of an application and hooked to the TomcatEngine.

Comments?

Thanks,
Vamsi

On 8/2/06, Krishnakumar B <www.bkk@gmail.com> wrote:
>
> Hi Joe,
>
> I have also tried this and was able to get it to work by doing a build
> with SSOValve GBean open.
>
> Refer to earlier post :
> http://www.nabble.com/SSO-in-Tomcat-tf1478623.html#a4001647
>
> I was not able to get it to work by deploying a new Valve along with 2
> web applications that need SSO.
>
> Regards
> Krish.
>
> On 8/1/06, Joe O'Pecko <opeckojo@yahoo.com> wrote:
> > I know this has been discussed in the past, and I
> > apologize for the lengthy inquiry, however, I have
> > been trying unsuccessfully to get SSO working with
> > Tomcat on Geronimo v1.0 for some time. I am deploying
> > an application as an ear file with two war files
> > contained within. My geronimo-application.xml file
> > contains a definition for a JAAS Security Realm and
> > the two WAR file's geronimo-web.xml reference it via
> > security-realm-name elements. Once deployed each web
> > application challenges the user upon first access,
> > using the configured JAAS LoginModule. I'd like to
> > establish a SSO trust between the two web
> > applications, if possible, so that a user is only
> > challenged once for both web applications.
> >
> > I've seen a previous post on this site entitled Single
> > Sign On : Tomcat in Geronimo
> > (http://tinyurl.com/lkgjy) which seemed to provide
> > some information. Basically, it suggested the addition
> > of a SSOValve GBean to the geronimo-web.xml file. As
> > suggested, I've added the SSOValve to each
> > geronimo-web.xml and confirmed that I could see them
> > running in the deploy-tool web application. However,
> > each application has its own SSOValve GBean running
> > which leads me to believe that they do not share
> > anything between them.
> >
> > I've also seen Aaron Mulder's website which states
> > that Geronimo does not natively support web-based
> > single sign-on across web sites
> > (http://tinyurl.com/qa9bl).
> >
> > So is it possible to provide Single Sign On accross
> > web applications? I've attached my config files below
> > if it helps.
> >
> > Thanks in advance for any help and information you can
> > provide.
> >
> > Joe
> >
> > ---begin geronimo-application.xml---
> > <?xml version="1.0" encoding="UTF-8"?>
> >
> > <application
> >
> > xmlns="http://geronimo.apache.org/xml/ns/j2ee/application"
> >
> > xmlns:sec="http://geronimo.apache.org/xml/ns/security-1.1"
> >    configId="com/foo/test"
> >    parentId="geronimo/j2ee-server/1.0/car">
> >
> >    <dependency>
> >        <groupId>log4j</groupId>
> >        <artifactId>log4j</artifactId>
> >        <version>1.2.8</version>
> >    </dependency>
> >
> >    <sec:security>
> >        <sec:default-principal realm-name="foo-realm">
> >            <sec:principal
> >
> > class="
> org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
> >                name="anonymous"/>
> >        </sec:default-principal>
> >        <sec:role-mappings>
> >            <!--
> >                this mapping maps all users in the
> > registeredUsers group to registered-users role
> >                defined in web.xml
> >            -->
> >            <sec:role role-name="FOO_ADMIN">
> >                <sec:realm realm-name="foo-realm">
> >                    <sec:principal
> >
> > class="
> org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> >                        name="foo_admin"/>
> >                </sec:realm>
> >            </sec:role>
> >            <sec:role role-name="FOO_USER">
> >                <sec:realm realm-name="foo-realm">
> >                    <sec:principal
> >
> > class="
> org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> >                        name="foo_user"/>
> >                </sec:realm>
> >            </sec:role>
> >
> >        </sec:role-mappings>
> >    </sec:security>
> >
> >    <gbean name="foo-realm"
> > class="org.apache.geronimo.security.realm.GenericSecurityRealm">
> >        <!--
> >            this is the name of the Security Realm as
> > well as the name
> >            of the configuration entry used by the
> > application
> >        -->
> >        <attribute
> > name="realmName">foo-realm</attribute>
> >
> >        <!--
> >            reference to the head of the login module
> > use list
> >        -->
> >        <reference name="LoginModuleConfiguration">
> >            <name>foo-login</name>
> >        </reference>
> >
> >        <reference name="ServerInfo">
> >
> > <gbean-name>geronimo.server:J2EEApplication=null
> ,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
> >        </reference>
> >
> >        <reference name="LoginService">
> >
> > <gbean-name>geronimo.server:J2EEApplication=null
> ,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
> >        </reference>
> >    </gbean>
> >
> >    <!--
> >        this is the head of the login module use list
> >    -->
> >    <gbean name="foo-login"
> > class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
> >        <!-- login module must succeed -->
> >        <attribute
> > name="controlFlag">REQUIRED</attribute>
> >
> >        <!-- reference to the login module -->
> >        <reference name="LoginModule">
> >            <name>foo-login</name>
> >        </reference>
> >    </gbean>
> >
> >    <!-- the login module GBean -->
> >    <gbean name="foo-login"
> > class="org.apache.geronimo.security.jaas.LoginModuleGBean">
> >        <attribute name="loginModuleClass">
> >            com.foo.FooLoginModule
> >        </attribute>
> >        <attribute name="serverSide">true</attribute>
> >        <attribute
> > name="loginDomainName">foo-realm</attribute>
> >    </gbean>
> >
> >    <gbean name="FooServer"
> >           class="com.foo.FooServerGBean"
> >
> > gbeanName="com.foo.fooserver:type=Server,name=GUIServer">
> >        <attribute name="baseDirectory"
> > type="java.lang.String">
> >           /home/foo
> >        </attribute>
> >    </gbean>
> > </application>
> > ----end geronimo-application.xml----
> >
> >
> > ---begin first geronimo-web.xml---
> > <?xml version="1.0" encoding="UTF-8"?>
> > <web-app
> >
> > xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
> >    configId="com/foo/contextOne">
> >
> >    <context-root>/contextOne</context-root>
> >
> > <context-priority-classloader>false</context-priority-classloader>
> >
> >
> >    <container-config>
> >        <!--  Tomcat-specific container declarations
> > -->
> >        <tomcat
> > xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
> >            <valve-chain>SSOValve</valve-chain>
> >        </tomcat>
> >    </container-config>
> >
> >
> > <security-realm-name>netcool-realm</security-realm-name>
> >
> >    <gbean name="SSOValve"
> > class="org.apache.geronimo.tomcat.ValveGBean">
> >        <attribute name="className">
> >
> > org.apache.catalina.authenticator.SingleSignOn
> >        </attribute>
> >    </gbean>
> >
> > </web-app>
> > ----end first geronimo-web.xml----
> >
> >
> > ---begin second geronimo-web.xml---
> > <?xml version="1.0" encoding="UTF-8"?>
> > <web-app
> >
> > xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
> >    configId="com/foo/contextTwo">
> >
> >    <context-root>/contextTwo</context-root>
> >
> > <context-priority-classloader>false</context-priority-classloader>
> >
> >
> >    <container-config>
> >        <!--  Tomcat-specific container declarations
> > -->
> >        <tomcat
> > xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
> >            <valve-chain>SSOValve</valve-chain>
> >        </tomcat>
> >    </container-config>
> >
> >
> > <security-realm-name>netcool-realm</security-realm-name>
> >
> >    <gbean name="SSOValve"
> > class="org.apache.geronimo.tomcat.ValveGBean">
> >        <attribute name="className">
> >
> > org.apache.catalina.authenticator.SingleSignOn
> >        </attribute>
> >    </gbean>
> >
> > </web-app>
> > ----end second geronimo-web.xml----
> >
> >
> >
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam?  Yahoo! Mail has the best spam protection around
> > http://mail.yahoo.com
> >
>

Mime
View raw message