geronimo-dev mailing list archives

From "Vamsavardhana Reddy" <c1vams...@gmail.com>
Subject Re: Single Sign On with Geronimo 1.0
Date Mon, 07 Aug 2006 14:30:37 GMT
You are right.  By "server built with SSOValve", I meant to say it should be
part of Tomcat configuration.

Thanks,
Vamsi

On 8/7/06, Jeff Genender <jgenender@apache.org> wrote:
>
> Why does the server need to be built with the SSOValve?
>
> You should be able to connect the SSOValve to the TomcatEngine in the
> config.xml.
>
> Jeff
>
> Vamsavardhana Reddy wrote:
> > I could get SSO working on a server built with SSOValve GBean in the
> > tomcat plan.  In this case the application deployment plans needed no
> > change as mentioned in the post that Krish pointed to.
> >
> > Here are some of my observations.
> >
> > An SSOValve GBean created as part of the application needs to be
> > connected to TomcatEngine so that SSO works.  To do so, either the
> > FirstValve in TomcatEngine needs to be replaced with this SSOValve or a
> > "NextValve" attribute should be added to the FirstValve and it should be
> > made point to the SSOValve.  I guess there is only one TomcatEngine
> > GBean in the server and I don't think it should be modified to suit the
> > needs of two or more applications that need SSO.
> >
> > The other way is to have multiple hosts defined in the tomcat plan and
> > one of them could have an SSOValve in the chain.  All apps that want SSO
> > can use that host.
> >
> > In either case, the server needs to be built with SSOValve GBean.
> >
> > With what G provides right now, there is no way that an SSOValve GBean is
> > created as part of an application and hooked to the TomcatEngine.
> >
> > Comments?
> >
> > Thanks,
> > Vamsi
> >
> > On 8/2/06, Krishnakumar B <www.bkk@gmail.com> wrote:
> >
> >     Hi Joe,
> >
> >     I have also tried this and was able to get it to work by doing a
> >     build with SSOValve GBean open.
> >
> >     Refer to earlier post:
> >     http://www.nabble.com/SSO-in-Tomcat-tf1478623.html#a4001647
> >
> >     I was not able to get it to work by deploying a new Valve along with
> >     2 web applications that need SSO.
> >
> >     Regards
> >     Krish.
> >
> >     On 8/1/06, Joe O'Pecko <opeckojo@yahoo.com> wrote:
> >     > I know this has been discussed in the past, and I
> >     > apologize for the lengthy inquiry, however, I have
> >     > been trying unsuccessfully to get SSO working with
> >     > Tomcat on Geronimo v1.0 for some time. I am deploying
> >     > an application as an ear file with two war files
> >     > contained within. My geronimo-application.xml file
> >     > contains a definition for a JAAS Security Realm and
> >     > the two WAR file's geronimo-web.xml reference it via
> >     > security-realm-name elements. Once deployed each web
> >     > application challenges the user upon first access,
> >     > using the configured JAAS LoginModule. I'd like to
> >     > establish a SSO trust between the two web
> >     > applications, if possible, so that a user is only
> >     > challenged once for both web applications.
> >     >
> >     > I've seen a previous post on this site entitled Single
> >     > Sign On : Tomcat in Geronimo
> >     > (http://tinyurl.com/lkgjy) which seemed to provide
> >     > some information. Basically, it suggested the addition
> >     > of a SSOValve GBean to the geronimo-web.xml file. As
> >     > suggested, I've added the SSOValve to each
> >     > geronimo-web.xml and confirmed that I could see them
> >     > running in the deploy-tool web application. However,
> >     > each application has its own SSOValve GBean running
> >     > which leads me to believe that they do not share
> >     > anything between them.
> >     >
> >     > I've also seen Aaron Mulder's website which states
> >     > that Geronimo does not natively support web-based
> >     > single sign-on across web sites
> >     > (http://tinyurl.com/qa9bl).
> >     >
> >     > So is it possible to provide Single Sign On across
> >     > web applications? I've attached my config files below
> >     > if it helps.
> >     >
> >     > Thanks in advance for any help and information you can
> >     > provide.
> >     >
> >     > Joe
> >     >
> >     > ---begin geronimo-application.xml---
> >     > <?xml version="1.0" encoding="UTF-8"?>
> >     >
> >     > <application
> >     >    xmlns="http://geronimo.apache.org/xml/ns/j2ee/application"
> >     >    xmlns:sec="http://geronimo.apache.org/xml/ns/security-1.1"
> >     >    configId="com/foo/test"
> >     >    parentId="geronimo/j2ee-server/1.0/car">
> >     >
> >     >    <dependency>
> >     >        <groupId>log4j</groupId>
> >     >        <artifactId>log4j</artifactId>
> >     >        <version>1.2.8</version>
> >     >    </dependency>
> >     >
> >     >    <sec:security>
> >     >        <sec:default-principal realm-name="foo-realm">
> >     >            <sec:principal
> >     >                class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
> >     >                name="anonymous"/>
> >     >        </sec:default-principal>
> >     >        <sec:role-mappings>
> >     >            <!--
> >     >                this mapping maps all users in the registeredUsers
> >     >                group to registered-users role defined in web.xml
> >     >            -->
> >     >            <sec:role role-name="FOO_ADMIN">
> >     >                <sec:realm realm-name="foo-realm">
> >     >                    <sec:principal
> >     >                        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> >     >                        name="foo_admin"/>
> >     >                </sec:realm>
> >     >            </sec:role>
> >     >            <sec:role role-name="FOO_USER">
> >     >                <sec:realm realm-name="foo-realm">
> >     >                    <sec:principal
> >     >                        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> >     >                        name="foo_user"/>
> >     >                </sec:realm>
> >     >            </sec:role>
> >     >
> >     >        </sec:role-mappings>
> >     >    </sec:security>
> >     >
> >     >    <gbean name="foo-realm"
> >     >           class="org.apache.geronimo.security.realm.GenericSecurityRealm">
> >     >        <!--
> >     >            this is the name of the Security Realm as well as the name
> >     >            of the configuration entry used by the application
> >     >        -->
> >     >        <attribute name="realmName">foo-realm</attribute>
> >     >
> >     >        <!--
> >     >            reference to the head of the login module use list
> >     >        -->
> >     >        <reference name="LoginModuleConfiguration">
> >     >            <name>foo-login</name>
> >     >        </reference>
> >     >
> >     >        <reference name="ServerInfo">
> >     >            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
> >     >        </reference>
> >     >
> >     >        <reference name="LoginService">
> >     >            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
> >     >        </reference>
> >     >    </gbean>
> >     >
> >     >    <!--
> >     >        this is the head of the login module use list
> >     >    -->
> >     >    <gbean name="foo-login"
> >     >           class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
> >     >        <!-- login module must succeed -->
> >     >        <attribute name="controlFlag">REQUIRED</attribute>
> >     >
> >     >        <!-- reference to the login module -->
> >     >        <reference name="LoginModule">
> >     >            <name>foo-login</name>
> >     >        </reference>
> >     >    </gbean>
> >     >
> >     >    <!-- the login module GBean -->
> >     >    <gbean name="foo-login"
> >     >           class="org.apache.geronimo.security.jaas.LoginModuleGBean">
> >     >        <attribute name="loginModuleClass">com.foo.FooLoginModule</attribute>
> >     >        <attribute name="serverSide">true</attribute>
> >     >        <attribute name="loginDomainName">foo-realm</attribute>
> >     >    </gbean>
> >     >
> >     >    <gbean name="FooServer"
> >     >           class="com.foo.FooServerGBean"
> >     >           gbeanName="com.foo.fooserver:type=Server,name=GUIServer">
> >     >        <attribute name="baseDirectory" type="java.lang.String">/home/foo</attribute>
> >     >    </gbean>
> >     > </application>
> >     > ----end geronimo-application.xml----
> >     >
> >     >
> >     > ---begin first geronimo-web.xml---
> >     > <?xml version="1.0" encoding="UTF-8"?>
> >     > <web-app
> >     >    xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
> >     >    configId="com/foo/contextOne">
> >     >
> >     >    <context-root>/contextOne</context-root>
> >     >
> >     >    <context-priority-classloader>false</context-priority-classloader>
> >     >
> >     >    <container-config>
> >     >        <!-- Tomcat-specific container declarations -->
> >     >        <tomcat xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
> >     >            <valve-chain>SSOValve</valve-chain>
> >     >        </tomcat>
> >     >    </container-config>
> >     >
> >     >
> >     >    <security-realm-name>netcool-realm</security-realm-name>
> >     >
> >     >    <gbean name="SSOValve"
> >     >           class="org.apache.geronimo.tomcat.ValveGBean">
> >     >        <attribute name="className">org.apache.catalina.authenticator.SingleSignOn</attribute>
> >     >    </gbean>
> >     >
> >     > </web-app>
> >     > ----end first geronimo-web.xml----
> >     >
> >     >
> >     > ---begin second geronimo-web.xml---
> >     > <?xml version="1.0" encoding="UTF-8"?>
> >     > <web-app
> >     >    xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
> >     >    configId="com/foo/contextTwo">
> >     >
> >     >    <context-root>/contextTwo</context-root>
> >     >
> >     >    <context-priority-classloader>false</context-priority-classloader>
> >     >
> >     >    <container-config>
> >     >        <!-- Tomcat-specific container declarations -->
> >     >        <tomcat xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
> >     >            <valve-chain>SSOValve</valve-chain>
> >     >        </tomcat>
> >     >    </container-config>
> >     >
> >     >
> >     >    <security-realm-name>netcool-realm</security-realm-name>
> >     >
> >     >    <gbean name="SSOValve"
> >     >           class="org.apache.geronimo.tomcat.ValveGBean">
> >     >        <attribute name="className">org.apache.catalina.authenticator.SingleSignOn</attribute>
> >     >    </gbean>
> >     >
> >     > </web-app>
> >     > ----end second geronimo-web.xml----
> >     >
> >     >
> >     >
> >     >
> >     >
> >
> >
>

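Vamsi's first option (one SSOValve owned by the server and linked into the Tomcat valve chain, rather than a private SSOValve per application) as a tomcat-plan fragment. This is an added illustration, not configuration from the thread or from Geronimo's shipped plan; it assumes a Geronimo 1.0-style tomcat plan in which the TomcatEngine GBean reaches its chain through a reference named TomcatValveChain that points at FirstValve, that FirstValve is an AccessLogValve, and that ValveGBean exposes a reference named NextValve for chaining.

```xml
<!-- Added example (assumed plan structure): server-level SSO valve in the Tomcat plan.
     Only the pieces that change are shown; the engine's DefaultHost, Hosts and
     RealmGBean references are left exactly as the shipped plan defines them. -->
<gbean name="TomcatEngine" class="org.apache.geronimo.tomcat.EngineGBean">
    <attribute name="className">org.apache.geronimo.tomcat.TomcatEngine</attribute>
    <attribute name="initParams">name=Geronimo</attribute>
    <!-- head of the valve chain (reference name is an assumption) -->
    <reference name="TomcatValveChain">
        <name>FirstValve</name>
    </reference>
</gbean>

<!-- The existing first valve; the only addition is the NextValve link to SSOValve -->
<gbean name="FirstValve" class="org.apache.geronimo.tomcat.ValveGBean">
    <attribute name="className">org.apache.catalina.valves.AccessLogValve</attribute>
    <reference name="NextValve">
        <name>SSOValve</name>
    </reference>
</gbean>

<!-- The SSO valve itself, declared once in the server plan. With this in place the
     applications' geronimo-web.xml files need neither a <valve-chain> element nor
     their own SSOValve GBean, which is the "no change to deployment plans" case
     Vamsi reports. -->
<gbean name="SSOValve" class="org.apache.geronimo.tomcat.ValveGBean">
    <attribute name="className">org.apache.catalina.authenticator.SingleSignOn</attribute>
</gbean>
```

Tomcat's SingleSignOn valve hands the authenticated identity to every web application that receives the SSO cookie below the point where the valve sits, so an engine-wide valve extends trust to all deployed applications; Vamsi's second option, a dedicated host whose chain carries the valve, is the way to confine SSO to the applications that actually need it.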