geronimo-dev mailing list archives

From "Vamsavardhana Reddy" <c1vams...@gmail.com>
Subject Re: Single Sign On with Geronimo 1.0
Date Mon, 07 Aug 2006 14:45:28 GMT
Seeing your reply, I have to add the following to my original comments.

I have tested SSO with two WebApps deployed as part of an EAR.  I do not
know if enabling SSO for Web Apps deployed independently requires any
changes in their deployment plans.

Thanks,
Vamsi

On 8/7/06, Paul McMahan <paulmcmahan@gmail.com> wrote:
>
> I looked at using the Tomcat SSOValve for GERONIMO-973 and had a
> similar experience -- i.e. it works fine but may not be appropriate in
> many situations.  As I recall, what it basically does is store the
> credentials in a cookie with higher level scope, making it visible to
> all the applications in the server instead of just the one that was
> originally authenticated.
>
> Since logging into the admin console should not grant access to other
> applications deployed in the server I ended up using a different
> approach for GERONIMO-973, which was to send all requests through a
> single context that acted as a proxy for the other context(s).  This
> works for SSO across multiple WARs in an EAR but may not work for SSO
> across EARs.  See the comments in GERONIMO-973 for details.  Your
> idea for defining multiple hosts might be a clever way to work around
> that issue.
>
> As Jeff points out, it should not be necessary to rebuild the server
> to use the SSOValve (unless something has changed recently). I just
> enabled it in var/config/config.xml.
>
> Best wishes,
> Paul
>
> On 8/7/06, Jeff Genender <jgenender@apache.org> wrote:
> > Why does the server need to be built with the SSOValve?
> >
> > You should be able to connect the SSOValve to the TomcatEngine in the
> > config.xml.
> >
> > Jeff
> >
> > Vamsavardhana Reddy wrote:
> > > I could get SSO working on a server built with SSOValve GBean in the
> > > tomcat plan.  In this case the application deployment plans needed no
> > > change as mentioned in the post that Krish pointed to.
> > >
> > > Here are some of my observations.
> > >
> > > An SSOValve GBean created as part of the application needs to be
> > > connected to TomcatEngine so that SSO works.  To do so, either the
> > > FirstValve in TomcatEngine needs to be replaced with this SSOValve or a
> > > "NextValve" attribute should be added to the FirstValve and it should be
> > > made to point to the SSOValve.  I guess there is only one TomcatEngine
> > > GBean in the server and I don't think it should be modified to suit the
> > > needs of two or more applications that need SSO.
> > >
> > > The other way is to have multiple hosts defined in the tomcat plan and
> > > one of them could have an SSOValve in the chain.  All apps that want SSO
> > > can use that host.
> > >
> > > In either case, the server needs to be built with SSOValve GBean.
> > >
> > > With what G provides right now, there is no way that an SSOValve GBean is
> > > created as part of an application and hooked to the TomcatEngine.
> > >
> > > Comments?
> > >
> > > Thanks,
> > > Vamsi
> > >
> > > On 8/2/06, Krishnakumar B <www.bkk@gmail.com> wrote:
> > >
> > >     Hi Joe,
> > >
> > >     I have also tried this and was able to get it to work by doing a build
> > >     with SSOValve GBean open.
> > >
> > >     Refer to earlier post:
> > >     http://www.nabble.com/SSO-in-Tomcat-tf1478623.html#a4001647
> > >
> > >     I was not able to get it to work by deploying a new Valve along with 2
> > >     web applications that need SSO.
> > >
> > >     Regards
> > >     Krish.
> > >
> > >     On 8/1/06, Joe O'Pecko <opeckojo@yahoo.com> wrote:
> > >     > I know this has been discussed in the past, and I
> > >     > apologize for the lengthy inquiry, however, I have
> > >     > been trying unsuccessfully to get SSO working with
> > >     > Tomcat on Geronimo v1.0 for some time. I am deploying
> > >     > an application as an ear file with two war files
> > >     > contained within. My geronimo-application.xml file
> > >     > contains a definition for a JAAS Security Realm and
> > >     > the two WAR file's geronimo-web.xml reference it via
> > >     > security-realm-name elements. Once deployed each web
> > >     > application challenges the user upon first access,
> > >     > using the configured JAAS LoginModule. I'd like to
> > >     > establish a SSO trust between the two web
> > >     > applications, if possible, so that a user is only
> > >     > challenged once for both web applications.
> > >     >
> > >     > I've seen a previous post on this site entitled Single
> > >     > Sign On : Tomcat in Geronimo
> > >     > (http://tinyurl.com/lkgjy) which seemed to provide
> > >     > some information. Basically, it suggested the addition
> > >     > of a SSOValve GBean to the geronimo-web.xml file. As
> > >     > suggested, I've added the SSOValve to each
> > >     > geronimo-web.xml and confirmed that I could see them
> > >     > running in the deploy-tool web application. However,
> > >     > each application has its own SSOValve GBean running
> > >     > which leads me to believe that they do not share
> > >     > anything between them.
> > >     >
> > >     > I've also seen Aaron Mulder's website which states
> > >     > that Geronimo does not natively support web-based
> > >     > single sign-on across web sites
> > >     > (http://tinyurl.com/qa9bl).
> > >     >
> > >     > So is it possible to provide Single Sign On across
> > >     > web applications? I've attached my config files below
> > >     > if it helps.
> > >     >
> > >     > Thanks in advance for any help and information you can
> > >     > provide.
> > >     >
> > >     > Joe
> > >     >
> > >     > ---begin geronimo-application.xml---
> > >     > <?xml version="1.0" encoding="UTF-8"?>
> > >     >
> > >     > <application
> > >     >    xmlns="http://geronimo.apache.org/xml/ns/j2ee/application"
> > >     >    xmlns:sec="http://geronimo.apache.org/xml/ns/security-1.1"
> > >     >    configId="com/foo/test"
> > >     >    parentId="geronimo/j2ee-server/1.0/car">
> > >     >
> > >     >    <dependency>
> > >     >        <groupId>log4j</groupId>
> > >     >        <artifactId>log4j</artifactId>
> > >     >        <version>1.2.8</version>
> > >     >    </dependency>
> > >     >
> > >     >    <sec:security>
> > >     >        <sec:default-principal realm-name="foo-realm">
> > >     >            <sec:principal
> > >     >                class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
> > >     >                name="anonymous"/>
> > >     >        </sec:default-principal>
> > >     >        <sec:role-mappings>
> > >     >            <!--
> > >     >                this mapping maps all users in the
> > >     > registeredUsers group to registered-users role
> > >     >                defined in web.xml
> > >     >            -->
> > >     >            <sec:role role-name="FOO_ADMIN">
> > >     >                <sec:realm realm-name="foo-realm">
> > >     >                    <sec:principal
> > >     >                        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> > >     >                        name="foo_admin"/>
> > >     >                </sec:realm>
> > >     >            </sec:role>
> > >     >            <sec:role role-name="FOO_USER">
> > >     >                <sec:realm realm-name="foo-realm">
> > >     >                    <sec:principal
> > >     >                        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> > >     >                        name="foo_user"/>
> > >     >                </sec:realm>
> > >     >            </sec:role>
> > >     >
> > >     >        </sec:role-mappings>
> > >     >    </sec:security>
> > >     >
> > >     >    <gbean name="foo-realm"
> > >     >           class="org.apache.geronimo.security.realm.GenericSecurityRealm">
> > >     >        <!--
> > >     >            this is the name of the Security Realm as well as the name
> > >     >            of the configuration entry used by the application
> > >     >        -->
> > >     >        <attribute name="realmName">foo-realm</attribute>
> > >     >
> > >     >        <!--
> > >     >            reference to the head of the login module use list
> > >     >        -->
> > >     >        <reference name="LoginModuleConfiguration">
> > >     >            <name>foo-login</name>
> > >     >        </reference>
> > >     >
> > >     >        <reference name="ServerInfo">
> > >     >            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
> > >     >        </reference>
> > >     >
> > >     >        <reference name="LoginService">
> > >     >            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
> > >     >        </reference>
> > >     >    </gbean>
> > >     >
> > >     >    <!--
> > >     >        this is the head of the login module use list
> > >     >    -->
> > >     >    <gbean name="foo-login"
> > >     >           class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
> > >     >        <!-- login module must succeed -->
> > >     >        <attribute name="controlFlag">REQUIRED</attribute>
> > >     >
> > >     >        <!-- reference to the login module -->
> > >     >        <reference name="LoginModule">
> > >     >            <name>foo-login</name>
> > >     >        </reference>
> > >     >    </gbean>
> > >     >
> > >     >    <!-- the login module GBean -->
> > >     >    <gbean name="foo-login"
> > >     >           class="org.apache.geronimo.security.jaas.LoginModuleGBean">
> > >     >        <attribute name="loginModuleClass">com.foo.FooLoginModule</attribute>
> > >     >        <attribute name="serverSide">true</attribute>
> > >     >        <attribute name="loginDomainName">foo-realm</attribute>
> > >     >    </gbean>
> > >     >
> > >     >    <gbean name="FooServer"
> > >     >           class="com.foo.FooServerGBean"
> > >     >           gbeanName="com.foo.fooserver:type=Server,name=GUIServer">
> > >     >        <attribute name="baseDirectory" type="java.lang.String">/home/foo</attribute>
> > >     >    </gbean>
> > >     > </application>
> > >     > ----end geronimo-application.xml----
> > >     >
> > >     >
> > >     > ---begin first geronimo-web.xml---
> > >     > <?xml version="1.0" encoding="UTF-8"?>
> > >     > <web-app
> > >     >    xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
> > >     >    configId="com/foo/contextOne">
> > >     >
> > >     >    <context-root>/contextOne</context-root>
> > >     >
> > >     >    <context-priority-classloader>false</context-priority-classloader>
> > >     >
> > >     >    <container-config>
> > >     >        <!-- Tomcat-specific container declarations -->
> > >     >        <tomcat xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
> > >     >            <valve-chain>SSOValve</valve-chain>
> > >     >        </tomcat>
> > >     >    </container-config>
> > >     >
> > >     >    <security-realm-name>netcool-realm</security-realm-name>
> > >     >
> > >     >    <gbean name="SSOValve"
> > >     >           class="org.apache.geronimo.tomcat.ValveGBean">
> > >     >        <attribute name="className">org.apache.catalina.authenticator.SingleSignOn</attribute>
> > >     >    </gbean>
> > >     >
> > >     > </web-app>
> > >     > ----end first geronimo-web.xml----
> > >     >
> > >     >
> > >     > ---begin second geronimo-web.xml---
> > >     > <?xml version="1.0" encoding="UTF-8"?>
> > >     > <web-app
> > >     >    xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
> > >     >    configId="com/foo/contextTwo">
> > >     >
> > >     >    <context-root>/contextTwo</context-root>
> > >     >
> > >     >    <context-priority-classloader>false</context-priority-classloader>
> > >     >
> > >     >    <container-config>
> > >     >        <!-- Tomcat-specific container declarations -->
> > >     >        <tomcat xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
> > >     >            <valve-chain>SSOValve</valve-chain>
> > >     >        </tomcat>
> > >     >    </container-config>
> > >     >
> > >     >    <security-realm-name>netcool-realm</security-realm-name>
> > >     >
> > >     >    <gbean name="SSOValve"
> > >     >           class="org.apache.geronimo.tomcat.ValveGBean">
> > >     >        <attribute name="className">org.apache.catalina.authenticator.SingleSignOn</attribute>
> > >     >    </gbean>
> > >     >
> > >     > </web-app>
> > >     > ----end second geronimo-web.xml----
> > >     >
> > >     >
> > >     >
> > >     >
> > >     >
> > >
> > >
> >
>
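The wiring Vamsi describes (an SSOValve GBean in the server's Tomcat plan, reached from FirstValve through a NextValve reference) as an added example; this fragment is not from the thread or from the Geronimo project. TomcatEngine, FirstValve, SSOValve, ValveGBean, NextValve and the SingleSignOn class are the names the thread uses. The AccessLogValve className and initParams shown for FirstValve, and the `<reference><name>` element form, are assumptions about the stock Geronimo 1.0 tomcat plan and should be checked against the server's own plan before use.

```xml
<!-- Geronimo 1.0 Tomcat deployment plan fragment (added example, not from the
     thread or the Geronimo project). TomcatEngine already references FirstValve
     as the head of its valve chain, so the engine GBean is left unchanged. -->

<!-- Existing first valve; it now hands the request on to the SSO valve.
     Assumption: the stock FirstValve is the access-log valve with these
     initParams, and ValveGBean exposes the next valve as a reference named
     NextValve. -->
<gbean name="FirstValve" class="org.apache.geronimo.tomcat.ValveGBean">
    <attribute name="className">org.apache.catalina.valves.AccessLogValve</attribute>
    <attribute name="initParams">prefix=geronimo_access_log.
suffix=.txt
pattern=common</attribute>
    <reference name="NextValve">
        <name>SSOValve</name>
    </reference>
</gbean>

<!-- Tomcat's SingleSignOn valve, built once with the server rather than once
     per application. It shares the authenticated principal across every
     context served through this chain, which is the scope concern Paul raised:
     a login to any one application (the console included) is a login to all. -->
<gbean name="SSOValve" class="org.apache.geronimo.tomcat.ValveGBean">
    <attribute name="className">org.apache.catalina.authenticator.SingleSignOn</attribute>
</gbean>
```

With the valve in the server plan, the geronimo-web.xml of each web application needs no SSOValve GBean and no `<valve-chain>` entry, matching what Krish and Vamsi report. If only some applications should share a login, Vamsi's alternative of a second host carrying the SSO chain keeps the sharing to the applications deployed on that host instead of every context in the server.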
