geronimo-dev mailing list archives

From Jeff Genender <jgenen...@apache.org>
Subject Re: Single Sign On with Geronimo 1.0
Date Mon, 07 Aug 2006 14:19:53 GMT
Why does the server need to be built with the SSOValve?

You should be able to connect the SSOValve to the TomcatEngine in the
config.xml.

Jeff

Vamsavardhana Reddy wrote:
> I could get SSO working on a server built with the SSOValve GBean in the
> tomcat plan.  In this case the application deployment plans needed no
> change, as mentioned in the post that Krish pointed to.
> 
> Here are some of my observations.
> 
> An SSOValve GBean created as part of the application needs to be
> connected to TomcatEngine so that SSO works.  To do so, either the
> FirstValve in TomcatEngine needs to be replaced with this SSOValve or a
> "NextValve" attribute should be added to the FirstValve and it should be
> made to point to the SSOValve.  I guess there is only one TomcatEngine
> GBean in the server and I don't think it should be modified to suit the
> needs of two or more applications that need SSO.
> 
> The other way is to have multiple hosts defined in the tomcat plan, and
> one of them could have an SSOValve in the chain.  All apps that want SSO
> can use that host.
> 
> In either case, the server needs to be built with the SSOValve GBean.
> 
> With what G provides right now, there is no way that an SSOValve GBean is
> created as part of an application and hooked to the TomcatEngine.
> 
> Comments?
> 
> Thanks,
> Vamsi
> 
> On 8/2/06, *Krishnakumar B* <www.bkk@gmail.com> wrote:
> 
>     Hi Joe,
> 
>     I have also tried this and was able to get it to work by doing a build
>     with SSOValve GBean open.
> 
>     Refer to earlier post :
>     http://www.nabble.com/SSO-in-Tomcat-tf1478623.html#a4001647
>     <http://www.nabble.com/SSO-in-Tomcat-tf1478623.html#a4001647>
> 
>     I was not able to get it to work by deploying a new Valve along with 2
>     web applications that need SSO.
> 
>     Regards
>     Krish.
> 
>     On 8/1/06, Joe O'Pecko <opeckojo@yahoo.com> wrote:
>     > I know this has been discussed in the past, and I
>     > apologize for the lengthy inquiry, however, I have
>     > been trying unsuccessfully to get SSO working with
>     > Tomcat on Geronimo v1.0 for some time. I am deploying
>     > an application as an ear file with two war files
>     > contained within. My geronimo-application.xml file
>     > contains a definition for a JAAS Security Realm and
>     > the two WAR files' geronimo-web.xml reference it via
>     > security-realm-name elements. Once deployed each web
>     > application challenges the user upon first access,
>     > using the configured JAAS LoginModule. I'd like to
>     > establish a SSO trust between the two web
>     > applications, if possible, so that a user is only
>     > challenged once for both web applications.
>     >
>     > I've seen a previous post on this site entitled Single
>     > Sign On : Tomcat in Geronimo
>     > (http://tinyurl.com/lkgjy) which seemed to provide
>     > some information. Basically, it suggested the addition
>     > of a SSOValve GBean to the geronimo-web.xml file. As
>     > suggested, I've added the SSOValve to each
>     > geronimo-web.xml and confirmed that I could see them
>     > running in the deploy-tool web application. However,
>     > each application has its own SSOValve GBean running
>     > which leads me to believe that they do not share
>     > anything between them.
>     >
>     > I've also seen Aaron Mulder's website which states
>     > that Geronimo does not natively support web-based
>     > single sign-on across web sites
>     > (http://tinyurl.com/qa9bl).
>     >
>     > So is it possible to provide Single Sign On across
>     > web applications? I've attached my config files below
>     > if it helps.
>     >
>     > Thanks in advance for any help and information you can
>     > provide.
>     >
>     > Joe
>     >
>     > ---begin geronimo-application.xml---
>     > <?xml version="1.0" encoding="UTF-8"?>
>     > <application
>     >     xmlns="http://geronimo.apache.org/xml/ns/j2ee/application"
>     >     xmlns:sec="http://geronimo.apache.org/xml/ns/security-1.1"
>     >     configId="com/foo/test"
>     >     parentId="geronimo/j2ee-server/1.0/car">
>     >
>     >     <dependency>
>     >         <groupId>log4j</groupId>
>     >         <artifactId>log4j</artifactId>
>     >         <version>1.2.8</version>
>     >     </dependency>
>     >
>     >     <sec:security>
>     >         <sec:default-principal realm-name="foo-realm">
>     >             <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
>     >                            name="anonymous"/>
>     >         </sec:default-principal>
>     >         <sec:role-mappings>
>     >             <!-- this mapping maps all users in the registeredUsers group to the
>     >                  registered-users role defined in web.xml -->
>     >             <sec:role role-name="FOO_ADMIN">
>     >                 <sec:realm realm-name="foo-realm">
>     >                     <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>     >                                    name="foo_admin"/>
>     >                 </sec:realm>
>     >             </sec:role>
>     >             <sec:role role-name="FOO_USER">
>     >                 <sec:realm realm-name="foo-realm">
>     >                     <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>     >                                    name="foo_user"/>
>     >                 </sec:realm>
>     >             </sec:role>
>     >         </sec:role-mappings>
>     >     </sec:security>
>     >
>     >     <gbean name="foo-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>     >         <!-- this is the name of the Security Realm as well as the name of the
>     >              configuration entry used by the application -->
>     >         <attribute name="realmName">foo-realm</attribute>
>     >
>     >         <!-- reference to the head of the login module use list -->
>     >         <reference name="LoginModuleConfiguration">
>     >             <name>foo-login</name>
>     >         </reference>
>     >
>     >         <reference name="ServerInfo">
>     >             <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
>     >         </reference>
>     >
>     >         <reference name="LoginService">
>     >             <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
>     >         </reference>
>     >     </gbean>
>     >
>     >     <!-- this is the head of the login module use list -->
>     >     <gbean name="foo-login" class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
>     >         <!-- login module must succeed -->
>     >         <attribute name="controlFlag">REQUIRED</attribute>
>     >
>     >         <!-- reference to the login module -->
>     >         <reference name="LoginModule">
>     >             <name>foo-login</name>
>     >         </reference>
>     >     </gbean>
>     >
>     >     <!-- the login module GBean -->
>     >     <gbean name="foo-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean">
>     >         <attribute name="loginModuleClass">com.foo.FooLoginModule</attribute>
>     >         <attribute name="serverSide">true</attribute>
>     >         <attribute name="loginDomainName">foo-realm</attribute>
>     >     </gbean>
>     >
>     >     <gbean name="FooServer" class="com.foo.FooServerGBean"
>     >            gbeanName="com.foo.fooserver:type=Server,name=GUIServer">
>     >         <attribute name="baseDirectory" type="java.lang.String">/home/foo</attribute>
>     >     </gbean>
>     > </application>
>     > ----end geronimo-application.xml----
>     >
>     >
>     > ---begin first geronimo-web.xml---
>     > <?xml version="1.0" encoding="UTF-8"?>
>     > <web-app
>     >     xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
>     >     configId="com/foo/contextOne">
>     >
>     >     <context-root>/contextOne</context-root>
>     >     <context-priority-classloader>false</context-priority-classloader>
>     >
>     >     <container-config>
>     >         <!-- Tomcat-specific container declarations -->
>     >         <tomcat xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
>     >             <valve-chain>SSOValve</valve-chain>
>     >         </tomcat>
>     >     </container-config>
>     >
>     >     <!-- must name the realm defined in geronimo-application.xml -->
>     >     <security-realm-name>foo-realm</security-realm-name>
>     >
>     >     <gbean name="SSOValve" class="org.apache.geronimo.tomcat.ValveGBean">
>     >         <attribute name="className">org.apache.catalina.authenticator.SingleSignOn</attribute>
>     >     </gbean>
>     > </web-app>
>     > ----end first geronimo-web.xml----
>     >
>     >
>     > ---begin second geronimo-web.xml---
>     > <?xml version="1.0" encoding="UTF-8"?>
>     > <web-app
>     >     xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
>     >     configId="com/foo/contextTwo">
>     >
>     >     <context-root>/contextTwo</context-root>
>     >     <context-priority-classloader>false</context-priority-classloader>
>     >
>     >     <container-config>
>     >         <!-- Tomcat-specific container declarations -->
>     >         <tomcat xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
>     >             <valve-chain>SSOValve</valve-chain>
>     >         </tomcat>
>     >     </container-config>
>     >
>     >     <!-- must name the realm defined in geronimo-application.xml -->
>     >     <security-realm-name>foo-realm</security-realm-name>
>     >
>     >     <gbean name="SSOValve" class="org.apache.geronimo.tomcat.ValveGBean">
>     >         <attribute name="className">org.apache.catalina.authenticator.SingleSignOn</attribute>
>     >     </gbean>
>     > </web-app>
>     > ----end second geronimo-web.xml----
>     >
>     >
>     >
>     >
> 
> 
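As an added illustration of the server-side wiring Vamsi describes (this is not code from the thread or from the Geronimo project), here is what a fragment of the Geronimo 1.0 tomcat plan would look like with the SSO valve chained behind FirstValve on TomcatEngine. The gbean names TomcatEngine, FirstValve and SSOValve, the NextValve reference, the ValveGBean class and the SingleSignOn className are the ones cited in the thread; the EngineGBean class, the TomcatValveChain reference name and the access-log attributes are assumed and must be checked against the tomcat plan actually shipped with the server.

```xml
<!-- Added example, not from the original thread: a fragment of a Geronimo 1.0
     tomcat plan with org.apache.catalina.authenticator.SingleSignOn wired into
     the engine-level valve chain. Only TomcatEngine, FirstValve, SSOValve,
     NextValve, ValveGBean and SingleSignOn come from the thread; the remaining
     class names, reference names and attribute values are assumed. -->

<!-- The engine references the head of the valve chain (assumed reference name). -->
<gbean name="TomcatEngine" class="org.apache.geronimo.tomcat.EngineGBean">
    <attribute name="className">org.apache.geronimo.tomcat.TomcatEngine</attribute>
    <attribute name="initParams">name=Geronimo</attribute>
    <reference name="TomcatValveChain">
        <name>FirstValve</name>
    </reference>
    <!-- DefaultHost, Hosts and RealmGBean references stay as in the shipped plan. -->
</gbean>

<!-- Existing first valve. Rather than replacing it with the SSO valve, give it
     a NextValve reference so the access log keeps working. -->
<gbean name="FirstValve" class="org.apache.geronimo.tomcat.ValveGBean">
    <attribute name="className">org.apache.catalina.valves.AccessLogValve</attribute>
    <attribute name="initParams">
        prefix=localhost_access_log.
        suffix=.txt
        pattern=common
    </attribute>
    <reference name="NextValve">
        <name>SSOValve</name>
    </reference>
</gbean>

<!-- The SSO valve, defined once in the server plan instead of once per
     geronimo-web.xml, so every context on this engine shares a single instance. -->
<gbean name="SSOValve" class="org.apache.geronimo.tomcat.ValveGBean">
    <attribute name="className">org.apache.catalina.authenticator.SingleSignOn</attribute>
</gbean>
```

One caveat worth keeping in mind when wiring it this way: once SingleSignOn sits in the engine chain, a successful login in any context behind it is honoured by every other context behind it (Tomcat tracks the SSO session with its JSESSIONIDSSO cookie), so all those applications trust each other's authentication and share a logout. That is the argument for Vamsi's second option, a dedicated host carrying the valve: only applications deployed to that host take part in SSO, and the rest of the server keeps per-application authentication.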
