geronimo-dev mailing list archives

From Jeff Genender <jgenen...@apache.org>
Subject Re: Single Sign On with Geronimo 1.0
Date Mon, 07 Aug 2006 14:51:58 GMT
It shouldn't... if you apply the SSOValve at the host or engine level,
all web apps underneath will then be using the SSOValve via
inheritance.

Jeff

Vamsavardhana Reddy wrote:
> Seeing your reply, I have to add the following to my original comments.
> 
> I have tested SSO with two WebApps deployed as part of an EAR.  I do not
> know if enabling SSO for Web Apps deployed independently requires any
> changes in their deployment plans.
> 
> Thanks,
> Vamsi
> 
> On 8/7/06, *Paul McMahan* <paulmcmahan@gmail.com> wrote:
> 
>     I looked at using the Tomcat SSOValve for GERONIMO-973 and had a
>     similar experience -- i.e. it works fine but may not be appropriate in
>     many situations.  As I recall, what it basically does is store the
>     credentials in a cookie with higher-level scope, making it visible to
>     all the applications in the server instead of just the one that was
>     originally authenticated.
> 
>     Since logging into the admin console should not grant access to other
>     applications deployed in the server, I ended up using a different
>     approach for GERONIMO-973, which was to send all requests through a
>     single context that acted as a proxy for the other context(s).  This
>     works for SSO across multiple WARs in an EAR but may not work for SSO
>     across EARs.  See the comments in GERONIMO-973 for details.  Your
>     idea for defining multiple hosts might be a clever way to work around
>     that issue.
> 
>     As Jeff points out, it should not be necessary to rebuild the server
>     to use the SSOValve (unless something has changed recently). I just
>     enabled it in var/config/config.xml.
> 
>     Best wishes,
>     Paul
> 
>     On 8/7/06, Jeff Genender <jgenender@apache.org> wrote:
>     > Why does the server need to be built with the SSOValve?
>     >
>     > You should be able to connect the SSOValve to the TomcatEngine in the
>     > config.xml.
>     >
>     > Jeff
>     >
>     > Vamsavardhana Reddy wrote:
>     > > I could get SSO working on a server build with SSOValve GBean in
>     > > the tomcat plan.  In this case the application deployment plans
>     > > needed no change as mentioned in the post that Krish pointed to.
>     > >
>     > > Here are some of my observations.
>     > >
>     > > An SSOValve GBean created as part of the application needs to be
>     > > connected to TomcatEngine so that SSO works.  To do so, either the
>     > > FirstValve in TomcatEngine needs to be replaced with this SSOValve or a
>     > > "NextValve" attribute should be added to the FirstValve and it should be
>     > > made to point to the SSOValve.  I guess there is only one TomcatEngine
>     > > GBean in the server and I don't think it should be modified to suit the
>     > > needs of two or more applications that need SSO.
>     > >
>     > > The other way is to have multiple hosts defined in the tomcat plan and
>     > > one of them could have an SSOValve in the chain.  All apps that want SSO
>     > > can use that host.
>     > >
>     > > In either case, the server needs to be built with the SSOValve GBean.
>     > >
>     > > With what G provides right now, there is no way that an SSOValve GBean is
>     > > created as part of an application and hooked to the TomcatEngine.
>     > >
>     > > Comments?
>     > >
>     > > Thanks,
>     > > Vamsi
>     > >
>     > > On 8/2/06, *Krishnakumar B* <www.bkk@gmail.com> wrote:
>     > >
>     > >     Hi Joe,
>     > >
>     > >     I have also tried this and was able to get it to work by doing a build
>     > >     with SSOValve GBean open.
>     > >
>     > >     Refer to earlier post:
>     > >     http://www.nabble.com/SSO-in-Tomcat-tf1478623.html#a4001647
>     > >
>     > >     I was not able to get it to work by deploying a new Valve along with 2
>     > >     web applications that need SSO.
>     > >
>     > >     Regards
>     > >     Krish.
>     > >
>     > >     On 8/1/06, Joe O'Pecko <opeckojo@yahoo.com> wrote:
>     > >     > I know this has been discussed in the past, and I
>     > >     > apologize for the lengthy inquiry, however, I have
>     > >     > been trying unsuccessfully to get SSO working with
>     > >     > Tomcat on Geronimo v1.0 for some time. I am deploying
>     > >     > an application as an ear file with two war files
>     > >     > contained within. My geronimo-application.xml file
>     > >     > contains a definition for a JAAS Security Realm and
>     > >     > the two WAR files' geronimo-web.xml reference it via
>     > >     > security-realm-name elements. Once deployed each web
>     > >     > application challenges the user upon first access,
>     > >     > using the configured JAAS LoginModule. I'd like to
>     > >     > establish a SSO trust between the two web
>     > >     > applications, if possible, so that a user is only
>     > >     > challenged once for both web applications.
>     > >     >
>     > >     > I've seen a previous post on this site entitled Single
>     > >     > Sign On : Tomcat in Geronimo
>     > >     > (http://tinyurl.com/lkgjy) which seemed to provide
>     > >     > some information. Basically, it suggested the addition
>     > >     > of a SSOValve GBean to the geronimo-web.xml file. As
>     > >     > suggested, I've added the SSOValve to each
>     > >     > geronimo-web.xml and confirmed that I could see them
>     > >     > running in the deploy-tool web application. However,
>     > >     > each application has its own SSOValve GBean running
>     > >     > which leads me to believe that they do not share
>     > >     > anything between them.
>     > >     >
>     > >     > I've also seen Aaron Mulder's website which states
>     > >     > that Geronimo does not natively support web-based
>     > >     > single sign-on across web sites
>     > >     > (http://tinyurl.com/qa9bl).
>     > >     >
>     > >     > So is it possible to provide Single Sign On across
>     > >     > web applications? I've attached my config files below
>     > >     > if it helps.
>     > >     >
>     > >     > Thanks in advance for any help and information you can
>     > >     > provide.
>     > >     >
>     > >     > Joe
>     > >     >
>     > >     > ---begin geronimo-application.xml---
>     > >     > <?xml version="1.0" encoding="UTF-8"?>
>     > >     >
>     > >     > <application
>     > >     >     xmlns="http://geronimo.apache.org/xml/ns/j2ee/application"
>     > >     >     xmlns:sec="http://geronimo.apache.org/xml/ns/security-1.1"
>     > >     >     configId="com/foo/test"
>     > >     >     parentId="geronimo/j2ee-server/1.0/car">
>     > >     >
>     > >     >    <dependency>
>     > >     >        <groupId>log4j</groupId>
>     > >     >        <artifactId>log4j</artifactId>
>     > >     >        <version>1.2.8</version>
>     > >     >    </dependency>
>     > >     >
>     > >     >    <sec:security>
>     > >     >        <sec:default-principal realm-name="foo-realm">
>     > >     >            <sec:principal
>     > >     >                class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
>     > >     >                name="anonymous"/>
>     > >     >        </sec:default-principal>
>     > >     >        <sec:role-mappings>
>     > >     >            <!--
>     > >     >                this mapping maps all users in the registeredUsers group
>     > >     >                to the registered-users role defined in web.xml
>     > >     >            -->
>     > >     >            <sec:role role-name="FOO_ADMIN">
>     > >     >                <sec:realm realm-name="foo-realm">
>     > >     >                    <sec:principal
>     > >     >                        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>     > >     >                        name="foo_admin"/>
>     > >     >                </sec:realm>
>     > >     >            </sec:role>
>     > >     >            <sec:role role-name="FOO_USER">
>     > >     >                <sec:realm realm-name="foo-realm">
>     > >     >                    <sec:principal
>     > >     >                        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>     > >     >                        name="foo_user"/>
>     > >     >                </sec:realm>
>     > >     >            </sec:role>
>     > >     >        </sec:role-mappings>
>     > >     >    </sec:security>
>     > >     >
>     > >     >    <gbean name="foo-realm"
>     > >     >           class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>     > >     >        <!--
>     > >     >            this is the name of the Security Realm as well as the name
>     > >     >            of the configuration entry used by the application
>     > >     >        -->
>     > >     >        <attribute name="realmName">foo-realm</attribute>
>     > >     >
>     > >     >        <!-- reference to the head of the login module use list -->
>     > >     >        <reference name="LoginModuleConfiguration">
>     > >     >            <name>foo-login</name>
>     > >     >        </reference>
>     > >     >
>     > >     >        <reference name="ServerInfo">
>     > >     >            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
>     > >     >        </reference>
>     > >     >
>     > >     >        <reference name="LoginService">
>     > >     >            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
>     > >     >        </reference>
>     > >     >    </gbean>
>     > >     >
>     > >     >    <!-- this is the head of the login module use list -->
>     > >     >    <gbean name="foo-login"
>     > >     >           class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
>     > >     >        <!-- login module must succeed -->
>     > >     >        <attribute name="controlFlag">REQUIRED</attribute>
>     > >     >
>     > >     >        <!-- reference to the login module -->
>     > >     >        <reference name="LoginModule">
>     > >     >            <name>foo-login</name>
>     > >     >        </reference>
>     > >     >    </gbean>
>     > >     >
>     > >     >    <!-- the login module GBean -->
>     > >     >    <gbean name="foo-login"
>     > >     >           class="org.apache.geronimo.security.jaas.LoginModuleGBean">
>     > >     >        <attribute name="loginModuleClass">
>     > >     >            com.foo.FooLoginModule
>     > >     >        </attribute>
>     > >     >        <attribute name="serverSide">true</attribute>
>     > >     >        <attribute name="loginDomainName">foo-realm</attribute>
>     > >     >    </gbean>
>     > >     >
>     > >     >    <gbean name="FooServer"
>     > >     >           class="com.foo.FooServerGBean"
>     > >     >           gbeanName="com.foo.fooserver:type=Server,name=GUIServer">
>     > >     >        <attribute name="baseDirectory" type="java.lang.String">
>     > >     >           /home/foo
>     > >     >        </attribute>
>     > >     >    </gbean>
>     > >     > </application>
>     > >     > ----end geronimo-application.xml----
>     > >     >
>     > >     >
>     > >     > ---begin first geronimo-web.xml---
>     > >     > <?xml version="1.0" encoding="UTF-8"?>
>     > >     > <web-app
>     > >     >     xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
>     > >     >     configId="com/foo/contextOne">
>     > >     >
>     > >     >    <context-root>/contextOne</context-root>
>     > >     >
>     > >     >    <context-priority-classloader>false</context-priority-classloader>
>     > >     >
>     > >     >    <container-config>
>     > >     >        <!-- Tomcat-specific container declarations -->
>     > >     >        <tomcat
>     > >     >            xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
>     > >     >            <valve-chain>SSOValve</valve-chain>
>     > >     >        </tomcat>
>     > >     >    </container-config>
>     > >     >
>     > >     >    <security-realm-name>netcool-realm</security-realm-name>
>     > >     >
>     > >     >    <gbean name="SSOValve" class="org.apache.geronimo.tomcat.ValveGBean">
>     > >     >        <attribute name="className">
>     > >     >            org.apache.catalina.authenticator.SingleSignOn
>     > >     >        </attribute>
>     > >     >    </gbean>
>     > >     >
>     > >     > </web-app>
>     > >     > ----end first geronimo-web.xml----
>     > >     >
>     > >     >
>     > >     > ---begin second geronimo-web.xml---
>     > >     > <?xml version="1.0" encoding="UTF-8"?>
>     > >     > <web-app
>     > >     >     xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
>     > >     >     configId="com/foo/contextTwo">
>     > >     >
>     > >     >    <context-root>/contextTwo</context-root>
>     > >     >
>     > >     >    <context-priority-classloader>false</context-priority-classloader>
>     > >     >
>     > >     >    <container-config>
>     > >     >        <!-- Tomcat-specific container declarations -->
>     > >     >        <tomcat
>     > >     >            xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
>     > >     >            <valve-chain>SSOValve</valve-chain>
>     > >     >        </tomcat>
>     > >     >    </container-config>
>     > >     >
>     > >     >    <security-realm-name>netcool-realm</security-realm-name>
>     > >     >
>     > >     >    <gbean name="SSOValve" class="org.apache.geronimo.tomcat.ValveGBean">
>     > >     >        <attribute name="className">
>     > >     >            org.apache.catalina.authenticator.SingleSignOn
>     > >     >        </attribute>
>     > >     >    </gbean>
>     > >     >
>     > >     > </web-app>
>     > >     > ----end second geronimo-web.xml----
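A constructed model, added here and not code from Tomcat, Geronimo or anyone in this thread, of the behaviour the replies above describe: Tomcat's SingleSignOn valve keeps a host-scoped registry keyed by its JSESSIONIDSSO cookie, so a valve attached at the Host or Engine level is inherited by every context beneath it (Jeff's point), one ValveGBean per web app gives each app its own registry that shares nothing (Joe's observation), and on the shared valve one login, or one logout, covers every application on that host (Paul's caveat). The class and function names, the SSO id format and the user "alice" are my own assumptions; only the cookie name is Tomcat's.

```python
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SSO_COOKIE = "JSESSIONIDSSO"  # cookie Tomcat's SingleSignOn valve issues at path "/"


@dataclass
class SsoEntry:
    principal: str
    contexts: Set[str] = field(default_factory=set)  # sessions riding on this login


class SingleSignOnValve:
    """Constructed model of a host-scoped registry: SSO cookie -> principal."""

    def __init__(self) -> None:
        self._entries: Dict[str, SsoEntry] = {}
        self._ids = itertools.count(1)

    def register(self, principal: str) -> str:
        # A context's authenticator just logged the user in: issue an SSO id.
        sso_id = f"sso-{next(self._ids)}"
        self._entries[sso_id] = SsoEntry(principal)
        return sso_id

    def invoke(self, context: str, cookies: Dict[str, str]) -> Optional[str]:
        # Runs ahead of the context's own authenticator: a known SSO cookie
        # skips the login challenge and joins this context's session to it.
        entry = self._entries.get(cookies.get(SSO_COOKIE, ""))
        if entry is None:
            return None
        entry.contexts.add(context)
        return entry.principal

    def logout(self, cookies: Dict[str, str]) -> Set[str]:
        # Expiring the SSO entry signs every joined context out at once.
        entry = self._entries.pop(cookies.get(SSO_COOKIE, ""), None)
        return entry.contexts if entry is not None else set()


def build_host(contexts: List[str], host_level_valve: bool) -> Dict[str, SingleSignOnValve]:
    # True: one valve on the Host/Engine, inherited by every context (Jeff's setup).
    # False: a separate SSOValve GBean per web app, as in Joe's deployment plans.
    shared = SingleSignOnValve()
    return {c: shared if host_level_valve else SingleSignOnValve() for c in contexts}


def login_visible_elsewhere(host_level_valve: bool) -> bool:
    """Log in at /contextOne, then ask whether /contextTwo sees the principal."""
    valves = build_host(["/contextOne", "/contextTwo"], host_level_valve)
    cookies = {SSO_COOKIE: valves["/contextOne"].register("alice")}
    return valves["/contextTwo"].invoke("/contextTwo", cookies) == "alice"
```

The same shared registry that lets /contextTwo skip its login challenge is what makes an admin-console login visible to every other application on that host, which is the trade-off Paul describes.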