From Joe O'Pecko <opeck...@yahoo.com>
Subject Single Sign On with Geronimo 1.0
Date Tue, 01 Aug 2006 14:38:54 GMT
I know this has been discussed in the past, and I
apologize for the lengthy inquiry, however, I have
been trying unsuccessfully to get SSO working with
Tomcat on Geronimo v1.0 for some time. I am deploying
an application as an ear file with two war files
contained within. My geronimo-application.xml file
contains a definition for a JAAS Security Realm and
the two WAR files' geronimo-web.xml plans reference it via
security-realm-name elements.
application challenges the user upon first access,
using the configured JAAS LoginModule. I'd like to
establish a SSO trust between the two web
applications, if possible, so that a user is only
challenged once for both web applications.

I've seen a previous post on this site entitled Single
Sign On : Tomcat in Geronimo
(http://tinyurl.com/lkgjy) which seemed to provide
some information. Basically, it suggested the addition
of a SSOValve GBean to the geronimo-web.xml file. As
suggested, I've added the SSOValve to each
geronimo-web.xml and confirmed that I could see them
running in the deploy-tool web application. However,
each application has its own SSOValve GBean running,
which leads me to believe that the two valve instances
share no single-sign-on state between them.

I've also seen Aaron Mulder's website which states
that Geronimo does not natively support web-based
single sign-on across web sites
(http://tinyurl.com/qa9bl).

So is it possible to provide Single Sign On across
web applications? I've attached my config files below
if it helps.

Thanks in advance for any help and information you can
provide.

Joe

---begin geronimo-application.xml---
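<?xml version="1.0" encoding="UTF-8"?>
<!--
    Application-level Geronimo deployment plan for the EAR.
    It declares one JAAS security realm ("foo-realm"), maps that realm's
    groups onto the roles used by the WARs, and starts one custom GBean.
-->
<application
    xmlns="http://geronimo.apache.org/xml/ns/j2ee/application"
    xmlns:sec="http://geronimo.apache.org/xml/ns/security-1.1"
    configId="com/foo/test"
    parentId="geronimo/j2ee-server/1.0/car">

    <dependency>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
        <version>1.2.8</version>
    </dependency>

    <sec:security>
        <!--
            Principal assigned to callers that have not authenticated.
            It is deliberately absent from the role mappings below, so an
            unauthenticated caller holds no application role; keep it that way.
        -->
        <sec:default-principal realm-name="foo-realm">
            <sec:principal
                class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                name="anonymous"/>
        </sec:default-principal>

        <!--
            Group -> role mappings. Each role declared in the WARs' web.xml is
            granted to members of the named foo-realm group:
              foo_admin -> FOO_ADMIN, foo_user -> FOO_USER.
        -->
        <sec:role-mappings>
            <sec:role role-name="FOO_ADMIN">
                <sec:realm realm-name="foo-realm">
                    <sec:principal
                        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                        name="foo_admin"/>
                </sec:realm>
            </sec:role>
            <sec:role role-name="FOO_USER">
                <sec:realm realm-name="foo-realm">
                    <sec:principal
                        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                        name="foo_user"/>
                </sec:realm>
            </sec:role>
        </sec:role-mappings>
    </sec:security>

    <!--
        The security realm. "realmName" is both the realm's name and the
        value a WAR must put in <security-realm-name> to use it.
        NOTE(review): the two geronimo-web.xml plans shipped with this EAR
        reference "netcool-realm", not "foo-realm" - confirm that is intended,
        since the role mappings above only cover foo-realm.
    -->
    <gbean name="foo-realm"
           class="org.apache.geronimo.security.realm.GenericSecurityRealm">
        <attribute name="realmName">foo-realm</attribute>

        <!-- head of the login-module use list -->
        <reference name="LoginModuleConfiguration">
            <name>foo-login</name>
        </reference>

        <reference name="ServerInfo">
            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
        </reference>

        <reference name="LoginService">
            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
        </reference>
    </gbean>

    <!--
        Head (and only entry) of the login-module use list.
        controlFlag REQUIRED: this module must succeed for the login to succeed.
        NOTE(review): this GBean and the LoginModuleGBean below both carry the
        name "foo-login", and both references in this file resolve by that
        name alone; this relies on the container telling the two apart by
        type - confirm it does, or give them distinct names.
    -->
    <gbean name="foo-login"
           class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
        <attribute name="controlFlag">REQUIRED</attribute>
        <reference name="LoginModule">
            <name>foo-login</name>
        </reference>
    </gbean>

    <!--
        The JAAS login module itself. Attribute values are written on one
        line so that indentation whitespace cannot become part of the text
        (the container may trim it, but the plan should not rely on that).
    -->
    <gbean name="foo-login"
           class="org.apache.geronimo.security.jaas.LoginModuleGBean">
        <attribute name="loginModuleClass">com.foo.FooLoginModule</attribute>
        <attribute name="serverSide">true</attribute>
        <attribute name="loginDomainName">foo-realm</attribute>
    </gbean>

    <!-- Custom application GBean; not part of the security configuration. -->
    <gbean name="FooServer"
           class="com.foo.FooServerGBean"
           gbeanName="com.foo.fooserver:type=Server,name=GUIServer">
        <attribute name="baseDirectory" type="java.lang.String">/home/foo</attribute>
    </gbean>
</application>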
----end geronimo-application.xml----


---begin first geronimo-web.xml---
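<?xml version="1.0" encoding="UTF-8"?>
<!-- Geronimo deployment plan for the first WAR (context /contextOne). -->
<web-app
    xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
    configId="com/foo/contextOne">

    <context-root>/contextOne</context-root>
    <context-priority-classloader>false</context-priority-classloader>

    <container-config>
        <!-- Tomcat-specific container declarations -->
        <tomcat xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
            <valve-chain>SSOValve</valve-chain>
        </tomcat>
    </container-config>

    <!--
        Realm this WAR authenticates against.
        NOTE(review): the enclosing geronimo-application.xml defines
        "foo-realm" and maps roles only for that realm, while this plan names
        "netcool-realm". Unless netcool-realm is a server-level realm, the WAR
        is not using the realm configured in the EAR - confirm. Two contexts
        can only share a login if they authenticate against the same realm.
    -->
    <security-realm-name>netcool-realm</security-realm-name>

    <!--
        Tomcat's SingleSignOn valve. Declared here it is placed in this
        context's own pipeline, which is why each WAR shows a separate
        running SSOValve GBean and the two contexts share no SSO state.
        Per Tomcat's documentation the valve belongs at the Host level,
        where a single instance sees every context; at that scope a login
        to any one web application is trusted by all others on that Host,
        so only co-locate applications that should trust each other's sessions.
        The class name is written on one line so indentation whitespace
        cannot become part of the value.
    -->
    <gbean name="SSOValve" class="org.apache.geronimo.tomcat.ValveGBean">
        <attribute name="className">org.apache.catalina.authenticator.SingleSignOn</attribute>
    </gbean>

</web-app>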
----end first geronimo-web.xml----


---begin second geronimo-web.xml---
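<?xml version="1.0" encoding="UTF-8"?>
<!-- Geronimo deployment plan for the second WAR (context /contextTwo). -->
<web-app
    xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
    configId="com/foo/contextTwo">

    <context-root>/contextTwo</context-root>
    <context-priority-classloader>false</context-priority-classloader>

    <container-config>
        <!-- Tomcat-specific container declarations -->
        <tomcat xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
            <valve-chain>SSOValve</valve-chain>
        </tomcat>
    </container-config>

    <!--
        Realm this WAR authenticates against.
        NOTE(review): the enclosing geronimo-application.xml defines
        "foo-realm" and maps roles only for that realm, while this plan names
        "netcool-realm". Unless netcool-realm is a server-level realm, the WAR
        is not using the realm configured in the EAR - confirm. Two contexts
        can only share a login if they authenticate against the same realm.
    -->
    <security-realm-name>netcool-realm</security-realm-name>

    <!--
        Tomcat's SingleSignOn valve. Declared here it is placed in this
        context's own pipeline, which is why each WAR shows a separate
        running SSOValve GBean and the two contexts share no SSO state.
        Per Tomcat's documentation the valve belongs at the Host level,
        where a single instance sees every context; at that scope a login
        to any one web application is trusted by all others on that Host,
        so only co-locate applications that should trust each other's sessions.
        The class name is written on one line so indentation whitespace
        cannot become part of the value.
    -->
    <gbean name="SSOValve" class="org.apache.geronimo.tomcat.ValveGBean">
        <attribute name="className">org.apache.catalina.authenticator.SingleSignOn</attribute>
    </gbean>

</web-app>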
----end second geronimo-web.xml----




