Chapter 2. Integration of JBoss Portal 2.7 with JOSSO

2.1. Integration of JBoss Portal and JOSSO deployed on the same host with usage of HTTP protocol
2.2. Integration of JBoss Portal and JOSSO deployed on the same host. HTTPS protocol is used for JOSSO
2.3. Integration of JOSSO and more JBoss Portals deployed on multiple hosts
2.4. Integration of JOSSO, JBoss Portal and third-party web application
2.5. Integration of one JBoss Portal and one JOSSO server deployed on different hosts
2.6. FAQ

This chapter describes how to integrate JBoss Portal 2.7 with the SSO framework JOSSO (Java Open Single Sign-On). We will use version 1.8.0 of JOSSO and version 2.7.2 of JBoss Portal.

2.1. Integration of JBoss Portal and JOSSO deployed on the same host with usage of HTTP protocol

This is the basic integration scenario. Both JBoss Portal and JOSSO are deployed to the same instance of JBoss AS 4.2.X and configured so that JBoss Portal uses JOSSO for authentication; you will be able to log in to JOSSO with the same credentials you used for JBoss Portal before the integration.

  1. You must have JBoss Portal 2.7 deployed on JBoss AS (version 4.2.2 or 4.2.3) or JBoss EAP. How to do this is out of scope of this document; read Chapter 2 of the reference guide if you run into trouble.

    In the rest of this scenario we assume that $JBOSS_HOME is the directory where your JBoss AS is installed and that JBoss Portal is deployed in the default configuration of your JBoss AS.

  2. Start the JBoss server and stop it again once it has fully started. This is necessary so that the CMS is initialized correctly.

  3. Download josso-1.8.0.zip from http://www.josso.org and unzip it to some location on your computer. We assume /tmp/josso-1.8.0 in the rest of this document.

  4. Install the JOSSO gateway and the JOSSO agent into the default configuration where JBoss Portal runs. The gateway is the core component of JOSSO: it acts as the web console and performs the authentication, so it is the identity provider. The JOSSO agent is something like a listener that redirects authentication requests to the JOSSO gateway. The agent has to be deployed in the same instance as JBoss Portal.

    In our case we use only one configuration for both JBoss Portal and JOSSO, so both the gateway and the agent will be deployed to the default configuration. The installation can be performed with josso-gsh, which you run with the command:

    /tmp/josso-1.8.0/bin/josso-gsh

    Now you can install the gateway and the agent into your JBoss AS with the commands:

    gateway install --target $JBOSS_HOME --jboss-instance default --platform jb42
    agent install --target $JBOSS_HOME --jboss-instance default --platform jb42

    You may see an error about a missing DTD document during the agent installation; it can be ignored. The important assumption is that you are running JBoss AS version 4.2.

  5. Copy two JAR libraries from the $JBOSS_HOME/server/default/deploy/jboss-portal.sar/lib directory to the $JBOSS_HOME/server/default/deploy/josso.war/WEB-INF/lib directory. The first file is portal-identity-lib.jar and the second is portal-identity-sso-lib.jar.

  6. Uncomment the JOSSO logout valve in $JBOSS_HOME/server/default/deploy/jboss-portal.sar/portal-server.war/WEB-INF/context.xml:

    <Valve className="org.jboss.portal.identity.sso.josso.JOSSOLogoutValve"/>

  7. Edit $JBOSS_HOME/server/default/deploy/jboss-portal.sar/META-INF/jboss-service.xml and add the JOSSOIdentityService MBean to the configuration:

    <!-- JOSSO -->
    <mbean
        code="org.jboss.portal.identity.sso.josso.JOSSOIdentityServiceImpl"
        name="portal:service=Module,type=JOSSOIdentityService"
        xmbean-dd=""
        xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
        <xmbean/>
        <depends>portal:service=Module,type=IdentityServiceController</depends>
    </mbean>

  8. Edit $JBOSS_HOME/server/default/deploy/jboss-portal.sar/portal-server.war/login.jsp. This file is now only used to redirect to JOSSO, so it should contain nothing but the following:

    <%@page contentType="text/html; charset=iso-8859-1" language="java" session="true" %>
    <%
        response.sendRedirect(request.getContextPath() + "/josso_login/");
    %>

    Everything else in the file can be commented out or deleted.

  9. Add this application policy to the file $JBOSS_HOME/server/default/conf/login-config.xml:

    <application-policy name="josso">
      <authentication>
          <login-module code="org.jboss.portal.identity.sso.josso.JOSSOLoginModule" flag="required">
             <module-option name="debug">true</module-option>
          </login-module>
      </authentication>
    </application-policy>

  10. Change the portal security domain to josso in $JBOSS_HOME/server/default/deploy/jboss-portal.sar/portal-server.war/WEB-INF/jboss-web.xml by editing the security-domain line:

    <security-domain>java:jaas/josso</security-domain>

  11. Create the file $JBOSS_HOME/server/default/conf/josso-gateway-portal-stores.xml with this content:

    <s:beans xmlns:s="http://www.springframework.org/schema/beans"
           xmlns:portal-istore="urn:org:jboss:portal:josso:identitystore"
           xmlns:memory-sstore="urn:org:josso:memory:sessionstore"
           xmlns:memory-astore="urn:org:josso:memory:assertionstore"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="
            http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd        
            urn:org:josso:memory:sessionstore http://www.josso.org/schema/josso-memory-sessionstore.xsd
            urn:org:josso:memory:assertionstore http://www.josso.org/schema/josso-memory-assertionstore.xsd
            ">
        <!-- ===================================================================== -->
        <!-- JOSSO Identity Store, the id is very important because it is          -->
        <!-- referenced by the identity manager, auth schemes and who knows where  -->
        <!-- else.                                                                 -->
        <!-- ===================================================================== -->
        <portal-istore:portal-store id="josso-identity-store" s:scope="singleton"/>
    
        <!-- ===================================================================== -->
        <!-- JOSSO Session Store, the id is very important because it is           -->
        <!-- referenced by the session manager and who knows where else            -->
        <!-- ===================================================================== -->
        <memory-sstore:memory-store id="josso-session-store"/>
    
        <!-- ===================================================================== -->
        <!-- JOSSO Assertion Store, the id is very important because it is         -->
        <!-- referenced by the assertion manager and who knows where else          -->
        <!-- ===================================================================== -->
        <memory-astore:memory-store id="josso-assertion-store"/>
    </s:beans>

  12. Edit the file $JBOSS_HOME/server/default/conf/josso-gateway-config.xml. It is the main configuration file of the JOSSO gateway. You have to change two things in it.

    • Change the stores part of the file: import josso-gateway-portal-stores.xml and comment out the other stores:

      <!-- Identity, Session and Assertion Stores configuration -->
      <s:import resource="josso-gateway-portal-stores.xml" />
      <!--
      <s:import resource="josso-gateway-memory-stores.xml" />
      <s:import resource="josso-gateway-db-stores.xml" />
      <s:import resource="josso-gateway-ldap-stores.xml" />
      -->

    • The bind authentication scheme needs to be registered in the authenticator part of the file (the other schemes can be commented out):

      <def-auth:authenticator id="josso-authenticator">
        <def-auth:schemes>
           <s:ref bean="josso-bind-authentication"/>
           <!--
           <s:ref bean="josso-basic-authentication"/>
           <s:ref bean="josso-strong-authentication"/>
           <s:ref bean="josso-rememberme-authentication"/>
           -->
           <!-- Others like NTLM and BIND go here -->
           <!--
           <s:ref bean="josso-bind-authentication"/>
           -->
        </def-auth:schemes>
      </def-auth:authenticator>

  13. Edit $JBOSS_HOME/server/default/conf/josso-gateway-auth.xml and uncomment the bind authentication scheme:

    <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
    <!-- BIND Authentication Scheme (normally LDAP) -->
    <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
    <!-- Requires a bindable credential store! -->
    <!-- name attribute is important and must not be changed -->
    <bind-authscheme:bind-auth-scheme
             id="josso-bind-authentication"
             name="basic-authentication"
             hashAlgorithm="MD5"
             hashEncoding="HEX"
             ignorePasswordCase="false"
             ignoreUserCase="false">
    
    
         <bind-authscheme:credentialStore>
             <s:ref bean="josso-identity-store"/>
         </bind-authscheme:credentialStore>
    
         <bind-authscheme:credentialStoreKeyAdapter>
             <s:ref bean="josso-simple-key-adapter"/>
         </bind-authscheme:credentialStoreKeyAdapter>
    </bind-authscheme:bind-auth-scheme>

  14. Edit $JBOSS_HOME/server/default/conf/josso-agent-config.xml and configure it for the JBoss Portal application. Your <agent:partner-apps> element should contain this:

    <agent:partner-apps>
       <agent:partner-app id="jboss_portal" context="/portal"/>
    </agent:partner-apps>

    All other partner-apps can be commented out or deleted unless you want to use other applications with JOSSO.

  15. Add the option -Dorg.apache.commons.logging.LogFactory=org.apache.commons.logging.impl.LogFactoryImpl to your JAVA_OPTS environment variable. The simplest way is to add the line

    JAVA_OPTS="$JAVA_OPTS -Dorg.apache.commons.logging.LogFactory=org.apache.commons.logging.impl.LogFactoryImpl"

    to your $JBOSS_HOME/bin/run.sh file (somewhere before the "Display our environment" section).

  16. Start JBoss again; now you should be able to test the integration. Go to http://localhost:8080/portal and click the Login link. You should be redirected to the JOSSO gateway web console, where you can log in with your portal credentials (for example admin/admin or user/user). After the login you should be redirected back to the portal and be logged in there.

2.2. Integration of JBoss Portal and JOSSO deployed on the same host. HTTPS protocol is used for JOSSO

This scenario shows how to secure your JBoss AS instance with the JOSSO server and how to authenticate to JOSSO securely over HTTPS. Access to the JOSSO gateway is secured, and so is access to the SOAP web services used for the communication between the JOSSO gateway and the JOSSO agent. It assumes that you have completed the previous scenario 2.1 and have JOSSO and JBoss Portal on the same host.

  1. Enable HTTPS in your default configuration, where JBoss Portal and JOSSO are deployed. Go through steps 1, 2 and 3 of the CAS guide, section 1.2.

  2. Now the only thing you have to change is securing access to the gateway and the web services in the file $JBOSS_HOME/server/default/conf/josso-agent-config.xml:

    <!-- Gateway LOGIN and LOGOUT URLs -->
    <gatewayLoginUrl>https://localhost:8443/josso/signon/login.do</gatewayLoginUrl>
    <gatewayLogoutUrl>https://localhost:8443/josso/signon/logout.do</gatewayLogoutUrl>
    
    <!-- Gateway service locator -->
    <gatewayServiceLocator>
        <!-- Other properties for ws-service-locator :
         username, password, servicesWebContext, transportSecurity
       -->
        <protocol:ws-service-locator endpoint="localhost:8443" transportSecurity="confidential" />
    </gatewayServiceLocator>

  3. Now restart your JBoss AS, but with the additional option -Djavax.net.ssl.trustStore. This Java option is important because it tells Java which file holds the certificates it should trust; without it the secured communication between the web services does not work. Here the trust store is the server.keystore that contains the certificate created when enabling HTTPS, so the agent trusts the gateway's certificate.

    The whole command for starting JBoss should look like this:

    ./run.sh -Djavax.net.ssl.trustStore=$JBOSS_HOME/server/default/conf/server.keystore

  4. When the server is started, go to http://localhost:8080/portal and click the Login link. You should be redirected to the JOSSO login screen and see that HTTPS is used for accessing the JOSSO gateway. After a successful login you should be redirected to the JBoss Portal default page at http://localhost:8080/portal/auth/portal/default and see Logged in as: admin or Logged in as: user in the upper right corner.

    You can also use HTTPS for accessing JBoss Portal. HTTPS can be used on both sides of the communication, on the JBoss Portal side as well as on the JOSSO side.

2.3. Integration of JOSSO and more JBoss Portals deployed on multiple hosts

The next scenario simulates the situation where two instances of JBoss Portal are deployed on different hosts and both are configured to authenticate against one JOSSO server. In this tutorial we simulate it on a single computer, using two different configurations of JBoss AS (EAP) with a different host name for each. In the following text, josso-01 is the name of the host and JBoss AS configuration where JBoss Portal and JOSSO are deployed, and josso-02 is the name of the host and JBoss AS configuration where the second JBoss Portal is deployed. This second portal is configured to authenticate against the JOSSO on josso-01.

  1. Create new virtual hosts on your system with distinct names. In this scenario we use the names josso-01 and josso-02. On Linux systems this can be done by adding these two lines

    127.0.1.2       josso-01
    127.0.1.3       josso-02

    to your /etc/hosts file. You need root privileges to do this. If you don't have them, use IP addresses instead of host names in the rest of this tutorial (for example, start JBoss Portal with ./run.sh -c josso-01 -b 127.0.1.2 instead of ./run.sh -c josso-01 -b josso-01, and use IP addresses in your configuration files too).

  2. Create a JBoss AS configuration called josso-01 and deploy JBoss Portal and JOSSO to it. We assume that you did the previous scenario 2.2 and have JBoss Portal with JOSSO properly configured in your default configuration, so the only thing you have to do is copy the default configuration to the new josso-01 configuration. This can be done with the command

    cp -r $JBOSS_HOME/server/default $JBOSS_HOME/server/josso-01

    on Linux systems.

  3. Create a JBoss AS configuration called josso-02 and deploy JBoss Portal to it. Before installing the JOSSO agent, start josso-02 once without the -Dorg.apache.commons.logging.LogFactory option so that the CMS is initialized properly, then stop it. Afterwards we will configure this portal to authenticate against the JOSSO on the josso-01 host.

  4. Deploy the JOSSO agent to the josso-02 configuration. Use josso-gsh in the same way as described in 2.1, step 4. The only difference is that you deploy only the agent, not the gateway. Install the JOSSO agent with the command:

    agent install --target $JBOSS_HOME --jboss-instance josso-02 --platform jb42

  5. Configure your JBoss Portal on josso-02 to authenticate with the JOSSO server on josso-01: perform steps 6, 8, 9 and 10 of scenario 2.1 in the josso-02 configuration.

  6. Configure the JOSSO agent on josso-02 against the JOSSO gateway on josso-01. Edit $JBOSS_HOME/server/josso-02/conf/josso-agent-config.xml and configure it for the JBoss Portal application. Your <agent:partner-apps> element should contain this:

    <agent:partner-apps>
       <agent:partner-app id="jboss_portal" context="/portal"/>
    </agent:partner-apps>

    And the gateway should be configured this way:

    <!-- Gateway LOGIN and LOGOUT URLs -->
    <gatewayLoginUrl>https://josso-01:8443/josso/signon/login.do</gatewayLoginUrl>
    <gatewayLogoutUrl>https://josso-01:8443/josso/signon/logout.do</gatewayLogoutUrl>
    
    <!-- Gateway service locator -->
    <gatewayServiceLocator>
       <!-- Other properties for ws-service-locator :
        username, password, servicesWebContext, transportSecurity
       -->
       <protocol:ws-service-locator endpoint="josso-01:8443" transportSecurity="confidential" />
    </gatewayServiceLocator>

  7. Generate a new self-signed certificate for the host josso-01, because the previous certificate had a CN attribute with the value localhost. We now use the host josso-01 for this configuration, so we have to generate a new certificate with the CN value josso-01.

    Go to the directory $JBOSS_HOME/server/josso-01/conf and delete the file server.keystore if it exists there. Then generate a new certificate with the command

    keytool -genkey -alias jbosskey -keypass changeit -keyalg RSA -keystore server.keystore

    Answer changeit as the keystore password and josso-01 to the question about your first and last name (this becomes the CN). The other answers are not so important.

  8. For secure communication between the web services on the josso-01 side (gateway) and the josso-02 side (agent) you need to enable SSL in josso-02 too. Go through steps 1, 2 and 3 of the CAS guide, section 1.2, but use the josso-02 configuration instead of default and use the CN josso-02 when generating the certificate with keytool.

  9. Configure the JOSSO agent on josso-01 against the JOSSO gateway on josso-01. Edit $JBOSS_HOME/server/josso-01/conf/josso-agent-config.xml as follows:

    <!-- Gateway LOGIN and LOGOUT URLs -->
    <gatewayLoginUrl>https://josso-01:8443/josso/signon/login.do</gatewayLoginUrl>
    <gatewayLogoutUrl>https://josso-01:8443/josso/signon/logout.do</gatewayLogoutUrl>
    
    <!-- Gateway service locator -->
    <gatewayServiceLocator>
       <!-- Other properties for ws-service-locator :
        username, password, servicesWebContext, transportSecurity
       -->
       <protocol:ws-service-locator endpoint="josso-01:8443" transportSecurity="confidential" />
    </gatewayServiceLocator>

  10. Run the josso-01 configuration bound to the josso-01 host:

    ./run.sh -c josso-01 -b josso-01 -Djavax.net.ssl.trustStore=$JBOSS_HOME/server/josso-01/conf/server.keystore

  11. Run the josso-02 configuration bound to the josso-02 host. It has to trust the certificate of the josso-01 host, so the trust store points at the josso-01 keystore:

    ./run.sh -c josso-02 -b josso-02 -Djavax.net.ssl.trustStore=$JBOSS_HOME/server/josso-01/conf/server.keystore

  12. Test SSO. Go to http://josso-01:8080/portal and click the Login link. You should be redirected to the JOSSO login page at https://josso-01:8443/josso/signon/login.do?josso_back_to=http://josso-01:8080/portal/josso_security_check. You can also check the Remember me checkbox. After your credentials have been validated you are logged in and redirected back to the portal at http://josso-01:8080/portal/auth/portal/default. Now try the second JBoss Portal on the josso-02 host: go to http://josso-02:8080/portal and click the Login link. You are redirected directly to http://josso-02:8080/portal/auth/portal/default without having to enter any credentials, and you can see that you are logged in on josso-02 as the same user as on josso-01.

You can use JOSSO for authentication across many different web applications on different hosts. The only requirement is that all these applications are configured against the same JOSSO server and are configured properly.

2.4. Integration of JOSSO, JBoss Portal and third-party web application

In the next scenario we deploy a sample application and check that after logging in to this application you are logged in to JBoss Portal too. JOSSO comes with a sample application called Partner application, which we use in this scenario. Go through these steps (assuming that you did the previous scenario 2.3):

  1. Install the sample JOSSO partner application. Use josso-gsh in the same way as described in 2.1, step 4. Install the partner application with the command:

    samples install --target $JBOSS_HOME --jboss-instance josso-01 --platform jb42

  2. Enable both applications in the file $JBOSS_HOME/server/josso-01/conf/josso-agent-config.xml:

    <agent:partner-apps>
       <agent:partner-app id="jboss_portal" context="/portal"/>
       <agent:partner-app id="MyPartnerApp1" context="/partnerapp" />
    </agent:partner-apps>

  3. Test SSO. Go to http://josso-01:8080/partnerapp and click the Login link. You should be redirected to the JOSSO login page at https://josso-01:8443/josso/signon/login.do?josso_back_to=http://josso-01:8080/partnerapp/josso_security_check. You can also check the Remember me checkbox. After your credentials have been validated (use the same credentials as for logging in to JBoss Portal) you are logged in and redirected back to the partner application, where you can see that you are logged in. You have the same roles as the portal user with the same name, and you should be in the Authenticated role as well.

    Now try JBoss Portal. Go to http://josso-01:8080/portal and click the Login link. You are redirected directly to http://josso-01:8080/portal/auth/portal/default without having to enter any credentials, and you can see that you are logged in on josso-01 as the same user as in the partner application.

2.5. Integration of one JBoss Portal and one JOSSO server deployed on different hosts

The last scenario describes the situation where JBoss Portal is deployed on the host portal-host and the JOSSO server on a different host, josso-host. The configuration of this scenario is slightly different, especially the configuration of the JOSSO gateway: the gateway has to authenticate directly against the same database that JBoss Portal uses.

In this scenario we configure JBoss Portal with a database and configure JOSSO to access the same database directly. JOSSO comes with a set of standard identity stores, and we use one of them to bind to the MySQL database.

  1. Create new virtual hosts on your system with distinct names. In this scenario we use the names portal-host and josso-host. On Linux systems this can be done by adding these two lines

    127.0.1.6       portal-host
    127.0.1.8       josso-host

    to your /etc/hosts file. You need root privileges to do this. If you don't have them, use IP addresses instead of host names in the rest of this tutorial. In the following text, josso-host is the host where the JOSSO server is deployed (JBoss configuration josso-conf) and portal-host is the host where JBoss Portal is deployed (default configuration).

  2. Take a fresh JBoss AS or JBoss EAP (JBoss-4.2.3.GA works well). Then create a new configuration called josso-conf where JOSSO will be deployed. On Linux you can use this command:

    cp -r $JBOSS_HOME/server/default $JBOSS_HOME/server/josso-conf

  3. Deploy JBoss Portal 2.7.2 to the default configuration of JBoss AS. We assume that you use a MySQL database on localhost, so your datasource could look like this:

    <datasources>
      <local-tx-datasource>
        <jndi-name>PortalDS</jndi-name>
        <connection-url>jdbc:mysql://localhost/jboss_portal?jdbcCompliantTruncation=false</connection-url>
        <driver-class>com.mysql.jdbc.Driver</driver-class>
        <user-name>jboss_portal</user-name>
        <password>password</password>
      </local-tx-datasource>
    </datasources>

    You can use any database other than MySQL. The only important thing is that in the later steps of this scenario you configure JOSSO against the same database as JBoss Portal. Read Chapter 2 of the portal reference guide if you have trouble deploying JBoss Portal against a custom datasource.

  4. Install the JOSSO gateway to josso-conf and the JOSSO agent to the default configuration. The agent must be in the same configuration as JBoss Portal. Run this in josso-gsh:

    gateway install --target $JBOSS_HOME --jboss-instance josso-conf --platform jb42
    agent install --target $JBOSS_HOME --jboss-instance default --platform jb42

  5. Perform steps 6, 8, 9 and 10 of Section 2.1, “Integration of JBoss Portal and JOSSO deployed on the same host with usage of HTTP protocol” in the default configuration to enable JOSSO for JBoss Portal.

  6. Configure the JOSSO agent in default against the JOSSO gateway in josso-conf. Edit $JBOSS_HOME/server/default/conf/josso-agent-config.xml and configure it for the JBoss Portal application. Your <agent:partner-apps> element should contain this:

    <agent:partner-apps>
       <agent:partner-app id="jboss_portal" context="/portal"/>
    </agent:partner-apps>

    And the gateway should be configured this way (plain HTTP in this scenario, so no transportSecurity attribute is set):

    <!-- Gateway LOGIN and LOGOUT URLs -->
    <gatewayLoginUrl>http://josso-host:8080/josso/signon/login.do</gatewayLoginUrl>
    <gatewayLogoutUrl>http://josso-host:8080/josso/signon/logout.do</gatewayLogoutUrl>
    
    <!-- Gateway service locator -->
    <gatewayServiceLocator>
       <!-- Other properties for ws-service-locator :
        username, password, servicesWebContext, transportSecurity
       -->
       <protocol:ws-service-locator endpoint="josso-host:8080" />
    </gatewayServiceLocator>

  7. Now configure the JOSSO gateway. First edit $JBOSS_HOME/server/josso-conf/conf/josso-gateway-config.xml and uncomment josso-gateway-db-stores.xml in the Stores section:

    <!-- Identity, Session and Assertion Stores configuration -->
    
    <!--<s:import resource="josso-gateway-memory-stores.xml" />-->
    <s:import resource="josso-gateway-db-stores.xml" />
    <!--<s:import resource="josso-gateway-ldap-stores.xml" />-->

    In the Authenticator section, uncomment basic authentication; the other schemes can be commented out:

    <!-- ===================================================================== -->
    <!-- SSO Authenticator, all authentication schemes must be configured here -->
    <!-- ===================================================================== -->
    <def-auth:authenticator id="josso-authenticator">
      <def-auth:schemes>
         <!--<s:ref bean="josso-bind-authentication"/>-->
         
         <s:ref bean="josso-basic-authentication"/>
         <!--<s:ref bean="josso-strong-authentication"/>
         <s:ref bean="josso-rememberme-authentication"/>
         -->
         <!-- Others like NTLM and BIND go here -->
         
      </def-auth:schemes>
    </def-auth:authenticator>

  8. Configure the JOSSO gateway to authenticate against the database. Edit $JBOSS_HOME/server/josso-conf/conf/josso-gateway-db-stores.xml: comment out the db-istore:datasource-store section, then uncomment and configure the db-istore:jdbc-store. You need to set the database connection options and the SQL queries that the josso-db-identity-store uses (the queries below map JOSSO's expected column names onto the portal's jbp_* tables, and the UNION adds the Authenticated role to every user):

    <!--<db-istore:datasource-store id="josso-identity-store"
         dsJndiName="java:/DefaultDS"
         userQueryString="SELECT NAME FROM JOSSO_USER WHERE LOGIN = ?;"
         rolesQueryString="SELECT ROLE FROM JOSSO_USER_ROLE WHERE LOGIN = ?;"
         credentialsQueryString="SELECT LOGIN AS USERNAME, PASSWORD FROM JOSSO_USER WHERE LOGIN = ?;"
         userPropertiesQueryString="SELECT NAME, VALUE FROM JOSSO_USER_PROPERTY WHERE LOGIN = ?;"
         resetCredentialDml="UPDATE JOSSO_USER SET PASSWORD = ? WHERE LOGIN = ?;"
         relayCredentialQueryString="SELECT LOGIN FROM JOSSO_USER WHERE #?# = ?;" 
    />-->
    
    <db-istore:jdbc-store
                id="josso-identity-store"
                driverName="com.mysql.jdbc.Driver"
                connectionURL="jdbc:mysql://localhost:3306/jboss_portal"
                connectionName="jboss_portal"
                connectionPassword="password"
                userQueryString="SELECT jbp_uname AS NAME FROM jbp_users WHERE jbp_uname = ?;"
                rolesQueryString="SELECT jbp_roles.jbp_name AS ROLE FROM jbp_roles INNER JOIN jbp_role_membership AS jrm ON jrm.jbp_rid = jbp_roles.jbp_rid INNER JOIN jbp_users AS users ON users.jbp_uid = jrm.jbp_uid WHERE users.jbp_uname = ? UNION SELECT 'Authenticated' AS ROLE;"
                credentialsQueryString="SELECT jbp_uname AS USERNAME, jbp_password AS PASSWORD FROM jbp_users WHERE jbp_uname = ?;"
                userPropertiesQueryString="SELECT jbp_name AS NAME, jbp_value AS VALUE FROM jbp_user_prop AS props INNER JOIN jbp_users AS users ON users.jbp_uid = props.jbp_uid WHERE jbp_uname = ?;"
                resetCredentialDml="UPDATE jbp_users SET jbp_password = ? WHERE jbp_uname = ?;"
                relayCredentialQueryString="SELECT jbp_uname AS LOGIN FROM jbp_users WHERE #?# = ?;"
    />

  9. Configure $JBOSS_HOME/server/josso-conf/conf/josso-gateway-auth.xml. Uncomment and edit the basic authentication scheme:

    <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
    <!-- Basic Authentication Scheme                -->
    <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
    <basic-authscheme:basic-auth-scheme
           id="josso-basic-authentication"
           hashAlgorithm="MD5"
           hashEncoding="HEX"
           ignorePasswordCase="false"
           ignoreUserCase="false">
    
            <basic-authscheme:credentialStore>
                <s:ref bean="josso-identity-store"/>
            </basic-authscheme:credentialStore>
    
            <basic-authscheme:credentialStoreKeyAdapter>
                <s:ref bean="josso-simple-key-adapter"/>
            </basic-authscheme:credentialStoreKeyAdapter>
    
        </basic-authscheme:basic-auth-scheme>

    The bind authentication scheme should be commented out:

    <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
    <!-- BIND Authentication Scheme (normally LDAP) -->
    <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
    <!-- Requires a bindable credential store! -->
    <!-- name attribute is important and must not be changed -->
    <!--<bind-authscheme:bind-auth-scheme
             id="josso-bind-authentication"
             name="basic-authentication"
             hashAlgorithm="MD5"
             hashEncoding="HEX"
             ignorePasswordCase="false"
             ignoreUserCase="false">
    
    
         <bind-authscheme:credentialStore>
             <s:ref bean="josso-identity-store"/>
         </bind-authscheme:credentialStore>
    
         <bind-authscheme:credentialStoreKeyAdapter>
             <s:ref bean="josso-simple-key-adapter"/>
         </bind-authscheme:credentialStoreKeyAdapter>
    </bind-authscheme:bind-auth-scheme>-->
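    Before pointing the gateway at the real portal database, it is worth checking that the hash settings of step 9 (hashAlgorithm MD5, hashEncoding HEX) and the credentialsQueryString and rolesQueryString of step 8 actually fit the portal's user tables. The following Python example is added here and is not JOSSO or JBoss Portal code: it replays those two queries against a constructed in-memory sqlite copy of the three jbp_* tables and applies the same hash-and-compare check the basic-auth-scheme performs. It assumes, as the page's settings imply, that jbp_password holds the hex MD5 digest of the password; any table column beyond those the queries name is made up.

```python
import hashlib
import hmac
import sqlite3

# The two queries copied from the page's db-istore:jdbc-store (MySQL syntax that
# sqlite accepts unchanged, including the UNION that adds the Authenticated role).
CREDENTIALS_QUERY = (
    "SELECT jbp_uname AS USERNAME, jbp_password AS PASSWORD "
    "FROM jbp_users WHERE jbp_uname = ?;"
)
ROLES_QUERY = (
    "SELECT jbp_roles.jbp_name AS ROLE FROM jbp_roles "
    "INNER JOIN jbp_role_membership AS jrm ON jrm.jbp_rid = jbp_roles.jbp_rid "
    "INNER JOIN jbp_users AS users ON users.jbp_uid = jrm.jbp_uid "
    "WHERE users.jbp_uname = ? UNION SELECT 'Authenticated' AS ROLE;"
)


def portal_hash(password: str, ignore_password_case: bool = False) -> str:
    """hashAlgorithm="MD5", hashEncoding="HEX": hex MD5 digest of the password.

    Assumption: this is the format JBoss Portal keeps in jbp_password (the page's
    basic-auth-scheme settings imply it). ignorePasswordCase folds the password
    before hashing, which is the only way a case-insensitive match can work on a hash.
    """
    if ignore_password_case:
        password = password.lower()
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the portal tables the two queries touch."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE jbp_users (
            jbp_uid INTEGER PRIMARY KEY, jbp_uname TEXT UNIQUE, jbp_password TEXT);
        CREATE TABLE jbp_roles (jbp_rid INTEGER PRIMARY KEY, jbp_name TEXT);
        CREATE TABLE jbp_role_membership (jbp_uid INTEGER, jbp_rid INTEGER);
        """
    )
    # The default portal accounts named on the page (admin/admin, user/user), stored hashed.
    conn.executemany(
        "INSERT INTO jbp_users VALUES (?, ?, ?)",
        [(1, "admin", portal_hash("admin")), (2, "user", portal_hash("user"))],
    )
    conn.executemany("INSERT INTO jbp_roles VALUES (?, ?)", [(1, "Admin"), (2, "User")])
    # admin is in Admin and User; user is in User only.
    conn.executemany(
        "INSERT INTO jbp_role_membership VALUES (?, ?)", [(1, 1), (1, 2), (2, 2)]
    )
    conn.commit()
    return conn


def authenticate(conn, username, password, ignore_password_case=False):
    """Mimic the basic-auth-scheme check.

    Returns the sorted list of roles on success, None on unknown user or bad password.
    Note: sqlite compares jbp_uname case-sensitively; MySQL's default collations do
    not, which is what the gateway's ignoreUserCase setting is concerned with.
    """
    row = conn.execute(CREDENTIALS_QUERY, (username,)).fetchone()
    if row is None:
        return None  # unknown user: the gateway cannot issue an assertion
    stored_user, stored_hash = row
    supplied = portal_hash(password, ignore_password_case)
    # Constant-time comparison of the hex digests; stored hex may be upper or lower case.
    if stored_user != username or not hmac.compare_digest(
        supplied, (stored_hash or "").lower()
    ):
        return None
    roles = [role for (role,) in conn.execute(ROLES_QUERY, (username,))]
    return sorted(roles)


if __name__ == "__main__":
    db = build_sample_db()
    print("admin/admin ->", authenticate(db, "admin", "admin"))
    print("admin/wrong ->", authenticate(db, "admin", "wrong"))
```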

  10. Don't forget to add the MySQL JDBC driver to the $JBOSS_HOME/server/josso-conf/deploy/josso.war/WEB-INF/lib directory.

  11. Start both JBoss AS configurations, each bound to its own host. First the default configuration with JBoss Portal:

    ./run.sh -c default -b portal-host

    and then the josso-conf configuration with JOSSO:

    ./run.sh -c josso-conf -b josso-host

  12. Test the integration. Go to http://portal-host:8080/portal and try to log in. You should be redirected to the JOSSO server at http://josso-host:8080/josso/signon/login.do?josso_back_to=http://portal-host:8080/portal/josso_security_check and be able to log in with the default portal credentials.

2.6. FAQ

First take a look at the CAS FAQ in the previous chapter; many of its scenarios apply to JOSSO as well.

Which versions of JBoss Portal and JOSSO should I use?

All scenarios were tested with the JBoss Portal 2.7.2 branch (http://anonsvn.jboss.org/repos/portal/branches/JBoss_Portal_Branch_2_7) deployed on JBoss AS 4.2.3.GA. The JOSSO version is 1.8.0. The configuration differs if you use different versions of the components: for JOSSO 1.7.0 the configuration is very different, and JBoss Portal 2.7.1 integrates only with JOSSO 1.7.0.

I have JBoss Portal configured against LDAP and I want to use a JOSSO server for authentication deployed on a different host than the Portal

You can use the LDAP identity store instead of the database identity store described in 2.5. Take a look at http://www.josso.org/confluence/display/JOSSO1/josso-ldap-identitystore for more information.

I have JBoss Portal integrated with JOSSO, but the JOSSO server is unreachable right now

That's bad: when you attempt to log in you are redirected to the JOSSO login screen, and if that screen is unreachable you end up with a 404 error. So you cannot log in while the JOSSO server is down.

How does JBoss Portal behave when a session timeout occurs?

When a session timeout occurs in JBoss Portal, the session is invalidated. But after clicking a link in JBoss Portal, the user is logged in again directly without having to enter any credentials. The reason is that if the JOSSO gateway still has a cookie with your credentials, the gateway informs the JOSSO agent and the system logs you in directly. You are not forced to enter your credentials again, so you are logged in even though the session attributes (and all portlet session attributes in portlet scope or application scope) have been deleted.