This chapter describes how to set up SSO in JBoss Portal.
The portal, as an integration and aggregation platform, provides a form of SSO by itself: once you log into the portal you gain access to many systems through portlets using a single identity. Still, in many cases you need to integrate the portal infrastructure with other SSO-enabled systems. There are many different identity management solutions on the market, and in most cases each SSO framework provides its own way to plug into a Java EE application. For custom configurations you need a good understanding of JBoss Portal's identity management and authentication mechanisms.
JBoss Application Server embeds Apache Tomcat as the default servlet container, and Tomcat provides built-in SSO support through a valve. The Single Sign On valve caches the authenticated user on the server side and transparently authenticates that user when they reach other web applications deployed on the same virtual host. The SSO state is tied to a host-wide session, identified by the JSESSIONIDSSO cookie, so SSO is effective for the lifetime of that session: it ends when the session expires or when the user logs out of any one of the participating applications, which invalidates the user's sessions in all of them.
To enable the SSO valve in Apache Tomcat, uncomment the following line
<Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
in the $JBOSS_HOME/server/default/deploy/jboss-web.deployer/server.xml file. The valve must be nested inside the <Host> element, not at Engine or Context level. More information can be found here.
Let's look a little closer and configure SSO between the portal and another web application. As an example we'll use the jmx-console web application that ships with every JBoss Application Server installation. You can find more information on how to secure the jmx-console in the JBoss AS wiki.
Take a clean install of JBoss Application Server
Edit the $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml file and make sure it contains the following content:
<security-constraint>
   <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <description>An example security config that only allows users with the role Admin to access the HTML JMX console web application</description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
      <role-name>Admin</role-name>
   </auth-constraint>
</security-constraint>
<security-constraint>
   <web-resource-collection>
      <web-resource-name>Public</web-resource-name>
      <url-pattern>/public/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
   </web-resource-collection>
</security-constraint>
<login-config>
   <auth-method>BASIC</auth-method>
   <realm-name>jmx-console</realm-name>
</login-config>
<security-role>
   <role-name>Admin</role-name>
</security-role>
This secures the jmx-console web application with BASIC browser authentication and restricts access to users holding the Admin role. Note that the constraint lists only GET and POST in <http-method>, so requests made with any other HTTP method are not covered by it; removing the <http-method> elements altogether makes the constraint apply to every method.
Edit the $JBOSS_HOME/server/default/conf/props/jmx-console-roles.properties file so that it contains:
admin=JBossAdmin,HttpInvoker,Admin
This file is the simple properties-based role store that the jmx-console security domain authenticates against (the matching passwords live in jmx-console-users.properties in the same directory). The line above gives the user admin the Admin role required by the web.xml constraint, so the same admin identity is recognised by both the portal and the jmx-console.
Deploy JBoss Portal
Run JBoss Application Server
Now you can check that when you go to
you have to authenticate separately to each of those web applications.
Shut down the Application Server
Uncomment the following line
<Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
in the $JBOSS_HOME/server/default/deploy/jboss-web.deployer/server.xml file. More information can be found here.
Run JBoss Application Server.
Now if you log into the portal as user admin with password admin, you won't be asked for credentials again when accessing the jmx-console. This should work in both directions: authenticating to the jmx-console first also logs you into the portal. Remember that admin/admin is a default test password in both identity stores and must be changed before the server is exposed to anything but a local test.
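Two checks for the procedure above, written here as an added example (they are not part of the JBoss Portal reference guide): sso_valve_enabled reads server.xml and reports whether the SingleSignOn valve is really active, that is, not still sitting inside an XML comment, which a plain grep would miss; sso_flow replays the manual test from the last step with curl, logging into the portal once and then opening the jmx-console with nothing but the resulting cookie jar. The server.xml fragments in the self-test are constructed for this example, and the portal URLs (/portal/auth/portal/default as a protected page, /portal/j_security_check as the FORM login action) and the admin/admin credentials are assumptions about a default deployment.

```shell
#!/bin/sh
# Added example, not part of the JBoss Portal reference guide.
#   sso_valve_enabled FILE         - is the SingleSignOn valve active in server.xml,
#                                    i.e. not still inside an XML comment?
#   sso_flow [BASE] [USER] [PASS]  - log into the portal once with curl and confirm
#                                    that the jmx-console then opens without a prompt.
# Portal URLs and admin/admin are assumptions about a default JBoss Portal deployment.

# Strip XML comments (single- and multi-line) before looking for the valve.
sso_valve_enabled() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    awk '
        BEGIN { inc = 0 }                       # inc: currently inside <!-- ... -->
        {
            line = $0; out = ""
            while (length(line) > 0) {
                if (inc) {
                    e = index(line, "-->")
                    if (e == 0) { line = ""; break }    # comment runs on to the next line
                    line = substr(line, e + 3); inc = 0
                } else {
                    s = index(line, "<!--")
                    if (s == 0) { out = out line; break }
                    out = out substr(line, 1, s - 1)
                    line = substr(line, s + 4); inc = 1
                }
            }
            print out
        }' "$f" |
    grep -Eq "className=[\"']org\.apache\.catalina\.authenticator\.SingleSignOn[\"']"
}

# Offline self-test on two constructed <Host> fragments: the valve as shipped
# (commented out) and the valve uncommented between two unrelated comments.
sso_valve_selftest() {
    commented=$(mktemp); active=$(mktemp)
    cat > "$commented" <<'EOF'
<Host name="localhost">
  <!--
  <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
  -->
</Host>
EOF
    cat > "$active" <<'EOF'
<Host name="localhost">
  <!-- Uncomment to enable single sign on across web applications -->
  <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
  <!-- <Valve className="org.apache.catalina.valves.AccessLogValve"/> -->
</Host>
EOF
    rc=0
    sso_valve_enabled "$commented" && rc=1      # must report: not enabled
    sso_valve_enabled "$active"    || rc=1      # must report: enabled
    rm -f "$commented" "$active"
    return $rc
}

# Replay the manual test: one FORM login to the portal, then jmx-console with only
# the cookie jar and no Authorization header. Expected: HTTP 401 without the valve
# (a fresh BASIC challenge), HTTP 200 with it.
sso_flow() {
    base="${1:-http://localhost:8080}"; user="${2:-admin}"; pass="${3:-admin}"
    jar=$(mktemp)
    # 1. Request a protected portal page (assumed path) so the container creates
    #    the session the FORM login is bound to.
    curl -s -o /dev/null -c "$jar" -b "$jar" "$base/portal/auth/portal/default"
    # 2. Post the credentials to the standard j_security_check action.
    curl -s -o /dev/null -c "$jar" -b "$jar" -L \
        --data-urlencode "j_username=$user" --data-urlencode "j_password=$pass" \
        "$base/portal/j_security_check"
    # 3. The valve announces the host-wide SSO session with the JSESSIONIDSSO cookie.
    if ! grep -q 'JSESSIONIDSSO' "$jar"; then
        echo "no JSESSIONIDSSO cookie: login failed or the valve is not active" >&2
        rm -f "$jar"; return 1
    fi
    # 4. jmx-console must now accept the SSO session instead of challenging again.
    code=$(curl -s -o /dev/null -w '%{http_code}' -b "$jar" "$base/jmx-console/")
    rm -f "$jar"
    echo "jmx-console answered HTTP $code"
    [ "$code" = "200" ]
}

case "${1:-}" in
    valve) sso_valve_enabled "$2" && echo "SingleSignOn valve is active in $2" ;;
    flow)  shift; sso_flow "$@" ;;
esac
```

Run it as "sh sso_check.sh valve $JBOSS_HOME/server/default/deploy/jboss-web.deployer/server.xml" before starting the server and "sh sso_check.sh flow http://localhost:8080" afterwards. Before the valve is uncommented the cookie jar never receives JSESSIONIDSSO and the jmx-console step reports 401; after it, the same request returns 200 without any credentials being sent a second time.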
This Single Sign On plugin enables seamless integration between JBoss Portal and the CAS Single Sign On framework. Details about CAS can be found here.
<Valve className="org.jboss.portal.identity.sso.cas.CASAuthenticationValve"
       casLogin="https://localhost/cas/login"
       casValidate="https://localhost/cas/serviceValidate"
       casServerName="localhost"
       authType="FORM" />
Update the valve options as follows:
<mbean code="org.jboss.portal.identity.sso.cas.CASAuthenticationService"
       name="portal:service=Module,type=CASAuthenticationService"
       xmbean-dd=""
       xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
   <xmbean/>
   <depends>portal:service=Module,type=IdentityServiceController</depends>
   <attribute name="HavingRole"></attribute>
</mbean>
This exposes a special service in JBoss Portal that can be leveraged by the CAS AuthenticationHandler when the CAS server is deployed on the same application server instance. That AuthenticationHandler is enabled in the next two steps.
<bean class="org.jboss.portal.identity.sso.cas.CASAuthenticationHandler" />
This can replace the default SimpleTestUsernamePasswordAuthenticationHandler, so this part of the config file can look as follows:
<property name="authenticationHandlers">
   <list>
      <!--
       | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
       | a server side SSL certificate.
       +-->
      <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
         <property name="httpClient" ref="httpClient" />
      </bean>
      <!--
       | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
       | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
       | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
       | local authentication strategy. You might accomplish this by coding a new such handler and declaring
       | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
       +-->
      <bean class="org.jboss.portal.identity.sso.cas.CASAuthenticationHandler" />
   </list>
</property>
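As an added example (not part of the JBoss Portal or CAS documentation), the following shell helper exercises the casValidate endpoint configured on the valve above, making the same serviceValidate call a CAS client such as this valve makes when the browser comes back from casLogin with a service ticket, and parsing the answer. The response format is the standard CAS 2.0 protocol rather than anything shown on this page; the ticket value, the service URL and the CA bundle path are assumptions you supply, and the endpoint defaults to the https://localhost/cas/serviceValidate value used above.

```shell
#!/bin/sh
# Added example, not part of the JBoss Portal or CAS documentation.
# Exercises the casValidate endpoint of the CASAuthenticationValve configuration:
# the same serviceValidate call a CAS client makes once the browser returns from
# casLogin with a service ticket. Ticket, service URL and CA bundle are assumptions.

CAS_VALIDATE="${CAS_VALIDATE:-https://localhost/cas/serviceValidate}"   # value used on this page

# Parse a CAS 2.0 serviceValidate response (standard protocol format).
# Prints the user and returns 0 on <cas:authenticationSuccess>;
# reports the failure code on stderr and returns 1 otherwise.
cas_user_from_response() {
    flat=$(printf '%s\n' "$1" | tr -d '\n\r')          # elements may span several lines
    case "$flat" in
        *'<cas:authenticationSuccess>'*)
            user=$(printf '%s\n' "$flat" | sed -n 's/.*<cas:user>\([^<]*\)<\/cas:user>.*/\1/p')
            [ -n "$user" ] || { echo "success response without <cas:user>" >&2; return 1; }
            printf '%s\n' "$user"
            return 0 ;;
        *'<cas:authenticationFailure'*)
            code=$(printf '%s\n' "$flat" | sed -n "s/.*<cas:authenticationFailure code=['\"]\([^'\"]*\)['\"].*/\1/p")
            echo "CAS rejected the ticket: ${code:-unknown code}" >&2
            return 1 ;;
        *)
            echo "not a CAS serviceValidate response" >&2
            return 1 ;;
    esac
}

# Validate TICKET for SERVICE against the CAS server. SERVICE must be exactly the
# service URL the valve sent to casLogin, otherwise CAS answers INVALID_SERVICE.
# CABUNDLE is the PEM file holding the CAS server's certificate chain.
cas_validate() {
    ticket="$1"; service="$2"; cabundle="${3:-}"
    set -- -s --get --data-urlencode "ticket=$ticket" --data-urlencode "service=$service"
    # Do not reach for curl -k: the valve's JVM has to trust this certificate as well
    # (casValidate is https://localhost), so test with the trust you are going to deploy.
    [ -n "$cabundle" ] && set -- "$@" --cacert "$cabundle"
    resp=$(curl "$@" "$CAS_VALIDATE") || { echo "could not reach $CAS_VALIDATE" >&2; return 2; }
    cas_user_from_response "$resp"
}

case "${1:-}" in
    validate) shift; cas_validate "$@" ;;
esac
```

Run it as "sh cas_check.sh validate ST-... https://<portal service url> /path/to/cas-ca.pem" with a ticket taken from the redirect that follows a successful casLogin. A printed user name means the portal host can reach the CAS server, trusts its certificate and the service URL matches; an INVALID_SERVICE or INVALID_TICKET code points at a mismatch between the URL the valve sends and the one CAS issued the ticket for, or at a ticket that has already been consumed.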
To test the integration:
JBoss Portal enables seamless integration with the JOSSO server. More details on JOSSO can be found here.
<Valve className="org.jboss.portal.identity.sso.josso.JOSSOLogoutValve"/>
<partner-apps>
   ...
   <partner-app>
      <context>/portal</context>
   </partner-app>
   ...
</partner-apps>
A complete config file can look as follows:
<?xml version="1.0" encoding="ISO-8859-1" ?>
<agent>
   <class>org.josso.jb4.agent.JBossCatalinaSSOAgent</class>
   <gatewayLoginUrl>http://localhost:8080/josso/signon/login.do</gatewayLoginUrl>
   <gatewayLogoutUrl>http://localhost:8080/josso/signon/logout.do</gatewayLogoutUrl>
   <service-locator>
      <class>org.josso.gateway.WebserviceGatewayServiceLocator</class>
      <endpoint>localhost:8080</endpoint>
   </service-locator>
   <partner-apps>
      <partner-app>
         <context>/partnerapp</context>
      </partner-app>
      <partner-app>
         <context>/portal</context>
      </partner-app>
   </partner-apps>
</agent>
<% response.sendRedirect(request.getContextPath() + "/josso_login/"); %>
(make sure to remove the Java-style comment '/* */' around it, not the XML one).
<mbean code="org.jboss.portal.identity.sso.josso.JOSSOIdentityServiceImpl"
       name="portal:service=Module,type=JOSSOIdentityService"
       xmbean-dd=""
       xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
   <xmbean/>
   <depends>portal:service=Module,type=IdentityServiceController</depends>
</mbean>
This exposes a special service in JBoss Portal that can be leveraged by the JOSSO Credential and Identity Stores when the JOSSO gateway is deployed on the same application server instance.
<!-- Basic Authentication Scheme -->
<authentication-scheme>
   <name>basic-authentication</name>
   <class>org.josso.auth.scheme.BindUsernamePasswordAuthScheme</class>
   <!-- ================================================= -->
   <!-- JBoss Portal Credential Store                     -->
   <!-- ================================================= -->
   <credential-store>
      <class>org.jboss.portal.identity.sso.josso.JOSSOIdentityStore</class>
   </credential-store>
   <!-- ================================================= -->
   <!-- Credential Store Key adapter                      -->
   <!-- ================================================= -->
   <credential-store-key-adapter>
      <class>org.josso.gateway.identity.service.store.SimpleIdentityStoreKeyAdapter</class>
   </credential-store-key-adapter>
</authentication-scheme>
<sso-identity-manager>
   <class>org.josso.gateway.identity.service.SSOIdentityManagerImpl</class>
   <!-- ================================================= -->
   <!-- JBoss Portal Identity Store                       -->
   <!-- ================================================= -->
   <sso-identity-store>
      <class>org.jboss.portal.identity.sso.josso.JOSSOIdentityStore</class>
   </sso-identity-store>
   <!-- ================================================= -->
   <!-- Identity Store Key adapter                        -->
   <!-- ================================================= -->
   <sso-identity-store-key-adapter>
      <class>org.josso.gateway.identity.service.store.SimpleIdentityStoreKeyAdapter</class>
   </sso-identity-store-key-adapter>
</sso-identity-manager>
To test the integration: