Here are some of my observations.
An SSOValve GBean created as part of the application needs to be connected to TomcatEngine so that SSO works. To do so, either the FirstValve in TomcatEngine needs to be replaced with this SSOValve or a "NextValve" attribute should be added to the FirstValve and it should be made point to the SSOValve. I guess there is only one TomcatEngine GBean in the server and I don't think it should be modified to suit the needs of two or more applications that need SSO.
Other way is to have multiple hosts defined in the tomcar plan and and one of them could have an SSOValve in the chain. All apps that want SSO can use that host.
In either case, the server needs to built with SSOValve GBean.
With what G provides right now, there is noway that an SSOValve GBean is created as part of an application and hooked to the TomcatEngine.
Comments?
Thanks,
Vamsi
On 8/2/06, Krishnakumar B <[EMAIL PROTECTED]> wrote:
Hi Joe,
I have also tried this and was able to get it to work by doing a build
with SSOValve GBean open.
Refer to earlier post :
http://www.nabble.com/SSO-in-Tomcat-tf1478623.html#a4001647
I was not able to get it to work by deploying a new Valve along with 2
web applications that need SSO.
Regards
Krish.
On 8/1/06, Joe O'Pecko <[EMAIL PROTECTED] > wrote:
> I know this has been discussed in the past, and I
> apologize for the lengthy inquiry, however, I have
> been trying unsuccessfully to get SSO working with
> Tomcat on Geronimo v1.0 for some time. I am deploying
> an application as an ear file with two war files
> contained within. My geronimo-application.xml file
> contains a definition for a JAAS Security Realm and
> the two WAR file's geronimo-web.xml reference it via
> security-realm-name elements. Once deployed each web
> application challenges the user upon first access,
> using the configured JAAS LoginModule. I'd like to
> establish a SSO trust between the two web
> applications, if possible, so that a user is only
> challenged once for both web applications.
>
> I've seen a previous post on this site entitled Single
> Sign On : Tomcat in Geronimo
> (http://tinyurl.com/lkgjy) which seemed to provide
> some information. Basically, it suggested the addition
> of a SSOValve GBean to the geronimo-web.xml file. As
> suggested, I've added the SSOValve to each
> geronimo-web.xml and confirmed that I could see them
> running in the deploy-tool web application. However,
> each application has its own SSOValve GBean running
> which leads me to believe that they do not share
> anything between them.
>
> I've also seen Aaron Mulder's website which states
> that Geronimo does not natively support web-based
> single sign-on across web sites
> (http://tinyurl.com/qa9bl).
>
> So is it possible to provide Single Sign On accross
> web applications? I've attached my config files below
> if it helps.
>
> Thanks in advance for any help and information you can
> provide.
>
> Joe
>
> ---begin geronimo-application.xml---
> <?xml version="1.0" encoding="UTF-8"?>
>
> <application
>
> xmlns="http://geronimo.apache.org/xml/ns/j2ee/application"
>
> xmlns:sec=" http://geronimo.apache.org/xml/ns/security-1.1"
> configId="com/foo/test"
> parentId="geronimo/j2ee-server/1.0/car">
>
> <dependency>
> <groupId>log4j</groupId>
> <artifactId>log4j</artifactId>
> <version>1.2.8</version>
> </dependency>
>
> <sec:security>
> <sec:default-principal realm-name="foo-realm">
> <sec:principal
>
> class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
> name="anonymous"/>
> </sec:default-principal>
> <sec:role-mappings>
> <!--
> this mapping maps all users in the
> registeredUsers group to registered-users role
> defined in web.xml
> -->
> <sec:role role-name="FOO_ADMIN">
> <sec:realm realm-name="foo-realm">
> <sec:principal
>
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> name="foo_admin"/>
> </sec:realm>
> </sec:role>
> <sec:role role-name="FOO_USER">
> <sec:realm realm-name="foo-realm">
> <sec:principal
>
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> name="foo_user"/>
> </sec:realm>
> </sec:role>
>
> </sec:role-mappings>
> </sec:security>
>
> <gbean name="foo-realm"
> class="org.apache.geronimo.security.realm.GenericSecurityRealm">
> <!--
> this is the name of the Security Realm as
> well as the name
> of the configuration entry used by the
> application
> -->
> <attribute
> name="realmName">foo-realm</attribute>
>
> <!--
> reference to the head of the login module
> use list
> -->
> <reference name="LoginModuleConfiguration">
> <name>foo-login</name>
> </reference>
>
> <reference name="ServerInfo">
>
> <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
> </reference>
>
> <reference name="LoginService">
>
> <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
> </reference>
> </gbean>
>
> <!--
> this is the head of the login module use list
> -->
> <gbean name="foo-login"
> class=" org.apache.geronimo.security.jaas.JaasLoginModuleUse">
> <!-- login module must succeed -->
> <attribute
> name="controlFlag">REQUIRED</attribute>
>
> <!-- reference to the login module -->
> <reference name="LoginModule">
> <name>foo-login</name>
> </reference>
> </gbean>
>
> <!-- the login module GBean -->
> <gbean name="foo-login"
> class="org.apache.geronimo.security.jaas.LoginModuleGBean">
> <attribute name="loginModuleClass">
> com.foo.FooLoginModule
> </attribute>
> <attribute name="serverSide">true</attribute>
> <attribute
> name="loginDomainName">foo-realm</attribute>
> </gbean>
>
> <gbean name="FooServer"
> class="com.foo.FooServerGBean"
>
> gbeanName="com.foo.fooserver:type=Server,name=GUIServer">
> <attribute name="baseDirectory"
> type="java.lang.String">
> /home/foo
> </attribute>
> </gbean>
> </application>
> ----end geronimo-application.xml----
>
>
> ---begin first geronimo-web.xml---
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app
>
> xmlns=" http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
> configId="com/foo/contextOne">
>
> <context-root>/contextOne</context-root>
>
> <context-priority-classloader>false</context-priority-classloader>
>
>
> <container-config>
> <!-- Tomcat-specific container declarations
> -->
> <tomcat
> xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
> <valve-chain>SSOValve</valve-chain>
> </tomcat>
> </container-config>
>
>
> <security-realm-name>netcool-realm</security-realm-name>
>
> <gbean name="SSOValve"
> class=" org.apache.geronimo.tomcat.ValveGBean">
> <attribute name="className">
>
> org.apache.catalina.authenticator.SingleSignOn
> </attribute>
> </gbean>
>
> </web-app>
> ----end first geronimo-web.xml----
>
>
> ---begin second geronimo-web.xml---
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app
>
> xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
> configId="com/foo/contextTwo">
>
> <context-root>/contextTwo</context-root>
>
> <context-priority-classloader>false</context-priority-classloader>
>
>
> <container-config>
> <!-- Tomcat-specific container declarations
> -->
> <tomcat
> xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
> <valve-chain>SSOValve</valve-chain>
> </tomcat>
> </container-config>
>
>
> <security-realm-name>netcool-realm</security-realm-name>
>
> <gbean name="SSOValve"
> class=" org.apache.geronimo.tomcat.ValveGBean">
> <attribute name="className">
>
> org.apache.catalina.authenticator.SingleSignOn
> </attribute>
> </gbean>
>
> </web-app>
> ----end second geronimo-web.xml----
>
>
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
