Hey Jim,

Finally got a chance to play with your wars, and things work as I expect -- but 
not as you want :(

The issue is that the Principal does not get propagated around the cluster; the 
username and password do. Two reasons for this:

1) Principal does not extend Serializable, thus you can't count on being able 
to replicate it.
2) The security layer requires an authentication on each server -- replicating 
around a Principal that is the result of an authentication on another server 
won't cut it.

If when a failover occurs you request one of your wars w/ a login config, the 
replicated username/password can be used to transparently authenticate you.  
Thereafter you have a Principal on that server and all is well.

If you fail over to a war w/o a login config, there is no way to authenticate 
you on the new server. Hence a 403.

If I uncomment the error page element in the hello/hello2 web.xml, and then do 
a failover to one of those pages, I get redirected to main. I do not, however, 
have to log in to main -- the sso valve is able to log in for me, since main 
has a login config.

Perhaps you can create a custom authenticator for hello/hello2. 

In 4.0.4.CR2 there is the ability to pretty easily add your own authenticators. 
 See jbossweb-tomcat55.sar's server.xml and META-INF/jboss-service.xml for 
ideas on how to configure that (there is probably a wiki page too).

Get the org.apache.catalina.authenticator.NonLoginAuthenticator as a template 
to create your own, and replace the authenticate method with this:

import java.io.IOException;
import java.security.Principal;

import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

// Class name is a placeholder: copy NonLoginAuthenticator, rename it,
// and replace its authenticate() with the one below.
public class SsoReauthAuthenticator extends AuthenticatorBase {

    private static Log log = LogFactory.getLog(SsoReauthAuthenticator.class);

    // associate() and reauthenticateFromSSO() are inherited from AuthenticatorBase.
    public boolean authenticate(Request request,
                                Response response,
                                LoginConfig config)
        throws IOException {

        // Have we already authenticated someone?
        Principal principal = request.getUserPrincipal();
        String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
        if (principal != null) {
            if (log.isDebugEnabled())
                log.debug("Already authenticated '" +
                    principal.getName() + "'");
            // Associate the session with any existing SSO session
            if (ssoId != null)
                associate(ssoId, request.getSessionInternal(true));
            return (true);
        }

        // Is there an SSO session against which we can try to reauthenticate?
        if (ssoId != null) {
            if (log.isDebugEnabled())
                log.debug("SSO Id " + ssoId + " set; attempting " +
                          "reauthentication");
            // Try to reauthenticate using data cached by SSO.
            if (reauthenticateFromSSO(ssoId, request))
                return true;
        }

        // No principal + no SSO = reject!
        return false;

    }
}

Note I haven't tried that; just a suggestion :)

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3935706#3935706

JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user