[Acegisecurity-developer] Extend J2EE Form authentication to achieve container based Single Sign-On

2006-10-23 Thread Jin Peng
Hi,

I am doing a project that uses Acegi in the Web container level, so that Acegi becomes complementary to the J2EE container based security model. The goal is that Web applications can use J2EE security features such as Form authentication and role based access control together with Acegi enabled security features with minimum changes.

Here I introduce how Single Sign-On (SSO) can be done on the Web container level by extending the J2EE FORM based authentication.

Problem to solve:

To achieve SSO in a Web application, we need to cover two use cases:

Use Case 1. An HTTP request without a valid SSO token needs to be redirected to the common login page; once the authentication has succeeded, an SSO token is issued to the corresponding Web client. The Web client is then redirected back to the original Web container. The Web container tries to validate the SSO token and recreate the authentication context from the SSO token as explained in scenario 2 below. After that the "original HTTP request" is processed. Notice it is the "original HTTP request" that should be processed. For example, if the Web client asks for https://x.x.x.x/worldHistoryByYear/2006, the HTTP response content being returned to the Web client after successful authentication should be https://x.x.x.x/worldHistoryByYear/2006, not the index.jsp file for https://x.x.x.x

Use Case 2. An HTTP request with a valid SSO token tries to access a Web container. The Web container detects there is no valid session id for the Web client. The Web container tries to validate the SSO token and recreate the authentication context from the SSO token. The Web container creates a new session for the Web client, then the "HTTP request" is processed.

Existing CAS-ACEGI based SSO solution: WAR designers have to add/modify ACEGI and CAS specific filters and other Spring bean stuff in their web.xml and Spring application context file. In short, all the WAR files must be ACEGI enabled even if they just want to achieve SSO.

Goal of container based SSO solution: WAR files designed for a normal J2EE environment can be deployed into the Web container and SSO is enabled automatically for the WAR files by default. Decouple the specific SSO technologies being used from WAR files. For example, we should be able to switch from CAS to JOSSO without affecting the

How the container based SSO extends the J2EE form authentication:

J2EE FORM authentication is a passive authentication model very similar to the above scenario 1. The difference is that in SSO mode, the login page is typically provided by an external servlet that takes the original Web container's URL as some kind of "goto" query string parameter. Here is roughly how J2EE form authentication works (based on Tomcat source code):

1. An unauthenticated HTTP request tries to access a protected resource.
2. The FORM authenticator saves the "original HTTP request".
3. The FORM authenticator redirects the Web client to the login page.
4. When the login page is submitted, the FORM authenticator uses a special filter to intercept the HTTP request for URL /j_security_check?j_username=someName&j_password=anyPassword.
5. If the given user name and password are correct, the FORM authenticator restores the "original HTTP request" so that it can be processed after authentication.

To extend the FORM authentication work flow for container based SSO, the following steps are required.

1. In web.xml, point the FORM login page to a special servlet "loginProxy". This is the only change required for WAR files. Notice if you are using Tomcat like me, you can modify the generic web.xml on the container level, then you don't need to touch each individual WAR file as long as they don't override the generic web.xml settings.

2. The logic of the "loginProxy" servlet goes like this:

If the current HTTP request contains the SSO token, redirect to j_security_check?j_username=x&j_password=x. Notice the values of the user name and password are not important in this case. We just give some dummy values here.

If the current HTTP request does NOT contain the SSO token, redirect to the central SSO token issuer's login page. The URL of the central login page should be configurable, for example "https://ssoIssuer.com/loginServlet?goto=". The value of the "goto" parameter is "current base URL" + current httpRequest.getContextPath() + "/j_security_check?j_username=x&j_password=x"; notice the "/j_security_check?j_username=x&j_password=x" is critical to make sure the original HTTP request saved by the FORM authenticator is being processed after authentication.

On the Web container, an authentication provider must be provided so that:

If the current HTTP request contains the SSO token, ignore the user name and password submitted to j_security_check (in this case it is going to be the dummy values x and x anyway); instead, validate the SSO token and recreate the authentication context using the SSO token.

If the current HTTP request does NOT contain the SSO token, authenticate using the user name and password.
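The "loginProxy" servlet logic from the post above, written out as an added example (this is not code from the original message or from Tomcat/Acegi). The cookie name, the two init-params and the `LoginProxyServlet` class name are assumptions for illustration; the servlet only checks that a token is present, since validating it is the job of the container-side authentication provider described in the post:

```java
// Added example: the "loginProxy" servlet described in the post.
// Assumptions: the SSO token travels in a cookie whose name is given by the
// "ssoCookieName" init-param, and the central login URL (ending in "goto=")
// is given by the "centralLoginUrl" init-param. Neither is from the original.
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginProxyServlet extends HttpServlet {

    /** Dummy credentials; the container-side provider ignores them when an SSO token is present. */
    static final String SECURITY_CHECK = "/j_security_check?j_username=x&j_password=x";

    private String ssoCookieName;   // assumed init-param, e.g. "SSO_TOKEN"
    private String centralLoginUrl; // assumed init-param, e.g. "https://ssoIssuer.com/loginServlet?goto="

    public void init() throws ServletException {
        ssoCookieName = getInitParameter("ssoCookieName");
        centralLoginUrl = getInitParameter("centralLoginUrl");
        if (ssoCookieName == null || centralLoginUrl == null) {
            throw new ServletException("ssoCookieName and centralLoginUrl init-params are required");
        }
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.sendRedirect(buildRedirect(req, hasSsoToken(req)));
    }

    /** True when the request carries a non-empty SSO cookie; its value is validated later by the provider. */
    boolean hasSsoToken(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return false;
        }
        for (int i = 0; i < cookies.length; i++) {
            Cookie c = cookies[i];
            if (ssoCookieName.equals(c.getName()) && c.getValue() != null && c.getValue().length() > 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * Token present: go straight to j_security_check so the FORM authenticator
     * restores the saved original request. Token absent: send the client to the
     * central issuer, with "goto" pointing back at this context's j_security_check
     * so the saved original request is still processed after the central login.
     */
    String buildRedirect(HttpServletRequest req, boolean tokenPresent) throws IOException {
        String securityCheck = req.getContextPath() + SECURITY_CHECK;
        if (tokenPresent) {
            return securityCheck;
        }
        String base = req.getScheme() + "://" + req.getServerName() + ":" + req.getServerPort();
        return centralLoginUrl + URLEncoder.encode(base + securityCheck, "UTF-8");
    }
}
```

To wire it in, map the servlet in the (container-level or per-WAR) web.xml and set `<form-login-page>` to its path. Two points a reviewer would check in a real deployment: the "goto" value is built server-side from the request's own scheme/host/port, so the central issuer should still restrict the hosts it is willing to redirect back to; and because the dummy j_username/j_password are deliberately meaningless, the container-side provider must treat the presence of an SSO token as the only thing that matters and must reject the request when the token does not validate, rather than falling back to those dummy credentials.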

Re: [Acegisecurity-developer] OpenSSO integration... what do you think?

2006-11-05 Thread Jin Peng
I've done SSO with Sun Access Manager using Acegi, which I think is the commercial side of the JOSSO. I am thinking of a plug-in model to provide generic SSO solutions:

How about a framework that allows plug-ins to:

1. Retrieve SSO token from HTTP request (usually SSO cookie)
2. Validate SSO token
3. Recreate authentication context from a valid SSO token.
4. Terminate a SSO token (global sign off)

Cheers,
Jin

- Original Message
From: Ben Alex <[EMAIL PROTECTED]>
To: acegisecurity-developer@lists.sourceforge.net
Sent: Saturday, November 4, 2006 5:17:33 PM
Subject: Re: [Acegisecurity-developer] OpenSSO integration... what do you think?

Jose Luis Huertas Fernández wrote:
>
> I was thinking about developing a new module to integrate Acegi with
> OpenSSO (https://opensso.dev.java.net/) in a similar way that the
> existing CAS integration.
>

Hi Jose

You'd be very welcome to take this on. It would be good to add another SSO alternative to the present CAS and SiteMinder options. The other one is JOSSO, although I've not heard any demand from the community for JOSSO.

Cheers
Ben
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


Re: [Acegisecurity-developer] OpenSSO integration... what do you think?

2006-11-07 Thread Jin Peng
Thanks Ben,

I'll take a further look at the current CAS SSO code. I did the Single Sign On using a Tomcat Valve. Maybe I was reinventing the wheel after all. But my requirement was a little bit different. I need to enable SSO for all the WARs running in my Web container without changing the WAR files...

By the way I was wrong saying Sun Access Manager is related to JOSSO. It seems OpenSSO is actually from Sun.

Cheers,
Jin

- Original Message
From: Ben Alex <[EMAIL PROTECTED]>
To: acegisecurity-developer@lists.sourceforge.net
Sent: Tuesday, November 7, 2006 6:24:47 AM
Subject: Re: [Acegisecurity-developer] OpenSSO integration... what do you think?

Hi Jin

I think there are already plugin points for each of these steps.

Jin Peng wrote:
>
> 1. Retrieve SSO token from HTTP request (usually SSO cookie)

Authentication mechanism (usually a filter).

> 2. Validate SSO token
> 3. Recreate authentication context from a valid SSO token.

Authentication provider and generally an Authentication object to pass between the authentication mechanism and authentication provider.

> 4. Terminate a SSO token (global sign off)

Logout handler.

A couple of weeks ago I wrote the above at a client site and it took about twenty minutes (including unit tests). It could be simplified further by having an Authentication object contain a field to denote the source authentication mechanism class, and a general AuthenticationProvider which automatically accepts such objects (the authentication mechanism would still need to be written, but you could include an abstract method that contains the HttpServletRequest parameter and returns an Authentication object).

Cheers
Ben
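The three plug-in points Ben maps Jin's steps onto (mechanism filter, Authentication object, provider), sketched as an added example against the Acegi 1.0 API. This is not Ben's client-site code nor anything in the Acegi tree; the `SsoAuthenticationToken`, `SsoTokenValidator`, `AbstractSsoFilter`/`CookieSsoFilter` names, the "SSO_TOKEN" cookie name and the "ROLE_SSO_USER" authority are all assumptions for illustration. The abstract method on the filter is the one Ben describes: it takes the HttpServletRequest and returns an (unverified) Authentication object; the provider is what turns it into a trusted one.

```java
// Added example: filter -> Authentication object -> provider, per Ben's mapping.
// Assumed names: SsoAuthenticationToken, SsoTokenValidator, AbstractSsoFilter,
// CookieSsoFilter, cookie "SSO_TOKEN", authority "ROLE_SSO_USER".
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.AuthenticationProvider;

/** The Authentication object handed from the mechanism (filter) to the provider. */
class SsoAuthenticationToken implements Authentication {
    private final String principal;              // null until the provider has validated the token
    private final String rawToken;
    private final GrantedAuthority[] authorities;
    private final boolean authenticated;

    SsoAuthenticationToken(String rawToken) { this(null, rawToken, new GrantedAuthority[0], false); }
    SsoAuthenticationToken(String principal, String rawToken, GrantedAuthority[] auths, boolean ok) {
        this.principal = principal; this.rawToken = rawToken; this.authorities = auths; this.authenticated = ok;
    }
    public GrantedAuthority[] getAuthorities() { return authorities; }
    public Object getCredentials() { return rawToken; }
    public Object getDetails() { return null; }
    public Object getPrincipal() { return principal; }
    public String getName() { return principal; }
    public boolean isAuthenticated() { return authenticated; }
    public void setAuthenticated(boolean value) {
        // Only the provider may produce a trusted token, so nobody can flip this flag afterwards.
        if (value) throw new IllegalArgumentException("only the provider may mark an SSO token trusted");
    }
}

/** Assumed hook onto the actual SSO product: returns the user name for a valid token, else null. */
interface SsoTokenValidator { String validate(String rawToken); }

/** Steps 2 and 3: validate the token and recreate the authentication context. */
class SsoAuthenticationProvider implements AuthenticationProvider {
    private final SsoTokenValidator validator;
    SsoAuthenticationProvider(SsoTokenValidator validator) { this.validator = validator; }

    public boolean supports(Class clazz) { return SsoAuthenticationToken.class.isAssignableFrom(clazz); }

    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        String raw = (String) auth.getCredentials();
        String user = raw == null ? null : validator.validate(raw);
        if (user == null) throw new BadCredentialsException("SSO token missing, expired or invalid");
        GrantedAuthority[] auths = { new GrantedAuthorityImpl("ROLE_SSO_USER") }; // assumed role name
        return new SsoAuthenticationToken(user, raw, auths, true);
    }
}

/** Step 1: the mechanism. The abstract method maps the request to an unverified Authentication. */
abstract class AbstractSsoFilter implements Filter {
    private final AuthenticationManager authenticationManager;
    AbstractSsoFilter(AuthenticationManager manager) { this.authenticationManager = manager; }

    /** Returns an unauthenticated token built from the request, or null when no SSO token is present. */
    protected abstract Authentication extractAuthentication(HttpServletRequest request);

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && SecurityContextHolder.getContext().getAuthentication() == null) {
            Authentication candidate = extractAuthentication((HttpServletRequest) req);
            if (candidate != null) {
                try {
                    SecurityContextHolder.getContext().setAuthentication(authenticationManager.authenticate(candidate));
                } catch (AuthenticationException e) {
                    SecurityContextHolder.clearContext(); // bad token: continue as anonymous, never half-trusted
                }
            }
        }
        chain.doFilter(req, res);
    }
}

/** One concrete mechanism: token in a cookie. A header-based variant would only override this method. */
class CookieSsoFilter extends AbstractSsoFilter {
    static final String COOKIE = "SSO_TOKEN"; // assumed cookie name
    CookieSsoFilter(AuthenticationManager manager) { super(manager); }

    protected Authentication extractAuthentication(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (int i = 0; i < cookies.length; i++) {
            if (COOKIE.equals(cookies[i].getName())) return new SsoAuthenticationToken(cookies[i].getValue());
        }
        return null;
    }
}
```

Jin's step 4 (global sign off) is not shown; as Ben says it belongs in a logout handler, which would call the SSO product to revoke the token and then clear the security context. The design point worth noting is that a `SsoAuthenticationToken` created by the filter is always unauthenticated and cannot be promoted except by going through the provider, so a token that merely looks well-formed never reaches the secured layer as trusted.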


Re: [Acegisecurity-developer] Two proposals on acls

2007-03-05 Thread Jin Peng
In my project, I need more than 100 permissions for some secure objects, so I simply use a hash table to store each permission and its value.

For example, "PERM_reboot has value allow or deny", "PERM_patch has value allow or deny".

All you need is to implement your own AccessDecisionVoter so that it knows how to resolve the current secure object (or domain object); then, based on the prefix "PERM_", you know it is asking for an access control decision specific to the secure object.

I actually hook in the Sun Access Manager 7.0 to centralize the authorization decision making.

I cannot directly send the code until my company clears the way, but the idea is pretty straightforward.

Hope this helps,

Jin



- Original Message 
From: "Giles, Bear" <[EMAIL PROTECTED]>
To: acegisecurity-developer@lists.sourceforge.net
Sent: Tuesday, February 27, 2007 11:26:32 AM
Subject: [Acegisecurity-developer] Two proposals on acls

Two proposals on ACLs. Both straightforward, but I don't know if my employer would be happy with me sending actual patches.

1) AclImpl#isGranted() should use Permission#equals(Object) instead of explicitly comparing bit masks. The latter quietly ties the standard impl to specific Permission classes.

2) There can be an additional standard Permission, one that contains both a bit mask and a class (or classname). BasePermission gives you a set of global permissions, this new permission gives you a set of per-class permissions. Our project requires more than 32 permissions, but no individual class should ever require close to that number.

Bear
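The "PERM_" voter Jin describes, written out as an added example against the Acegi 1.0 `AccessDecisionVoter` interface. This is not Jin's (unreleased) code; the `PermissionTableVoter` and `PermissionSource` names, the string values "allow"/"deny" and the in-memory sample table are assumptions, and the `PermissionSource` stands in for whatever centralised decision point (an Access Manager client, in Jin's case) supplies the per-object permission table:

```java
// Added example: an AccessDecisionVoter that resolves "PERM_*" config attributes
// against a per-secure-object permission table (PERM_name -> "allow" | "deny").
// Assumed names: PermissionTableVoter, PermissionSource, the allow/deny strings
// and the sample table below. Targets the Acegi 1.0 API.
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.acegisecurity.Authentication;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.vote.AccessDecisionVoter;

public class PermissionTableVoter implements AccessDecisionVoter {

    static final String PREFIX = "PERM_";
    static final String ALLOW = "allow";

    /** Assumed abstraction over the central authority: the permission table for this principal and object. */
    public interface PermissionSource {
        Map getPermissions(Authentication auth, Object secureObject);
    }

    private final PermissionSource source;

    public PermissionTableVoter(PermissionSource source) { this.source = source; }

    /** Only attributes carrying the PERM_ prefix are ours; ROLE_ and the rest are left to other voters. */
    public boolean supports(ConfigAttribute attribute) {
        return attribute.getAttribute() != null && attribute.getAttribute().startsWith(PREFIX);
    }

    public boolean supports(Class clazz) { return true; }

    /**
     * Abstain when no PERM_ attribute is configured. Otherwise every PERM_ attribute
     * must map to "allow" in the table; a missing entry counts as deny, not abstain,
     * so an unknown permission name can never be granted by accident.
     */
    public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
        int result = ACCESS_ABSTAIN;
        Map table = null;
        for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
            ConfigAttribute attr = (ConfigAttribute) it.next();
            if (!supports(attr)) {
                continue;
            }
            if (table == null) {
                table = source.getPermissions(authentication, object); // one lookup per decision
            }
            String value = table == null ? null : (String) table.get(attr.getAttribute());
            if (!ALLOW.equals(value)) {
                return ACCESS_DENIED;
            }
            result = ACCESS_GRANTED;
        }
        return result;
    }

    /** Constructed sample table for illustration; a real source would query the central authority. */
    public static PermissionSource sampleSource() {
        return new PermissionSource() {
            public Map getPermissions(Authentication auth, Object secureObject) {
                Map perms = new HashMap();
                perms.put("PERM_reboot", "allow");
                perms.put("PERM_patch", "deny");
                return perms;
            }
        };
    }
}
```

With `sampleSource()`, a secure object configured with `PERM_reboot` is granted and one configured with `PERM_patch` (or with an undefined `PERM_shutdown`) is denied. Registering the voter under an `AffirmativeBased` or `UnanimousBased` manager alongside the usual `RoleVoter` keeps the role-based checks untouched, which is the decoupling Jin is after; the deny-on-missing rule in `vote()` is the part to keep when adapting this, since a table lookup that quietly abstains would let the decision fall through to whichever other voter happens to be configured.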