Re: Single Sign On with Geronimo 1.0
I could get SSO working on a server built with the SSOValve GBean in the Tomcat plan. In this case the application deployment plans needed no change, as mentioned in the post that Krish pointed to. Here are some of my observations.

An SSOValve GBean created as part of the application needs to be connected to the TomcatEngine so that SSO works. To do so, either the FirstValve in the TomcatEngine needs to be replaced with this SSOValve, or a NextValve attribute should be added to the FirstValve and made to point to the SSOValve. I guess there is only one TomcatEngine GBean in the server, and I don't think it should be modified to suit the needs of two or more applications that need SSO. The other way is to have multiple hosts defined in the Tomcat plan, and one of them could have an SSOValve in the chain. All apps that want SSO can use that host. In either case, the server needs to be built with the SSOValve GBean. With what G provides right now, there is no way that an SSOValve GBean is created as part of an application and hooked to the TomcatEngine.

Comments?

Thanks,
Vamsi

On 8/2/06, Krishnakumar B [EMAIL PROTECTED] wrote:
> Hi Joe,
>
> I have also tried this and was able to get it to work by doing a build with the SSOValve GBean open. Refer to the earlier post: http://www.nabble.com/SSO-in-Tomcat-tf1478623.html#a4001647
>
> I was not able to get it to work by deploying a new Valve along with 2 web applications that need SSO.
>
> Regards
> Krish.
>
> On 8/1/06, Joe O'Pecko [EMAIL PROTECTED] wrote:
> > I know this has been discussed in the past, and I apologize for the lengthy inquiry; however, I have been trying unsuccessfully to get SSO working with Tomcat on Geronimo v1.0 for some time.
> >
> > I am deploying an application as an EAR file with two WAR files contained within. My geronimo-application.xml file contains a definition for a JAAS Security Realm, and the two WAR files' geronimo-web.xml reference it via security-realm-name elements. Once deployed, each web application challenges the user upon first access, using the configured JAAS LoginModule.
> >
> > I'd like to establish an SSO trust between the two web applications, if possible, so that a user is only challenged once for both web applications. I've seen a previous post on this site entitled "Single Sign On : Tomcat in Geronimo" (http://tinyurl.com/lkgjy) which seemed to provide some information. Basically, it suggested the addition of an SSOValve GBean to the geronimo-web.xml file. As suggested, I've added the SSOValve to each geronimo-web.xml and confirmed that I could see them running in the deploy-tool web application. However, each application has its own SSOValve GBean running, which leads me to believe that they do not share anything between them. I've also seen Aaron Mulder's website, which states that Geronimo does not natively support web-based single sign-on across web sites (http://tinyurl.com/qa9bl).
> >
> > So is it possible to provide Single Sign On across web applications? I've attached my config files below if it helps.
> >
> > Thanks in advance for any help and information you can provide.
> >
> > Joe
> >
> > ---begin geronimo-application.xml---
> > <?xml version="1.0" encoding="UTF-8"?>
> > <application
> >     xmlns="http://geronimo.apache.org/xml/ns/j2ee/application"
> >     xmlns:sec="http://geronimo.apache.org/xml/ns/security-1.1"
> >     configId="com/foo/test"
> >     parentId="geronimo/j2ee-server/1.0/car">
> >
> >   <dependency>
> >     <groupId>log4j</groupId>
> >     <artifactId>log4j</artifactId>
> >     <version>1.2.8</version>
> >   </dependency>
> >
> >   <sec:security>
> >     <sec:default-principal realm-name="foo-realm">
> >       <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="anonymous"/>
> >     </sec:default-principal>
> >     <sec:role-mappings>
> >       <!-- this mapping maps all users in the registeredUsers group to
> >            registered-users role defined in web.xml -->
> >       <sec:role role-name="FOO_ADMIN">
> >         <sec:realm realm-name="foo-realm">
> >           <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="foo_admin"/>
> >         </sec:realm>
> >       </sec:role>
> >       <sec:role role-name="FOO_USER">
> >         <sec:realm realm-name="foo-realm">
> >           <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="foo_user"/>
> >         </sec:realm>
> >       </sec:role>
> >     </sec:role-mappings>
> >   </sec:security>
> >
> >   <gbean name="foo-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
> >     <!-- this is the name of the Security Realm as well as the name
> >          of the configuration entry used by the application -->
> >     <attribute name="realmName">foo-realm</attribute>
> >     <!-- reference to the head of the login module use list -->
> >     <reference name="LoginModuleConfiguration">
> >       <name>foo-login</name>
> >     </reference>
> >     <reference name="ServerInfo">
> >       <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
> >     </reference>
> >     <reference name="LoginService">
> >       <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
> >     </reference>
> >   </gbean>
> >
> >   <!-- this is the head of the login module use list -->
> >   <gbean name="foo-login" class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
> >     <!-- login module
Re: Single Sign On with Geronimo 1.0
You are right. By "server built with SSOValve", I meant to say it should be part of the Tomcat configuration.

Thanks,
Vamsi

On 8/7/06, Jeff Genender [EMAIL PROTECTED] wrote:
> Why does the server need to be built with the SSOValve?
>
> You should be able to connect the SSOValve to the TomcatEngine in the config.xml.
>
> Jeff
>
> Vamsavardhana Reddy wrote:
> > I could get SSO working on a server built with the SSOValve GBean in the Tomcat plan. In this case the application deployment plans needed no change, as mentioned in the post that Krish pointed to. Here are some of my observations.
> >
> > An SSOValve GBean created as part of the application needs to be connected to the TomcatEngine so that SSO works. To do so, either the FirstValve in the TomcatEngine needs to be replaced with this SSOValve, or a NextValve attribute should be added to the FirstValve and made to point to the SSOValve. I guess there is only one TomcatEngine GBean in the server, and I don't think it should be modified to suit the needs of two or more applications that need SSO. The other way is to have multiple hosts defined in the Tomcat plan, and one of them could have an SSOValve in the chain. All apps that want SSO can use that host. In either case, the server needs to be built with the SSOValve GBean. With what G provides right now, there is no way that an SSOValve GBean is created as part of an application and hooked to the TomcatEngine.
> >
> > Comments?
> >
> > Thanks,
> > Vamsi
> >
> > On 8/2/06, Krishnakumar B [EMAIL PROTECTED] wrote:
> > > Hi Joe,
> > >
> > > I have also tried this and was able to get it to work by doing a build with the SSOValve GBean open. Refer to the earlier post: http://www.nabble.com/SSO-in-Tomcat-tf1478623.html#a4001647
> > >
> > > I was not able to get it to work by deploying a new Valve along with 2 web applications that need SSO.
> > >
> > > Regards
> > > Krish.
Re: Single Sign On with Geronimo 1.0
Seeing your reply, I have to add the following to my original comments. I have tested SSO with two WebApps deployed as part of an EAR. I do not know if enabling SSO for Web Apps deployed independently requires any changes in their deployment plans.

Thanks,
Vamsi

On 8/7/06, Paul McMahan [EMAIL PROTECTED] wrote:
> I looked at using the Tomcat SSOValve for GERONIMO-973 and had a similar experience -- i.e. it works fine but may not be appropriate in many situations. As I recall, what it basically does is store the credentials in a cookie with higher-level scope, making it visible to all the applications in the server instead of just the one that was originally authenticated.
>
> Since logging into the admin console should not grant access to other applications deployed in the server, I ended up using a different approach for GERONIMO-973, which was to send all requests through a single context that acted as a proxy for the other context(s). This works for SSO across multiple WARs in an EAR but may not work for SSO across EARs. See the comments in GERONIMO-973 for details. Your idea for defining multiple hosts might be a clever way to work around that issue.
>
> As Jeff points out, it should not be necessary to rebuild the server to use the SSOValve (unless something has changed recently). I just enabled it in var/config/config.xml.
>
> Best wishes,
> Paul
>
> On 8/7/06, Jeff Genender [EMAIL PROTECTED] wrote:
> > Why does the server need to be built with the SSOValve?
> >
> > You should be able to connect the SSOValve to the TomcatEngine in the config.xml.
> >
> > Jeff
> >
> > Vamsavardhana Reddy wrote:
> > > I could get SSO working on a server built with the SSOValve GBean in the Tomcat plan. In this case the application deployment plans needed no change, as mentioned in the post that Krish pointed to. Here are some of my observations.
Re: Single Sign On with Geronimo 1.0
It shouldn't... If you apply the SSOValve at the host or engine level, then all web apps underneath will be using the SSOValve via inheritance.

Jeff

Vamsavardhana Reddy wrote:
> Seeing your reply, I have to add the following to my original comments. I have tested SSO with two WebApps deployed as part of an EAR. I do not know if enabling SSO for Web Apps deployed independently requires any changes in their deployment plans.
>
> Thanks,
> Vamsi
>
> On 8/7/06, Paul McMahan [EMAIL PROTECTED] wrote:
> > I looked at using the Tomcat SSOValve for GERONIMO-973 and had a similar experience -- i.e. it works fine but may not be appropriate in many situations. As I recall, what it basically does is store the credentials in a cookie with higher-level scope, making it visible to all the applications in the server instead of just the one that was originally authenticated.
> >
> > Since logging into the admin console should not grant access to other applications deployed in the server, I ended up using a different approach for GERONIMO-973, which was to send all requests through a single context that acted as a proxy for the other context(s). This works for SSO across multiple WARs in an EAR but may not work for SSO across EARs. See the comments in GERONIMO-973 for details. Your idea for defining multiple hosts might be a clever way to work around that issue.
> >
> > As Jeff points out, it should not be necessary to rebuild the server to use the SSOValve (unless something has changed recently). I just enabled it in var/config/config.xml.
> >
> > Best wishes,
> > Paul
> >
> > On 8/7/06, Jeff Genender [EMAIL PROTECTED] wrote:
> > > Why does the server need to be built with the SSOValve?
> > >
> > > You should be able to connect the SSOValve to the TomcatEngine in the config.xml.
> > >
> > > Jeff
> > >
> > > Vamsavardhana Reddy wrote:
> > > > I could get SSO working on a server built with the SSOValve GBean in the Tomcat plan.
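The engine-level wiring Vamsi describes (an SSOValve GBean chained behind the FirstValve through a NextValve reference, inherited by every host and web app under the engine as Jeff says) would look like the following Tomcat plan fragment. This is an added illustration, not a plan from the thread or from Geronimo's own distribution: the GBean classes `org.apache.geronimo.tomcat.ValveGBean` and `EngineGBean`, their `className`/`initParams` attributes and the engine's `TomcatValveChain` reference are recalled from Geronimo 1.x plans and should be checked against the copy in your own server, while `org.apache.catalina.authenticator.SingleSignOn` is Tomcat's standard SSO valve.

```xml
<!-- Added example (not from the thread): SSOValve chained into the
     TomcatEngine valve chain of a Geronimo 1.x Tomcat plan.
     Assumed from Geronimo 1.x plans: ValveGBean, EngineGBean, the
     className/initParams attributes and the TomcatValveChain reference.
     FirstValve, NextValve and TomcatEngine are the names used in the
     thread; org.apache.catalina.authenticator.SingleSignOn is Tomcat's. -->

<!-- Tomcat's SSO valve. It issues a JSESSIONIDSSO cookie, so a login to
     any web app covered by this valve is honoured by every other web app
     it covers; that is the scope concern Paul raises about the console. -->
<gbean name="SSOValve" class="org.apache.geronimo.tomcat.ValveGBean">
  <attribute name="className">org.apache.catalina.authenticator.SingleSignOn</attribute>
</gbean>

<!-- The existing first valve in the chain (an access log valve here);
     the only change is the NextValve reference pointing at SSOValve.
     Vamsi's other option is to point the engine straight at SSOValve
     instead of keeping this valve in front of it. -->
<gbean name="FirstValve" class="org.apache.geronimo.tomcat.ValveGBean">
  <attribute name="className">org.apache.catalina.valves.AccessLogValve</attribute>
  <attribute name="initParams">prefix=localhost_access_log.
    suffix=.txt
    pattern=common</attribute>
  <reference name="NextValve">
    <name>SSOValve</name>
  </reference>
</gbean>

<!-- The engine's remaining attributes and references (hosts, realm,
     class name) are unchanged and omitted here; it only needs to point
     at the head of the chain. Every host under the engine, and every
     web app under those hosts, inherits the chain. -->
<gbean name="TomcatEngine" class="org.apache.geronimo.tomcat.EngineGBean">
  <reference name="TomcatValveChain">
    <name>FirstValve</name>
  </reference>
</gbean>
```

Because the valve sits under the engine, the SSO cookie it issues is honoured by every web app on every host, which is the over-broad scope Paul objects to; Vamsi's alternative of a separate host for the apps that need SSO confines it to that host's apps (assuming the host GBean accepts the same valve-chain reference, which this example does not verify).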