This chapter describes how to set up SSO in JBoss Portal.
As an integration and aggregation platform, the portal already provides a form of SSO by itself: once you log into the portal you reach many systems through portlets under a single identity. In many cases, however, the portal infrastructure has to be integrated with other SSO-enabled systems. There are many Identity Management solutions on the market, and in most cases each SSO framework provides its own way of plugging into Java EE applications. For such custom configurations you need a good understanding of the JBoss Portal identity management and authentication mechanisms.
JBoss Application Server embeds Apache Tomcat as its default servlet container, and Tomcat has built-in SSO support in the form of a valve. The SingleSignOn valve caches, on the server side, the identity of a user who authenticates to one web application and then transparently authenticates that user to the other web applications on the same virtual host. The cache is keyed by a host-wide SSO cookie (JSESSIONIDSSO) rather than by any one application's session, so the sign-on stays effective across applications for as long as that SSO session is valid. It does not reach across virtual hosts, and it only shares authentication: each web application still evaluates its own security constraints against the cached principal and its roles.
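The following model of the valve is an added example, not JBoss or Tomcat code. It reproduces the valve's default behaviour (requireReauthentication="false"): the principal authenticated by the first application, with the roles that application's realm gave it, is reused by every other application on the host, and each application still applies its own role constraint. The identity stores are constructed; the portal's admin user is assumed to hold the roles Admin and User, and the jmx-console store mirrors the roles line from this chapter.

```python
"""Model of Tomcat's SingleSignOn valve in front of two web applications on
one virtual host (the portal and the jmx-console). Added example, not
container code; it follows the valve's default requireReauthentication="false"."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

SSO_COOKIE = "JSESSIONIDSSO"   # cookie name the real valve issues


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


@dataclass
class WebApp:
    """A web application whose security constraint requires one role for /*."""
    name: str
    required_role: str
    users: dict   # this app's own identity store: name -> (password, roles)

    def authenticate(self, username, password):
        entry = self.users.get(username)
        if entry is None or entry[0] != password:
            return None
        return Principal(username, frozenset(entry[1]))

    def authorize(self, principal):
        return self.required_role in principal.roles


@dataclass
class SingleSignOnValve:
    """Host-wide cache: SSO cookie value -> Principal of whoever logged in first."""
    cache: dict = field(default_factory=dict)

    def register(self, principal):
        token = secrets.token_hex(16)
        self.cache[token] = principal
        return token

    def lookup(self, cookies):
        return self.cache.get(cookies.get(SSO_COOKIE))


@dataclass
class Host:
    apps: dict
    valve: Optional[SingleSignOnValve] = None   # None models the Valve line left commented out

    def request(self, app_name, cookies, credentials=None):
        """Return (HTTP status, cookies to set): authenticate, then authorize,
        in the order the container does it."""
        app = self.apps[app_name]
        set_cookies = {}
        principal = self.valve.lookup(cookies) if self.valve else None
        if principal is None:
            if credentials is None:
                return 401, set_cookies        # challenge (BASIC or form login)
            principal = app.authenticate(*credentials)
            if principal is None:
                return 401, set_cookies
            if self.valve:
                set_cookies[SSO_COOKIE] = self.valve.register(principal)
        if not app.authorize(principal):       # authorization is still per application
            return 403, set_cookies
        return 200, set_cookies


def make_host(with_valve, jmx_role="Admin"):
    # Constructed identity stores (assumption: the portal admin holds Admin and User).
    portal_users = {"admin": ("admin", {"Admin", "User"}),
                    "joe": ("joe", {"User"})}
    jmx_users = {"admin": ("admin", {"JBossAdmin", "HttpInvoker", "Admin"})}
    return Host(apps={"portal": WebApp("portal", "User", portal_users),
                      "jmx-console": WebApp("jmx-console", jmx_role, jmx_users)},
                valve=SingleSignOnValve() if with_valve else None)


def portal_then_jmx(with_valve, user, password, jmx_role="Admin"):
    """Log into the portal, then open the jmx-console sending only the cookies
    the browser now holds. Returns the two status codes."""
    host = make_host(with_valve, jmx_role)
    cookies = {}
    first, new_cookies = host.request("portal", cookies, (user, password))
    cookies.update(new_cookies)
    second, _ = host.request("jmx-console", cookies)
    return first, second
```

Running portal_then_jmx(False, "admin", "admin") gives (200, 401): without the valve the jmx-console challenges again. With the valve it gives (200, 200). A portal user without the Admin role gets (200, 403): SSO signs them in but the jmx-console's constraint still rejects them. Requiring the stock role JBossAdmin instead gives (200, 403) even for admin, because the reused principal carries the roles the portal assigned, which is why the web.xml in this chapter asks for Admin.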
To enable the SSO valve in Tomcat, edit the $JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/server.xml file and uncomment the following line:
<Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
Let's look a little closer and configure SSO between the portal and another web application. As an example we'll use the jmx-console web application that ships with every JBoss Application Server installation. You can find more information on securing the jmx-console in the JBoss AS wiki.
Take a clean install of JBoss Application Server 4.0.5.GA
Edit the $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml file and make sure it contains the following:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application</description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Admin</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public</web-resource-name>
    <url-pattern>/public/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>jmx-console</realm-name>
</login-config>
<security-role>
  <role-name>Admin</role-name>
</security-role>
This secures the jmx-console web application with HTTP BASIC authentication and restricts access to users holding the Admin role. The stock configuration requires the role JBossAdmin; the example uses Admin so that the role name matches one the portal's admin user already holds, since with SSO the roles come from whichever application authenticated the user first.
Edit the $JBOSS_HOME/server/default/conf/props/jmx-console-roles.properties file so that it contains:
admin=JBossAdmin,HttpInvoker,Admin
This file is the simple identity store backing the jmx-console's authentication; the line puts the user admin into the Admin role alongside the stock JBossAdmin and HttpInvoker roles. The matching password comes from jmx-console-users.properties in the same directory.
Deploy JBoss Portal.
Run JBoss Application Server.
Now you can check that when you go to the portal and to the jmx-console you need to authenticate separately into each of those web applications.
Shut down the Application Server.
Edit the $JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/server.xml file and uncomment the following line:
<Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
Run JBoss Application Server.
Now if you log into the portal as user admin with password admin, you will not be asked for credentials again when you open the jmx-console. This works in both directions, because the valve caches whichever application authenticated the user first. Note that the cached identity now rides on the host-scoped JSESSIONIDSSO cookie, which the browser presents to every web application on that host: protect it as you would the portal session itself (serve both applications over HTTPS), since anyone holding that cookie is signed into every application the valve covers.
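The check below is an added example, not part of the chapter: it runs the procedure's final verification against a live server, requesting the jmx-console before and after a portal login and sending only cookies on the second request. It assumes the portal uses the servlet container's form login (j_security_check with j_username and j_password), triggered by first requesting a protected portal path; PORTAL_LOGIN_TRIGGER, PORTAL_LOGIN_ACTION and the field names are assumptions to adjust for your deployment.

```python
"""End-to-end check of the SSO hand-off from the portal to the jmx-console.
Added example, not part of the chapter. Assumptions: a server on
localhost:8080, user admin/admin, and a container form login for the portal
(j_security_check) reached by first requesting a protected portal path."""
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

SSO_COOKIE = "JSESSIONIDSSO"
BASE = "http://localhost:8080"
PORTAL_LOGIN_TRIGGER = BASE + "/portal/auth/"            # assumed protected portal path
PORTAL_LOGIN_ACTION = BASE + "/portal/j_security_check"   # assumed form-login action
JMX_CONSOLE = BASE + "/jmx-console/"


def status_of(opener, url, data=None):
    """HTTP status for one request; 4xx/5xx responses are returned, not raised."""
    try:
        with opener.open(url, data=data) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def has_sso_cookie(jar):
    """True once the valve has handed the browser a JSESSIONIDSSO cookie."""
    return any(cookie.name == SSO_COOKIE for cookie in jar)


def verdict(jmx_before_login, jmx_after_login, sso_cookie_seen):
    """Interpret the two jmx-console status codes observed around the portal login."""
    if jmx_before_login == 401 and jmx_after_login == 200 and sso_cookie_seen:
        return "sso-active"
    if jmx_before_login == 401 and jmx_after_login == 401:
        return "no-sso"      # valve still commented out, or the portal login failed
    if jmx_after_login == 403:
        return "sso-authenticated-but-missing-Admin-role"
    return "unexpected"


def check_sso(user="admin", password="admin"):
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    before = status_of(opener, JMX_CONSOLE)          # expect 401: BASIC challenge
    # Request a protected portal page first so the container saves it and
    # serves the login form; posting straight to j_security_check is rejected.
    status_of(opener, PORTAL_LOGIN_TRIGGER)
    form = urllib.parse.urlencode({"j_username": user, "j_password": password}).encode()
    status_of(opener, PORTAL_LOGIN_ACTION, data=form)
    after = status_of(opener, JMX_CONSOLE)           # cookies only, no credentials
    return verdict(before, after, has_sso_cookie(jar))


if __name__ == "__main__":
    print(check_sso())
```

Run it once with the Valve line commented out (expect no-sso) and once after uncommenting it (expect sso-active). A result of sso-authenticated-but-missing-Admin-role means the portal user signed in through the valve but does not carry the Admin role the jmx-console's web.xml requires.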