Why does the server need to be built with the SSOValve? You should be able to connect the SSOValve to the TomcatEngine in the config.xml.
Jeff Vamsavardhana Reddy wrote:
> I could get SSO working on a server build with SSOValve GBean in the
> tomcat plan. In this case the application deployment plans needed no
> change, as mentioned in the post that Krish pointed to.
>
> Here are some of my observations.
>
> An SSOValve GBean created as part of the application needs to be
> connected to TomcatEngine so that SSO works. To do so, either the
> FirstValve in TomcatEngine needs to be replaced with this SSOValve or a
> "NextValve" attribute should be added to the FirstValve and it should be
> made to point to the SSOValve. I guess there is only one TomcatEngine
> GBean in the server and I don't think it should be modified to suit the
> needs of two or more applications that need SSO.
>
> The other way is to have multiple hosts defined in the tomcat plan and
> one of them could have an SSOValve in the chain. All apps that want SSO
> can use that host.
>
> In either case, the server needs to be built with SSOValve GBean.
>
> With what G provides right now, there is no way that an SSOValve GBean
> is created as part of an application and hooked to the TomcatEngine.
>
> Comments?
>
> Thanks,
> Vamsi
>
> On 8/2/06, *Krishnakumar B* <[EMAIL PROTECTED]> wrote:
>
> Hi Joe,
>
> I have also tried this and was able to get it to work by doing a build
> with SSOValve GBean open.
>
> Refer to earlier post:
> http://www.nabble.com/SSO-in-Tomcat-tf1478623.html#a4001647
>
> I was not able to get it to work by deploying a new Valve along with 2
> web applications that need SSO.
>
> Regards
> Krish.
>
> On 8/1/06, Joe O'Pecko <[EMAIL PROTECTED]> wrote:
> > I know this has been discussed in the past, and I apologize for the
> > lengthy inquiry; however, I have been trying unsuccessfully to get SSO
> > working with Tomcat on Geronimo v1.0 for some time. I am deploying an
> > application as an ear file with two war files contained within. My
> > geronimo-application.xml file contains a definition for a JAAS Security
> > Realm and the two WAR files' geronimo-web.xml reference it via
> > security-realm-name elements. Once deployed, each web application
> > challenges the user upon first access, using the configured JAAS
> > LoginModule. I'd like to establish an SSO trust between the two web
> > applications, if possible, so that a user is only challenged once for
> > both web applications.
> >
> > I've seen a previous post on this site entitled Single Sign On : Tomcat
> > in Geronimo (http://tinyurl.com/lkgjy) which seemed to provide some
> > information. Basically, it suggested the addition of an SSOValve GBean
> > to the geronimo-web.xml file. As suggested, I've added the SSOValve to
> > each geronimo-web.xml and confirmed that I could see them running in
> > the deploy-tool web application. However, each application has its own
> > SSOValve GBean running, which leads me to believe that they do not
> > share anything between them.
> >
> > I've also seen Aaron Mulder's website, which states that Geronimo does
> > not natively support web-based single sign-on across web sites
> > (http://tinyurl.com/qa9bl).
> >
> > So is it possible to provide Single Sign On across web applications?
> > I've attached my config files below if it helps.
> >
> > Thanks in advance for any help and information you can provide.
> >
> > Joe
> >
> > ---begin geronimo-application.xml---
> > <?xml version="1.0" encoding="UTF-8"?>
> >
> > <application
> >     xmlns="http://geronimo.apache.org/xml/ns/j2ee/application"
> >     xmlns:sec="http://geronimo.apache.org/xml/ns/security-1.1"
> >     configId="com/foo/test"
> >     parentId="geronimo/j2ee-server/1.0/car">
> >
> >     <dependency>
> >         <groupId>log4j</groupId>
> >         <artifactId>log4j</artifactId>
> >         <version>1.2.8</version>
> >     </dependency>
> >
> >     <sec:security>
> >         <sec:default-principal realm-name="foo-realm">
> >             <sec:principal
> >                 class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
> >                 name="anonymous"/>
> >         </sec:default-principal>
> >         <sec:role-mappings>
> >             <!--
> >                 this mapping maps all users in the
> >                 registeredUsers group to registered-users role
> >                 defined in web.xml
> >             -->
> >             <sec:role role-name="FOO_ADMIN">
> >                 <sec:realm realm-name="foo-realm">
> >                     <sec:principal
> >                         class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> >                         name="foo_admin"/>
> >                 </sec:realm>
> >             </sec:role>
> >             <sec:role role-name="FOO_USER">
> >                 <sec:realm realm-name="foo-realm">
> >                     <sec:principal
> >                         class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> >                         name="foo_user"/>
> >                 </sec:realm>
> >             </sec:role>
> >         </sec:role-mappings>
> >     </sec:security>
> >
> >     <gbean name="foo-realm"
> >         class="org.apache.geronimo.security.realm.GenericSecurityRealm">
> >         <!--
> >             this is the name of the Security Realm as well as the name
> >             of the configuration entry used by the application
> >         -->
> >         <attribute name="realmName">foo-realm</attribute>
> >
> >         <!-- reference to the head of the login module use list -->
> >         <reference name="LoginModuleConfiguration">
> >             <name>foo-login</name>
> >         </reference>
> >
> >         <reference name="ServerInfo">
> >             <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
> >         </reference>
> >
> >         <reference name="LoginService">
> >             <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
> >         </reference>
> >     </gbean>
> >
> >     <!-- this is the head of the login module use list -->
> >     <gbean name="foo-login"
> >         class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
> >         <!-- login module must succeed -->
> >         <attribute name="controlFlag">REQUIRED</attribute>
> >
> >         <!-- reference to the login module -->
> >         <reference name="LoginModule">
> >             <name>foo-login</name>
> >         </reference>
> >     </gbean>
> >
> >     <!-- the login module GBean -->
> >     <gbean name="foo-login"
> >         class="org.apache.geronimo.security.jaas.LoginModuleGBean">
> >         <attribute name="loginModuleClass">
> >             com.foo.FooLoginModule
> >         </attribute>
> >         <attribute name="serverSide">true</attribute>
> >         <attribute name="loginDomainName">foo-realm</attribute>
> >     </gbean>
> >
> >     <gbean name="FooServer"
> >         class="com.foo.FooServerGBean"
> >         gbeanName="com.foo.fooserver:type=Server,name=GUIServer">
> >         <attribute name="baseDirectory" type="java.lang.String">
> >             /home/foo
> >         </attribute>
> >     </gbean>
> > </application>
> > ----end geronimo-application.xml----
> >
> >
> > ---begin first geronimo-web.xml---
> > <?xml version="1.0" encoding="UTF-8"?>
> > <web-app
> >     xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
> >     configId="com/foo/contextOne">
> >
> >     <context-root>/contextOne</context-root>
> >
> >     <context-priority-classloader>false</context-priority-classloader>
> >
> >     <container-config>
> >         <!-- Tomcat-specific container declarations -->
> >         <tomcat xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
> >             <valve-chain>SSOValve</valve-chain>
> >         </tomcat>
> >     </container-config>
> >
> >     <security-realm-name>netcool-realm</security-realm-name>
> >
> >     <gbean name="SSOValve"
> >         class="org.apache.geronimo.tomcat.ValveGBean">
> >         <attribute name="className">
> >             org.apache.catalina.authenticator.SingleSignOn
> >         </attribute>
> >     </gbean>
> >
> > </web-app>
> > ----end first geronimo-web.xml----
> >
> >
> > ---begin second geronimo-web.xml---
> > <?xml version="1.0" encoding="UTF-8"?>
> > <web-app
> >     xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
> >     configId="com/foo/contextTwo">
> >
> >     <context-root>/contextTwo</context-root>
> >
> >     <context-priority-classloader>false</context-priority-classloader>
> >
> >     <container-config>
> >         <!-- Tomcat-specific container declarations -->
> >         <tomcat xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
> >             <valve-chain>SSOValve</valve-chain>
> >         </tomcat>
> >     </container-config>
> >
> >     <security-realm-name>netcool-realm</security-realm-name>
> >
> >     <gbean name="SSOValve"
> >         class="org.apache.geronimo.tomcat.ValveGBean">
> >         <attribute name="className">
> >             org.apache.catalina.authenticator.SingleSignOn
> >         </attribute>
> >     </gbean>
> >
> > </web-app>
> > ----end second geronimo-web.xml----
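As an added example (not code from this thread or from Geronimo), a small Python lint over geronimo-web.xml plans like Joe's two above: it flags the per-application SSOValve pattern the thread describes, where each web app carries its own SingleSignOn ValveGBean and the instances share no SSO state, and it reports when the apps point at different security realms. The sample plans are constructed from the two posted plans, reduced to the elements the check reads; the function and variable names are the example's own.

```python
import xml.etree.ElementTree as ET

# Added example, not from the thread: lint geronimo-web.xml plans for the
# per-application SSOValve pattern Joe posted. A ValveGBean declared in a web plan
# is private to that app, so two apps each carrying their own SingleSignOn valve
# share no SSO state; the valve belongs once on the engine (or host) chain.
WEB = "{http://geronimo.apache.org/xml/ns/j2ee/web-1.0}"
TOMCAT = "{http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config}"
VALVE_GBEAN = "org.apache.geronimo.tomcat.ValveGBean"
SSO_CLASS = "org.apache.catalina.authenticator.SingleSignOn"

def describe_plan(xml_text):
    """Return (context-root, security-realm-name, names of SSO valves in the valve-chain)."""
    root = ET.fromstring(xml_text)
    chain = (root.findtext(".//" + TOMCAT + "valve-chain") or "").split(",")
    sso = [g.get("name") for g in root.findall(WEB + "gbean")
           if g.get("class") == VALVE_GBEAN and g.get("name") in chain
           and (g.findtext(WEB + "attribute[@name='className']") or "").strip() == SSO_CLASS]
    return root.findtext(WEB + "context-root"), root.findtext(WEB + "security-realm-name"), sso

def lint_sso(plans):
    """plans: {filename: xml text}. Returns a list of findings (empty when nothing to flag)."""
    findings, private_sso, realms = [], [], set()
    for fname, text in plans.items():
        ctx, realm, sso = describe_plan(text)
        realms.add(realm)
        if sso:
            private_sso.append(f"{fname} ({ctx})")
    if len(private_sso) > 1:  # each app gets its own valve instance: no shared SSO
        findings.append("private SingleSignOn valve in each of " + ", ".join(private_sso)
                        + "; move it to the engine/host valve chain so one instance serves all apps")
    if len(realms) > 1:  # SingleSignOn relies on the apps authenticating against one realm
        findings.append("security-realm-name differs across apps: " + ", ".join(sorted(realms)))
    return findings

# Constructed sample input: the two plans from the thread, reduced to the relevant elements.
PLAN = """<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0" configId="com/foo/{ctx}">
  <context-root>/{ctx}</context-root>
  <container-config><tomcat xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
    <valve-chain>SSOValve</valve-chain></tomcat></container-config>
  <security-realm-name>{realm}</security-realm-name>
  <gbean name="SSOValve" class="org.apache.geronimo.tomcat.ValveGBean">
    <attribute name="className">org.apache.catalina.authenticator.SingleSignOn</attribute></gbean>
</web-app>"""
SAMPLE_PLANS = {"contextOne/geronimo-web.xml": PLAN.format(ctx="contextOne", realm="netcool-realm"),
                "contextTwo/geronimo-web.xml": PLAN.format(ctx="contextTwo", realm="netcool-realm")}
if __name__ == "__main__":
    for finding in lint_sso(SAMPLE_PLANS):
        print(finding)
```

Run against the two posted plans it produces one finding, the private-valve one; the realm check only fires when the plans name different realms.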
