Thanks,
Vamsi
On 8/7/06, Jeff Genender <[EMAIL PROTECTED]> wrote:
Why does the server need to be built with the SSOValve?
You should be able to connect the SSOValve to the TomcatEngine in the
config.xml.
Jeff
Vamsavardhana Reddy wrote:
> I could get SSO Working on a server build with SSOValve GBean in the
> tomcat plan. In this case the application deployment plans needed no
> change as mentioned in the post that Krish pointed to.
>
> Here are some of my observations.
>
> An SSOValve GBean created as part of the application needs to be
> connected to TomcatEngine so that SSO works. To do so, either the
> FirstValve in TomcatEngine needs to be replaced with this SSOValve or a
> "NextValve" attribute should be added to the FirstValve and it should be
> made to point to the SSOValve. I guess there is only one TomcatEngine
> GBean in the server and I don't think it should be modified to suit the
> needs of two or more applications that need SSO.
>
> The other way is to have multiple hosts defined in the tomcat plan and
> one of them could have an SSOValve in the chain. All apps that want SSO
> can use that host.
>
> In either case, the server needs to be built with SSOValve GBean.
>
> With what G provides right now, there is no way that an SSOValve GBean is
> created as part of an application and hooked to the TomcatEngine.
>
> Comments?
>
> Thanks,
> Vamsi
>
> On 8/2/06, Krishnakumar B <[EMAIL PROTECTED]> wrote:
>
> Hi Joe,
>
> I have also tried this and was able to get it to work by doing a build
> with SSOValve GBean open.
>
> Refer to earlier post:
> http://www.nabble.com/SSO-in-Tomcat-tf1478623.html#a4001647
>
> I was not able to get it to work by deploying a new Valve along with 2
> web applications that need SSO.
>
> Regards
> Krish.
>
> On 8/1/06, Joe O'Pecko <[EMAIL PROTECTED]> wrote:
> > I know this has been discussed in the past, and I
> > apologize for the lengthy inquiry, however, I have
> > been trying unsuccessfully to get SSO working with
> > Tomcat on Geronimo v1.0 for some time. I am deploying
> > an application as an ear file with two war files
> > contained within. My geronimo-application.xml file
> > contains a definition for a JAAS Security Realm and
> > the two WAR files' geronimo-web.xml reference it via
> > security-realm-name elements. Once deployed each web
> > application challenges the user upon first access,
> > using the configured JAAS LoginModule. I'd like to
> > establish a SSO trust between the two web
> > applications, if possible, so that a user is only
> > challenged once for both web applications.
> >
> > I've seen a previous post on this site entitled Single
> > Sign On : Tomcat in Geronimo
> > (http://tinyurl.com/lkgjy) which seemed to provide
> > some information. Basically, it suggested the addition
> > of a SSOValve GBean to the geronimo-web.xml file. As
> > suggested, I've added the SSOValve to each
> > geronimo-web.xml and confirmed that I could see them
> > running in the deploy-tool web application. However,
> > each application has its own SSOValve GBean running
> > which leads me to believe that they do not share
> > anything between them.
> >
> > I've also seen Aaron Mulder's website which states
> > that Geronimo does not natively support web-based
> > single sign-on across web sites
> > (http://tinyurl.com/qa9bl).
> >
> > So is it possible to provide Single Sign On across
> > web applications? I've attached my config files below
> > if it helps.
> >
> > Thanks in advance for any help and information you can
> > provide.
> >
> > Joe
> >
> > ---begin geronimo-application.xml---
> > <?xml version="1.0" encoding="UTF-8"?>
> >
> > <application
> >     xmlns="http://geronimo.apache.org/xml/ns/j2ee/application"
> >     xmlns:sec="http://geronimo.apache.org/xml/ns/security-1.1"
> >     configId="com/foo/test"
> >     parentId="geronimo/j2ee-server/1.0/car">
> >
> >     <dependency>
> >         <groupId>log4j</groupId>
> >         <artifactId>log4j</artifactId>
> >         <version>1.2.8</version>
> >     </dependency>
> >
> >     <sec:security>
> >         <sec:default-principal realm-name="foo-realm">
> >             <sec:principal
> >                 class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
> >                 name="anonymous"/>
> >         </sec:default-principal>
> >         <sec:role-mappings>
> >             <!--
> >                 this mapping maps all users in the
> >                 registeredUsers group to registered-users role
> >                 defined in web.xml
> >             -->
> >             <sec:role role-name="FOO_ADMIN">
> >                 <sec:realm realm-name="foo-realm">
> >                     <sec:principal
> >                         class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> >                         name="foo_admin"/>
> >                 </sec:realm>
> >             </sec:role>
> >             <sec:role role-name="FOO_USER">
> >                 <sec:realm realm-name="foo-realm">
> >                     <sec:principal
> >                         class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> >                         name="foo_user"/>
> >                 </sec:realm>
> >             </sec:role>
> >
> >         </sec:role-mappings>
> >     </sec:security>
> >
> >     <gbean name="foo-realm"
> >         class="org.apache.geronimo.security.realm.GenericSecurityRealm">
> >         <!--
> >             this is the name of the Security Realm as well as the name
> >             of the configuration entry used by the application
> >         -->
> >         <attribute name="realmName">foo-realm</attribute>
> >
> >         <!--
> >             reference to the head of the login module use list
> >         -->
> >         <reference name="LoginModuleConfiguration">
> >             <name>foo-login</name>
> >         </reference>
> >
> >         <reference name="ServerInfo">
> >             <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
> >         </reference>
> >
> >         <reference name="LoginService">
> >             <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
> >         </reference>
> >     </gbean>
> >
> >     <!--
> >         this is the head of the login module use list
> >     -->
> >     <gbean name="foo-login"
> >         class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
> >         <!-- login module must succeed -->
> >         <attribute name="controlFlag">REQUIRED</attribute>
> >
> >         <!-- reference to the login module -->
> >         <reference name="LoginModule">
> >             <name>foo-login</name>
> >         </reference>
> >     </gbean>
> >
> >     <!-- the login module GBean -->
> >     <gbean name="foo-login"
> >         class="org.apache.geronimo.security.jaas.LoginModuleGBean">
> >         <attribute name="loginModuleClass">
> >             com.foo.FooLoginModule
> >         </attribute>
> >         <attribute name="serverSide">true</attribute>
> >         <attribute name="loginDomainName">foo-realm</attribute>
> >     </gbean>
> >
> >     <gbean name="FooServer"
> >         class="com.foo.FooServerGBean"
> >         gbeanName="com.foo.fooserver:type=Server,name=GUIServer">
> >         <attribute name="baseDirectory" type="java.lang.String">
> >             /home/foo
> >         </attribute>
> >     </gbean>
> > </application>
> > ----end geronimo-application.xml----
> >
> >
> > ---begin first geronimo-web.xml---
> > <?xml version="1.0" encoding="UTF-8"?>
> > <web-app
> >     xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
> >     configId="com/foo/contextOne">
> >
> >     <context-root>/contextOne</context-root>
> >
> >     <context-priority-classloader>false</context-priority-classloader>
> >
> >     <container-config>
> >         <!-- Tomcat-specific container declarations -->
> >         <tomcat xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
> >             <valve-chain>SSOValve</valve-chain>
> >         </tomcat>
> >     </container-config>
> >
> >     <security-realm-name>netcool-realm</security-realm-name>
> >
> >     <gbean name="SSOValve"
> >         class="org.apache.geronimo.tomcat.ValveGBean">
> >         <attribute name="className">
> >             org.apache.catalina.authenticator.SingleSignOn
> >         </attribute>
> >     </gbean>
> >
> > </web-app>
> > ----end first geronimo-web.xml----
> >
> >
> > ---begin second geronimo-web.xml---
> > <?xml version="1.0" encoding="UTF-8"?>
> > <web-app
> >     xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0"
> >     configId="com/foo/contextTwo">
> >
> >     <context-root>/contextTwo</context-root>
> >
> >     <context-priority-classloader>false</context-priority-classloader>
> >
> >     <container-config>
> >         <!-- Tomcat-specific container declarations -->
> >         <tomcat xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
> >             <valve-chain>SSOValve</valve-chain>
> >         </tomcat>
> >     </container-config>
> >
> >     <security-realm-name>netcool-realm</security-realm-name>
> >
> >     <gbean name="SSOValve"
> >         class="org.apache.geronimo.tomcat.ValveGBean">
> >         <attribute name="className">
> >             org.apache.catalina.authenticator.SingleSignOn
> >         </attribute>
> >     </gbean>
> >
> > </web-app>
> > ----end second geronimo-web.xml----
> >
>
>
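
Added example, not part of the original thread or of Geronimo's own tooling: a small audit over web deployment plans that flags the situation the thread describes, where each application declares its own SingleSignOn valve GBean and so nothing is shared between the applications. The sample plans are constructed from the quoted configuration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SSO_CLASS = "org.apache.catalina.authenticator.SingleSignOn"

def sample_plan(config_id, with_valve=True):
    """Constructed geronimo-web.xml modelled on the plans quoted in the thread."""
    valve = f"""
  <container-config>
    <tomcat xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.0/config">
      <valve-chain>SSOValve</valve-chain>
    </tomcat>
  </container-config>
  <gbean name="SSOValve" class="org.apache.geronimo.tomcat.ValveGBean">
    <attribute name="className">
      {SSO_CLASS}
    </attribute>
  </gbean>""" if with_valve else ""
    return (f'<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.0" '
            f'configId="{config_id}">{valve}\n</web-app>')

def local(tag):
    # Strip "{namespace}" so stray whitespace in an xmlns value cannot hide a match.
    return tag.rsplit("}", 1)[-1]

def private_sso_valve(plan_xml):
    """Return (configId, valve name) when the plan's valve-chain points at a
    GBean declared in the same plan whose className is SingleSignOn."""
    root = ET.fromstring(plan_xml)
    chain = {e.text.strip() for e in root.iter()
             if local(e.tag) == "valve-chain" and e.text}
    for gbean in root.iter():
        if local(gbean.tag) != "gbean" or gbean.get("name") not in chain:
            continue
        for attr in gbean:
            if (local(attr.tag) == "attribute" and attr.get("name") == "className"
                    and (attr.text or "").strip() == SSO_CLASS):
                return root.get("configId"), gbean.get("name")
    return None

def audit(plans):
    """List every plan that carries its own SingleSignOn valve instance."""
    return [hit for hit in map(private_sso_valve, plans) if hit]

if __name__ == "__main__":
    plans = [sample_plan("com/foo/contextOne"), sample_plan("com/foo/contextTwo"),
             sample_plan("com/foo/noValve", with_valve=False)]
    for config_id, valve in audit(plans):
        print(f"{config_id}: private SingleSignOn valve '{valve}' (not shared)")
```

Two or more hits for applications that are expected to share a login mean each one authenticates against its own valve instance, which matches the behaviour reported in the thread.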