Author: woonsan
Date: Tue Sep 29 16:05:40 2009
New Revision: 820005

URL: http://svn.apache.org/viewvc?rev=820005&view=rev
Log:
JS2-1071: Adding documentation on SSOReverseProxyIFrame portlet.

Modified:
    portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-admin/src/site/xdoc/sso.xml

Modified: portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-admin/src/site/xdoc/sso.xml
URL: http://svn.apache.org/viewvc/portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-admin/src/site/xdoc/sso.xml?rev=820005&r1=820004&r2=820005&view=diff
==============================================================================
--- portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-admin/src/site/xdoc/sso.xml (original)
+++ portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-admin/src/site/xdoc/sso.xml Tue Sep 29 16:05:40 2009
@@ -1,54 +1,271 @@
 <?xml version="1.0"?>
-<!--
-       Licensed to the Apache Software Foundation (ASF) under one or more
-       contributor license agreements.  See the NOTICE file distributed with
-       this work for additional information regarding copyright ownership.
-       The ASF licenses this file to You under the Apache License, Version 2.0
-       (the "License"); you may not use this file except in compliance with
-       the License.  You may obtain a copy of the License at
-       
-       http://www.apache.org/licenses/LICENSE-2.0
-       
-       Unless required by applicable law or agreed to in writing, software
-       distributed under the License is distributed on an "AS IS" BASIS,
-       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-       See the License for the specific language governing permissions and
-       limitations under the License.
--->
-<document>
-       <properties>
-               <title>SSO Administration Guide</title>
-               <subtitle>Guide to Administering Single Signon</subtitle>
-               <authors>
-                       <person name="David Sean Taylor" 
email="[email protected]" />
-                       <person name="Jody McAlister" 
email="[email protected]" />
-               </authors>
-       </properties>
-       <body>
-
-<section name="Jetspeed Single Signon">
-<p>Jetspeed-2 (J2) Single Sign-on (SSO) feature is a credential store 
implemented as a component. It uses J2 security implementation for storing 
credentials. A management portlet allows the editing of SSO sites and remote 
credentials. It supports Basic Authentication and Form Based authentication and 
supports cookies.</p>
-<p>The SSO Management feature enables you to create "single sign-on" access, a 
permission-based access to applications and underlying tools, which provides an 
added layer of security and administarative control of Jetspeed-2 content. SSO 
Management enables the Users of Groups (several Users initially defined in the 
Group Management tab) to sign-on a single time for jetspeed-2 portal and 
specified sites and databases.</p>
-</section>
-<section name="SSOProxy Portlet">
-<para>As the name indicates the SSOProxy portlet is the proxy between the 
portal and authenticated sites. In the preferences a user defines the 
destination page which might need authentication itself or has links to 
authenticated pages (inside or outside the portal).</para>
-<para>The SSOProxy Portlet authenticates all SSO sites for the user before it 
goes to the destination URL defined in the preferences. The SSOProxy keeps a 
cache of of the proxy client so that the authentication only takes place the 
first time.</para>
-<para/>
-</section>
-<section name="SSO Provider service">
-<para>The SSO Provider is a part of the jetspeed service framework and is 
available to any portlet and not just the SSOProxy Portlet. The component takes 
care of storing the sites and credentials and has an API to get content from a 
url.</para>
-<para/>
-</section>
-<section name="SSO Management">
-<para>The SSO management portlet helps to administer SSO credentials and 
assigning them to Portal Users.</para>
-<p>
-       <img src="images/sso-manage.png" />
-</p>
-<p>
-       The Portal Principal field may be populated by clicking on either the 
user icon or the group icon.  A pop up window will display to allow you to 
-       select your user or group.
-</p>
+  <!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements. See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version
+    2.0 (the "License"); you may not use this file except in compliance
+    with the License. You may obtain a copy of the License at
 
-</section>
-       </body>
+    http://www.apache.org/licenses/LICENSE-2.0 Unless required by
+    applicable law or agreed to in writing, software distributed under
+    the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES
+    OR CONDITIONS OF ANY KIND, either express or implied. See the
+    License for the specific language governing permissions and
+    limitations under the License.
+  -->
+<document>
+  <properties>
+    <title>SSO Administration Guide</title>
+    <subtitle>Guide to Administering Single Sign-on</subtitle>
+    <authors>
+      <person name="David Sean Taylor" email="[email protected]" />
+      <person name="Jody McAlister" email="[email protected]" />
+    </authors>
+  </properties>
+  <body>
+    <section name="Jetspeed Single Sign On">
+      <p>Jetspeed-2 (J2) Single Sign-on (SSO) feature is a
+        credential store implemented as a component. It uses J2 security
+        implementation for storing credentials. A management portlet
+        allows the editing of SSO sites and remote credentials. It
+        supports Basic Authentication and Form Based authentication and
+        supports cookies.</p>
+      <p>The SSO Management feature enables you to create "single
+        sign-on" access, a permission-based access to applications and
+        underlying tools, which provides an added layer of security and
+        administarative control of Jetspeed-2 content. SSO Management
+        enables the Users of Groups (several Users initially defined in
+        the Group Management tab) to sign-on a single time for
+        jetspeed-2 portal and specified sites and databases.</p>
+    </section>
+    <section name="SSOProxy Portlet">
+      <para>As the name indicates the SSOProxy portlet is the proxy
+        between the portal and authenticated sites. In the preferences a
+        user defines the destination page which might need
+        authentication itself or has links to authenticated pages
+        (inside or outside the portal).</para>
+      <para>The SSOProxy Portlet authenticates all SSO sites for the
+        user before it goes to the destination URL defined in the
+        preferences. The SSOProxy keeps a cache of of the proxy client
+        so that the authentication only takes place the first time.
+      </para>
+      <para />
+    </section>
+    <section name="SSOReverseProxyIFrame Portlet">
+      <p>
+        The SSOReverseProxyIFrame portlet leverages the Reverse Proxy Service 
component
+        of <a href="http://portals.apache.org/applications/webcontent/";>Apache 
Portals Web Content Appplication</a>.
+        This portlet provides Single Sign-on site and credentials of the user
+        to the Reverse Proxy Service component based on the navigated URLs.
+        The Reverse Proxy Service component authenticates the site for the
+        user automatically if the site is registered as a Single Sign-on site
+        for the user in the Jetspeed-2 Single Sign-on credential store.
+      </p>
+      <p>
+        For example, if the following preferences are set,
+        <br/>
+        <table>
+          <tr>
+            <th>Preference Name</th>
+            <th>Preference Value</th>
+          </tr>
+          <tr>
+            <td>SRC</td>
+            <td>http://localhost:8080/manager/list</td>
+          </tr>
+          <tr>
+            <td>PROXYREMOTEURL</td>
+            <td>http://localhost:8080/</td>
+          </tr>
+          <tr>
+            <td>PROXYLOCALPATH</td>
+            <td>${contextPath}/rproxy/localhost/</td>
+          </tr>
+        </table>
+        <br/>
+        then the portlet tries to retrieve the registered SSO sites and SSO 
remote users information
+        of the user by the SRC URL, 'http://localhost:8080/manager/list'.
+      </p>
+      <p>
+        If the user has the following SSO sites and SSO remote users 
information,
+        <br/>
+        <table>
+          <tr>
+            <th>Site Name</th>
+            <th>Site URL</th>
+            <th>Site Realm</th>
+            <th>Remote Principal</th>
+            <th>Remote Credential</th>
+          </tr>
+          <tr>
+            <td>Tomcat Management</td>
+            <td>http://localhost:8080/manager/</td>
+            <td>Tomcat Manager Application</td>
+            <td>tomcat</td>
+            <td>tomcat</td>
+          </tr>
+        </table>
+        <br/>
+        then the Reverse Proxy Service component can retrieve the above 
information from the portlet
+        and it would try to authenticate by the provided credentials.
+      </p>
+      <p>
+        If there are multiple SSO sites which have similar URLs, then best 
URL-matched SSO sites and credentials 
+        would be chosen for authentication.
+        For example, when the user has the following SSO sites and credentials 
registered,
+        <br/>
+        <table>
+          <tr>
+            <th>No.</th>
+            <th>Site Name</th>
+            <th>Site URL</th>
+            <th>Site Realm</th>
+            <th>Remote Principal</th>
+            <th>Remote Credential</th>
+            <th>User Form Field</th>
+            <th>Password Form Field</th>
+          </tr>
+          <tr>
+            <td>1</td>
+            <td>My Root Website</td>
+            <td>http://localhost:8080/</td>
+            <td></td>
+            <td>user</td>
+            <td>user</td>
+            <td></td>
+            <td></td>
+          </tr>
+          <tr>
+            <td>2</td>
+            <td>My Basic Auth Website</td>
+            <td>http://localhost:8080/basic/</td>
+            <td>ExampleBasicAuthJSP</td>
+            <td>basic</td>
+            <td>basic</td>
+            <td></td>
+            <td></td>
+          </tr>
+          <tr>
+            <td>3</td>
+            <td>My Form Auth Website</td>
+            <td>http://localhost:8080/form/</td>
+            <td></td>
+            <td>form</td>
+            <td>form</td>
+            <td>user</td>
+            <td>pass</td>
+          </tr>
+        </table>
+        <br/>
+        then the Reverse Proxy Service component will be provided best-matched 
SSO sites and credentials information
+        like the following examples:
+        <br/>
+        <table>
+          <tr>
+            <th>Requested URL</th>
+            <th>No.</th>
+            <th>Description</th>
+          </tr>
+          <tr>
+            <td>http://localhost:8080/</td>
+            <td>1</td>
+            <td>
+              This requested URL is matched to the first SSO site URL only.
+            </td>
+          </tr>
+          <tr>
+            <td>http://localhost:8080/index.html</td>
+            <td>1</td>
+            <td>
+              This requested URL starts with the first SSO site URL 
+              and is matched to the first SSO site URL only.
+            </td>
+          </tr>
+          <tr>
+            <td>http://localhost:8080/somewhere/index.html</td>
+            <td>1</td>
+            <td>
+              This requested URL starts with the first SSO site URL 
+              and is matched to the first SSO site URL only.
+            </td>
+          </tr>
+          <tr>
+            <td>http://localhost:8080/basic/</td>
+            <td>2, 1</td>
+            <td>
+              This requested URL starts with the first and the second SSO site 
URLs.
+              Because the second one is more well-matched, the second SSO site 
and credentials
+              information would be used first for authentication.
+            </td>
+          </tr>
+          <tr>
+            <td>http://localhost:8080/basic/index.html</td>
+            <td>2, 1</td>
+            <td>
+              This requested URL starts with the first and the second SSO site 
URLs.
+              Because the second one is more well-matched, the second SSO site 
and credentials
+              information would be used first for authentication.
+            </td>
+          </tr>
+          <tr>
+            <td>http://localhost:8080/form/</td>
+            <td>3</td>
+            <td>
+              This requested URL starts with the first and the third SSO site 
URLs.
+              The third one is more well-matched.
+              However, unlike the basic authentication examples, the first one 
will never be used
+              because the best-matched SSO site is configured to use 
form-based authentication.
+              When the best-matched SSO site is configured to use form-based 
authentication,
+              the Reverse Proxy Service component would use it only for 
authentication.
+              <br/>
+              The Reverse Proxy Service component would post username form 
field and password form field
+              with the specified form field names
+              only when the requested URL is equals to the URL of the SSO site.
+              <em>If the requested URL is changed by user's navigation in the 
IFrame, then it would not try posting the 
+              username and password form fields again.</em>
+            </td>
+          </tr>
+          <tr>
+            <td>http://localhost:8080/form/index.html</td>
+            <td>3</td>
+            <td>
+              This requested URL starts with the first and the third SSO site 
URLs.
+              The third one is more well-matched.
+              However, unlike the basic authentication examples, the first one 
will never be used
+              because the best-matched SSO site is configured to use 
form-based authentication.
+              When the best-matched SSO site is configured to use form-based 
authentication,
+              the Reverse Proxy Service component would use it only for 
authentication.
+              <br/>
+              The Reverse Proxy Service component would post username form 
field and password form field
+              with the specified form field names
+              only when the requested URL is equals to the URL of the SSO 
site. 
+              <em>If the requested URL is changed by user's navigation in the 
IFrame, then it would not try posting the 
+              username and password form fields again.</em>
+            </td>
+          </tr>
+        </table>
+      </p>
+    </section>
+    <section name="SSO Provider service">
+      <para>The SSO Provider is a part of the jetspeed service
+        framework and is available to any portlet and not just the
+        SSOProxy Portlet. The component takes care of storing the sites
+        and credentials and has an API to get content from a url.</para>
+      <para />
+    </section>
+    <section name="SSO Management">
+      <para>The SSO management portlet helps to administer SSO
+        credentials and assigning them to Portal Users.</para>
+      <p>
+        <img src="images/sso-manage.png" />
+      </p>
+      <p>
+        The Portal Principal field may be populated by clicking on either the
+        user icon or the group icon. A pop up window will display to
+        allow you to
+        select your user or group.
+      </p>
+    </section>
+  </body>
 </document>
\ No newline at end of file
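Review bot: the reflowed ASF license header in this hunk runs the license URL and the "Unless required by applicable law" sentence together on one line (`http://www.apache.org/licenses/LICENSE-2.0 Unless required by`); restore the canonical header with the URL on its own line and a blank line before "Unless required ...", as the removed version had it. Two content points in the new SSOReverseProxyIFrame section. First, the worked example registers the Tomcat Manager application with the remote principal and credential `tomcat`/`tomcat`, the well-known default; since this page tells administrators how to populate the SSO credential store, say that these values are placeholders and that production deployments must not keep default manager credentials, otherwise readers will copy the table as-is. Second, the two form-based rows are inconsistent as written: the text says the Reverse Proxy Service posts the username and password form fields "only when the requested URL is equals to the URL of the SSO site", yet the `http://localhost:8080/form/index.html` row repeats the `/form/` description verbatim; state explicitly whether site 3 is selected but no credentials are posted when `/form/index.html` is the first requested URL, and what the user is expected to do in that case, instead of duplicating the paragraph. Style: the section mixes `<para>` with `<p>` (the rest of the file uses `<p>`, and `<para>` is unlikely to render as a paragraph in xdoc); `<table>` elements are nested inside `<p>`; the Web Content Application href carries a stray `;` after its closing quote; and the typos "Appplication", "administarative", "cache of of", "is equals to" and "more well-matched" (better matched) should be fixed.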