Hi, I have been trying to fix a problem with single sign-on (SSO) security in 
JBoss 4.0.4 GA.  The issue is that I cannot restrict some applications from 
taking part in the SSO domain.  No matter what settings I use, once a user 
successfully authenticates in an SSO application, he has access to ALL JBoss 
apps, even if they are listed in a different security domain.  Here are the 
details:

Single sign-on is activated with the following in 
deploy/jbossweb-tomcat55.sar/server.xml:


All liferay components are in this security domain:
<jboss-web>
        <security-domain>java:/jaas/PortalRealm</security-domain>
...
</jboss-web>

I have a few applications (xforms) that I want to participate in the SSO 
domain.  These work perfectly.


I have another application (/axis) in a different security domain, which is 
still accessible to SSO users.

<jboss-web>
  <security-domain>java:/jaas/axis</security-domain> 
</jboss-web>



In conf/login-config.xml:

<application-policy name="axis">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <module-option name="usersProperties">props/axis-users.properties</module-option>
      <module-option name="rolesProperties">props/axis-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>


and

<application-policy name="PortalRealm">
  <authentication>
    <login-module code="com.liferay.portal.security.jaas.PortalLoginModule"
                  flag="required">
      <module-option name="userClassNames">com.liferay.portal.security.jaas.PortalPrincipal</module-option>
      <module-option name="roleClassNames">com.liferay.portal.security.jaas.PortalRole</module-option>
    </login-module>
  </authentication>
</application-policy>

The above block is not necessary to make Liferay security work.  I added it 
myself, but it did not change any noticeable behavior.


I intend to make /axis only available to those with a specific username and 
password; however, JBoss currently allows all Liferay users to have access to 
axis despite it being in a different security domain.  I have had problems with 
the java:/blah/blah naming convention, and I have seen a few posts indicating 
this might be an issue.  Does anyone have a suggestion for how I might limit 
SSO access to certain apps?  Thanks!  -Ben




View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4124962#4124962
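As an added audit check (not code from the post, JBoss or Liferay): the script below parses a server.xml and a set of jboss-web.xml files and reports the apps that sit behind a host-level SingleSignOn valve while declaring a security domain different from the one the other apps use, which is the exposure the post describes. The server.xml fragment, the valve class name and the context paths are constructed assumptions.

```python
# Checks whether a host-level SingleSignOn valve spans web apps that declare
# different JAAS security domains, the situation described in the post.
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (assumed, not copied from the post): an SSO
# valve on the default Host, which is what makes SSO host-wide in Tomcat.
SERVER_XML = """<Server><Service name="jboss.web"><Engine name="jboss.web">
  <Host name="localhost">
    <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
  </Host></Engine></Service></Server>"""

# Constructed jboss-web.xml contents keyed by context path (paths assumed).
JBOSS_WEB_XMLS = {
    "/portal": "<jboss-web><security-domain>java:/jaas/PortalRealm</security-domain></jboss-web>",
    "/xforms": "<jboss-web><security-domain>java:/jaas/PortalRealm</security-domain></jboss-web>",
    "/axis": "<jboss-web><security-domain>java:/jaas/axis</security-domain></jboss-web>",
}

def sso_hosts(server_xml):
    """Return the names of <Host> elements carrying a SingleSignOn valve."""
    root = ET.fromstring(server_xml)
    return [host.get("name") for host in root.iter("Host")
            if any(v.get("className", "").endswith("SingleSignOn")
                   for v in host.findall("Valve"))]

def security_domains(jboss_web_xmls):
    """Map context path -> declared security domain (None when absent)."""
    result = {}
    for path, xml in jboss_web_xmls.items():
        el = ET.fromstring(xml).find("security-domain")
        result[path] = el.text.strip() if el is not None and el.text else None
    return result

def sso_crossing_domains(server_xml, jboss_web_xmls):
    """Return apps behind an SSO valve whose security domain differs from the
    domain most apps use. The SSO valve caches the authenticated Principal
    per Host, so a login in one domain is reused for these apps too, which is
    exactly the cross-domain access the post reports."""
    if not sso_hosts(server_xml):
        return []
    by_domain = {}
    for path, dom in security_domains(jboss_web_xmls).items():
        by_domain.setdefault(dom, []).append(path)
    main = max(by_domain, key=lambda d: len(by_domain[d]))  # presumed SSO domain
    return sorted(p for d, ps in by_domain.items() if d != main for p in ps)
```

Run against a real deployment, each reported path is an app that should either join the SSO security domain or be moved out of the SSO-enabled Host.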

_______________________________________________
jboss-user mailing list
https://lists.jboss.org/mailman/listinfo/jboss-user
