Hello,
Basically I'm using a custom JAAS LoginModule to authenticate my web
application (my portlet) in a Tomcat Valve. Once authenticated, the JAAS
Subject is propagated to a remote JBoss application server.
I have already been using this mechanism successfully with a simple web
application (outside a portal context), but I can't make it work within my
JBoss Portal context, since after the authentication succeeds I am redirected
to the Portal login page.
Following are the details of my JBoss Portal configuration:
1- I added a SSOValve
This valve does something like:
    import javax.security.auth.login.LoginContext;

    // Build a LoginContext against the "gubpm-server" policy (see login-config.xml
    // below), handing the HttpServletRequest to the custom callback handler so the
    // login modules can read the credentials from it, then run the login.
    LoginContext lc = new LoginContext("gubpm-server", subject,
            new HttpAuthCallbackHandler(httpServletRequest));
    lc.login();
2- The "gubpm-server" configuration is defined in the login-config.xml file as:
    <application-policy name="gubpm-server">
      <authentication>
        <login-module
            code="ch.ne.gubpm.security.auth.SSOLoginModule"
            flag="required" />
        <login-module
            code="org.jboss.security.ClientLoginModule"
            flag="required">
          <!-- Any existing security context will be restored on logout -->
          <module-option name="restore-login-identity">true</module-option>
        </login-module>
      </authentication>
    </application-policy>
3- The SSOLoginModule performs a simple authentication which always succeeds and
produces a Subject this way:
    subject.getPrincipals().add(userPrincipal);                  // user
    subject.getPublicCredentials().add(password);                // password
    subject.getPrincipals().add(new GUBPMPrincipal("Authenticated")); // role
GUBPMPrincipal implements java.security.Principal and only has a name
attribute.
4- I did not add any security constraints to my web application. I only defined
in the jboss-web.xml file:
    <security-domain>java:/jaas/client-login</security-domain>
to propagate my credentials to the remote JBoss application server.
Apparently, even with no security check made on my web pages, the JBoss Portal
security is called and doesn't let me pass. I tried with credentials that would
normally match the portal administrator profile (userId=admin, password=admin,
role=Authenticated) with no success.
I would like to keep this mechanism since I know it will be OK to authenticate
on the remote JBoss server that way (once I'm authorized by JBoss Portal!).
All I need is to skip this redirection to the JBoss Portal login page. I don't
care about logging in to the portal for this application.
Does anybody know how to skip this security check?
One way of achieving this could be to disable the Portal security, but I could
not find a clean way of doing it without breaking the entire portal.
Thank you very much for your help!
Tanguy
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3984236#3984236
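Editor's note: the snippet in step 3 only shows the Subject being populated; the full JAAS lifecycle a LoginModule has to honour (login, commit, abort, logout) is what decides whether the Subject handed to ClientLoginModule is consistent. The class below is an added example with the same shape as the post's SSOLoginModule, written for this note and not the author's or JBoss's code; it assumes the GUBPMPrincipal class from the post exists, and it deliberately rejects empty credentials and stores the password in the private credential set instead of the public one.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Assumed sketch shaped like the post's SSOLoginModule; GUBPMPrincipal (a Principal holding
// only a name, as described in the post) is assumed to exist on the classpath.
public class SSOLoginModule implements LoginModule {
    private Subject subject; private CallbackHandler handler;
    private Principal userPrincipal, rolePrincipal; private char[] password; private boolean loginOk;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    // Phase 1: collect credentials through the handler (the post's HttpAuthCallbackHandler).
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new LoginException("callback handling failed: " + e);
        }
        if (nc.getName() == null || nc.getName().isEmpty() || pc.getPassword() == null)
            throw new FailedLoginException("no credentials supplied"); // reject instead of always succeeding
        password = pc.getPassword().clone();
        pc.clearPassword();
        userPrincipal = new GUBPMPrincipal(nc.getName());
        rolePrincipal = new GUBPMPrincipal("Authenticated");
        return loginOk = true;
    }

    // Phase 2: only now modify the Subject, so a failing sibling module leaves it untouched.
    public boolean commit() {
        if (!loginOk) return false;
        subject.getPrincipals().add(userPrincipal);
        subject.getPrincipals().add(rolePrincipal);
        subject.getPrivateCredentials().add(password); // private set, unlike the post's public set
        return true;
    }

    public boolean abort() { logout(); return true; }

    // Undo what commit() added and scrub the password; the Subject object may be reused.
    public boolean logout() {
        subject.getPrincipals().remove(userPrincipal);
        subject.getPrincipals().remove(rolePrincipal);
        subject.getPrivateCredentials().remove(password);
        if (password != null) Arrays.fill(password, '\0');
        userPrincipal = rolePrincipal = null; loginOk = false;
        return true;
    }
}
```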
_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user