Hi Jaron,

Yes, as Æde already explained, leveraging the PortalFilter solution is the
easiest way to provide such an SSO integration.
We've done that numerous times already for many different federated security systems like DigiD, A-Select Agent (behind DigiD), Shibboleth, NTLM (Windows) etc.
We're also going to do the same shortly for NetIdentity Manager.

The procedure is very simple:
- extend the PortalFilter class to identify your SSO system provided userid (cookies/headers/parameters/attributes etc.)
- if the user is known within the Jetspeed security system, use the UserManager to instantiate a User object and retrieve its Subject (User.getSubject())
- if the user is unknown, you can create your own Subject and provide it with a UserSubjectPrincipalImpl for the userid and any other (Jetspeed) RolePrincipalImpl or GroupPrincipalImpl instances you'd need
- store the Subject in the session (not the request as Æde said):
    session.setAttribute(PortalReservedParameters.SESSION_KEY_SUBJECT, subject);
- wrap the current request with a PortalRequestWrapper
- proceed with the filterchain

The provided PortalFilter class already gives a good example of this but uses request parameters to actually authenticate the user within Jetspeed. In your case you don't need that so you'll have to provide your own version of the PortalFilter, but the procedure is quite easy to follow and adapt. And you might not need the Audit logic within the PortalFilter either.

Additionally, you probably won't/shouldn't need several of the default configured valves in the jetspeed pipeline (pipelines.xml), like the securityValve, passwordCredentialValve and loginValidationValve, as those all deal with authentication managed by Jetspeed.

HTH,

Ate
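
As an added illustration of the procedure Ate describes (example code, not from this thread and not Jetspeed's own PortalFilter): a servlet filter that takes the login id from the SSO cookie, resolves a Subject through the UserManager, stores it in the session and wraps the request. Assumed, from memory of Jetspeed 2.1 and not confirmed by the thread: the cookie name, the guest role name, that UserManager.getUser throws SecurityException for an unknown user, that the UserManager component is registered under its interface name, and the PortalRequestWrapper(request, subject, principal) constructor.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.jetspeed.Jetspeed;
import org.apache.jetspeed.PortalReservedParameters;
import org.apache.jetspeed.login.filter.PortalRequestWrapper;
import org.apache.jetspeed.security.*;
import org.apache.jetspeed.security.impl.*;
/** Replaces PortalFilter: trusts the login id the upstream SSO proxy put in its cookie, never checks a password. */
public class SsoCookieFilter implements Filter {
    private static final String SSO_COOKIE = "SSO_LOGINID"; // assumed cookie name (fixed by the SSO system)
    private static final String GUEST_ROLE = "guest";       // assumed Jetspeed role for "authenticated non members"
    private static final String SESSION_LOGINID = SsoCookieFilter.class.getName() + ".loginid";
    public void init(FilterConfig config) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(true);
        String loginId = null;
        Cookie[] cookies = request.getCookies();
        for (int i = 0; cookies != null && i < cookies.length; i++)
            if (SSO_COOKIE.equals(cookies[i].getName())) loginId = cookies[i].getValue();
        Subject subject = (Subject) session.getAttribute(PortalReservedParameters.SESSION_KEY_SUBJECT);
        // Resolve once per session, but again whenever the cookie names a different login id, so a changed cookie never rides on a Subject built for an earlier user.
        if (loginId != null && (subject == null || !loginId.equals(session.getAttribute(SESSION_LOGINID)))) {
            subject = resolveSubject(loginId);
            session.setAttribute(PortalReservedParameters.SESSION_KEY_SUBJECT, subject);
            session.setAttribute(SESSION_LOGINID, loginId);
        }
        if (subject != null) {
            Principal user = null; // the user principal inside the Subject, exposed via getUserPrincipal()
            for (Principal p : subject.getPrincipals()) if (p instanceof UserPrincipal) { user = p; break; }
            req = new PortalRequestWrapper(request, subject, user);
        }
        chain.doFilter(req, res);
    }
    /** Member (known to Jetspeed/LDAP): reuse its stored Subject. Non-member: build a guest-only Subject. */
    private Subject resolveSubject(String loginId) {
        UserManager um = (UserManager) Jetspeed.getComponentManager().getComponent(UserManager.class.getName());
        try {
            return um.getUser(loginId).getSubject();
        } catch (org.apache.jetspeed.security.SecurityException unknownUser) {
            Set<Principal> principals = new HashSet<Principal>();
            principals.add(new UserSubjectPrincipalImpl(loginId));
            principals.add(new RolePrincipalImpl(GUEST_ROLE));
            return new Subject(true, principals, new HashSet<Object>(), new HashSet<Object>());
        }
    }
}
```

Since the filter trusts the cookie value as-is, the portal must only be reachable through the SSO proxy that sets it, and the securityValve, passwordCredentialValve and loginValidationValve Ate names still have to be removed from pipelines.xml.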

Æde van der Weij wrote:
Jaron,

I have had to do a similar thing. Although the SSO system did set a 'regular' 
request header instead of a cookie. Ate Douma pointed me in the direction of 
using a solution based on the org.apache.jetspeed.login.filter.PortalFilter.

As long as you can construct a Subject and add it to the request it will be 
sufficient. I guess you could use the UserManager to check whether the 
user has a profile.

In case you go for the filter solution you could get rid of some security 
related valves in Jetspeed's pipeline. That will probably create a better 
overview of what is happening to your request when it goes through the Portal.

Regards,
Æde van der Weij

Subject: SSO integration
Date: Thu, 28 Aug 2008 16:55:07 +0200
From: [EMAIL PROTECTED]
To: [email protected]
CC: [EMAIL PROTECTED]

Hello,

I would like advice as to what is the easiest / best way to automate
logon in jetspeed.

Jetspeed will be running behind a SSO / filter that is on a different
machine. This SSO application places a cookie in the request which means
that the request comes from an authenticated user. The name and the
contents of the cookie cannot be changed as it is created and used by
other applications. That the user has been authenticated does not mean
that the user exists as a user in the jetspeed portal. There are 2 types
of users for the portal to handle: "authenticated non members" and
"authenticated members".
Based on the loginid that is in the cookie the portal has to look in a
ldap server to check whether that loginid is present. If it is not
present the user is apparently an "authenticated non member", and should
be able to see the portal as a guest without any credentials. In case
the loginid is present, jetspeed portal credentials should be created
and the user should be able to see the portal as someone that is logged
in. The portal never checks any password credentials! It just checks if
the user is in the list of registered users in the ldap server.

Based on the above requirements, what are the possible ways to implement
this and what is the best way to follow?

As far as I have read through the jetspeed documentation, it usually
assumes that the jetspeed portal is the SSO implementing component
instead of the SSO client that it is in this case.

Kind regards,

Jaron Schut
