Hi, we have standardized our web applications on the Wicket framework (from a myriad of different frameworks), and are now looking to integrate authentication/authorization with container-based Single Sign On using a valve in JBoss/Tomcat's pipeline.
We use wicket-auth-roles for authorization in Wicket, and everything is configured so that the authorization requests end up in the servlet request's isUserInRole() method. Everything regarding the SSO and authorization works fine, but we're having trouble actually authenticating using a Wicket-based login page. Following the strategy from http://cwiki.apache.org/WICKET/servlet-container-authentication.html our web.xml setup is like this:

    <filter-mapping>
      <filter-name>wicket</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

    <security-constraint>
      <display-name>Login page</display-name>
      <web-resource-collection>
        <web-resource-name>Login page</web-resource-name>
        <url-pattern>/login</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>sso</realm-name>
      <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/login</form-error-page>
      </form-login-config>
    </login-config>

/login is our Wicket login page that dispatches (using requestdispatcher.include()) the input to the j_security_check?j_username&j_password&j_profile check, and then checks the request for a principal and redirects to the originally intercepted page (ignoring the response from the dispatched request).

The problem is that this setup works like a dream in Jetty, but in JBoss the current web.xml setup does not work, since the protected login page and the form-login-page are the same. In other words, the "solution" on Wicket's wiki does not seem to work well on JBoss containers. An option is to make the form-login-page a pure JSP, but this would be the last resort, since we rely heavily on Wicket's Ajax support in this page (we use custom JAAS security modules to support more than just username/password authentication).
To support the <role-name>*</role-name> we have configured <jacc-star-role-allow>true</jacc-star-role-allow> in jboss-web.xml.

Any advice or solutions would be appreciated!

--
View this message in context: http://www.nabble.com/Container-managed-authentication-tp21088523p21088523.html
Sent from the Wicket - User mailing list archive at Nabble.com.
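A descriptor check for the condition the post identifies, where the form-login-page (or form-error-page) is itself covered by a security-constraint that requires authentication. This is an added example, not code from the post or from the Wicket or JBoss projects; the function names are hypothetical, the sample is the post's fragment wrapped in a constructed <web-app> root, and <http-method> restrictions are not evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's constraint and login-config inside a <web-app> root.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/login</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login</form-login-page>
      <form-error-page>/login</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

def _find_all(node, name):
    """Descendants with this local tag name (namespace prefix ignored)."""
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def match_rank(pattern, path):
    """Servlet url-pattern precedence: exact > longest prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        hit = path == prefix or path.startswith(prefix + "/")
        return (2, len(prefix)) if hit else None
    if pattern.startswith("*."):
        return (1, 0) if path.endswith(pattern[1:]) else None
    return (0, 0) if pattern == "/" else None

def protected_login_pages(web_xml_text):
    """List (element, path, pattern) for login/error pages that require authentication."""
    root = ET.fromstring(web_xml_text)
    rules = []  # (url-pattern, constraint has an auth-constraint)
    for sc in _find_all(root, "security-constraint"):
        needs_auth = bool(_find_all(sc, "auth-constraint"))
        rules += [((p.text or "").strip(), needs_auth) for p in _find_all(sc, "url-pattern")]
    findings = []
    for name in ("form-login-page", "form-error-page"):
        for page in _find_all(root, name):
            path = (page.text or "").strip().split("?", 1)[0]
            ranked = [(match_rank(p, path), p, a) for p, a in rules if match_rank(p, path)]
            best = [r for r in ranked if r[0] == max(x[0] for x in ranked)]
            if best and all(a for _, _, a in best):  # no unauthenticated override
                findings.append((name, path, best[0][1]))
    return findings
```

Calling protected_login_pages(SAMPLE_WEB_XML) reports both the login page and the error page as matched by the /login constraint; an empty list means neither page sits behind an auth-constraint.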
