Configuring Single Signon on JBoss AS 7

This tutorial describes how to configure Single Signon for a JBoss AS 7 Web application (standalone and clustered).

The Single Signon configuration allows a centralized login for corporate sites that span several Web contexts. In order to configure single signon on JBoss AS 7 we need to operate on two configuration points:

  • The web subsystem, where we are going to add an sso element in the virtual-server definition
  • The jboss-web.xml deployment file, which defines the SingleSignOn Valve to be used

Here's the configuration for a standalone non-clustered JBoss AS instance:


<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <sso domain="localhost" reauthenticate="false"/>
    </virtual-server>
</subsystem>

Notice the sso stanza we have added and the reauthenticate attribute.

The reauthenticate attribute is a flag that determines whether each request needs to be reauthenticated against the security realm. Setting it to true can allow web applications with different security-domain configurations to share an SSO. The default is false.

Please note that you can add this configuration via the CLI as well:
/subsystem=web/virtual-server=default-host/sso=configuration:add(reauthenticate="false")

Next, declare in jboss-web.xml the Valve that will handle SSO. Every request will go through this valve, and it will act according to what you specified in the reauthenticate flag.

<jboss-web>
    <security-domain>sso</security-domain>
    <valve>
        <class-name>org.apache.catalina.authenticator.SingleSignOn</class-name>
    </valve>
</jboss-web>
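The effect of the reauthenticate flag is easiest to see in a small model. The following Python script is an added example, not code from this article or from JBoss/Tomcat: it keeps an SSO registry keyed by the SSO cookie (assumed here to be named JSESSIONIDSSO) that is shared by every context on the virtual server, and contrasts the two settings when a user is removed from the realm after logging in. The Realm class, the user bob and the /app1 and /app2 contexts are constructed for the demonstration.

```python
import secrets


class Realm:
    """Stand-in for the security domain's UsersRoles login module (constructed, not JBoss code)."""

    def __init__(self, users, roles):
        self.users = dict(users)   # username -> password (users.properties)
        self.roles = dict(roles)   # username -> set of roles (roles.properties)

    def authenticate(self, username, password):
        """Return a principal dict on success, None on failure."""
        if username in self.users and self.users[username] == password:
            return {"name": username, "roles": set(self.roles.get(username, ()))}
        return None


class SingleSignOnValve:
    """Simplified model of the SingleSignOn valve's registry, keyed by the SSO cookie."""

    COOKIE = "JSESSIONIDSSO"  # assumption: name of the cookie the valve hands to the browser

    def __init__(self, reauthenticate=False):
        self.reauthenticate = reauthenticate
        self.registry = {}  # sso id -> cached principal and the credentials used to obtain it

    def login(self, realm, username, password):
        """FORM login (j_security_check) performed in any context on the virtual server."""
        principal = realm.authenticate(username, password)
        if principal is None:
            return None
        sso_id = secrets.token_hex(16)
        self.registry[sso_id] = {"principal": principal, "username": username, "password": password}
        return sso_id

    def authenticate_request(self, realm, cookies):
        """Resolve the principal for a request carrying the SSO cookie; None means 'show the login form'."""
        entry = self.registry.get(cookies.get(self.COOKIE))
        if entry is None:
            return None
        if self.reauthenticate:
            # reauthenticate="true": the cached credentials are checked again against the realm
            # of the context serving this request, so a user removed or changed in the realm is
            # rejected on the next request, and contexts backed by different realms can share the SSO
            return realm.authenticate(entry["username"], entry["password"])
        # reauthenticate="false": the principal cached at first login is reused as-is
        return entry["principal"]

    def logout(self, cookies):
        """Drop the SSO entry so every context loses the single sign-on at once."""
        self.registry.pop(cookies.get(self.COOKIE), None)


def revocation_demo(reauthenticate):
    """Log in via /app1, hit /app2 with the cookie, then delete the user from the realm.
    Returns the principal name seen before revocation and the result after it."""
    realm = Realm({"bob": "s3cret"}, {"bob": {"Manager"}})   # constructed sample user
    valve = SingleSignOnValve(reauthenticate=reauthenticate)
    sso_id = valve.login(realm, "bob", "s3cret")             # FORM login in /app1
    cookies = {SingleSignOnValve.COOKIE: sso_id}
    before = valve.authenticate_request(realm, cookies)     # request to /app2: no second login
    del realm.users["bob"]                                   # account removed from users.properties
    after = valve.authenticate_request(realm, cookies)
    return before["name"], (after["name"] if after else None)


if __name__ == "__main__":
    print("reauthenticate=false:", revocation_demo(False))  # ('bob', 'bob'): cached principal survives
    print("reauthenticate=true: ", revocation_demo(True))   # ('bob', None): the re-check fails
```

With reauthenticate="false" the principal cached at the first login is served to every context until the SSO entry is removed, so a user deleted from the realm keeps access for the life of the SSO session; with reauthenticate="true" the next request is rejected. The price of the second setting, visible in the model, is that the registry has to keep the credentials it re-checks.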

Remember that you need to define the security domain mentioned in jboss-web.xml in your security subsystem. For example, supposing you are using the file-based security login module:
<security-domain name="sso" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
        </login-module>
    </authentication>
</security-domain>


Now define the security constraints in your web application's web.xml. For example, here we are securing the application so that only the Manager role can access it, through a FORM login:

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Manager</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Sample Realm</realm-name>
        <form-login-config>
            <form-login-page>/jsp/login.jsp</form-login-page>
            <form-error-page>/jsp/login-error.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>Manager</role-name>
    </security-role>

And a corresponding login.jsp page:
    <form id="login_form" name="login_form" method="post"
          action="j_security_check" enctype="application/x-www-form-urlencoded">
        <center>
            <p>Please login to proceed.</p>
        </center>

        <div style="margin-left: 15px;">
            <p>
                <label for="username"> Username</label><br /> <input id="username"
                    type="text" name="j_username" size="20" />
            </p>
            <p>
                <label for="password"> Password</label><br /> <input id="password"
                    type="password" name="j_password" value="" size="20" />
            </p>
            <center>
                <input id="submit" type="submit" name="submit" value="Login"
                    class="buttonmed" />
            </center>
        </div>
    </form>

Now, if you replicate the same web configuration in another Web application, you should notice that once you have logged in to the first application you can enter the second one without providing your credentials again.

 

Single Signon Domain configuration

If you are going to run your Single Signon application in a Domain configuration, you need to provide some information about the domain name and (if clustered) the Infinispan cache you are using to store the SSO data.

<subsystem xmlns="urn:jboss:domain:web:1.1" native="true" default-virtual-server="default-host">

    <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp" redirect-port="8443" enabled="true"/>
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <sso cache-container="web" cache-name="sso" domain="myDomain" reauthenticate="true"/>
    </virtual-server>

</subsystem>

We then need to define the Infinispan cache to be used for Single Signon:
<subsystem xmlns="urn:jboss:domain:infinispan:1.1" default-cache-container="cluster">
    ...
    <replicated-cache name="sso" mode="SYNC" batching="true"/>
    <distributed-cache name="dist" mode="ASYNC" batching="true">
        <file-store/>
    </distributed-cache>
    ...
</subsystem>

Finally, here is the Web server Valve needed for a clustered application:
<jboss-web>
    <security-domain>sso</security-domain>
    <valve>
        <class-name>org.jboss.as.web.sso.ClusteredSingleSignOn</class-name>
    </valve>
</jboss-web>
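Because the pieces above live in three different files, a mismatch (a valve pointing at a security domain that is not defined, a ClusteredSingleSignOn valve without a cache, a cache-name that no Infinispan container defines) usually shows up only at runtime. The following Python checker is an added example, not part of this article or of JBoss: it parses a trimmed server profile and a deployment's jboss-web.xml and reports such inconsistencies for both the standalone layout shown earlier and the clustered layout shown here. The sample profiles are constructed from the snippets in this article, with an assumed cache-container named web to match the cache-container attribute of the sso element.

```python
import xml.etree.ElementTree as ET

SSO_VALVE = "org.apache.catalina.authenticator.SingleSignOn"
CLUSTERED_SSO_VALVE = "org.jboss.as.web.sso.ClusteredSingleSignOn"


def _local(tag):
    """Drop the namespace: '{urn:jboss:domain:web:1.1}sso' -> 'sso'."""
    return tag.rsplit("}", 1)[-1]


def _find(root, name):
    """Every element below root whose local name is `name`, whatever its namespace."""
    return [e for e in root.iter() if _local(e.tag) == name]


def check_sso_config(profile_xml, jboss_web_xml):
    """Cross-check the server profile against a deployment's jboss-web.xml.
    Returns a list of findings; an empty list means the SSO setup is consistent."""
    profile = ET.fromstring(profile_xml)
    jboss_web = ET.fromstring(jboss_web_xml)
    findings = []

    # the <sso> element must sit directly under a <virtual-server> of the web subsystem
    sso_elems = [e for vs in _find(profile, "virtual-server") for e in vs if _local(e.tag) == "sso"]
    if not sso_elems:
        findings.append("web subsystem: no <sso> element under any <virtual-server>")

    # the valve the deployment declares decides whether a cache is expected
    valves = [c.text.strip() for c in _find(jboss_web, "class-name") if c.text]
    clustered = CLUSTERED_SSO_VALVE in valves
    if not clustered and SSO_VALVE not in valves:
        findings.append("jboss-web.xml: no SingleSignOn valve declared")

    # the security domain named by the deployment must exist in the security subsystem
    defined = {d.get("name") for d in _find(profile, "security-domain")}
    for ref in (d.text.strip() for d in _find(jboss_web, "security-domain") if d.text):
        if ref not in defined:
            findings.append(f'jboss-web.xml: security-domain "{ref}" is not defined in the security subsystem')

    for sso in sso_elems:
        if not sso.get("domain"):
            findings.append("sso: missing domain attribute")
        reauth = sso.get("reauthenticate", "false")  # the article: the default is false
        if reauth.lower() not in ("true", "false"):
            findings.append(f'sso: reauthenticate="{reauth}" is not a boolean')
        container_name, cache_name = sso.get("cache-container"), sso.get("cache-name")
        if clustered:
            if not (container_name and cache_name):
                findings.append("sso: ClusteredSingleSignOn needs cache-container and cache-name")
                continue
            containers = {c.get("name"): c for c in _find(profile, "cache-container")}
            if container_name not in containers:
                findings.append(f'infinispan: cache-container "{container_name}" not found')
            elif cache_name not in {c.get("name") for c in containers[container_name]
                                    if _local(c.tag).endswith("-cache")}:
                findings.append(f'infinispan: cache "{cache_name}" not found in container "{container_name}"')
        elif cache_name:
            findings.append("sso: cache-name is set but jboss-web.xml uses the non-clustered SingleSignOn valve")
    return findings


# constructed sample inputs, trimmed to the parts the checks look at
STANDALONE_PROFILE = """<profile>
  <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <virtual-server name="default-host" enable-welcome-root="true">
      <alias name="localhost"/>
      <sso domain="localhost" reauthenticate="false"/>
    </virtual-server>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:security:1.1">
    <security-domains><security-domain name="sso" cache-type="default"/></security-domains>
  </subsystem>
</profile>"""

CLUSTERED_PROFILE = """<profile>
  <subsystem xmlns="urn:jboss:domain:web:1.1" native="true" default-virtual-server="default-host">
    <virtual-server name="default-host" enable-welcome-root="true">
      <sso cache-container="web" cache-name="sso" domain="myDomain" reauthenticate="true"/>
    </virtual-server>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:infinispan:1.1" default-cache-container="cluster">
    <cache-container name="web"><replicated-cache name="sso" mode="SYNC" batching="true"/></cache-container>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:security:1.1">
    <security-domains><security-domain name="sso" cache-type="default"/></security-domains>
  </subsystem>
</profile>"""

JBOSS_WEB = """<jboss-web>
  <security-domain>sso</security-domain>
  <valve><class-name>%s</class-name></valve>
</jboss-web>"""

if __name__ == "__main__":
    print(check_sso_config(STANDALONE_PROFILE, JBOSS_WEB % SSO_VALVE))            # []
    print(check_sso_config(CLUSTERED_PROFILE, JBOSS_WEB % CLUSTERED_SSO_VALVE))   # []
    print(check_sso_config(CLUSTERED_PROFILE, JBOSS_WEB % SSO_VALVE))             # valve/cache mismatch
```

The checker matches elements by local name so it works whatever subsystem schema versions the profile declares; to run it against a real installation, read the profile from standalone.xml (or the relevant profile of domain.xml) and the jboss-web.xml from the deployment's WEB-INF directory and pass both strings to check_sso_config.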
