I'd like to add the OpenAM/OpenSSO SSO feature to JBoss EAP 6 or JBoss AS 7. This means I must install an SSO Java EE agent on JBoss. Forgerock's OpenAM download page gives the opportunity to get agents for previous versions of JBoss, but new JBoss EAP 6 / JBoss AS 7 are not supported (for the moment).
Do you know if such an agent is available somewhere, or will be available in the near future? If not, do you know how to change the JBoss configuration to make it work with OpenAM?
It seems there is no official agent for JBoss EAP 6 for the moment.
However, I could make it work with OpenAM SSO by configuring my JBoss instance manually. To do it, I started with the existing jboss_v42_agent.zip available on the ForgeRock download site. Using the jars agent.jar and openssoclientsdk.jar and the agent configuration files, I could build a JBoss module using this module.xml:
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="openam.agents">
  <resources>
    <resource-root path="agent.jar"/>
    <resource-root path="openssoclientsdk.jar"/>
    <resource-root path="."/>
  </resources>
  <dependencies>
    <module name="javax.api"/>
    <module name="javax.servlet.api"/>
    <module name="org.picketbox"/>
  </dependencies>
</module>
Then I must update standalone.xml by adding a security domain:
<security-domain name="AMRealm" cache-type="default">
  <authentication>
    <login-module code="com.sun.identity.agents.jboss.v40.AmJBossLoginModule" flag="required">
      <module-option name="unauthenticatedIdentity" value="anonymous"/>
    </login-module>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
      <module-option name="restore-login-identity" value="true"/>
    </login-module>
  </authentication>
</security-domain>
Finally, I deployed the agentapp.war on JBoss after having modified the MANIFEST.MF by adding a line:
Dependencies: openam.agents
where openam.agents is the name of my module.
Now for the application I want to enable SSO for, I also must perform some updates:
web.xml: Add the <filter> and <filter-mapping> nodes:
<filter>
  <filter-name>Agent</filter-name>
  <display-name>Agent</display-name>
  <description>OpenAM Tomcat Policy Agent Filter</description>
  <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>Agent</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>INCLUDE</dispatcher>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>ERROR</dispatcher>
</filter-mapping>
jboss-web.xml: Declare the security domain to be used:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain>AMRealm</security-domain>
</jboss-web>
MANIFEST.MF: Apply the same modification as in agentapp.war (add the "Dependencies: openam.agents" line).
I'm not sure if it's the best way to enable SSO on JBoss EAP 6 / AS 7 (I'm not an expert), but it seems to work well.
One idea is putting an Apache HTTP server with the OpenAM policy agent installed in front of JBoss 7, so that it receives the requests.
This is known as the reverse proxy integration. You can find out more here:
http://developers.sun.com/identity/reference/techart/app-integration.html
and http://docs.oracle.com/cd/E19575-01/820-3746/gjbna/index.html
Using the reverse proxy approach, you don't have to care about the application's runtime environment.
I noticed some days ago that ForgeRock has now released a J2EE Agent for JBoss 7.x, but I haven't tested it yet. See http://forgerock.org/openam.html
We are upgrading our ColdFusion 9 non-SSL application to a ColdFusion 11 SSL-enabled setup using WebSphere.
We have a few Flex components that utilize Flex2Gateway to call remote services. The application/Flex2Gateway calls work fine with HTTP but not on HTTPS.
The following URLs give me a blank page, which as per the Adobe forums means that Flex2Gateway is set up right:
http://example.com/flex2gateway
https://example.com/flex2gateway
The app calls the non-SSL URL (not sure why):
http://example.com/flex2gateway and then gets redirected to
https://example.com/flex2gateway
When I look at the browser developer tools (IE, Chrome), the redirection from
http://example.com/flex2gateway to https://example.com/flex2gateway
seems to be working fine. Can anybody provide some insights on a possible solution?
Here is my remoting-config.xml:
<?xml version="1.0" encoding="UTF-8"?>
<service id="remoting-service"
         class="flex.messaging.services.RemotingService"
         messageTypes="flex.messaging.messages.RemotingMessage">
  <adapters>
    <adapter-definition id="cf-object"
                        class="coldfusion.flash.messaging.ColdFusionAdapter" default="true"/>
    <adapter-definition id="java-object"
                        class="flex.messaging.services.remoting.adapters.JavaAdapter"/>
  </adapters>
  <default-channels>
    <channel ref="my-cfamf-secure"/>
  </default-channels>
  <destination id="ColdFusion">
    <channels>
      <channel ref="my-cfamf-secure"/>
    </channels>
    <properties>
      <source>*</source>
    </properties>
  </destination>
</service>
I do see the following in services-config.xml, and I did uncomment the WebSphereLoginCommand option but saw no difference:
<security>
  <login-command class="flex.messaging.security.JRunLoginCommand" server="JRun"/>
  <!-- Uncomment the correct app server
  <login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat"/>
  <login-command class="flex.messaging.security.WeblogicLoginCommand" server="Weblogic"/>
  <login-command class="flex.messaging.security.WebSphereLoginCommand" server="WebSphere"/>
  -->
</security>
UPDATE: I got HTTPS disabled on our server and now receive the error below when I try to access the Flex component:
faultCode:Client.Error.MessageSend faultString:'Send Failed' faultDetail:'Channel.Connect.Failed error NetConection.Call.Failed: HTTP: Failed:url: 'http://example.com/flex2gateway/"
I realized my implementation of a LoginModule, installed it into WildFly 8.2.0.Final as a module, and configured a security domain.
I added jboss-web.xml into my web application's WEB-INF directory, with the name of the security domain.
And when I initiated login at the web form, I had this error in WildFly:
PBOX000206: Login failure: javax.security.auth.login.LoginException: unable to find LoginModule class: my.webapp.auth.WildLoginModule from [Module "deployment.MyWebApp.war:main" from Service Module Loader]
Why can't it find my class, when this class resides in a jar in the WildFly modules?
What is stranger, it worked a couple of weeks ago!
At last I've found my answer. I thought the mistake should be in the configuration of WildFly; after long research and many ways of testing, I found that my implementation of LoginModule works only if it resides in my web application. But I wanted a separate module, I wanted my webapp clean of the security implementation.
So this is why "it worked a couple of weeks ago!": because this LoginModule was inside my webapp.
Steps to use your own JAAS LoginModule (by the way, this resource on JBoss AS7 helped me a lot in my situation):
1. Implement your own Principals and LoginModule (how to do this you may find on the internet).
2. Pack this into a jar.
3. Install it as a module into WildFly (if you need to use it in many projects), using the CLI to install the jar as a module. Hint from the resource, "Things to remember": when you create your own module, do not forget to add a dependency on "org.picketbox" and "javax.api" in the module.xml of your custom module.
   module add --name=my.security.module --resources=/path/to/MyLoginModule.jar --dependencies=javax.api,org.picketbox,my.dependencies
4. Add a Security Domain in WildFly (GUI, CLI or manually editing standalone.xml).
And my mistake was at this step. My security domain looked like this:
<security-domain name="mysecdomain" cache-type="default">
  <authentication>
    <login-module code="my.code.MyLoginModule" flag="required">
      <module-option name="jndiDb" value="java:/datasources/myDataSource"/>
      <module-option name="userQuery" value=""/>
      <module-option name="roleQuery" value=""/>
    </login-module>
  </authentication>
</security-domain>
This is why it couldn't find my code: it doesn't know in which module to find it. So this part of standalone.xml should look like this:
<security-domain name="mysecdomain" cache-type="default">
  <authentication>
    <login-module code="my.code.MyLoginModule" flag="required" module="my.security.module">
      <module-option name="jndiDb" value="java:/datasources/myDataSource"/>
      <module-option name="userQuery" value=""/>
      <module-option name="roleQuery" value=""/>
    </login-module>
  </authentication>
</security-domain>
I didn't configure it, or I missed some params in the CLI for this, but this module="my.security.module" should be in your config.
After that my webapp could make login and use this security module.
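The mistake in this answer (a login module class that lives in a custom JBoss module but is declared without the `module` attribute) is easy to catch before deploying. The following checker is an added example, not code from the answer or from WildFly; it parses a security-domain fragment and flags every `<login-module>` whose class is not one of the server's own and has no `module="..."`. The list of built-in package prefixes is an assumption of this example.

```python
# Added example, not part of the answer above: flags <login-module> entries whose
# class lives in a custom JBoss module but that lack the module="..." attribute.
# Without it WildFly resolves the class through the deployment's own class loader,
# which is why PBOX000206 names "deployment.MyWebApp.war:main" and not your module.
import xml.etree.ElementTree as ET

# Assumption: classes under these prefixes ship with the server and need no module
# attribute; every other fully qualified class is treated as custom code.
BUILTIN_PREFIXES = ("org.jboss.", "org.picketbox.", "com.sun.security.")


def _local(tag):
    """Strip an XML namespace ({urn:...}name -> name) so real standalone.xml files parse too."""
    return tag.rsplit("}", 1)[-1]


def check_login_modules(security_domain_xml):
    """Return a list of problem descriptions; an empty list means nothing was flagged."""
    root = ET.fromstring(security_domain_xml)
    problems = []
    for lm in root.iter():
        if _local(lm.tag) != "login-module":
            continue
        code = lm.get("code", "")
        # Short aliases such as "Database" or "UsersRoles" name built-in modules,
        # so only dotted class names outside the built-in prefixes are custom.
        is_custom = "." in code and not code.startswith(BUILTIN_PREFIXES)
        if is_custom and not lm.get("module"):
            problems.append(f'{code}: custom login module class declared without '
                            'module="..."; add the name of the JBoss module holding its jar')
    return problems


# Constructed samples modelled on the two fragments in the answer.
BROKEN = """<security-domain name="mysecdomain" cache-type="default">
  <authentication>
    <login-module code="my.code.MyLoginModule" flag="required">
      <module-option name="jndiDb" value="java:/datasources/myDataSource"/>
    </login-module>
  </authentication>
</security-domain>"""

FIXED = BROKEN.replace('flag="required"', 'flag="required" module="my.security.module"')

if __name__ == "__main__":
    for label, fragment in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_login_modules(fragment) or "ok")
```

Run it against the `<security-domain>` element cut out of standalone.xml; the namespace a real file carries is stripped, so the fragment can be pasted as-is.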
We have an app that is being deployed as an EAR. Within this EAR, there is a WAR that needs to use a specific security domain.
To achieve this, we have configured the standalone-full-ha.xml with the following security section:
<security-domain name="ourDomain" cache-type="default">
  <authentication>
    <login-module code="blah.blah.OurDomain" flag="required" />
  </authentication>
</security-domain>
ear/war/WEB-INF/jboss-web.xml is configured as follows:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain>Quark</security-domain>
  <disable-audit>true</disable-audit>
</jboss-web>
With this configuration, the app tries to authenticate against the "other" domain which is there in JBoss by default.
Log entries as follows:
TRACE [org.jboss.security] (http-/127.0.0.1:8080-6) PBOX000224: End getAppConfigurationEntry(other), AuthInfo: AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
ControlFlag: LoginModuleControlFlag: optional
Options:
name=password-stacking, value=useFirstPass
[1]
LoginModule Class: org.jboss.as.security.RealmDirectLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=password-stacking, value=useFirstPass
When trying to define this as part of the EAR in ear/META-INF/jboss-app.xml, the whole thing blew up pretty spectacularly, so I figured that was less likely to be the way to resolve this.
If the default security domain is changed to ourDomain, however, it all works as expected.
This doesn't seem to be a big deal; however, it feels better to be able to leave as much of the configuration in the app as possible.
Any pointers to resolve this are appreciated.
The security domain name specified in jboss-web.xml needs to match the name of a security domain in your JBoss config; in your case the web descriptor specifies Quark while the security subsystem defines a domain named ourDomain.
Whenever JBoss cannot find the security domain you request in your jboss-web.xml, it will fall back to the default security domain, which in the case of 7.x is named other.
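The silent fallback described in this answer is worth checking mechanically, because a typo in jboss-web.xml quietly authenticates the WAR against whatever the default domain holds. The script below is an added example (not from the question, the answer or JBoss itself): it reads the domain names defined in the security subsystem, the one a WAR requests, and reports which domain will actually be used. The fragments are constructed to mirror the question, with the subsystem namespace omitted.

```python
# Added example, not from the question or answer above: a consistency check between
# the <security-domain> a WAR asks for in jboss-web.xml and the domains the security
# subsystem actually defines. An undefined name is replaced by the default domain
# "other" without any error, which is exactly the symptom in the question.
import xml.etree.ElementTree as ET

DEFAULT_DOMAIN = "other"  # JBoss AS 7 / EAP 6 fallback when the requested domain is unknown


def _local(tag):
    """Strip an XML namespace ({urn:...}name -> name) so real config files parse too."""
    return tag.rsplit("}", 1)[-1]


def defined_domains(security_subsystem_xml):
    """Names of all <security-domain name="..."> elements in a security subsystem fragment."""
    root = ET.fromstring(security_subsystem_xml)
    return {el.get("name") for el in root.iter()
            if _local(el.tag) == "security-domain" and el.get("name")}


def requested_domain(jboss_web_xml):
    """The <security-domain> text from jboss-web.xml, or None if the element is absent."""
    root = ET.fromstring(jboss_web_xml)
    for el in root.iter():
        if _local(el.tag) == "security-domain":
            return (el.text or "").strip()
    return None


def effective_domain(security_subsystem_xml, jboss_web_xml):
    """Return (domain the WAR will really authenticate against, warning or None)."""
    wanted = requested_domain(jboss_web_xml)
    defined = defined_domains(security_subsystem_xml)
    if not wanted:
        return DEFAULT_DOMAIN, "jboss-web.xml names no security domain; the default applies"
    if wanted in defined:
        return wanted, None
    return DEFAULT_DOMAIN, (f"security domain '{wanted}' is not defined "
                            f"(known: {sorted(defined)}); JBoss falls back to '{DEFAULT_DOMAIN}'")


# Constructed fragments modelled on the question (subsystem namespace omitted).
SECURITY_SUBSYSTEM = """<subsystem>
  <security-domains>
    <security-domain name="other" cache-type="default"/>
    <security-domain name="ourDomain" cache-type="default">
      <authentication>
        <login-module code="blah.blah.OurDomain" flag="required"/>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>"""

JBOSS_WEB_MISMATCH = """<jboss-web>
  <security-domain>Quark</security-domain>
  <disable-audit>true</disable-audit>
</jboss-web>"""

JBOSS_WEB_OK = JBOSS_WEB_MISMATCH.replace("Quark", "ourDomain")

if __name__ == "__main__":
    for descriptor in (JBOSS_WEB_MISMATCH, JBOSS_WEB_OK):
        print(effective_domain(SECURITY_SUBSYSTEM, descriptor))
```

The same check is useful in a deployment pipeline: fail the build when the warning is not None, rather than discovering at runtime that the TRACE log shows `getAppConfigurationEntry(other)`.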
I need to form an Infinispan cluster in distributed mode. This cache is used for storing session data. Currently I am using tomcatInfinispanSessionManager, developed by Manik from the JBoss team.
I have created the Infinispan XML in distributed mode and am using two Tomcats for testing, with Apache as a load balancer. Each machine has its own copy of the Infinispan cache entry. When either of the Tomcats is shut down, the session is retrieved from the other Infinispan cache.
My question is: how do I make this cache entry go into an Infinispan server (either using Hot Rod or memcached) that is running on a separate machine?
If you add a remote cache loader to the cache configuration you have, it'll back up the data in a remote Hot Rod server, assuming you configure the IP:Port address of the Hot Rod server(s) correctly.
However, if you're trying to cluster your session data, I'd highly recommend you download JBoss EAP 6.1, which comes with Infinispan-based cluster-ready session data storage out of the box. The session cache can still be configured with a remote cache loader too, but the configuration will be slightly different since it uses JBoss EAP configuration format.
I am using ispn 5.1 and started the server in Hot Rod mode. My cache config XML is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<infinispan xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:infinispan:config:5.3 http://www.infinispan.org/schemas/infinispan-config-5.3.xsd
                        urn:infinispan:config:remote:5.3 http://www.infinispan.org/schemas/infinispan-cachestore-remote-config-5.3.xsd"
    xmlns="urn:infinispan:config:5.3" xmlns:remote="urn:infinispan:config:remote:5.3">
  <global>
    <transport clusterName="tomcatSession">
      <properties>
        <property name="configurationFile"
                  value="E:/Software/apache-tomcat-7.0.34/conf/jgroups.xml">
        </property>
      </properties>
    </transport>
    <globalJmxStatistics enabled="true" />
  </global>
  <namedCache name="tc_session_ispn-sess-mgr">
    <clustering mode="distribution">
      <l1 enabled="true" lifespan="600000" />
    </clustering>
    <loaders>
      <remoteStore xmlns="urn:infinispan:config:remote:5.3"
                   fetchPersistentState="false" ignoreModifications="false"
                   purgeOnStartup="false" remoteCache="myCache" rawValues="true">
        <servers>
          <server host="10.145.4.172" port="11222" />
        </servers>
        <connectionPool maxActive="10" exhaustedAction="CREATE_NEW" />
        <async enabled="true" />
      </remoteStore>
    </loaders>
  </namedCache>
</infinispan>
While using this cache config XML I am getting the following exception:
Exception in thread "main" org.infinispan.config.ConfigurationException: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[39,104]
Message: Unexpected element '{urn:infinispan:config:remote:5.3}remoteStore' encountered
at org.infinispan.configuration.parsing.Parser.parse(Parser.java:168)
at org.infinispan.configuration.parsing.Parser.parse(Parser.java:130)
at org.infinispan.manager.DefaultCacheManager.<init>(DefaultCacheManager.java:368)
at org.infinispan.manager.DefaultCacheManager.<init>(DefaultCacheManager.java:340)
at org.infinispan.manager.DefaultCacheManager.<init>(DefaultCacheManager.java:327)
Kindly correct me if I am wrong and suggest how to proceed further?
I'm looking for a solution similar to this:
httpOnly Session Cookie + Servlet 3.0 (e.g. Glassfish v3)
I want to turn the HTTP headers http-only and Secure off so that authentication with HTTPS carries across to HTTP requests.
However,
1. Relating to the other post: I am not using Servlet 3.0. I may be willing to try Servlet 3.0 if there were decent documentation somewhere on how to migrate an IntelliJ project from Servlet 2.5 to 3.0. It does not seem obvious how to do this. Changing my Maven pom to javax.servlet 3.0 and then editing my web.xml version to 3.0 doesn't work; it gives a facet error on the 3.0 version. Sigh.
This is my primary approach to solve this. I edited default-web.xml and domain.xml in domains/domain1/config to what I thought would work, but it doesn't. Oracle's documentation does not seem very clear to me on this.
domain.xml:
<web-container>
  <session-config>
    <session-manager>
      <manager-properties></manager-properties>
      <store-properties></store-properties>
    </session-manager>
    <session-properties>
      <property name="cookieSecure" value="false"></property>
      <property name="cookieHttpOnly" value="false"></property>
    </session-properties>
  </session-config>
</web-container>
....
<configs>
  <config name="server-config">
    <http-service sso-enabled="true">
      <access-log></access-log>
      <virtual-server id="server" sso-cookie-secure="false" sso-cookie-http-only="false" network-listeners="http-listener-1,http-listener-2"></virtual-server>
      <virtual-server id="__asadmin" sso-cookie-http-only="false" network-listeners="admin-listener"></virtual-server>
    </http-service>
default-web.xml:
<session-config>
  <session-timeout>60</session-timeout>
  <cookie-config>
    <http-only>false</http-only>
    <secure>false</secure>
  </cookie-config>
  <cookie-properties>
    <property name="cookieSecure" value="false" />
    <property name="cookieHttpOnly" value="false" />
  </cookie-properties>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
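Whichever of the settings above ends up taking effect, the result only shows in the Set-Cookie headers the server actually sends. The checker below is an added example, not code from the question or from GlassFish: it parses Set-Cookie header values and reports which of the Secure and HttpOnly flags each session cookie is missing, which is how a reviewer would confirm what a cookieSecure / cookieHttpOnly change did. The session cookie names and the sample headers are constructed assumptions of the example.

```python
# Added example, not part of the question or its answer: parses Set-Cookie header
# values and reports which of the Secure / HttpOnly flags a session cookie lacks,
# so the effect of settings such as cookieSecure=false can be seen in real responses.

# Assumption: the session cookie names GlassFish issues (JSESSIONID for the servlet
# session, JSESSIONIDSSO for single sign-on); extend the tuple for other containers.
SESSION_COOKIE_NAMES = ("JSESSIONID", "JSESSIONIDSSO")
REQUIRED_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; valueless flags (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value):
    """Return (cookie_name, list of required flags that are missing) for one header value."""
    name, _, attrs = parse_set_cookie(header_value)
    missing = [flag for flag in REQUIRED_FLAGS if attrs.get(flag.lower()) is not True]
    return name, missing


def audit_headers(headers):
    """Check every Set-Cookie header in a response's (name, value) pairs.

    Only session cookies are reported; the result maps cookie name -> missing flags.
    """
    report = {}
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        name, missing = audit_set_cookie(header_value)
        if name in SESSION_COOKIE_NAMES:
            report[name] = missing
    return report


# Constructed sample headers (not captured from a real server).
STRONG = "JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly"
WEAK = "JSESSIONID=0123456789ABCDEF; Path=/"
HTTPONLY_ONLY = "JSESSIONIDSSO=FEDCBA9876543210; Path=/; HttpOnly"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", WEAK),
    ("Set-Cookie", HTTPONLY_ONLY),
    ("Set-Cookie", "theme=dark; Path=/"),  # not a session cookie, so not reported
]

if __name__ == "__main__":
    for cookie, missing in audit_headers(SAMPLE_HEADERS).items():
        print(cookie, "missing:", ", ".join(missing) or "nothing")
```

Feed it the header list from any HTTP client (for example the `getheaders()` result of an `http.client` response) after logging in over HTTPS; a session cookie reported as missing Secure is one the browser will also send over plain HTTP, which is the trade-off the question is deliberately making.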
Okay, I feel a bit stupid, but I have generally never written to a specific container before, to make sure that my code was portable across containers. However, after some research, I discovered that you can put a WEB-INF/glassfish-web.xml file that looks like this to control your security cookie setting for each WAR file under GlassFish:
http://blogs.oracle.com/jluehe/entry/ow_to_configure_the_security
<?xml version="1.0" encoding="UTF-8"?>
<glassfish-web-app>
  <session-config>
    <cookie-properties>
      <property name="cookieSecure" value="[true|false|dynamic]"/>
    </cookie-properties>
  </session-config>
</glassfish-web-app>