25 Replies. Latest reply: Feb 13, 2012 4:57 PM by Marek Posolda

GateIn 3.2.0-Beta01 + OpenAM

ssl oss Newbie

Hi everyone.

 

I am trying to integrate GateIn(3.2.0-Beta01) + OpenAM(9.5.3), but it doesn't work yet.

I followed all the steps at Chapter 6.6.5 in the Reference Guide, and changed a few things like these:

 

1. Fixed syntax error in jaas.conf

2. Fixed OpenAM URL and GateIn URL in web.xml

  OpenAM URL

    localhost:8888/opensso -> openam.example.com:8080/openam

  GateIn URL

    localhost:8080 -> gatein.example.com:8080

 

 

After setting this up, I tried to log in to the GateIn page with the root account, but a

"java.lang.ClassNotFoundException: org.apache.commons.httpclient.HttpMethod" error occurred,

so I installed "commons-httpclient-3.1.jar" to ${GATEIN_HOME}/lib.

But the error below still occurred.

----------------------
javax.security.auth.login.LoginException: Login failed for root
        at org.exoplatform.services.security.jaas.DefaultLoginModule.login(DefaultLoginModule.java:134)
        at sun.reflect.GeneratedMethodAccessor157.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
----------------------

 

Does someone know this issue?

Am I missing some settings or procedures?

 

Thanks for your help.

 

ssloss

  • 1. Re: GateIn 3.2.0-Beta01 + OpenAM
    macois Newbie

    Hello,

     

    Could you describe exactly which files you have modified and which files you have added/deleted, please?

    You know SSO is terribly complicated, many things could cause trouble, so we need all the information in order to debug your problem.

     

    • jaas.conf,
    • web.xml,
    • ...

     

    The only thing I can tell for the moment is: "You seem to use localhost as a domain??? And in order to access OpenAM and GateIn??? Do you declare localhost as a synonym domain for the real FQDN in the OpenAM configuration? Because OpenAM by default can only work with an FQDN."

     

    Regards,

     

    Thanks,

     

    Macois.

  • 2. Re: GateIn 3.2.0-Beta01 + OpenAM
    ssl oss Newbie

    Hi Macois

     

    Thanks for your reply.

     

    I use the domain below, and those work on the GateIn 3.1.0-FINAL + OpenAM9.5.3.

     

    Domain

    OpenAM:openam.example.com

    GateIn:gatein.example.com

     

    And I use latest SSO library(sso-packaging-1.1.0-GA.zip).

     

    All the steps I did are

     

    1. Copy AuthenticationPlugin.xml in gatein-sso-1.1.0-GA/opensso/plugin/config/auth/default

       to TOMCAT_HOME/webapps/openam/config/auth/default/

     

    2. Copy all the jar files in gatein-sso-1.1.0-GA/opensso/plugin/WEB-INF/lib/

       to TOMCAT_HOME/webapps/openam/WEB-INF/lib

     

    3. Copy gatein.properties in gatein-sso-1.1.0-GA/opensso/plugin/WEB-INF/classes

       to TOMCAT_HOME/webapps/openam/WEB-INF/classes

     

    4. Copy all the jar files in gatein-sso-1.1.0-GA/opensso/gatein.ear/lib

       to GATEIN_HOME/lib

     

    5. Configure the "gatein" realm (as in the Reference Guide)

     

    6. Modify GATEIN_HOME/conf/jaas.conf file like this:

    ------------------
    gatein-domain {
      //org.gatein.wci.security.WCILoginModule optional;
      //org.exoplatform.services.security.jaas.SharedStateLoginModule required;
      //org.exoplatform.services.security.j2ee.TomcatLoginModule required;

      // Uncomment the following part (and comment the other part for CAS integration
      org.gatein.sso.agent.login.SSOLoginModule required;
      org.exoplatform.services.security.j2ee.TomcatLoginModule required
        portalContainerName="portal"
        realmName="gatein-domain";

    };
    ------------------

     

    7. Access http://openam.example.com:8080/openam/UI/Login?realm=gatein and

       log in with the username root and the password gtn.

     

    8. Modify the GATEIN_HOME/webapps/web/groovy/groovy/webui/component/UIBannerPortlet.gtml file like this:

    ------------------
    <!--
    <a class="Login" onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
    -->
    <a class="Login" href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>
    ------------------

     

    9. Modify the GATEIN_HOME/webapps/web/groovy/portal/webui/component/UILogoPortlet.gtmpl file like this:

    ------------------
    <!--
    <a onclick="$signInAction"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
    -->
    <a href="/portal/sso"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>
    ------------------

     

    10. Replace the entire contents of GATEIN_HOME/webapps/portal/login/jsp/login.jsp with:

    ------------------
    <html>
      <head>
        <script type="text/javascript">
         window.location = '/portal/sso';
        </script>
      </head>
      <body>
      </body>
    </html>
    ------------------

     

    11. Add the following Filters at the top of the filter chain in GATEIN_HOME/webapps/portal/WEB-INF/web.xml

    ------------------
    <filter>
       <filter-name>LoginRedirectFilter</filter-name>
       <filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
       <init-param>
          <!-- This should point to your SSO authentication server -->
          <param-name>LOGIN_URL</param-name>
          <param-value>http://openam.example.com:8080/openam/UI/Login?realm=gatein&amp;goto=http://gatein.example.com:8080/portal/initiatessologin</param-value>
       </init-param>
    </filter>
    <filter>
       <filter-name>OpenSSOLogoutFilter</filter-name>
       <filter-class>org.gatein.sso.agent.filter.OpenSSOLogoutFilter</filter-class>
       <init-param>
          <!-- This should point to your SSO authentication server -->
          <param-name>LOGOUT_URL</param-name>
          <param-value>http://openam.example.com:8080/openam/UI/Logout</param-value>
       </init-param>
    </filter>
    <filter>
       <filter-name>InitiateLoginFilter</filter-name>
       <filter-class>org.gatein.sso.agent.filter.InitiateLoginFilter</filter-class>
       <init-param>
          <param-name>ssoServerUrl</param-name>
          <param-value>http://openam.example.com:8080/openam</param-value>
       </init-param>
       <init-param>
          <param-name>loginUrl</param-name>
          <param-value>http://gatein.example.com:8080/portal/dologin</param-value>
       </init-param>
       <init-param>
          <param-name>ssoCookieName</param-name>
          <param-value>iPlanetDirectoryPro</param-value>
       </init-param>
    </filter>

    <!-- Mapping the filters at the very top of the filter chain -->
    <filter-mapping>
       <filter-name>LoginRedirectFilter</filter-name>
       <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
       <filter-name>OpenSSOLogoutFilter</filter-name>
       <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
       <filter-name>InitiateLoginFilter</filter-name>
       <url-pattern>/initiatessologin</url-pattern>
    </filter-mapping>
    ------------------

     

    12. Add gatein-sso-1.1.0-GA/opensso/plugin/WEB-INF/lib/commons-httpclient-3.1.jar

        to GATEIN_HOME/lib because of ClassNotFoundException

     

    Then, an infinite loop happens when I log in with root/gtn.

     

    Thank you for your help.

     

    ssloss

     

    2012/2/7 comment add

    Sorry, I modified a red-letter part.

  • 3. Re: GateIn 3.2.0-Beta01 + OpenAM
    Khoi Nguyen Novice

    Please access the URL gateindomain/rest/sso/authcallback/auth/root/gtn, and let's see whether the return value in the browser is true or not.

  • 4. Re: GateIn 3.2.0-Beta01 + OpenAM
    macois Newbie

    Okay,

     

    Could you try to check (and change) the name of the cookie to "rememberme" in the SSO server (and RESTART everything):

    Configuration → Servers and Sites → Default Server Settings → Advanced

    com.iplanet.am.cookie.c66Encode = true

    Click "Save"

    Click the Security tab.

    Change "Cookie Name" → rememberme

    Check the box next to "Encode cookie value" (in the French console: Cocher la case contre "Coder la valeur du cookie").

    Click "Save" → "Back to Servers and Sites"

     

    (because of : https://fisheye.exoplatform.org/browse/gatein/components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/opensso/OpenSSOAgent.java?r=7960&r=8286)

     

    And (for another future problem you may encounter) in the web.xml of the portal webapp:

     

    <servlet>
      <servlet-name>ErrorLoginServlet</servlet-name>
      <servlet-class>org.gatein.sso.agent.GenericSSOAgent</servlet-class>
    </servlet>

     

    Regards,

     

    F.
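
The settings discussed in replies 1, 2 and 4 can be cross-checked mechanically. The following is an added example, not part of any post in this thread and not GateIn or OpenAM code: it reads the filter init-params from web.xml and compares them with the cookie name and cookie domain read by hand from the OpenAM console. The function names, finding labels and the cookie domain values are assumptions made for illustration, as is the premise that the agent looks for the token in the cookie named by ssoCookieName.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample: filters from reply 2, reduced to their init-params.
WEB_XML = """<web-app>
<filter><filter-name>LoginRedirectFilter</filter-name><init-param>
 <param-name>LOGIN_URL</param-name>
 <param-value>http://openam.example.com:8080/openam/UI/Login?realm=gatein&amp;goto=http://gatein.example.com:8080/portal/initiatessologin</param-value>
</init-param></filter>
<filter><filter-name>InitiateLoginFilter</filter-name>
 <init-param><param-name>ssoServerUrl</param-name>
  <param-value>http://openam.example.com:8080/openam</param-value></init-param>
 <init-param><param-name>loginUrl</param-name>
  <param-value>http://gatein.example.com:8080/portal/dologin</param-value></init-param>
 <init-param><param-name>ssoCookieName</param-name>
  <param-value>iPlanetDirectoryPro</param-value></init-param>
</filter></web-app>"""

def filter_params(web_xml):
    """Return {filter-name: {param-name: param-value}} for every <filter>."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]  # ignore an xmlns on <web-app>
    return {f.findtext("filter-name").strip():
            {p.findtext("param-name").strip(): p.findtext("param-value").strip()
             for p in f.iter("init-param")}
            for f in root.iter("filter")}

def check_sso(web_xml, server_cookie_name, server_cookie_domain):
    """Compare the portal filters with values read by hand from the OpenAM console."""
    params = filter_params(web_xml)
    init = params["InitiateLoginFilter"]
    login = urlsplit(params["LoginRedirectFilter"]["LOGIN_URL"])
    sso, portal = urlsplit(init["ssoServerUrl"]), urlsplit(init["loginUrl"])
    goto = urlsplit(parse_qs(login.query).get("goto", [""])[0])
    findings = []
    if init["ssoCookieName"] != server_cookie_name:
        findings.append("cookie-name-mismatch")
    for host in (sso.hostname or "", portal.hostname or ""):
        if "." not in host:  # e.g. localhost
            findings.append("not-fqdn:" + host)
        elif not ("." + host).endswith("." + server_cookie_domain.lstrip(".")):
            findings.append("cookie-not-sent-to:" + host)  # browser will not send it
    if goto.hostname != portal.hostname or not goto.path.endswith("/initiatessologin"):
        findings.append("goto-does-not-reach-InitiateLoginFilter")
    if "http" in (login.scheme, sso.scheme, portal.scheme):
        findings.append("token-cookie-over-plain-http")
    return findings
```

With the values from reply 2 and a constructed cookie domain of `.example.com`, the only finding is that the SSO token cookie travels over plain HTTP; renaming the cookie on the server without updating ssoCookieName, or scoping it to the OpenAM host alone, each adds a finding.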

  • 5. Re: GateIn 3.2.0-Beta01 + OpenAM
    ssl oss Newbie

    Hi Nguyen

     

    Thanks for your help.

    I accessed the URL, and the return value in the browser was "true".

     

    ssloss

  • 6. Re: GateIn 3.2.0-Beta01 + OpenAM
    macois Newbie
  • 7. Re: GateIn 3.2.0-Beta01 + OpenAM
    Khoi Nguyen Novice

    Ahhh, there is a problem with GateIn 3.2 and SSO. You have to use the GateIn 3.2 JBoss bundle for integration; currently it doesn't work if you run GateIn in Tomcat.

    Would you re-check with JBoss and let me know if everything is OK?

    Thanks

  • 8. Re: GateIn 3.2.0-Beta01 + OpenAM
    ssl oss Newbie

    Hi macois

     

    I didn't mention but I already changed this setting.

    com.iplanet.am.cookie.c66Encode = true

     

    I don't know what this means...uncheck the checkbox of "encoding the value of the cookie"?

    (I tried both)

      Cocher la case contre "Coder la valeur du cookie".

     

    Then changed the name of cookie to "rememberme", but error page comes out because of the cookie's problem...

     

    The file web.xml is a little bit changed in the new version of GateIn, and the part you mention is like this:

    -------------------
    <servlet>
            <servlet-name>ErrorLoginServlet</servlet-name>
            <servlet-class>org.exoplatform.web.login.ErrorLoginServlet</servlet-class>
    </servlet>
    -------------------

     

    Thanks for your help.

     

    ssloss

  • 9. Re: GateIn 3.2.0-Beta01 + OpenAM
    macois Newbie

      Cocher la case contre "Coder la valeur du cookie".

     

    ==> Check the input "Encode cookie value"

  • 10. Re: GateIn 3.2.0-Beta01 + OpenAM
    macois Newbie

    Any news?

  • 11. Re: GateIn 3.2.0-Beta01 + OpenAM
    Khoi Nguyen Novice

    As mentioned above, did you try with the JBoss bundle instead of Tomcat?

    There was a problem in the GateIn 3.2 Tomcat bundle and SSO integration.

  • 12. Re: GateIn 3.2.0-Beta01 + OpenAM
    ssl oss Newbie

    Hi Nguyen and macois

     

    Thanks for the information about everything.

     

    I don't have time to try with JBoss yet.

    I wonder what is the problem with GateIn 3.2 with Tomcat.

    Please explain to me?

     

    Thanks.

     

    ssloss

  • 13. Re: GateIn 3.2.0-Beta01 + OpenAM
    Khoi Nguyen Novice

    In the new version of GateIn SSO, there is a new requirement for clustering mode: the clustered config checks credentials stored and propagated in the session. This won't work in Tomcat because of the lack of JACC PolicyContext.

  • 14. Re: GateIn 3.2.0-Beta01 + OpenAM
    ssl oss Newbie

    Hi Nguyen

     

    Thanks for your reply.

    So, in this case, don't we have any solution for the integration of the GateIn 3.2 Tomcat bundle with OpenAM?

     

    By the way, I tried GateIn 3.2 JBoss bundle for the integration, and it works.

     

    ssloss
