25 Replies Latest reply on Feb 13, 2012 4:57 PM by mposolda

    GateIn 3.2.0-Beta01 + OpenAM

    kkas

      Hi everyone.

       

      I am trying to integrate GateIn(3.2.0-Beta01) + OpenAM(9.5.3), but it doesn't work yet.

      I followed all the steps at Chapter 6.6.5 in the Reference Guide, and changed a few things like these:

       

1. Fixed syntax error in jaas.conf

2. Fixed OpenAM URL and GateIn URL in web.xml

        OpenAM URL

          localhost:8888/opensso -> openam.example.com:8080/openam

        GateIn URL

          localhost:8080 -> gatein.example.com:8080

       

       

      After setting, I tried to login GateIn page with root account, but

      "java.lang.ClassNotFoundException: org.apache.commons.httpclient.HttpMethod" error occurred,

      so I installed "commons-httpclient-3.1.jar" to ${GATEIN_HOME}/lib.

       

But the error below still occurred.

      ----------------------

      javax.security.auth.login.LoginException: Login failed for root

              at org.exoplatform.services.security.jaas.DefaultLoginModule.login(DefaultLoginModule.java:134)

              at sun.reflect.GeneratedMethodAccessor157.invoke(Unknown Source)

              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

              at java.lang.reflect.Method.invoke(Method.java:616)

              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)

              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)

              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)

      ----------------------

       

      Does someone know this issue?

      Am I missing some settings or procedures?

       

      Thanks for your help.

       

      ssloss

        • 1. Re: GateIn 3.2.0-Beta01 + OpenAM
          macois

          Hello,

           

Could you describe exactly which files you have modified and which files you have added/deleted, please!

You know SSO is terribly complicated; many things could cause trouble, so we need all the information in order to debug your problem.

           

          • jaas.conf,
          • web.xml,
          • ...

           

The only thing I can tell for the moment is: "You seem to use localhost as a domain??? in order to access OpenAM and GateIn??? Do you declare localhost as a synonym domain for the real FQDN in the OpenAM configuration? Because, by default, OpenAM can only work with an FQDN."

           

          Regards,

           

          Thanks,

           

          Macois.

          • 2. Re: GateIn 3.2.0-Beta01 + OpenAM
            kkas

            Hi Macois

             

            Thanks for your reply.

             

I use the domains below, and they work with GateIn 3.1.0-FINAL + OpenAM 9.5.3.

             

            Domain

            OpenAM:openam.example.com

            GateIn:gatein.example.com

             

            And I use latest SSO library(sso-packaging-1.1.0-GA.zip).

             

            All the steps I did are

             

            1. Copy AuthenticationPlugin.xml in gatein-sso-1.1.0-GA/opensso/plugin/config/auth/default

               to TOMCAT_HOME/webapps/openam/config/auth/default/

             

            2. Copy all the jar files in gatein-sso-1.1.0-GA/opensso/plugin/WEB-INF/lib/

               to TOMCAT_HOME/webapps/openam/WEB-INF/lib

             

            3. Copy gatein.properties in gatein-sso-1.1.0-GA/opensso/plugin/WEB-INF/classes

               to TOMCAT_HOME/webapps/openam/WEB-INF/classes

             

            4. Copy all the jar files in gatein-sso-1.1.0-GA/opensso/gatein.ear/lib

               to GATEIN_HOME/lib

             

5. Configure the "gatein" realm (Reference Guide)

             

            6. Modify GATEIN_HOME/conf/jaas.conf file like this:

            ------------------

            gatein-domain {

              //org.gatein.wci.security.WCILoginModule optional;

              //org.exoplatform.services.security.jaas.SharedStateLoginModule required;

              //org.exoplatform.services.security.j2ee.TomcatLoginModule required;

             

  // Uncomment the following part (and comment the other part) for OpenSSO integration

              org.gatein.sso.agent.login.SSOLoginModule required;

              org.exoplatform.services.security.j2ee.TomcatLoginModule required

                portalContainerName="portal"

                realmName="gatein-domain";

             

            };

            ------------------

             

            7. Access to http://openam.example.com:8080/openam/UI/Login?realm=gatein and

               login with the username root and the password gtn.

             

            8. Modify the GATEIN_HOME/webapps/web/groovy/groovy/webui/component/UIBannerPortlet.gtml file like this:

            ------------------

            <!--

            <a class="Login" onclick="$signInAction"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>

            -->

            <a class="Login" href="/portal/sso"><%=_ctx.appRes("UILoginForm.label.Signin")%></a>

            ------------------

             

            9. Modify the GATEIN_HOME/webapps/web/groovy/portal/webui/component/UILogoPortlet.gtmpl file like this:

            ------------------

            <!--

            <a onclick="$signInAction"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>

            -->

            <a href="/portal/sso"><%=_ctx.appRes("UILogoPortlet.action.signin")%></a>

            ------------------

             

            10. Replace the entire contents of GATEIN_HOME/webapps/portal/login/jsp/login.jsp with:

            ------------------

            <html>

              <head>

                <script type="text/javascript">

                 window.location = '/portal/sso';

                </script>

              </head>

              <body>

              </body>

            </html>

            ------------------

             

            11. Add the following Filters at the top of the filter chain in GATEIN_HOME/webapps/portal/WEB-INF/web.xml

            ------------------

            <filter>

               <filter-name>LoginRedirectFilter</filter-name>

               <filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>

               <init-param>

                  <!-- This should point to your SSO authentication server -->

                  <param-name>LOGIN_URL</param-name>

                  <param-value>http://openam.example.com:8080/openam/UI/Login?realm=gatein&amp;goto=http://gatein.example.com:8080/portal/initiatessologin</param-value>

               </init-param>

            </filter>

            <filter>

               <filter-name>OpenSSOLogoutFilter</filter-name>

               <filter-class>org.gatein.sso.agent.filter.OpenSSOLogoutFilter</filter-class>

               <init-param>

                  <!-- This should point to your SSO authentication server -->

                  <param-name>LOGOUT_URL</param-name>

                  <param-value>http://openam.example.com:8080/openam/UI/Logout</param-value>

               </init-param>

            </filter>

            <filter>

               <filter-name>InitiateLoginFilter</filter-name>

               <filter-class>org.gatein.sso.agent.filter.InitiateLoginFilter</filter-class>

               <init-param>

                  <param-name>ssoServerUrl</param-name>

                  <param-value>http://openam.example.com:8080/openam</param-value>

               </init-param>

               <init-param>

                  <param-name>loginUrl</param-name>

                  <param-value>http://gatein.example.com:8080/portal/dologin</param-value>

               </init-param>

               <init-param>

                  <param-name>ssoCookieName</param-name>

                  <param-value>iPlanetDirectoryPro</param-value>

               </init-param>

            </filter>

             

            <!-- Mapping the filters at the very top of the filter chain -->

            <filter-mapping>

               <filter-name>LoginRedirectFilter</filter-name>

               <url-pattern>/*</url-pattern>

            </filter-mapping>

            <filter-mapping>

               <filter-name>OpenSSOLogoutFilter</filter-name>

               <url-pattern>/*</url-pattern>

            </filter-mapping>

            <filter-mapping>

               <filter-name>InitiateLoginFilter</filter-name>

               <url-pattern>/initiatessologin</url-pattern>

            </filter-mapping>

            ------------------

             

            12. Add gatein-sso-1.1.0-GA/opensso/plugin/WEB-INF/lib/commons-httpclient-3.1.jar

                to GATEIN_HOME/lib because of ClassNotFoundException

             

Then an infinite loop happens when I login with root/gtn.

             

            Thank you for your help.

             

            ssloss

             

2012/2/7 comment added

            Sorry, I modified a red-letter part.
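The replies in this thread turn on a few consistency points in the step 11 web.xml: the three SSO filters must be mapped first, the `goto=` target of `LOGIN_URL` must come back to a path that `InitiateLoginFilter` handles, and every server URL must use a real FQDN rather than localhost (OpenAM only issues its session cookie for the configured FQDN). The following script is an added example, not code from the thread or from the GateIn/OpenAM projects; it parses a web.xml fragment shaped like the posted one and reports violations of those points. The sample fragment embedded below is constructed for this example, using the element and parameter names from the posted configuration.

```python
"""Consistency checks for the GateIn SSO agent entries in web.xml (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

# The three agent filters, in the order the posted web.xml maps them.
SSO_FILTERS = ("LoginRedirectFilter", "OpenSSOLogoutFilter", "InitiateLoginFilter")

# Constructed sample: the step 11 fragment wrapped in a <web-app> root so it parses.
SAMPLE_WEB_XML = """<web-app>
  <filter>
    <filter-name>LoginRedirectFilter</filter-name>
    <filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
    <init-param><param-name>LOGIN_URL</param-name>
      <param-value>http://openam.example.com:8080/openam/UI/Login?realm=gatein&amp;goto=http://gatein.example.com:8080/portal/initiatessologin</param-value></init-param>
  </filter>
  <filter>
    <filter-name>OpenSSOLogoutFilter</filter-name>
    <filter-class>org.gatein.sso.agent.filter.OpenSSOLogoutFilter</filter-class>
    <init-param><param-name>LOGOUT_URL</param-name>
      <param-value>http://openam.example.com:8080/openam/UI/Logout</param-value></init-param>
  </filter>
  <filter>
    <filter-name>InitiateLoginFilter</filter-name>
    <filter-class>org.gatein.sso.agent.filter.InitiateLoginFilter</filter-class>
    <init-param><param-name>ssoServerUrl</param-name>
      <param-value>http://openam.example.com:8080/openam</param-value></init-param>
    <init-param><param-name>loginUrl</param-name>
      <param-value>http://gatein.example.com:8080/portal/dologin</param-value></init-param>
    <init-param><param-name>ssoCookieName</param-name>
      <param-value>iPlanetDirectoryPro</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>LoginRedirectFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>OpenSSOLogoutFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>InitiateLoginFilter</filter-name><url-pattern>/initiatessologin</url-pattern></filter-mapping>
</web-app>
"""


def _text(el, tag):
    """Whitespace-stripped text of a child element ('' when absent)."""
    return (el.findtext(tag) or "").strip()


def _is_fqdn(url):
    """True when the URL's host is a dotted name and not localhost."""
    host = urlparse(url).hostname or ""
    return host != "localhost" and "." in host


def check_sso_web_xml(xml_text):
    """Return a list of problem strings; an empty list means the fragment is consistent."""
    root = ET.fromstring(xml_text)
    filters = {_text(f, "filter-name"): {_text(p, "param-name"): _text(p, "param-value")
                                          for p in f.findall("init-param")}
               for f in root.findall("filter")}
    mappings = [(_text(m, "filter-name"), _text(m, "url-pattern"))
                for m in root.findall("filter-mapping")]
    problems = []

    missing = [n for n in SSO_FILTERS if n not in filters]
    if missing:
        return ["missing <filter> definition(s): " + ", ".join(missing)]

    # 1. The SSO filters have to be the first mappings in the chain, in this order.
    head = [name for name, _ in mappings[:len(SSO_FILTERS)]]
    if head != list(SSO_FILTERS):
        problems.append("SSO filters are not the first three filter-mappings: %r" % head)

    # 2. goto= in LOGIN_URL must return to a path that InitiateLoginFilter is mapped on.
    login_url = filters["LoginRedirectFilter"].get("LOGIN_URL", "")
    goto = parse_qs(urlparse(login_url).query).get("goto", [""])[0]
    patterns = [p for n, p in mappings if n == "InitiateLoginFilter"]
    if not any(urlparse(goto).path.endswith(p) for p in patterns if p):
        problems.append("goto target %r is not handled by InitiateLoginFilter (%r)" % (goto, patterns))

    # 3. OpenAM needs its configured FQDN; localhost breaks cookie issuance.
    urls = {
        "LOGIN_URL": login_url,
        "goto": goto,
        "LOGOUT_URL": filters["OpenSSOLogoutFilter"].get("LOGOUT_URL", ""),
        "ssoServerUrl": filters["InitiateLoginFilter"].get("ssoServerUrl", ""),
        "loginUrl": filters["InitiateLoginFilter"].get("loginUrl", ""),
    }
    for key, url in urls.items():
        if not _is_fqdn(url):
            problems.append("%s does not use an FQDN host: %r" % (key, url))

    # 4. The agent must know the cookie name OpenAM actually issues.
    if not filters["InitiateLoginFilter"].get("ssoCookieName"):
        problems.append("InitiateLoginFilter has no ssoCookieName")
    return problems


if __name__ == "__main__":
    for problem in check_sso_web_xml(SAMPLE_WEB_XML) or ["no problems found"]:
        print(problem)
```

Run it against the real `GATEIN_HOME/webapps/portal/WEB-INF/web.xml` by reading the file into `check_sso_web_xml`; a deployment with `localhost` in any of the URLs, or with the filters mapped after other filters, is reported before any login attempt is made.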

            • 3. Re: GateIn 3.2.0-Beta01 + OpenAM
              ndkhoiits

Please access the URL gateindomain/rest/sso/authcallback/auth/root/gtn, and let's see whether the return value in the browser is true or not.
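The callback URL in this reply carries the username and password as path segments, so every request to it, whether from the OpenAM authentication plugin or from a browser used for this check, leaves the password in the servlet container's access log and in browser history. The following script is an added example, not part of the thread or of GateIn; it scans combined-format access log lines for such requests, reports the client and user for each, and returns a redacted copy of the log that can be retained safely. The log lines are constructed for this example, and the optional `/portal` prefix in the path pattern is an assumption.

```python
"""Detect and redact GateIn SSO auth-callback credentials in access logs (added example)."""
import re

# Combined/common access log format: client, identity fields, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# The callback path quoted in the thread; the leading /portal context is an assumption.
CALLBACK_RE = re.compile(
    r"^(?P<prefix>(?:/portal)?/rest/sso/authcallback/auth/)"
    r"(?P<user>[^/?]+)/(?P<secret>[^/?]+)(?P<rest>.*)$"
)

# Constructed sample log: two callback hits, two ordinary requests, one unparseable line.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Feb/2012:10:12:01 +0900] "GET /portal/ HTTP/1.1" 200 4521
10.0.0.9 - - [07/Feb/2012:10:12:07 +0900] "GET /portal/rest/sso/authcallback/auth/root/gtn HTTP/1.1" 200 4
10.0.0.5 - - [07/Feb/2012:10:12:09 +0900] "GET /portal/initiatessologin HTTP/1.1" 302 -
this line is not an access log record
10.0.0.9 - - [07/Feb/2012:10:12:15 +0900] "GET /rest/sso/authcallback/auth/john/s3cret?x=1 HTTP/1.1" 200 5
"""


def scan_access_log(text):
    """Return (findings, redacted_text).

    findings is a list of (client, user, status) for every auth-callback request;
    redacted_text is the log with each password segment replaced by [REDACTED].
    Lines that do not parse are passed through unchanged.
    """
    findings, out = [], []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        hit = CALLBACK_RE.match(m.group("path")) if m else None
        if hit:
            findings.append((m.group("client"), hit.group("user"), int(m.group("status"))))
            redacted_path = hit.group("prefix") + hit.group("user") + "/[REDACTED]" + hit.group("rest")
            line = line.replace(m.group("path"), redacted_path, 1)
        out.append(line)
    return findings, "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    found, clean = scan_access_log(SAMPLE_LOG)
    for client, user, status in found:
        print("auth callback from %s for user %s (HTTP %s)" % (client, user, status))
    print(clean)
```

Requests to this path from any client other than the OpenAM host are worth alerting on, since the plugin is the only legitimate caller; the `client` field in each finding gives that check directly.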

              • 4. Re: GateIn 3.2.0-Beta01 + OpenAM
                macois

                Okay,

                 

Could you try to check (and change) the name of the cookie to "rememberme" in the SSO Server (and RESTART everything):

                 

Configuration → Servers and Sites → Default Server Settings → Advanced

com.iplanet.am.cookie.c66Encode = true

Click "Save"

Click the Security tab.

Change "Cookie name" → rememberme

Check the box next to "Encode cookie value".

Click "Save" → "Back to Servers and Sites"

                 

                (because of : https://fisheye.exoplatform.org/browse/gatein/components/sso/trunk/agent/src/main/java/org/gatein/sso/agent/opensso/OpenSSOAgent.java?r=7960&r=8286)

                 

And (for another problem you may encounter in the future) in the web.xml of the portal webapp:

                 

                <servlet>

                  <servlet-name>ErrorLoginServlet</servlet-name>

                  <servlet-class>org.gatein.sso.agent.GenericSSOAgent</servlet-class>

                </servlet>

                 

                Regards,

                 

                F.

                • 5. Re: GateIn 3.2.0-Beta01 + OpenAM
                  kkas

                  Hi Nguyen

                   

                  Thanks for your help.

                  I accessed the URL, and the return value in the browser was "true".

                   

                  ssloss

                  • 6. Re: GateIn 3.2.0-Beta01 + OpenAM
                    macois
                    • 7. Re: GateIn 3.2.0-Beta01 + OpenAM
                      ndkhoiits

                      Ahhh, there is a problem with GateIn 3.2 and SSO. You have to use GateIn 3.2 JBoss bundle for integration, currently it doesn't work if you run GateIn in Tomcat.

                       

Would you like to re-check with JBoss and let me know if everything is ok?

                       

Thanks

                      • 8. Re: GateIn 3.2.0-Beta01 + OpenAM
                        kkas

                        Hi macois

                         

                        I didn't mention but I already changed this setting.

com.iplanet.am.cookie.c66Encode = true

                         

                        I don't know what this means...uncheck the checkbox of "encoding the value of the cookie"?

                        (I tried both)

  Check the box next to "Encode cookie value".

                         

                        Then changed the name of cookie to "rememberme", but error page comes out because of the cookie's problem...

                         

The file web.xml is changed a little bit in the new version of GateIn, and the part you mention looks like this:

                        -------------------

                        <servlet>

                                <servlet-name>ErrorLoginServlet</servlet-name>

                                <servlet-class>org.exoplatform.web.login.ErrorLoginServlet</servlet-class>

                        </servlet>

                        -------------------

                         

                        Thanks for your help.

                         

                        ssloss

                        • 9. Re: GateIn 3.2.0-Beta01 + OpenAM
                          macois

  Check the box next to "Encode cookie value".

                           

                          ==> Check the input "Encode cookie value"

                          • 10. Re: GateIn 3.2.0-Beta01 + OpenAM
                            macois

                            Some news ?

                            • 11. Re: GateIn 3.2.0-Beta01 + OpenAM
                              ndkhoiits

                              As above mentioned, did you try with JBoss bundle instead of Tomcat?

                               

                              There was a problem in GateIn 3.2 Tomcat bundle and SSO integration.

                              • 12. Re: GateIn 3.2.0-Beta01 + OpenAM
                                kkas

                                Hi Nguyen and macois

                                 

                                Thanks for the information about everything.

                                 

                                I don't have time to try with JBoss yet.

                                I wonder what is the problem with GateIn 3.2 with Tomcat.

                                Please explain to me?

                                 

                                Thanks.

                                 

                                ssloss

                                • 13. Re: GateIn 3.2.0-Beta01 + OpenAM
                                  ndkhoiits

In the new version of GateIn SSO, there is a new requirement for clustering mode: the clustered config checks credentials stored and propagated in the session. This won't work in Tomcat because of the lack of JACC PolicyContext.

                                  • 14. Re: GateIn 3.2.0-Beta01 + OpenAM
                                    kkas

                                    Hi Nguyen

                                     

Thanks for your reply.

So, in this case, don't we have any solution for the integration of the GateIn 3.2 Tomcat bundle with OpenAM?

                                     

                                    By the way, I tried GateIn 3.2 JBoss bundle for the integration, and it works.

                                     

                                    ssloss
