Bug 1018898

Summary: Switchyard BPEL console should participate in Overlord SSO
Product: [JBoss] JBoss Fuse Service Works 6
Reporter: Eric Wittmann <eric.wittmann>
Component: BPEL Integration
Assignee: Eric Wittmann <eric.wittmann>
Status: CLOSED CURRENTRELEASE
QA Contact: Jiri Sedlacek <jsedlace>
Severity: unspecified
Priority: unspecified
Version: 6.0.0 GA
CC: ldimaggi, oskutka, soa-p-jira
Target Milestone: ER7
Target Release: 6.0.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug

Description Eric Wittmann 2013-10-14 16:14:28 UTC
Description of problem:
The switchyard bpel console has its own set of users and its own login.  It does not participate in the SSO used by the Overlord projects.

How reproducible:
Always

Steps to Reproduce:
1. Install FSW6
2. Log in to bpel-console

Actual results:
Separate login.

Expected results:
The common overlord login is used.

Comment 2 Eric Wittmann 2013-10-21 16:04:35 UTC
As requested, the BPEL console now leverages Overlord SSO as its authentication mechanism rather than its own.

The following implications (in no particular order) should be noted:

* the FSW Installer can stop prompting for a separate BPEL user.
* the FSW Installer should add "administrator" to the list of roles given to the "Governance Admin user" when creating it in overlord-idp-roles.properties
* the section of standalone.xml that configures the "overlord-jaxrs" login module must have ",/bpel-console" added to the 'value' attribute of the allowedIssuers module option

Also note that the BPEL REST services (located in bpel-console-server) are now protected by BASIC authentication instead of FORM auth.  This should (I hope) actually be a very good change for any customers who might be using them.  [Those services now also support SAML bearer token authentication]

Comment 3 Len DiMaggio 2014-01-08 15:51:25 UTC
Verified in ER8:

<security-domain name="bpel-console" cache-type="default">
                            <module-option name="allowedIssuers" value="/s-ramp-ui,/dtgov,/dtgov-ui,/gadget-web,/bpel-console"/>

Comment 4 Len DiMaggio 2014-01-08 15:52:07 UTC
Verified in ER8:

<security-domain name="bpel-console" cache-type="default">
                            <module-option name="allowedIssuers" value="/s-ramp-ui,/dtgov,/dtgov-ui,/gadget-web,/bpel-console"/>
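
Added example (not part of the original bug report or the product's code): a small check that a standalone.xml security domain lists a required context path in its allowedIssuers option, as Comment 2 requires and Comments 3 and 4 verify by hand. The sample XML is constructed; the namespace, the login-module code value and the "stale-domain" entry are placeholders, and the comma-separated format is taken from the fragment quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragment quoted in the comments above.
# The namespace, login-module "code" value and "stale-domain" are placeholders.
SAMPLE_STANDALONE = """\
<subsystem xmlns="urn:example:constructed">
  <security-domain name="bpel-console" cache-type="default">
    <authentication>
      <login-module code="EXAMPLE_LOGIN_MODULE" flag="required">
        <module-option name="allowedIssuers" value="/s-ramp-ui,/dtgov,/dtgov-ui,/gadget-web,/bpel-console"/>
      </login-module>
    </authentication>
  </security-domain>
  <security-domain name="stale-domain" cache-type="default">
    <authentication>
      <login-module code="EXAMPLE_LOGIN_MODULE" flag="required">
        <module-option name="allowedIssuers" value="/s-ramp-ui,/dtgov,/dtgov-ui,/gadget-web"/>
      </login-module>
    </authentication>
  </security-domain>
</subsystem>
"""

def local(tag):
    """Strip the XML namespace so the check does not depend on the schema version."""
    return tag.rsplit("}", 1)[-1]

def allowed_issuers(xml_text):
    """Map each security-domain name to its allowedIssuers entries (None if unset)."""
    result = {}
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "security-domain":
            continue
        issuers = None
        for opt in elem.iter():
            if local(opt.tag) == "module-option" and opt.get("name") == "allowedIssuers":
                # Entries are compared exactly; whitespace is not trimmed.
                issuers = [i for i in opt.get("value", "").split(",") if i]
        result[elem.get("name")] = issuers
    return result

def missing_issuers(xml_text, domain, required):
    """Return the required issuers absent from the domain's allowedIssuers list."""
    issuers = allowed_issuers(xml_text).get(domain)
    if issuers is None:
        return sorted(required)  # domain or option absent: every issuer is missing
    return sorted(set(required) - set(issuers))

if __name__ == "__main__":
    for name in ("bpel-console", "stale-domain"):
        print(name, missing_issuers(SAMPLE_STANDALONE, name, {"/bpel-console"}))
```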