Bug 794312 (JBEPP-1361)

Summary: JBoss SSO valve integration improvement
Product: [JBoss] JBoss Enterprise Portal Platform 5
Reporter: mposolda
Component: Portal
Assignee: mposolda
Status: CLOSED NEXTRELEASE
Severity: high
Priority: high
Version: 5.2.0.ER06
CC: epp-bugs, mposolda
Target Milestone: ---   
Target Release: 5.2.0.CR01   
Hardware: Unspecified   
OS: Unspecified   
URL: http://jira.jboss.org/jira/browse/JBEPP-1361
Doc Type: Bug Fix
Last Closed: 2011-11-15 09:14:04 UTC
Type: Enhancement
Attachments: ClusteredSSOValve_patch.patch

Description mposolda 2011-11-14 22:06:30 UTC
Affects: Release Notes
project_key: JBEPP

The JBoss clustered SSO valve requires reauthentication on the second cluster node, and it needs to authenticate with the same password on both cluster nodes. The bad thing is that the EPP login process is not standard, so the user credentials seen by JBossWeb and by the SSO valve are not something like "root"/"gtn" but something like "root"/"wci-ticket-123456". So integration with the clustered SSO valve requires a workaround by customers. They need to switch to BASIC HTTP authentication or patch login.jsp to call "/portal/j_security_check" directly instead of "/portal/login" and bypass the standard EPP login process (which is described in JBEPP-615 and in the EPP reference guide).

Comment 1 mposolda 2011-11-14 22:10:17 UTC
I have a solution for the SSO valve: adding a new servlet filter, which updates the SSO valve with the real credentials of the user when it detects a user login. This will help people avoid the workaround currently needed for the SSO valve (switching to BASIC or editing login.jsp).

I am attaching a patch with the new filter. I've tested it with the EPP 5.2.0 branch and also with GateIn on JBoss, and there should not be a risk in adding it to the EPP 5.2 branch (the filter works correctly with the valve enabled and disabled).

Still, I am not sure whether it can be added at this stage of testing, or whether to add it later and have the fix in EPP 5.2.1. It will also require some changes in the documentation (deleting some parts related to patching login.jsp and switching to BASIC authentication, as these won't be needed anymore).
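
A minimal model of the failure described in this bug and of the effect of the fix, added here as an illustration; it is not code from ClusteredSSOValve_patch.patch, JBoss or EPP. The class and method names are hypothetical, and the model assumes that a login ticket is valid only on the node that issued it and only once.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Constructed model (not JBoss or EPP code) of SSO re-authentication on failover.
public class SsoReauthModel {

    // One cluster node. Every node knows the real passwords, but a login
    // ticket is valid only on the node that issued it, and only once (assumption).
    static class Node {
        private final Map<String, String> passwords = Map.of("root", "gtn");
        private final Map<String, String> tickets = new HashMap<>(); // ticket -> user

        String issueTicket(String user, String password) {
            if (!password.equals(passwords.get(user))) return null;
            String ticket = "wci-ticket-" + UUID.randomUUID();
            tickets.put(ticket, user);
            return ticket;
        }

        boolean authenticate(String user, String credential) {
            if (credential.equals(passwords.get(user))) return true;
            return user.equals(tickets.remove(credential)); // consumes the ticket
        }
    }

    // Logs in on node 1, then replays the replicated SSO entry on node 2.
    static boolean loginThenFailover(boolean filterEnabled) {
        Node node1 = new Node();
        Node node2 = new Node();
        Map<String, String[]> ssoCache = new HashMap<>(); // replicated SSO entries

        String ticket = node1.issueTicket("root", "gtn");
        if (ticket == null || !node1.authenticate("root", ticket)) return false;
        ssoCache.put("sso-1", new String[] {"root", ticket}); // what the valve saw

        if (filterEnabled) { // the filter overwrites the entry with the real credential
            ssoCache.put("sso-1", new String[] {"root", "gtn"});
        }
        String[] cached = ssoCache.get("sso-1");
        return node2.authenticate(cached[0], cached[1]); // re-authentication on node 2
    }

    public static void main(String[] args) {
        System.out.println("ticket in SSO cache:   " + loginThenFailover(false));
        System.out.println("password in SSO cache: " + loginThenFailover(true));
    }
}
```

In the model, as in the fix described in Comment 1, the entry used for re-authentication ends up holding the user's real credential, so whatever stores or replicates that entry needs to be treated as sensitive.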

Comment 2 mposolda 2011-11-14 22:11:13 UTC
Attachment: Added: ClusteredSSOValve_patch.patch


Comment 3 mposolda 2011-11-15 09:14:04 UTC
Release Notes Text: Added: Added JBossClusteredSSOValveFilter to help integration with JBoss SSO valve and avoid bypass of standard EPP authentication process.


Comment 4 mposolda 2011-11-15 09:14:45 UTC
Link: Added: This issue relates to JBEPP-1363


Comment 5 mposolda 2011-11-15 14:34:05 UTC
Link: Added: This issue is related to GTNPORTAL-2276


Comment 7 Jared MORGAN 2011-11-15 22:37:50 UTC
Release Notes Docs Status: Added: Not Required
Affects: Added: Release Notes


Comment 8 mposolda 2011-11-15 23:31:01 UTC
Release Notes Docs Status: Removed: Not Required 
Security: Removed: RHT+eXo 


Comment 9 mposolda 2011-11-15 23:33:48 UTC
Hi Jared,

This jira is not something that needs to be secure. I set it with security level RH+EXO probably by accident, sorry for that :-/ Now I have made it public.

I returned the release notes status back to "None". Is any more info needed from me? "Release notes text" already has a value, which can be used to identify the purpose of this jira.

Comment 10 Jared MORGAN 2011-11-16 02:57:13 UTC
Release Notes Docs Status: Added: Documented as Resolved Issue
Release Notes Text: Removed: Added JBossClusteredSSOValveFilter to help integration with JBoss SSO valve and avoid bypass of standard EPP authentication process. Added: The JBoss Clustered Single Sign On (SSO) Valve must authenticate on all clustered nodes using the same password. The login process in Enterprise Portal Platform differed from normal authentication methods, and customers had to bypass standard authentication by enabling BASIC authentication, or patch login.jsp as described in the Reference Guide. The fix introduces JBossClusteredSSOValveFilter, which removes the patching and workarounds customers had to implement in earlier versions of the product, and increases overall platform security.
Security: Added: Public


Comment 11 Jared MORGAN 2011-11-16 02:57:36 UTC
Link: Added: This issue Cloned to JBEPP-1365


Comment 12 mposolda 2011-11-16 15:47:18 UTC
Release Notes Text: Removed: The JBoss Clustered Single Sign On (SSO) Valve must authenticate on all clustered nodes using the same password. The login process in Enterprise Portal Platform differed from normal authentication methods, and customers had to bypass standard authentication by enabling BASIC authentication, or patch login.jsp as described in the Reference Guide. The fix introduces JBossClusteredSSOValveFilter, which removes the patching and workarounds customers had to implement in earlier versions of the product, and increases overall platform security. Added: The JBoss Clustered Single Sign On (SSO) Valve must authenticate on all clustered nodes using the same password. The login process in Enterprise Portal Platform differed from normal authentication methods, and customers had to bypass standard authentication by enabling BASIC authentication, or patch login.jsp as described in the Reference Guide. The fix introduces PortalClusteredSSOSupportValve, which removes the patching and workarounds customers had to implement in earlier versions of the product, and increases overall platform security.