Affects: Release Notes
project_key: JBEPP

The JBoss clustered SSO valve requires reauthentication on the second cluster node, and it needs to authenticate with the same password on both cluster nodes. The bad thing is that the EPP login process is not standard, so the user credentials seen by JBossWeb and by the SSO valve are not something like "root"/"gtn" but something like "root"/"wci-ticket-123456". So integration with the clustered SSO valve requires a workaround by customers. They need to switch to BASIC HTTP authentication or patch login.jsp to call "/portal/j_security_check" directly instead of "/portal/login" and bypass the standard EPP login process (which is described in JBEPP-615 and in the EPP reference guide).
Link: Added: This issue Cloned from JBEPP-1361
From Release Note text on the dev issue:

{quote}
The fix introduces JBossClusteredSSOValveFilter, which removes the patching and workarounds customers had to implement in earlier versions of the product, and increases overall platform security.
{quote}

Hi Marek

The new ValveFilter sounds like a good thing to document, and replace the current workaround documented in the Reference Guide (which uses BASIC authentication, currently the subject of that worm). Can you link me to any info about the Filter, and what parameters it accepts? Even better, would it be possible to get a real-world configuration example of the ValveFilter in a directive file?

Cheers
Jared
Primary SME: Added: mposolda NEEDINFO: Removed: Nobody Added: Reporter
Release Notes Docs Status: Removed: Documented as Resolved Issue Added: Not Required

Release Notes Text: Removed: The JBoss Clustered Single Sign On (SSO) Valve must authenticate on all clustered nodes using the same password. The login process in Enterprise Portal Platform differed from normal authentication methods, and customers had to bypass standard authentication by enabling BASIC authentication, or patch login.jsp as described in the Reference Guide. The fix introduces JBossClusteredSSOValveFilter, which removes the patching and workarounds customers had to implement in earlier versions of the product, and increases overall platform security.
Hi Jared,

there are two things to mention:

1) I've made some minor changes in the implementation and decided that it will be better to introduce a new helper Valve at the JBossWeb context level instead of using a servlet filter. It's better also because this valve is not enabled by default in Tomcat or Jetty, which makes integration easier in GateIn as well, because GateIn needs to run on JBoss, Tomcat and Jetty. I've updated the Release notes for JBEPP-1361 (I only changed the name of the filter to "PortalClusteredSSOSupportValve").

2) PortalClusteredSSOSupportValve itself is enabled by default in EPP. When the ClusteredSingleSignOn valve is disabled, this valve only forwards the HTTP request down to the servlet layer. Please note that the valve itself does not have any parameters and it's not something which customers should directly configure or interact with. It only helps in that customers don't need to apply the workaround with BASIC authentication and with login.jsp.

I've applied all needed documentation changes to the GateIn trunk documentation (see Jira GTNPORTAL-2277 for details) and I assigned the SSO valve documentation change to Scott (the Jira for it is JBEPP-1363). You can change the release notes of JBEPP-1361 if you think that they should contain more information. From my side, I am OK with how it is right now.

I am assigning this JIRA back to you. Let me know if more info or other actions are needed from me.

Thanks,
Marek