JBoss Enterprise Application Platform 4 and 5 / JBPAPP-10736

Provide JBossWeb SSO valve that will work when only the WebAuthentication login module is used


Details

    • Feature Request
    • Resolution: Done
    • Major
    • EAP_EWP 5.3.0.ER1
    • EAP_EWP 5.2.0
    • Security, Web
    • None
      Possible draft release notes content:
      Cause and Consequence:
      Customers who attempt to implement a custom login process using only WebAuthentication for their web application run into problems when this approach is used in a clustered SSO environment. This is because the SSO re-authentication logic is implemented in the Form and Basic authenticators, and these authenticators are not used when only the WebAuthentication module is used. There is no valve/authenticator to use when the customer is using only the WebAuthentication approach.

      Fix:
      A new CustomNonLoginAuthenticator, which extends AuthenticatorBase, is provided. It works when only the WebAuthentication login module is used.

      Result:
      The new CustomNonLoginAuthenticator allows customers to implement a custom login process using only WebAuthentication (without the Form/Basic authenticators) for their web application in a clustered SSO environment. Customers who want to use only the WebAuthentication approach can enable CustomNonLoginAuthenticator in their application's context.xml as follows:

      <Context cookies="true" crossContext="true">
         <Valve className="org.jboss.web.tomcat.security.authenticators.CustomNonLoginAuthenticator" />
      </Context>
    • Not Yet Documented
    • NEW

    Description

      Allow customers to implement a custom login process using only WebAuthentication (without the Form/Basic authenticators) for their web application in a clustered SSO environment. They can use the CustomNonLoginAuthenticator in their application's context.xml if they want to use only the WebAuthentication approach.

          People

            chaowan@redhat.com Chao Wang