Background
JBoss Application Server runs Java EE applications: web applications, EJB applications, web services and so on. Single Sign On (SSO), or seamless propagation of the security context and identity between those applications, is a common requirement. This article walks through typical use cases and gives guidelines for choosing the right type of SSO solution for each of them when running on JBoss Application Server.
JBoss Application Server embeds Apache Tomcat as its web container (the official name is JBossWeb, a variant of Tomcat), so the Tomcat authentication valves referred to below are available in every JBoss AS installation.
Use Case 1: Need Kerberos-based Desktop SSO
Suppose your users log into a Kerberos-authenticated desktop, for example a Windows machine joined to an Active Directory domain or a Linux desktop that obtains a Kerberos ticket at login, and afterwards open web applications hosted on JBoss Application Server. In this case you want the browser's integrated authentication (SPNEGO carried in the HTTP Negotiate header) to log the user in based on the Kerberos principal, with no second password prompt.
Look at the JBoss Negotiation component, which is part of JBoss Application Server. Two things have to be in place before it can work: the server needs a keytab for its HTTP/<host> service principal so it can accept the tickets the browser presents, and the browser must be configured to treat the site as trusted for integrated authentication (the Local Intranet zone in Internet Explorer, or network.negotiate-auth.trusted-uris in Firefox); otherwise the client never sends a Negotiate header and the request falls through to whatever fallback mechanism you configured. The Kerberos ticket only proves identity; roles still have to be loaded by a second login module from a directory or a properties file.
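The configuration below is an added example (it is not from this page or the JBoss Negotiation project) of wiring JBoss Negotiation into JBoss AS 7.1: a "host" security domain that logs the server itself in from a keytab, a "SPNEGO" domain that web applications reference, and the two deployment descriptors of one application. The host name, realm, keytab path and properties files are assumptions; the login module codes and module options are the ones JBoss Negotiation documents.

```xml
<!-- standalone.xml, security subsystem (JBoss AS 7.1). Hostname, realm and
     keytab path are assumed values for this example. -->
<subsystem xmlns="urn:jboss:domain:security:1.1">
  <security-domains>
    <!-- "host": the server's own Kerberos identity, obtained from a keytab
         rather than a password so no interactive prompt is ever needed -->
    <security-domain name="host" cache-type="default">
      <authentication>
        <login-module code="Kerberos" flag="required">
          <module-option name="storeKey" value="true"/>
          <module-option name="useKeyTab" value="true"/>
          <module-option name="principal" value="HTTP/www.example.com@EXAMPLE.COM"/>
          <module-option name="keyTab" value="/etc/jboss/http.keytab"/>
          <module-option name="doNotPrompt" value="true"/>
          <module-option name="debug" value="false"/>
        </login-module>
      </authentication>
    </security-domain>
    <!-- "SPNEGO": referenced by web applications; validates the browser's
         ticket against the "host" identity, then loads roles separately -->
    <security-domain name="SPNEGO" cache-type="default">
      <authentication>
        <login-module code="SPNEGO" flag="requisite">
          <module-option name="password-stacking" value="useFirstPass"/>
          <module-option name="serverSecurityDomain" value="host"/>
        </login-module>
        <!-- the ticket carries no roles: map principal -> roles here
             (a properties file keeps the example self-contained; an LDAP
             login module is the usual choice in production) -->
        <login-module code="UsersRoles" flag="required">
          <module-option name="password-stacking" value="useFirstPass"/>
          <module-option name="usersProperties" value="spnego-users.properties"/>
          <module-option name="rolesProperties" value="spnego-roles.properties"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>

<!-- WEB-INF/jboss-web.xml of the web application: pick the SPNEGO domain -->
<jboss-web>
  <security-domain>SPNEGO</security-domain>
</jboss-web>

<!-- WEB-INF/web.xml: SPNEGO as the auth method, protecting everything
     under /secure/ for users holding the (assumed) role "staff" -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>staff</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>SPNEGO</realm-name>
  </login-config>
  <security-role>
    <role-name>staff</role-name>
  </security-role>
</web-app>
```

A quick check that the server side is actually negotiating: request a protected URL with a client that sends no Negotiate header and confirm you get a 401 carrying a `WWW-Authenticate: Negotiate` response header; a 401 without that header means the authenticator was not selected for the deployment.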
Use Case 2: Need SSO for web applications running in one instance of JBoss AS or inside a virtual host (non-clustered scenarios)
Use the Apache Tomcat Single Sign On Valve. Once a user has authenticated to one web application in the virtual host, the valve issues a host-wide JSESSIONIDSSO cookie and the other applications in that host accept the same identity without prompting again. Keep in mind what that cookie is: a bearer credential good for every application on the host, so serve the host over HTTPS. Note also that logging out of (invalidating the session in) any one application ends the SSO session for all of them.
In JBoss AS 7.x and beyond, the valve is configured in WEB-INF/jboss-web.xml of your web application. An example is shown in: https://community.jboss.org/wiki/JBossAS7SecurityDomainModel#Deploying_Custom_Tomcat_Authenticators_in_AS7
In JBoss AS 5/6, the valve configuration is done in WEB-INF/context.xml
Use Case 3: Need SSO for web applications running in a JBoss AS cluster
Use the ClusteredSingleSignOnValve, as described in https://community.jboss.org/wiki/JBossWebSingleSignOn, so that the SSO state is replicated across the cluster and a user whose requests fail over to another node is not asked to log in again.
Remember that in JBoss AS 7.x the valve is configured in WEB-INF/jboss-web.xml, whereas in AS 5/6 it is configured in WEB-INF/context.xml.
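As an added example covering both Use Case 2 and Use Case 3 (not configuration taken from this page or from the JBossWeb project), the fragments below enable the single sign-on valve in each place the text mentions. The per-application jboss-web.xml form uses Tomcat's own valve class; the AS 7.1 web-subsystem form enables SSO once for the whole virtual host and becomes the clustered variant when it is pointed at a replicated cache. The clustered valve class name for AS 5/6 and the cache names are assumptions to be checked against the linked wiki page for your version.

```xml
<!-- JBoss AS 7.x: WEB-INF/jboss-web.xml of each participating application.
     Class name is Tomcat's non-clustered SSO valve. -->
<jboss-web>
  <security-domain>other</security-domain>
  <valve>
    <class-name>org.apache.catalina.authenticator.SingleSignOn</class-name>
    <!-- re-run Realm authentication on each request instead of trusting the
         cached Principal; costs a lookup, but the SSO cookie alone is then
         not enough to be treated as authenticated if the account is disabled -->
    <param>
      <param-name>requireReauthentication</param-name>
      <param-value>true</param-value>
    </param>
  </valve>
</jboss-web>

<!-- JBoss AS 7.1: enable SSO for the whole virtual host in standalone.xml.
     Without cache-container/cache-name the SSO map is local to the node
     (Use Case 2); with them it is replicated (Use Case 3). Cache names are
     assumed to match the Infinispan "web" container of the HA profile. -->
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
  <virtual-server name="default-host" enable-welcome-root="false">
    <alias name="localhost"/>
    <!-- non-clustered -->
    <sso reauthenticate="false"/>
    <!-- clustered: use this element instead of the one above
    <sso cache-container="web" cache-name="sso" reauthenticate="false"/>
    -->
  </virtual-server>
</subsystem>

<!-- JBoss AS 5/6, non-clustered: WEB-INF/context.xml -->
<Context>
  <Valve className="org.apache.catalina.authenticator.SingleSignOn"
         requireReauthentication="true"/>
</Context>

<!-- JBoss AS 5/6, clustered (Use Case 3): WEB-INF/context.xml.
     Class name assumed from the AS 5 JBossWeb service package. -->
<Context>
  <Valve className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn"/>
</Context>
```

To confirm SSO is active, log into one application and look for a `JSESSIONIDSSO` cookie in the response alongside the application's own `JSESSIONID`; a second application on the same host should then serve a protected page without challenging, and invalidating the first application's session should make the second one challenge again.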
Use Case 4: Need SSO for web applications deployed on different servers
In this use case you have web applications deployed on different servers and you want to authenticate users centrally, then reuse the result of that login in each application. The SAML 2.0 Web Browser SSO profile fits this need. In this profile a central Identity Provider (IDP) holds all the authentication logic; each web application acts as a Service Provider (SP) and redirects an unauthenticated user to the IDP. After a successful login the IDP sends the browser back to the SP with a signed SAML assertion, and the SP validates that assertion (signature, issuer, audience and validity window) before logging the user in. That validation step is where the security of the whole scheme rests: an SP that does not verify the IDP's signature will accept an assertion anyone can forge.
Look at the PicketLink project, available from the JBoss community (http://jboss.org/picketlink) and shipped as part of JBoss Application Server.
This is architecture type 1 described in https://community.jboss.org/wiki/PicketLinkArchitectures
Look for cheatsheets for your version of JBoss AS here: https://community.jboss.org/wiki/CheatsheetPicketLinkAndJBossAS
Use Case 5: Need SSO for EJB applications and Web Services deployed on JBoss Application Servers
In this use case you want seamless propagation of the security context and identity across EJB and web service calls. Use the PicketLink Security Token Service (STS): the caller obtains a security token from the STS (PicketLink's STS implements WS-Trust) and attaches it to the outgoing call, and the EJB or web service on the receiving side validates the token with the STS before accepting the caller's identity, so the callee never has to trust an unverified identity claim from the caller.
A cheatsheet for AS 7.1.1 is available at https://community.jboss.org/wiki/CheatsheetPicketLinkSecurityTokenServiceWithJBossAS71x
For additional articles, please refer to https://community.jboss.org/wiki/PicketLinkSecurityTokenService and https://community.jboss.org/wiki/PicketLinkSTSDashboard
The PicketLink user mailing list is picketlink AT lists.jboss.org; subscribe at: https://lists.jboss.org/mailman/listinfo/picketlink