Red Hat Training
A Red Hat training course is available for JBoss Enterprise Application Platform Common Criteria Certification
16.4. Use Single Sign On (SSO) In A Web Application
Single Sign On (SSO) capabilities are provided by the web and Infinispan subsystems. Use this procedure to configure SSO in web applications.
Prerequisites
- You need to have a configured security domain which handles authentication and authorization.
- The infinispan subsystem needs to be present. It is present in the full-ha profile for a managed domain, or by using the standalone-full-ha.xml configuration in a standalone server.
- The web cache-container and SSO cache-container must each be present. The initial configuration files already contain the web cache-container, and some of the configurations already contain the SSO cache-container as well. Use the following commands to check for and enable the SSO cache container. Note that these commands modify the ha profile of a managed domain. You can change the commands to use a different profile, or remove the /profile=ha portion of the command, for a standalone server.
  Example 16.1. Check for the web cache-container
  The profiles and configurations mentioned above include the web cache-container by default. Use the following command to verify its presence. If you use a different profile, substitute its name instead of ha.
  /profile=ha/subsystem=infinispan/cache-container=web/:read-resource(recursive=false,proxies=false,include-runtime=false,include-defaults=true)
  If the result is success, the subsystem is present. Otherwise, you need to add it.
  Example 16.2. Add the web cache-container
  Use the following three commands to enable the web cache-container in your configuration. Modify the name of the profile as appropriate, as well as the other parameters. The parameters here are the ones used in a default configuration.
  /profile=ha/subsystem=infinispan/cache-container=web:add(aliases=["standard-session-cache"],default-cache="repl",module="org.jboss.as.clustering.web.infinispan")
  /profile=ha/subsystem=infinispan/cache-container=web/transport=TRANSPORT:add(lock-timeout=60000)
  /profile=ha/subsystem=infinispan/cache-container=web/replicated-cache=repl:add(mode="ASYNC",batching=true)
  Example 16.3. Check for the SSO cache-container
  Run the following Management CLI command:
  /profile=ha/subsystem=infinispan/cache-container=web/:read-resource(recursive=true,proxies=false,include-runtime=false,include-defaults=true)
  Look for output like the following:
  "sso" => {
  If you do not find it, the SSO cache-container is not present in your configuration.
  Example 16.4. Add the SSO cache-container
  /profile=ha/subsystem=infinispan/cache-container=web/replicated-cache=sso:add(mode="SYNC", batching=true)
- The web subsystem needs to be configured to use SSO. The following command enables SSO on the virtual server called default-host, and the cookie domain domain.com. The cache name is sso, and reauthentication is disabled.
  /profile=ha/subsystem=web/virtual-server=default-host/sso=configuration:add(cache-container="web",cache-name="sso",reauthenticate="false",domain="domain.com")
- Each application which will share the SSO information needs to be configured to use the same <security-domain> in its jboss-web.xml deployment descriptor and the same Realm in its web.xml configuration file.
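The last prerequisite can be checked mechanically before deployment. The following Python script is an added example, not part of the Red Hat documentation: it reads each application's jboss-web.xml and web.xml and reports which applications declare the same security domain and realm. The descriptor contents, application names, and the sso-domain and SSORealm values are constructed for illustration, and the script assumes the realm is declared as <realm-name> inside <login-config> in web.xml.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample descriptors; app names, domain and realm values are hypothetical.
JBOSS_WEB = "<jboss-web><security-domain>{}</security-domain></jboss-web>"
WEB_XML = (
    '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">'
    "<login-config><auth-method>FORM</auth-method>"
    "<realm-name>{}</realm-name></login-config></web-app>"
)
APPS = {
    "app-a.war": (JBOSS_WEB.format("sso-domain"), WEB_XML.format("SSORealm")),
    "app-b.war": (JBOSS_WEB.format("sso-domain"), WEB_XML.format("SSORealm")),
    "app-c.war": (JBOSS_WEB.format("other-domain"), WEB_XML.format("SSORealm")),
    "app-d.war": ("<jboss-web/>", WEB_XML.format("SSORealm")),  # no security-domain
}


def first_text(xml_doc, tag):
    """Text of the first element whose local name is `tag` (namespace ignored), or None."""
    for el in ET.fromstring(xml_doc).iter():
        if el.tag.rsplit("}", 1)[-1] == tag:
            return (el.text or "").strip() or None
    return None


def sso_settings(jboss_web_xml, web_xml):
    """(security-domain from jboss-web.xml, realm-name from web.xml) for one application."""
    return first_text(jboss_web_xml, "security-domain"), first_text(web_xml, "realm-name")


def group_by_settings(apps):
    """Map each (security-domain, realm) pair to the sorted apps that declare it."""
    groups = defaultdict(list)
    for name, (jboss_web_xml, web_xml) in apps.items():
        groups[sso_settings(jboss_web_xml, web_xml)].append(name)
    return {pair: sorted(names) for pair, names in groups.items()}


def can_share_sso(apps, names):
    """True only if every named app declares the same, fully specified pair."""
    pairs = {sso_settings(*apps[n]) for n in names}
    return len(pairs) == 1 and None not in next(iter(pairs))


if __name__ == "__main__":
    for pair, names in group_by_settings(APPS).items():
        print(pair, names)
```

Applications that land in different groups, or that have a missing value in either descriptor, do not meet the prerequisite and should be corrected before SSO is enabled on the virtual server.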
The SSO Valves are configured automatically when sso is configured under the web subsystem in a server profile. The ClusteredSingleSignOn version is used when the cache-container attribute is present; otherwise the standard SingleSignOn class is used.
Example 16.5. Example Clustered SSO Configuration
/subsystem=web/virtual-server=default-host/sso=configuration:add(cache-container="web",cache-name="sso",reauthenticate="false",domain="domain.com")
Example 16.6. Example Non-Clustered SSO Configuration
/subsystem=web/virtual-server=default-host/sso=configuration:add(reauthenticate="false")
An application can programmatically invalidate a session by invoking the method javax.servlet.http.HttpSession.invalidate().