21.2.2. Example of usage

Let's look a little closer and configure SSO between the portal and another web application. As an example we'll use the jmx-console web application that comes with every JBoss Application Server installation. You can find more information on how to secure jmx-console in the JBoss AS wiki.
  1. Take a clean install of JBoss Application Server
  2. Edit the $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml file and make sure it contains the following content:
                      
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HtmlAdaptor</web-resource-name>
        <description>An example security config that only allows users with the
          role Admin to access the HTML JMX console web application
        </description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>Admin</role-name>
      </auth-constraint>
    </security-constraint>
    
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Public</web-resource-name>
        <url-pattern>/public/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
    </security-constraint>
    
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>jmx-console</realm-name>
    </login-config>
    
    <security-role>
       <role-name>Admin</role-name>
    </security-role>
    
    This secures the jmx-console web application with BASIC browser authentication and restricts access to users with the Admin role.
  3. Edit the $JBOSS_HOME/server/default/conf/props/jmx-console-roles.properties file so that it contains:
                      
    admin=JBossAdmin,HttpInvoker,Admin
    
    This file is a simple identity store used to authenticate users of this web application. The line above makes the user admin a member of the Admin role.
  4. Deploy JBoss Portal
  5. Run JBoss Application Server
  6. Now you can check that when you go to
    • http://localhost:8080/portal
    • http://localhost:8080/jmx-console
    you need to authenticate separately into each of those web applications.
  7. Shut down the Application Server
  8. Uncomment the following line
    <Valve className='org.apache.catalina.authenticator.SingleSignOn'/>
    in the $JBOSS_HOME/server/default/deploy/jboss-web.deployer/server.xml file. More information can be found here.
    Run JBoss Application Server.
Now if you log in to the portal as user admin with password admin, you won't be asked for credentials when accessing jmx-console. This should work in both directions.

Note

Please note that in this example jmx-console uses the BASIC authentication method. This means that user credentials are cached on the client side by the browser and passed on each request. Once authenticated, you may need to restart the browser to clear the authentication cache.
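To check what the web.xml from step 2 actually protects before enabling SSO, the following added example (not part of the original guide or of JBoss) parses the security constraints and reports, per URL pattern, the required roles and the HTTP methods each constraint covers. The sample is the step 2 fragment wrapped in a constructed <web-app> root; the names WEB_XML, local, texts and audit are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraints from step 2, wrapped in a <web-app>
# root so the fragment parses (a real web.xml may also carry a namespace).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public</web-resource-name>
      <url-pattern>/public/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip an XML namespace, if present

def texts(node, name):
    return [e.text.strip() for e in node.iter() if local(e.tag) == name and e.text]

def audit(xml_text):
    """Return one finding dict per <security-constraint>."""
    findings = []
    for sc in ET.fromstring(xml_text).iter():
        if local(sc.tag) != "security-constraint":
            continue
        roles, methods, notes = texts(sc, "role-name"), texts(sc, "http-method"), []
        if not any(local(e.tag) == "auth-constraint" for e in sc):
            notes.append("no auth-constraint: open to unauthenticated users")
        if methods:
            # Servlet spec: a constraint listing http-method covers only those methods.
            notes.append("applies only to " + ",".join(methods) + "; other HTTP methods are not covered")
        findings.append({"patterns": texts(sc, "url-pattern"), "roles": roles,
                         "methods": methods, "notes": notes})
    return findings

if __name__ == "__main__":
    for f in audit(WEB_XML):
        print(f["patterns"], f["roles"] or "-", *f["notes"], sep=" | ")
```

A constraint with no http-method elements applies to every method, so removing those elements from the HtmlAdaptor constraint makes the Admin role requirement apply to all requests under /*.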