Question

I have a wildfly 8.0.0.final running but I cannot get my wildfly to do an SSO. Under IBM WAS I had to define the web app SSO. But under wildfly I have no clue how to do it and how to enable/configure it.

My packaging of the application looks like:

myapp.ear:

  • web.war (context: /web and used for web services)
  • gui.war (context: /gui and used for the end users)
  • additional.war

Typically the users work on gui.war. Here the users get a form based auth (which does already work properly). The web.war is used for external systems, which do a basic auth; additional.war typically uses a form based auth.

Right now every auth on every war file works as expected. But I have to do an auth on every war-file, even if I have already been authenticated. So my question is, how to enable the web application SSO (single sign on) on wildfly? Please keep in mind, I am totally new to wildfly and of course JBoss AS. So I need a newbie documentation for the configurations.

Could someone recommend me a good book for the wildfly, which explains the features in more detail?

bye hans


Solution

A work-around currently is to have the following in your jboss-web.xml of all the wars:

<?xml version="1.0"?>
<jboss-web>
    <session-config>
        <cookie-config>
            <path>/</path>
        </cookie-config>
    </session-config>
</jboss-web>

OTHER TIPS

Rather a long answer unfortunately, due to the domain bug in wildfly 8.0.0. This answer applies by working around the bug - there is almost certainly an easier variant of it, but I'm not sufficiently familiar with wildfly extensions yet to manage that.

Add under the subsystem, server, host tags in standalone.xml (or domain.xml equivalent) - does NOT matter what the domain is.

In your war files, add:

WEB-INF/classes/META-INF/services/io.undertow.servlet.ServletExtension

contents:

FixSSOServletExtension

make this class implement ServletExtension with a line:

deploymentInfo.addFirstAuthenticationMechanism("form",  new FixSSOAuthenticationMechanism());

(change form to basic or whatever you use)

In FixSSOAuthenticationMechanism.authenticate:

exchange.addResponseWrapper(responseListener);
return AuthenticationMechanismOutcome.NOT_ATTEMPTED;

(in the other method just return new ChallengeResult(false) )

Add:

import io.undertow.server.ConduitWrapper;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.Cookie;
import io.undertow.util.ConduitFactory;
import org.xnio.conduits.StreamSinkConduit;

// Runs when the response conduit is created: by then the SSO mechanism has already added its cookie.
final class ResponseListener implements ConduitWrapper<StreamSinkConduit> {
    @Override
    public StreamSinkConduit wrap(ConduitFactory<StreamSinkConduit> factory, HttpServerExchange exchange) {
        // Drop the Domain attribute so the browser treats JSESSIONIDSSO as a host-only cookie.
        Cookie c = exchange.getResponseCookies().get("JSESSIONIDSSO");
        if (c != null) {
            c.setDomain(null);
        }
        return factory.create();
    }
}

and create an instance of that in the class to return.

Add to your jboss-deployment-structure.xml

<module name="io.undertow.core" />
<module name="io.undertow.servlet" />
<module name="org.jboss.xnio" />

You only need to do this in the war file which you log in to - but if you can log in multiple locations, then everywhere needs it, and if so you can put it into a shared module, or a sar module (my copy is in a sar because there is an existing security mbean being deployed there).

Alternate answer (very different approach to the same issue): Edit SingleSignOnAuthenticationMechanism.java in undertow, and remove the method call setDomain(domain) in both locations it occurs, recompile that module and replace it in your wildfly directory. This I believe is the fix (except domain will be conditional as to whether it is added or not) in https://issues.jboss.org/browse/WFLY-3033
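Assembled below as one added example (not code from the answer above or from the WildFly/Undertow projects) is the complete servlet extension that the answer describes step by step: the ServletExtension registered via the services file, the no-op authentication mechanism that hooks the response, and the conduit wrapper that strips the Domain attribute from JSESSIONIDSSO so the browser keeps it as a host-only cookie. The package name com.example.sso is an assumption; the mechanism name "form" must match the auth-method of the war it is deployed in (use "BASIC" for web.war).

```java
package com.example.sso; // hypothetical package; the services file must name this class fully qualified

import javax.servlet.ServletContext;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.server.ConduitWrapper;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.Cookie;
import io.undertow.servlet.ServletExtension;
import io.undertow.servlet.api.DeploymentInfo;
import io.undertow.util.ConduitFactory;
import org.xnio.conduits.StreamSinkConduit;

/**
 * Listed in WEB-INF/classes/META-INF/services/io.undertow.servlet.ServletExtension as
 * "com.example.sso.FixSSOServletExtension". Undertow calls handleDeployment() once per
 * deployment, before any request is served.
 */
public class FixSSOServletExtension implements ServletExtension {

    @Override
    public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
        // Put our mechanism in front of the container's FORM mechanism (assumed name "form").
        deploymentInfo.addFirstAuthenticationMechanism("form", new FixSSOAuthenticationMechanism());
    }

    /**
     * Authenticates nothing itself: NOT_ATTEMPTED hands the request on to the real FORM/BASIC
     * mechanism. Its only job is to attach the response wrapper on every request.
     */
    static final class FixSSOAuthenticationMechanism implements AuthenticationMechanism {
        private final ResponseListener responseListener = new ResponseListener();

        @Override
        public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange,
                                                           SecurityContext securityContext) {
            exchange.addResponseWrapper(responseListener);
            return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }

        @Override
        public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext securityContext) {
            // No challenge of our own; the real mechanism sends the login form / 401.
            return new ChallengeResult(false);
        }
    }

    /**
     * Invoked when the response body conduit is created, i.e. after the SSO mechanism has
     * added its cookie, so the Domain attribute can still be cleared before headers are sent.
     */
    static final class ResponseListener implements ConduitWrapper<StreamSinkConduit> {
        @Override
        public StreamSinkConduit wrap(ConduitFactory<StreamSinkConduit> factory, HttpServerExchange exchange) {
            Cookie sso = exchange.getResponseCookies().get("JSESSIONIDSSO");
            if (sso != null) {
                sso.setDomain(null); // host-only cookie: scoped to the exact request host, not a parent domain
            }
            return factory.create();
        }
    }
}
```

The war that ships this class needs the three module dependencies (io.undertow.core, io.undertow.servlet, org.jboss.xnio) in its jboss-deployment-structure.xml, as the answer notes. Clearing the Domain attribute is also the narrower choice from a security standpoint: a host-only SSO cookie is never sent to sibling hosts under the same parent domain, which is exactly the scope three wars in one ear on one host need.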

What you are doing is really difficult to make work in wildfly; just do this in domain.xml or standalone.xml:

<server name="default-server">
    <ajp-listener name="ajp" socket-binding="ajp"/>
    <http-listener name="default" socket-binding="http" redirect-socket="https"/>
    <https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <filter-ref name="server-header"/>
        <filter-ref name="x-powered-by-header"/>
        <single-sign-on path="/"/>
    </host>
</server>

Just add the single-sign-on path, not domain, because there is a bug in this... and then handle the logout properly... I spent a lot of time to make it work very easily; when debugging with Google Chrome you will see a JSESSIONIDSSO... no valve in jboss-web because the web server is undertow now...

Licensed under: CC-BY-SA with attribution