PortalProtect GLASSFISH INTEGRATION
© 2001-2012 Asseco Denmark A/S. All Rights Reserved.
Table of Contents
Introduction
Installation
Webapp configuration
Support
Introduction
Asseco Denmark PortalProtect is a complete security solution that protects portals and application servers, regardless of the communication type used, be it JSP, Servlets, EJB or another type of communication. PortalProtect can provide Authentication and Authorization checking on all resources, as well as secure communication between clients and servers.
Any number of web servers, application servers or other types of servers can be integrated and used to create personalized content and session sharing between all applications, so users experience single sign-on with access (depending on authorization, of course) to all applications available in your portal.
This document describes how to integrate PortalProtect with the Glassfish Application Server version 3.112
Installation
In the PortalProtect distribution, you can find the required .jar files in samples/integration/glassfish. To install the Tomcat Realm, you will need to copy PortalProtectJASPI.jar to your Glassfish domain's autodeploy/bundles directory, along with PortalProtectAgent.jar (from lib in the PP distribution) and org.apache.log4j_1.2.15.v201012070815.jar, which are both required by the PortalProtect Agent.
The org.apache.log4j_1.2.15.v201012070815.jar is a special OSGi-aware version, since the default distribution of log4j v1.2.16 has a broken MANIFEST.MF that does not work with Glassfish.
Then you need to change domain.xml and add this section to the message-security-config section.
<provider-config provider-type="server" provider-id="PortalProtectProvider" class-name="dk.portalprotect.jaspi.ServerAuthModule">
    <property name="server.name" value="webserver1"></property>
    <property name="config.servers" value="nio://localhost:21233"></property>
    <property name="server.alias" value="Glassfish"></property>
    <property name="nowait" value="true"></property>
    <request-policy></request-policy>
    <response-policy></response-policy>
</provider-config>
You will need to change the values of server.name, config.servers and server.alias to match your configuration of PortalProtect server – see PortalProtect User Guide for more information.
You can also use Glassfish's administration tool to do this for you by executing this command:
asadmin create-message-security-provider --layer HttpServlet --providertype server --classname dk.portalprotect.jaspi.ServerAuthModule PortalProtectProvider
But then you need to add the properties by editing domain.xml or entering them in the administration GUI. If you wish, you can also use system properties instead.
If you want to make the classes in PortalProtectAgent.jar available to the application as well, you need to copy PortalProtectAgent.jar and the log4j .jar to the domain's lib/ext directory for them to be visible to the deployed webapps.
To set up log4j and specify where to log, refer to: https://blogs.oracle.com/naman/entry/configure_log4j_for_use_in
To replace the java.util.logging used by Glassfish with a better alternative, you might want to look here:
http://hwellmann.blogspot.com/2010/12/glassfish-logging-with-slf4j-part-2.html
Webapp configuration
For the user principal and groups to be available within Glassfish, you will need to protect access to your webapp.
This is an example of how to configure web.xml to do just that.
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
    <display-name>Welcome to Glassfish</display-name>
    <description>
        Welcome to Glassfish
    </description>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Default constraint</web-resource-name>
            <description>Default security constraints</description>
            <url-pattern>/*</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>Default constraint</description>
            <role-name>pp_everyone</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <description>All users going though PP</description>
        <role-name>pp_everyone</role-name>
    </security-role>
</web-app>
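A security-constraint that lists http-method elements applies only to those methods, so with the web.xml above the pp_everyone requirement covers GET and POST on /* and no other method. The following check is an added example, not part of the PortalProtect distribution: it reports the methods each url-pattern leaves uncovered, next to the corrected form with the http-method elements removed. The names uncovered_methods, SAMPLE_WEB_XML and HARDENED_WEB_XML are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"jee": "http://java.sun.com/xml/ns/javaee"}
# Methods used for the report (assumption: the standard HTTP/1.1 set).
ALL_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Constructed sample: the security-constraint from the web.xml above, trimmed.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Default constraint</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>pp_everyone</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Corrected form for a Servlet 2.5 descriptor: no http-method elements,
# which makes the constraint apply to every method.
HARDENED_WEB_XML = re.sub(r"\s*<http-method>[^<]*</http-method>", "", SAMPLE_WEB_XML)


def uncovered_methods(web_xml):
    """Map each constrained url-pattern to the HTTP methods no constraint covers.

    Simplification: every security-constraint is treated as restricting access,
    and patterns are grouped by their literal text (no prefix/extension matching).
    """
    root = ET.fromstring(web_xml)
    covered = {}
    path = "jee:security-constraint/jee:web-resource-collection"
    for coll in root.findall(path, NS):
        listed = {m.text.strip().upper() for m in coll.findall("jee:http-method", NS)}
        # An empty list of http-method elements means "all methods".
        methods = listed or ALL_METHODS
        for pat in coll.findall("jee:url-pattern", NS):
            covered.setdefault(pat.text.strip(), set()).update(methods)
    return {pat: sorted(ALL_METHODS - m) for pat, m in covered.items()}


if __name__ == "__main__":
    print("as documented:", uncovered_methods(SAMPLE_WEB_XML))
    print("hardened:     ", uncovered_methods(HARDENED_WEB_XML))
```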
You also need to tell Glassfish to use the newly installed PortalProtectProvider for your webapp – do this by adding a file called sun-web.xml to your WEB-INF directory with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'http://www.sun.com/software/sunone/appserver/dtds/sun-web-app_2_3-0.dtd'>
<sun-web-app httpservlet-security-provider="PortalProtectProvider">
    <security-role-mapping>
        <role-name>pp_everyone</role-name>
        <principal-name>pp_everyone</principal-name>
        <group-name>pp_everyone</group-name>
    </security-role-mapping>
</sun-web-app>
This is all you need to be able to do J2EE security from within your webapp – the following is an example you can add to a .jsp page to try it out:
Current user: <%=request.getRemoteUser() %><br/>
User principal: <%=request.getUserPrincipal() %><br/>
Auth type: <%=request.getAuthType() %><br/>
Has role pp_everyone: <%=request.isUserInRole("pp_everyone") %><br/>
Has role pp_identifiedusers: <%=request.isUserInRole("pp_identifiedusers") %><br/>
Has role pp_anonymous: <%=request.isUserInRole("pp_anonymous") %><br/>
You do not need to add all the roles you are checking against in your webapp to <security-role> tags in the web.xml.
Support
Don't hesitate to email support@asseco.dk if you have any questions or problems with PortalProtect.