Introduction

Ceptor (formerly PortalProtect) is a complete security solution that protects portals and application servers regardless of the communication type used, be it JSP, Servlets, EJB or another type of communication. Ceptor can provide authentication and authorization checks on all resources, as well as secure communication between clients and servers.
Any number of web servers, application servers or other types of servers can be integrated and used to create personalized content and share sessions between all applications, so users experience single sign-on with access (subject to authorization, of course) to all applications available in your portal.
This document describes how to integrate Ceptor with the GlassFish Application Server version 3.112.

Installation

In the Ceptor distribution, you can find the required .jar files in samples/integration/glassfish. To install the Ceptor JASPI provider, copy CeptorJASPI.jar to your GlassFish domain's autodeploy/bundles directory, along with CeptorAgent.jar (from lib in the Ceptor distribution) and org.apache.log4j_1.2.15.v201012070815.jar, which are both required by the Ceptor Agent.
The org.apache.log4j_1.2.15.v201012070815.jar is a special OSGi-aware build, since the default distribution of log4j v1.2.16 has a broken MANIFEST.MF that does not work with GlassFish.
Then you need to edit domain.xml and add the following to the message-security-config section:

Code Block
<!-- Registers the Ceptor ServerAuthModule as a server-side JASPI provider; the provider-id is what sun-web.xml refers to -->
<provider-config provider-type="server" provider-id="CeptorProvider" class-name="dk.portalprotect.jaspi.ServerAuthModule">
  <!-- Name this GlassFish instance is known by in the Ceptor configuration -->
  <property name="server.name" value="webserver1"></property>
  <!-- Address of the Ceptor configuration server(s) -->
  <property name="config.servers" value="nio://localhost:21233"></property>
  <property name="server.alias" value="Glassfish"></property>
  <property name="nowait" value="true"></property>
  <request-policy></request-policy>
  <response-policy></response-policy>
</provider-config>


You will need to change the values of server.name, config.servers and server.alias to match the configuration of your Ceptor server; see the Ceptor User Guide for more information.
You can also let GlassFish's administration tool create the provider entry for you by executing this command (the trailing operand is the provider id, so use the same id that you reference from sun-web.xml):

Code Block
asadmin create-message-security-provider --layer HttpServlet --providertype server --classname dk.portalprotect.jaspi.ServerAuthModule PortalProtectProvider

You then still need to add the properties, either by editing domain.xml or by entering them in the administration GUI. If you prefer, you can also supply them as system properties instead.
If you want the classes in CeptorAgent.jar to be available to the application as well, copy CeptorAgent.jar and the log4j .jar to the domain's lib/ext directory so that they are visible to the deployed webapps.
To set up log4j and specify where to log, refer to: https://blogs.oracle.com/naman/entry/configure_log4j_for_use_in
To replace the java.util.logging used by GlassFish with a better alternative, you might want to look here:
http://hwellmann.blogspot.com/2010/12/glassfish-logging-with-slf4j-part-2.html

Webapp

...

Configuration

For the user principal and groups to be available within GlassFish, you will need to protect access to your webapp with a security constraint.
This is an example of how to configure web.xml to do just that.

...
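The page's own web.xml example is not shown in this comparison view. The following is an added example, not taken from the Ceptor documentation, of a web.xml that protects the whole webapp so GlassFish invokes the JASPI provider and exposes the authenticated principal and groups to the application. It declares the pp_everyone role that the sun-web.xml mapping in this document maps to the Ceptor group of the same name; the CONFIDENTIAL transport guarantee is an added hardening assumption that requires an HTTPS listener to be configured on the domain.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml (not the page's own): every URL is covered by a
     security constraint, so unauthenticated requests never reach the servlets
     and request.getUserPrincipal()/isUserInRole() are populated by the provider. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <!-- /* means there is no unprotected path; narrow this if you need
           public resources such as a logout page or static assets -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Only callers whose Ceptor groups map to this role are admitted -->
      <role-name>pp_everyone</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Assumption: an HTTPS listener exists; remove this element if it does not -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Every role used in an auth-constraint must also be declared here;
       sun-web.xml maps it to the matching Ceptor principal/group -->
  <security-role>
    <role-name>pp_everyone</role-name>
  </security-role>
</web-app>
```

A quick check after deployment: an unauthenticated request to any path should be handed to the Ceptor provider rather than served, and a servlet behind the constraint should see a non-null request.getUserPrincipal(). If the principal is null, the usual causes are a url-pattern that does not cover the request or a role name that differs between web.xml and the security-role-mapping in sun-web.xml.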

You also need to tell GlassFish to use the newly installed CeptorProvider for your webapp; do this by adding a file called sun-web.xml to your WEB-INF directory with the following content:

Code Block
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'http://www.sun.com/software/sunone/appserver/dtds/sun-web-app_2_3-0.dtd'>
<!-- httpservlet-security-provider must equal the provider-id registered in domain.xml -->
<sun-web-app httpservlet-security-provider="CeptorProvider">
  <!-- Maps the web.xml role pp_everyone to the Ceptor principal and group of the same name -->
  <security-role-mapping>
    <role-name>pp_everyone</role-name>
    <principal-name>pp_everyone</principal-name>
    <group-name>pp_everyone</group-name>
  </security-role-mapping>
</sun-web-app>

...