
svn commit: r1195379 - /incubator/rave/site/trunk/content/rave/documentation/sso-login.mdtext

Author: jasha
Date: Mon Oct 31 09:11:53 2011
New Revision: 1195379

URL: http://svn.apache.org/viewvc?rev=1195379&view=rev
Log:
Add documentation for the SSO login extension.

Added:
    incubator/rave/site/trunk/content/rave/documentation/sso-login.mdtext

Added: incubator/rave/site/trunk/content/rave/documentation/sso-login.mdtext
URL: http://svn.apache.org/viewvc/incubator/rave/site/trunk/content/rave/documentation/sso-login.mdtext?rev=1195379&view=auto
==============================================================================
--- incubator/rave/site/trunk/content/rave/documentation/sso-login.mdtext (added)
+++ incubator/rave/site/trunk/content/rave/documentation/sso-login.mdtext Mon Oct 31 09:11:53 2011
@@ -0,0 +1,129 @@
+Title:     How to configure Single Sign-On (Extension)
+Notice:    Licensed to the Apache Software Foundation (ASF) under one
+           or more contributor license agreements.  See the NOTICE file
+           distributed with this work for additional information
+           regarding copyright ownership.  The ASF licenses this file
+           to you under the Apache License, Version 2.0 (the
+           "License"); you may not use this file except in compliance
+           with the License.  You may obtain a copy of the License at
+           .
+             http://www.apache.org/licenses/LICENSE-2.0
+           .
+           Unless required by applicable law or agreed to in writing,
+           software distributed under the License is distributed on an
+           "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+           KIND, either express or implied.  See the License for the
+           specific language governing permissions and limitations
+           under the License.
+
+The default login mechanism relies on predefined users in the database with basic authentication or OpenId.
+With a different [Spring security][1] configuration Rave supports login based on request headers.
+
+The following instructions assume there is already an SSO authentication service running in your network like [Shibboleth®][2]
+
+##1) Get Rave
+
+There are multiple ways to build your custom Rave instance, but the quickest is to use a Maven WAR overlay.  See [Extending Rave](rave-extensions.html) for an example overlay.
+
+##2) Build the Rave SSO extension
+
+Run the following commands in your shell/terminal/command to build the Single Sign-On extension from the Rave Sandbox:
+
+    svn co http://svn.apache.org/repos/asf/incubator/rave/sandbox/rave-extensions/rave-extension-sso
+    cd rave-extension-sso
+    mvn install
+
+##3) Add a custom Spring security configuration
+
+Place the following Spring security configuration in your war overlay project (`/src/main/webapp/WEB-INF`) as `applicationContext-security-extension-sso.xml`
+
+    <?xml version="1.0" encoding="UTF-8"?>
+    <beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
+                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                 xmlns="http://www.springframework.org/schema/security"
+                 xsi:schemaLocation="http://www.springframework.org/schema/beans
+           http://www.springframework.org/schema/beans/spring-beans.xsd
+           http://www.springframework.org/schema/security
+           http://www.springframework.org/schema/security/spring-security.xsd">
+
+      <http use-expressions="true">
+        <intercept-url pattern="/newaccount.jsp*" access="permitAll"/>
+        <intercept-url pattern="/app/newaccount*" access="permitAll"/>
+        <intercept-url pattern="/login.jsp*" filters="none"/>
+        <intercept-url pattern="/css/**" access="permitAll"/>
+        <intercept-url pattern="/images/**" access="permitAll"/>
+        <intercept-url pattern="/script/**" access="permitAll"/>
+        <intercept-url pattern="/app/admin/**" access="hasRole('ROLE_ADMIN')"/>
+        <intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
+
+        <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?authfail=sso"/>
+        <logout logout-success-url="/../Shibboleth.sso/Logout?target=/portal"/>
+        <!-- To remove SSO header authentication, comment out the following line -->
+        <custom-filter ref="ssoHeaderFilter" position="PRE_AUTH_FILTER"/>
+      </http>
+
+      <!--
+        REMOTE_USER is the header we're expecting.
+        It's important that if we're using this header, the app is not accessed directly,
+        instead accessed only through e.g. the Apache Shibboleth module, otherwise this header could be faked.
+      -->
+      <beans:bean id="ssoHeaderFilter"
+                  class="org.apache.rave.portal.security.filter.SSORequestHeaderAuthenticationFilter">
+        <beans:property name="principalRequestHeader" value="REMOTE_USER"/>
+        <beans:property name="authenticationManager" ref="authenticationManager"/>
+        <beans:property name="allowPreAuthenticatedPrincipals" value="true"/>
+        <beans:property name="exceptionIfHeaderMissing" value="false"/>
+        <beans:constructor-arg index="0" ref="userService"/>
+        <beans:constructor-arg index="1" ref="ssoLoginHandler"/>
+      </beans:bean>
+
+      <beans:bean id="ssoLoginHandler" class="org.apache.rave.portal.security.impl.DefaultSSOLoginHandler">
+        <beans:property name="autoCreateUser" value="true"/>
+        <beans:property name="ssoHeaderEmail" value="Shib-InetOrgPerson-mail"/>
+        <beans:property name="defaultPageLayout" value="columns_2"/>
+        <beans:property name="defaultUserRole" value="ROLE_USER"/>
+        <beans:constructor-arg index="0" ref="defaultNewAccountService"/>
+        <beans:constructor-arg index="1" ref="userDetailsService"/>
+        <beans:constructor-arg index="2" ref="defaultAuthorityService"/>
+      </beans:bean>
+
+      <beans:bean id="preauthAuthProvider"
+                  class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
+        <beans:property name="preAuthenticatedUserDetailsService">
+          <beans:bean id="userDetailsServiceWrapper"
+                      class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
+            <beans:property name="userDetailsService" ref="userDetailsService"/>
+          </beans:bean>
+        </beans:property>
+      </beans:bean>
+
+      <beans:bean id="userDetailsService" class="org.apache.rave.portal.service.impl.DefaultUserService"/>
+
+      <authentication-manager alias="authenticationManager">
+        <authentication-provider ref="preauthAuthProvider">
+          <password-encoder ref="passwordEncoder">
+            <salt-source ref="saltSource"/>
+          </password-encoder>
+        </authentication-provider>
+      </authentication-manager>
+
+    </beans:beans>
+
+Change the `web.xml`
+
+    <context-param>
+        <param-name>contextConfigLocation</param-name>
+        <param-value>
+            /WEB-INF/dataContext.xml
+            /WEB-INF/applicationContext.xml
+            /WEB-INF/applicationContext-security-extension-sso.xml
+        </param-value>
+    </context-param>
+
+##4) Customize the login.jsp
+
+Create your own login.jsp with e.g. a welcome text and a link to your SSO login form.
+
+
+[1]: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity.html
+[2]: http://shibboleth.internet2.edu
\ No newline at end of file
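Review bot: Step 3 never states in prose the deployment precondition that makes this configuration safe: `ssoHeaderFilter` accepts whatever arrives in the `REMOTE_USER` request header as an authenticated principal and `ssoLoginHandler` has `autoCreateUser` set to `true`, so if the servlet container is reachable directly, bypassing the Shibboleth-protected front end, a client-supplied header is enough to be logged in and to have an account created. The only warning is the XML comment inside the sample, which a reader who copies the file may never read; it should also appear in the instructions, e.g. after "Place the following Spring security configuration…": `Rave must be reachable only through the front end (e.g. the Apache Shibboleth module) that sets REMOTE_USER and Shib-InetOrgPerson-mail; make sure that front end overwrites or strips any values of these headers supplied by the client, and that the container's own HTTP port is not exposed.` The `logout-success-url` value `/../Shibboleth.sso/Logout?target=/portal` also assumes Rave is deployed one path level below the Shibboleth handler and under a `/portal` context path, neither of which the page mentions; a sentence saying these values must be adapted to the local deployment would help.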