FUEGO 5.5 WORK PORTAL. (Using Tomcat 5) Fernando Dobladez


FUEGO 5.5 WORK PORTAL
SINGLE-SIGN-ON WITH A WINDOWS DOMAIN
(Using Tomcat 5)

Fernando Dobladez
ferd@fuego.com
December 30, 2005

Abstract

This document describes a way of configuring the Fuego Work Portal running in Apache Tomcat integrated with Microsoft's IIS in order to achieve Single-Sign-On with a Windows Domain.

1 Introduction

The goal is to achieve Single-Sign-On functionality in the Fuego Work Portal. When a user is working from a Windows workstation and is logged into the Windows Domain, he/she will be automatically recognized by the Fuego Work Portal application with no need to provide a user ID and password.

Each user must first be created in the Fuego Directory. A customizable error page will be presented to users who have not been added to the Fuego Directory.

2 How it works

At a high level, the solution implemented works as follows:

- IIS (Microsoft's web server) handles all HTTP traffic from the end users. All requests addressed to the Fuego Portal are delegated to Tomcat (the Java webapp container hosting the Fuego Portal).
- IIS and IE (Internet Explorer) both support a protocol for identifying a user who is already logged into the domain. Basically, IE passes an identification token to IIS, and IIS validates the token and obtains the user ID.
- IIS sits in the middle between the web browsers (IE) and Tomcat. When an authenticated request is accepted and is addressed to the Fuego Work Portal, IIS injects the user ID into the request and delegates it to Tomcat.
- When Tomcat receives an HTTP request with a user ID, it passes the ID to the Fuego Work Portal application, which in turn uses it to identify the user.

3 IIS Configuration

The Tomcat Connector ISAPI filter needs to be installed in IIS. This filter allows IIS to delegate the specified URL requests to Tomcat. The Apache Jakarta website includes documentation on how to install and configure the filter in IIS:

http://jakarta.apache.org/tomcat/connectors-doc/index.html

Once installed and working properly, it is important to enable the Windows Integrated Authentication option on the IIS site where the connector is configured. This makes IIS authenticate the user against the Windows Domain and then inject the user ID into the request before delegating it to Tomcat.

4 Tomcat configuration

Tomcat v5.0.x uses the JK2 connector. Once installed, the following properties need to be added to the jk2.properties file:

    ...
    request.tomcatAuthentication=false
    request.registerRequests=false
    ...

    (.../jakarta-tomcat-5.0.28/conf/jk2.connector)

Those properties tell the connector not to use Tomcat's authentication, but to accept the authentication passed by IIS.

Note: The JK2 connector is deprecated in the newer Tomcat version 5.5.x (although it is still supported). The JK connector is recommended instead. When using JK, the properties are not specified in a separate file as in JK2. Instead, they need to be set as attributes of the <Connector> tag definition inside Tomcat's server.xml file.

5 Fuego Configuration

Since the Fuego Work Portal will not be doing the authentication itself, it needs to be configured for container-based authentication. To achieve this, follow these configuration steps:

1. Configure the directory.properties file of the Portal webapp so that it can create Fuego Directory sessions without asking the users for a password.
2. Switch the authentication servlets of the Fuego Work Portal (modifying the web.xml file).
3. Add participant trust entries into the Fuego Directory. This allows the Portal to automatically create Fuego Directory sessions for the users without requiring a password.

The following sections explain each step in more detail.
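The note in section 4 says that with the JK connector on Tomcat 5.5 the setting moves into a <Connector> attribute in server.xml, but does not show it. The fragment below is an added example written for this page; it is not taken from the original document or from Fuego. It assumes the standard AJP/1.3 connector on port 8009 and that IIS runs on the same host as Tomcat (the address value); the two <Connector> elements are a before/after pair, and only one of them belongs in a real server.xml.

```xml
<!-- Added example, not from the original document: the AJP connector in
     conf/server.xml of a Tomcat 5.5 installation using the JK connector.
     Port 8009 is Tomcat's conventional AJP port; address="127.0.0.1" is an
     assumption that IIS and Tomcat share a machine. -->

<!-- Default setting: tomcatAuthentication is true, so Tomcat ignores the
     user ID forwarded by IIS and the Portal would still have to authenticate
     users itself. Single-sign-on does not work with this connector. -->
<Connector port="8009"
           protocol="AJP/1.3"
           enableLookups="false"
           redirectPort="8443" />

<!-- Required for this setup: tomcatAuthentication="false" makes Tomcat take
     the remote user from the principal forwarded over AJP instead of
     authenticating the request itself. This is the server.xml equivalent of
     the JK2 property request.tomcatAuthentication=false. -->
<Connector port="8009"
           protocol="AJP/1.3"
           enableLookups="false"
           redirectPort="8443"
           tomcatAuthentication="false"
           address="127.0.0.1" />
```

With tomcatAuthentication="false", Tomcat accepts whatever user name the peer on port 8009 presents, so the AJP port must be reachable only from the IIS host: bind it with the address attribute to the interface facing IIS (127.0.0.1 when both run on the same machine) and block it from every other network with a firewall. Any other host able to open a connection to that port could otherwise supply a user ID of its choosing.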

5.1 Configuring directory.properties

Three new properties need to be added to the directory.properties file of the Fuego Work Portal:

directory.<directory ID>.preset.container-auth.jdbc-user
    This is the JDBC user that will be used to connect to the Fuego Directory database when using container-based authentication.

directory.<directory ID>.preset.container-auth.jdbc-password
    This is the JDBC password for the user specified in the previous property.

directory.<directory ID>.preset.container-auth.skip-auth
    This property should be set to true in order to automatically log the user in without asking for a password.

Example:

    # Container Authentication Fuego Directory Service Configuration
    directory.default.preset.container-auth.jdbc-user=fuegofdiadm
    directory.default.preset.container-auth.jdbc-password=<encrypt>password
    directory.default.preset.container-auth.skip-auth=true

Note the optional <encrypt> prefix added to the password. If this is specified, the Portal application (1) will scramble the password in the file, so that it no longer shows in plain text. After the application starts, the prefix will change to <crypted> and the value of the password will be a random-looking string similar to the following:

    directory.default.preset.container-auth.jdbc-password=<crypted>UA7jo3Pvnu12sc/NMcxJ3ijnJHzgtte9YrbPr3NkA5wYNm1BbAHAOmLDvlq8vEpQ6fpD8g==

(1) Or any Fuego application using this directory.properties file.

5.2 Switch Portal Authentication Servlets

The default servlets of the Fuego Work Portal always authenticate the users against the Fuego Directory using an HTML login form. The Fuego Work Portal provides another set of authentication servlets that delegate the authentication to the servlet container. These provide the behavior needed for the Tomcat+IIS single-sign-on solution described in this document.

To enable the container-based authentication servlets, the web.xml file needs to be changed from the default values:

.../webapps/portal/web-inf/web.xml

    <servlet>
        <servlet-name>startup</servlet-name>
        <servlet-class>fuego.portal.servlet.deploy.simplestartup</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>loginwam</servlet-name>
        <servlet-class>fuego.portal.servlet.deploy.simplelogin</servlet-class>
    </servlet>
    ...
    <servlet>
        <servlet-name>logoutwam</servlet-name>
        <servlet-class>fuego.portal.servlet.deploy.simplelogout</servlet-class>
    </servlet>

to the following:

.../webapps/portal/web-inf/web.xml

    <servlet>
        <servlet-name>startup</servlet-name>
        <servlet-class>fuego.portal.servlet.deploy.userprincipalstarup</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>loginwam</servlet-name>
        <servlet-class>fuego.portal.servlet.deploy.userprincipallogin</servlet-class>
    </servlet>
    ...
    <servlet>
        <servlet-name>logoutwam</servlet-name>
        <servlet-class>fuego.portal.servlet.deploy.userprincipallogout</servlet-class>
    </servlet>

5.3 Add participant trusts to Fuego Directory

The Fuego Directory trusted user structure needs to be configured in order to allow the Fuego Work Portal to establish Fuego Directory sessions for the end users without specifying a password.

When the Fuego Directory is implemented on top of a relational database, this structure is stored in the FUEGO PARTTRUST table. The following rows need to be inserted into the table in order to trust the Portal JDBC user:

    FUEGO PARTTRUST
    -------------------------------
    FUEGO ID   | FUEGO TRUSTID
    -----------+-------------------
    null       | FUEGOFDIADM*
    admin      | FUEGOFDIADM

The first row means that the Fuego Directory Service JDBC user FUEGOFDIADM should trust any Fuego Participant already authenticated. The * suffix means no double authentication. The value specified for FUEGO TRUSTID is the one specified in the property directory.<directory ID>.preset.container-auth.jdbc-user in the Fuego Work Portal's directory.properties file.

The second row means that the Fuego Directory Service JDBC user FUEGOFDIADM should trust the Fuego Participant admin while doing authentication. This is the Fuego Administrator participant (also commonly configured as root). The value of FUEGO TRUSTID does not have the * suffix, as we do want to perform authentication for this Fuego participant.