Single sign-on
Heads up! These docs are for Portofino 3, which is a legacy product. Check out Portofino 4!
Copyright 2008-2012 ManyDesigns srl. All rights reserved.
Purpose
Single sign-on allows you to delegate authentication and authorization to a common infrastructure specifically designed for this purpose, such as an LDAP server. In this way, you can centralize security information and functionality instead of duplicating them in every application.
Generally, when you start a new application, you develop it using local authentication. This means using user management and permissions as described in previous chapters. Then,
A note on the terminology: in single sign-on, "role" is a synonym of "user group".
Configuring Portofino
Step 1: Configure the role (user group) for all users
Single sign-on administrators often configure a role for all the users who can access a certain application. Find out what that role is. For example, let's suppose your application is called myapp and that the role is myapp-users.
If your single sign-on does not have a role like the one described, you may use the role for the generic user (e.g., all-users).
Start ManyDesigns Portofino without single sign-on. Log in at the upstairs level. Click on the Meta user groups tab and click on the object called Users. Edit its name to match the aforementioned role (myapp-users in the example).
Step 2: Configure the deployment descriptor
Edit the WEB-INF/web.xml file. Locate the following XML elements:
- security-constraint
- login-config
- security-role
Within them, locate the role-name elements; both must name the role chosen in Step 1:
- security-constraint -> auth-constraint -> role-name
- security-role -> role-name
Step 3: Configure the properties file
Edit or add the following line in portofino-custom.properties:
security.type=container
This instructs Portofino to use container-managed security. See the servlet API documentation for the technical details.
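The following Python script is an added example, not part of Portofino or of this page: it checks Steps 1 to 3 mechanically by parsing a constructed web.xml and a constructed portofino-custom.properties fragment, confirming that every auth-constraint role-name is declared under security-role, that the role from Step 1 is the one enforced, that a login-config exists, and that security.type=container is set. The function and sample names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the page) mirroring the structure Step 2 describes.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Portofino</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>myapp-users</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
  <security-role><role-name>myapp-users</role-name></security-role>
</web-app>"""
# Constructed portofino-custom.properties fragment (Step 3).
SAMPLE_PROPERTIES = "# constructed\nsecurity.type=container\n"


def _local(tag):
    return tag.split("}")[-1]  # drop an XML namespace prefix, if the descriptor carries one


def _role_names(root, container_tag):
    """Collect the text of every <role-name> found under each <container_tag> element."""
    names = []
    for el in root.iter():
        if _local(el.tag) == container_tag:
            names += [rn.text or "" for rn in el.iter() if _local(rn.tag) == "role-name"]
    return names


def check_sso_config(web_xml, properties, expected_role):
    """Return a list of problems; an empty list means Steps 1 to 3 are consistent."""
    problems = []
    root = ET.fromstring(web_xml)
    auth_roles = _role_names(root, "security-constraint")
    declared = {r.strip() for r in _role_names(root, "security-role")}
    for role in auth_roles:
        if "\n" in role.strip():  # a DN broken across lines never matches the container's role
            problems.append("role-name split across lines: %r" % role)
        elif role.strip() not in declared:
            problems.append("auth-constraint role %r not listed in security-role" % role.strip())
    if expected_role not in {r.strip() for r in auth_roles}:
        problems.append("expected role %r is not in any auth-constraint" % expected_role)
    if not any(_local(el.tag) == "login-config" for el in root.iter()):
        problems.append("login-config element missing")
    props = {}
    for line in properties.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    if props.get("security.type") != "container":
        problems.append("portofino-custom.properties must set security.type=container")
    return problems
```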
Configuring the application server
Here is a list of external documentation that can help you configure your specific application server.
Apache Tomcat 6.0:
- Realm configuration how-to
- The valve component (section "Single sign-on valve")
Glassfish:
Oracle OC4J and OracleAS:
JBoss:
Alignment between single sign-on and the local database
Users
Users are automatically aligned, on demand, from the single sign-on to the local database. Any time a user successfully logs in through single sign-on, Portofino checks if a corresponding object exists in the User class. If not, it creates one, setting the login field to the login/username provided by the single sign-on.
If a user is on the local database but not on the single sign-on, the user is not allowed to log in.
Roles/user groups
Roles are not automatically aligned, i.e., no roles are created on the local database based on roles provided by the single sign-on. Make sure the local user groups (as meta user groups upstairs, or user groups downstairs) are properly configured.
There are three situations:
- role on the single sign-on only: the role is ignored;
- role both on the single sign-on and the local database (the names must match): the role is used;
- roles on the local database only: the role is used.
You can have a mix of situation 2 and 3. Situation 2 is useful for coarser-grained roles, situation 3 for finer-grained ones.
Associations of users to user groups
Associations of users to user groups are not automatically aligned, i.e., no associations (in the User_UserGrp class) are created on the local database based on mappings provided by the single sign-on. When the permission system needs to verify whether a user is assigned to a role, Portofino performs these operations:
- first, it verifies whether the association is present on the single sign-on;
- if not, it verifies whether the association is present on the local database.
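As an added illustration, not Portofino code, the following Python model encodes the alignment rules above: users are created locally on first single sign-on login, users known only locally cannot log in, single sign-on-only roles are ignored because no local group matches them, and a role check consults the single sign-on association before the local User_UserGrp association. The class and function names and the sample users are constructed.

```python
class SsoDirectory:
    """Constructed stand-in for the single sign-on: maps a login to the role names it provides."""
    def __init__(self, roles_by_login):
        self.roles_by_login = roles_by_login

    def authenticate(self, login):
        return login in self.roles_by_login

    def has_role(self, login, role):
        return role in self.roles_by_login.get(login, set())


class LocalDatabase:
    """Constructed stand-in for the User, UserGrp and User_UserGrp classes."""
    def __init__(self, groups, memberships):
        self.users = set()                   # User objects, created on demand at login
        self.groups = set(groups)            # local user groups; names must match SSO roles to be used
        self.memberships = set(memberships)  # (login, group) pairs, i.e. User_UserGrp


def login(sso, db, login_name):
    """Return True on success; the local User object is created at the first SSO login."""
    if not sso.authenticate(login_name):
        return False  # a user present only in the local database cannot log in
    db.users.add(login_name)  # on-demand alignment of the User class
    return True


def is_in_role(sso, db, login_name, role):
    """Check the SSO association first, then the local User_UserGrp association."""
    if role not in db.groups:
        return False  # role on the single sign-on only: ignored, no local group matches it
    if sso.has_role(login_name, role):
        return True   # role on both sides, association provided by the single sign-on
    return (login_name, role) in db.memberships  # local-only role or local-only association
```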
Example configurations
LDAP and Microsoft Active Directory for Tomcat
In this example we configure Portofino with Apache Tomcat to use LDAP authentication (or Microsoft Active Directory). To configure LDAP authentication you have to define a realm in Tomcat. The same method also lets you authenticate against a Microsoft Active Directory domain.
To create a Realm, modify your conf/server.xml configuration file as in the following example:
```xml
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://servername:389"
       alternateURL="ldap://servername:389"
       userRoleName="memberOf"
       userBase="cn=Users,dc=domainname"
       userPattern="cn={0},cn=Users,dc=domainname"
       roleBase="cn=Users,dc=domainname"
       roleName="cn"
       roleSearch="(memberOf={0})"
       roleSubtree="true"
       userSubtree="true"
       connectionName="cn=username,cn=Users,dc=domainname"
       connectionPassword="password"
/>
```
Username and password must be the ones of a user that can browse the LDAP hierarchy.
Finally, modify your web.xml, adding the following lines (login-config and security-role are siblings of security-constraint, not nested inside it):
```xml
    ...
    <auth-constraint>
      <description>
        Role (i.e. user group) containing all the users who can access the application.
        Make sure this role is listed in the security-role section below.
      </description>
      <role-name>CN=Users,CN=Builtin,DC=domainname</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/Login</form-login-page>
      <form-error-page>/LoginErrorPage</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <description>
      Role (i.e. user group) containing all the users who can access the application
    </description>
    <role-name>CN=Users,CN=Builtin,DC=domainname</role-name>
  </security-role>
  ...
```
...