This chapter presents changes on the JAAS realm with the following sub-topics:
eXo Platform relies on JAAS for propagating the user identity and roles to the different applications deployed on the server.
The JAAS realm is used by all eXo Platform applications and even propagated to the JCR for Access Control.
By default, eXo Platform uses the JAAS realm named "gatein-domain". If your IT operation rules require you to use another JAAS realm, you will need to modify several files so that eXo Platform can work on your JAAS realm.
Since the security configuration depends heavily on the application server, each application server is described separately.
In the Tomcat bundle, the JAAS configuration is controlled by the $TOMCAT_HOME/conf/jaas.conf file:
gatein-domain {
  org.exoplatform.web.security.PortalLoginModule required;
  org.exoplatform.services.security.jaas.SharedStateLoginModule required;
  org.exoplatform.services.security.j2ee.TomcatLoginModule required;
};
Replace gatein-domain with your own domain name.
The PortalLoginModule module was designed to support the 'Remember me' feature. The password wrapped in the PasswordCallback is the cookie token key, not the user's password. The PortalLoginModule module uses that token key to retrieve the Credential object from CookieTokenService, then injects the correct username/password into the shared state, where subsequent login modules can read it. For the moment, the PortalLoginModule module is mandatory for authentication to work properly, and it must be the first module in the JAAS configuration so that the correct password is visible to the modules that follow it. A custom login module should therefore retrieve the real password from the shared state rather than from the PasswordCallback.
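As an added illustration (not eXo Platform code) of the shared-state approach described above, here is a skeleton custom login module in Java that reads the username and real password from the shared state populated by PortalLoginModule, and falls back to callbacks only when the state is empty. The shared-state key names and the abstract verify() hook are assumptions, not eXo APIs; check them against your eXo version.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public abstract class SharedStateAwareLoginModule implements LoginModule {
    // Shared-state keys assumed to be filled by the preceding eXo modules (assumption; verify for your version).
    private static final String NAME_KEY = "javax.security.auth.login.name";
    private static final String PASSWORD_KEY = "javax.security.auth.login.password";
    private CallbackHandler handler;
    private Map<String, ?> sharedState;
    protected Map<String, ?> options;   // realmName, portalContainerName, ... from the realm config
    private boolean succeeded;

    @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.sharedState = sharedState;
        this.options = options;
    }

    @Override public boolean login() throws LoginException {
        String user = (String) sharedState.get(NAME_KEY);
        String shared = (String) sharedState.get(PASSWORD_KEY);   // the real password, not the cookie token
        char[] password = shared == null ? null : shared.toCharArray();
        if (user == null || password == null) {
            // Nothing shared (module misordered or running alone): fall back to callbacks.
            // Behind PortalLoginModule the PasswordCallback would only carry the cookie token key.
            NameCallback nc = new NameCallback("username");
            PasswordCallback pc = new PasswordCallback("password", false);
            try {
                handler.handle(new Callback[] {nc, pc});
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("credentials unavailable: " + e.getMessage());
            }
            user = nc.getName();
            password = pc.getPassword();
            pc.clearPassword();
        }
        succeeded = user != null && password != null && verify(user, password);
        if (password != null) java.util.Arrays.fill(password, '\0');   // scrub the secret after use
        if (!succeeded) throw new FailedLoginException("authentication failed in " + options.get("realmName"));
        return true;
    }

    protected abstract boolean verify(String user, char[] password);   // hypothetical hook: the real check (LDAP, DB, ...)

    @Override public boolean commit() { return succeeded; }
    @Override public boolean abort() { succeeded = false; return true; }
    @Override public boolean logout() { succeeded = false; return true; }
}
```

A concrete subclass implementing verify() is what you would reference from jaas.conf or gatein-jboss-beans.xml, listed after PortalLoginModule.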
To learn more about the syntax, or realms in Tomcat, refer to the JAAS tutorial or Tomcat Realm How-To respectively.
For JBoss, you need to edit the default JAAS security domain in the 02portal.war!WEB-INF/jboss-web.xml file.
<jboss-web>
  <security-domain>java:/jaas/gatein-domain</security-domain>
</jboss-web>
Additionally, you need to edit the application-policy to match the security-domain in the gatein.ear!META-INF/gatein-jboss-beans.xml file.
<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="gatein-domain">
    <authentication>
      <login-module code="org.exoplatform.web.security.PortalLoginModule" flag="required">
        <module-option name="portalContainerName">portal</module-option>
        <module-option name="realmName">gatein-domain</module-option>
      </login-module>
      <login-module code="org.exoplatform.services.security.jaas.SharedStateLoginModule" flag="required">
        <module-option name="portalContainerName">portal</module-option>
        <module-option name="realmName">gatein-domain</module-option>
      </login-module>
      <login-module code="org.exoplatform.services.security.j2ee.JbossLoginModule" flag="required">
        <module-option name="portalContainerName">portal</module-option>
        <module-option name="realmName">gatein-domain</module-option>
      </login-module>
    </authentication>
  </application-policy>
</deployment>
To learn more about the JBoss security configuration, refer to JBoss Web Docs.
Finally, some changes are common to both application servers.
First, locate the entry named exo.security.domain in the configuration.properties file and set it to the JAAS realm that matches your own security constraints:
# Realm name
exo.security.domain=gatein-domain
Internally, eXo Platform uses this setting to set a new variable named "portal.container.realm" that is then used in the Kernel configuration files, such as platform-extension/WEB-INF/conf/platform/repository-configuration.xml.
Inside portal.war, you should declare the Realm name in the web.xml file:
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>gatein-domain</realm-name>
  <form-login-config>
    ...
  </form-login-config>
</login-config>