eXo Platform relies on JAAS for propagating the user identity and roles to the different applications deployed on the server.
The JAAS realm will be used by all eXo apps and even propagated to the JCR for Access Control
By default, Platform uses a JAAS realm named "gatein-domain". If your IT operations rules require you to use another JAAS realm, you will need to modify several files so that eXo can work on your JAAS realm.
Since the security configuration is highly dependent of the app server we'll cover each application sever separately.
In the Tomcat bundle, the jaas configuration is controled by this $TOMCATHOME/conf/jaas.conf :
gatein-domain {
org.exoplatform.web.security.PortalLoginModule required;
org.exoplatform.services.security.jaas.SharedStateLoginModule required;
org.exoplatform.services.security.j2ee.TomcatLoginModule required;
};
Replace gatein-domain by your own domain name.
Learn more about the syntax in the JAAS tutorial. Read more about realms in tomcat in the Tomcat Realm Howto
For JBoss, you need to edit the default jaas security domain in 02portal.war!WEB-INF/jboss-web.xml
<jboss-web> <security-domain>java:/jaas/gatein-domain</security-domain> </jboss-web>
Additionnaly, you need to edit the application-policy to match the security-domain in gatein.ear!META-INF/gatein-jboss-beans.xml.
<deployment xmlns="urn:jboss:bean-deployer:2.0">
<application-policy xmlns="urn:jboss:security-beans:1.0" name="gatein-domain">
<authentication>
<login-module code="org.exoplatform.web.security.PortalLoginModule" flag="required">
<module-option name="portalContainerName">portal</module-option>
<module-option name="realmName">gatein-domain</module-option>
</login-module>
<login-module code="org.exoplatform.services.security.jaas.SharedStateLoginModule" flag="required">
<module-option name="portalContainerName">portal</module-option>
<module-option name="realmName">gatein-domain</module-option>
</login-module>
<login-module code="org.exoplatform.services.security.j2ee.JbossLoginModule" flag="required">
<module-option name="portalContainerName">portal</module-option>
<module-option name="realmName">gatein-domain</module-option>
</login-module>
</authentication>
</application-policy>
</deployment>
Read More about JBoss security configuration in JBoss Web Docs
Finally, there are some common changes to do on both app servers.
First, change the JAAS realm to match your own security constraints, inside the configuration.properties file, identify the entry named "exo.security.domain
# Realm name exo.security.domain=gatein-domain
Internally, eXo will use this setting to set a new variable named "portal.container.realm" that is then used in kernel configuration files such as platform-extension/WEB-INF/conf/platform/repository-configuration.xml.
Inside portal.war, you should declare in the web.xml file the realm name:
<login-config> <auth-method>FORM</auth-method> <realm-name>gatein-domain</realm-name> <form-login-config> ... </form-login-config> </login-config>