To configure the web server as desired, it is simpler to directly modify the sources.
The first step is to add the GateIn 3.2 Authentication Plugin:
The plugin makes secure authentication callbacks to a RESTful service installed on the remote GateIn 3.2 server to authenticate a user.
In order for the plugin to function correctly, it needs to be properly configured to connect to this service. This configuration is done via the opensso.war/config/auth/default/AuthenticationPlugin.xml file.
Obtain a copy of Tomcat and extract it into a suitable location (this location will be referred to as TOMCAT_HOME in this example).
Change the default port to avoid a conflict with the default GateIn 3.2 port (for testing purposes) by editing TOMCAT_HOME/conf/server.xml and replacing the 8080 port with 8888.
If GateIn 3.2 is running on the same machine as Tomcat, other ports need to be changed in addition to 8080 to avoid port conflicts. They can be changed to any free port. For example, you can change the admin port from 8005 to 8805, and the AJP port from 8009 to 8809.
Ensure the TOMCAT_HOME/webapps/opensso/config/auth/default/AuthenticationPlugin.xml file looks like this:
<?xml version='1.0' encoding="UTF-8"?>
<!DOCTYPE ModuleProperties PUBLIC "=//iPlanet//Authentication Module Properties XML Interface 1.0 DTD//EN"
        "jar://com/sun/identity/authentication/Auth_Module_Properties.dtd">
<ModuleProperties moduleName="AuthenticationPlugin" version="1.0" >
  <Callbacks length="2" order="1" timeout="60"
             header="GateIn OpenSSO Login" >
    <NameCallback>
      <Prompt>
        Username
      </Prompt>
    </NameCallback>
    <PasswordCallback echoPassword="false" >
      <Prompt>
        Password
      </Prompt>
    </PasswordCallback>
  </Callbacks>
</ModuleProperties>
Copy GATEIN_SSO_HOME/opensso/plugin/WEB-INF/lib/sso-opensso-plugin-<VERSION>.jar, GATEIN_SSO_HOME/opensso/plugin/WEB-INF/lib/commons-httpclient-<VERSION>.jar, and GATEIN_SSO_HOME/opensso/plugin/WEB-INF/lib/commons-logging-<VERSION>.jar into the Tomcat directory at TOMCAT_HOME/webapps/opensso/WEB-INF/lib.
Copy GATEIN_SSO_HOME/opensso/plugin/WEB-INF/classes/gatein.properties into TOMCAT_HOME/webapps/opensso/WEB-INF/classes.
Tomcat should now start, and http://localhost:8888/opensso/UI/Login?realm=gatein should be accessible. Login will not be available at this point.
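
A pre-flight check for the layout the steps above produce, given here as an added example that is not part of the GateIn documentation. It uses only the file names and ports stated on this page; the function name check_layout and the command-line handling are hypothetical.

```python
import glob
import os
import sys
import xml.etree.ElementTree as ET

GATEIN_PORTS = {"8080", "8005", "8009"}  # GateIn defaults named on this page
PLUGIN_JARS = ("sso-opensso-plugin-*.jar", "commons-httpclient-*.jar",
               "commons-logging-*.jar")


def check_layout(tomcat_home):
    """Return a list of problems under tomcat_home; an empty list means OK."""
    problems = []
    app = os.path.join(tomcat_home, "webapps", "opensso")

    # 1. No active element in server.xml may still use a GateIn default port.
    #    ElementTree discards XML comments, so commented-out connectors are ignored.
    try:
        for elem in ET.parse(os.path.join(tomcat_home, "conf", "server.xml")).iter():
            if elem.get("port") in GATEIN_PORTS:
                problems.append(f"server.xml: <{elem.tag}> still uses port {elem.get('port')}")
    except (OSError, ET.ParseError) as exc:
        problems.append(f"server.xml: {exc}")

    # 2. The three plugin jars and gatein.properties were copied into the web app.
    for pattern in PLUGIN_JARS:
        if not glob.glob(os.path.join(app, "WEB-INF", "lib", pattern)):
            problems.append(f"WEB-INF/lib: no jar matching {pattern}")
    if not os.path.isfile(os.path.join(app, "WEB-INF", "classes", "gatein.properties")):
        problems.append("WEB-INF/classes: gatein.properties is missing")

    # 3. AuthenticationPlugin.xml parses, names the module, and hides the password.
    plugin_xml = os.path.join(app, "config", "auth", "default", "AuthenticationPlugin.xml")
    try:
        root = ET.parse(plugin_xml).getroot()
        if root.get("moduleName") != "AuthenticationPlugin":
            problems.append("AuthenticationPlugin.xml: unexpected moduleName")
        password = root.find("./Callbacks/PasswordCallback")
        if password is None or password.get("echoPassword") != "false":
            problems.append("AuthenticationPlugin.xml: echoPassword is not \"false\"")
    except (OSError, ET.ParseError) as exc:
        problems.append(f"AuthenticationPlugin.xml: {exc}")
    return problems


if __name__ == "__main__":
    found = check_layout(sys.argv[1] if len(sys.argv) > 1 else os.environ.get("TOMCAT_HOME", "."))
    print("\n".join(found) or "layout OK")
    sys.exit(1 if found else 0)
```

Run it with TOMCAT_HOME as the argument before starting Tomcat; it exits non-zero and lists each step that still needs attention.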

Configure the "gatein" realm:
Direct your browser to http://localhost:8888/opensso.
Create the default configuration.
Log in as amadmin and then go to the Configuration tab -> Authentication -> Core link -> add a new value and fill in the class name org.gatein.sso.opensso.plugin.AuthenticationPlugin. This step is really important. If it is skipped, AuthenticationPlugin is not available among the other OpenSSO authentication modules.
Go to the Access control tab and create the new realm called gatein.
Go to the "gatein" realm and click the Authentication tab. At the bottom of the Authentication chaining section, click ldapService. Here, change the selection from "Datastore", which is the default module in the authentication chain, to AuthenticationPlugin. This enables authentication of the "gatein" realm through the GateIn REST service instead of the OpenSSO LDAP server.
Go to Advanced properties and change UserProfile from Required to Dynamic. This step is needed because GateIn 3.2 users are not in the OpenSSO Datastore (LDAP server), so their profiles cannot be obtained if "Required" is active. By using "Dynamic", all new users are automatically created in the OpenSSO datastore after successful authentication.
Increase the user privileges to allow REST access. Go to Access control -> Top level realm -> Privileges tab -> All authenticated users, and check the last two checkboxes:
Read and write access only for policy properties.
Read and write access to all realm and policy properties.
Repeat the previous step to increase privileges for the gatein realm as well.