eXo Platform relies on JAAS for propagating the user identity and roles to the different applications deployed on the server.
The JAAS realm is used by all eXo Platform applications and even propagated to the JCR for Access Control.
Therefore, if you need to change the JAAS configuration, be aware that the change has a wide impact and may require you to unpack and modify some .war files.
This section explains:
The JAAS configuration requires a login.config file.
This file contains one or more entries, each called a "Realm". Each entry declares a Realm name and at least one login module.
Each login module consists of a Java class and some parameters that are defined by that class.
Below is the default Realm in the Tomcat bundle. In JBoss it looks different, but the explanation applies to both.
gatein-domain {
  org.gatein.sso.integration.SSODelegateLoginModule required
    enabled="#{gatein.sso.login.module.enabled}"
    delegateClassName="#{gatein.sso.login.module.class}"
    portalContainerName=portal
    realmName=gatein-domain
    password-stacking=useFirstPass;
  org.exoplatform.services.security.j2ee.TomcatLoginModule required
    portalContainerName=portal
    realmName=gatein-domain;
};
In which:
gatein-domain is the Realm name that applications refer to.
If you change this default name, you need to re-configure all the applications that use the Realm (listed later).
The two required login modules are org.gatein.sso.integration.SSODelegateLoginModule and org.exoplatform.services.security.j2ee.TomcatLoginModule. If authentication succeeds, the first creates an Identity object and saves it into a shared state map, from which the second can use it.
These are some login modules available in eXo Platform. Refer to Existing login modules to understand how they match the login scenarios.
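The following is an added example, not code from eXo Platform or its documentation. It parses a file in the standard JAAS login configuration syntax shown above into realm entries, login module classes, flags and options, and then performs the checks an administrator wants before restarting after a change: the realm named by exo.security.domain actually exists, every module flag is one of the four JAAS flags, and each module's realmName option matches the entry name it sits in (the mismatch that arises when only the entry name is renamed). The sample file, the check function and its messages are all constructed for this example.

```python
"""Parse a JAAS login.config (jaas.conf) file and sanity-check its realms.

Added example for this page; not eXo Platform's own code. It assumes the
standard JAAS login configuration syntax: a realm name, '{', login modules
written as 'class flag key=value ...;', and a closing '};'.
"""
import re
from dataclasses import dataclass, field

# The four module flags defined by JAAS.
VALID_FLAGS = {"required", "requisite", "sufficient", "optional"}

# One token per quoted string, bare word (optionally with a quoted value
# attached, e.g. enabled="#{...}"), or structural character '{', '}', ';'.
_TOKEN = re.compile(r'"[^"]*"|[^\s{};"]+(?:"[^"]*")?|[{};]')


@dataclass
class LoginModule:
    class_name: str
    flag: str
    options: dict = field(default_factory=dict)


def _tokenize(text):
    # Drop whole-line '//' comments, then split the rest into tokens.
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("//")]
    return _TOKEN.findall("\n".join(lines))


def parse_login_config(text):
    """Return {realm_name: [LoginModule, ...]} for every entry in the file."""
    tokens = _tokenize(text)
    realms = {}
    i = 0
    while i < len(tokens):
        name = tokens[i]
        if i + 1 >= len(tokens) or tokens[i + 1] != "{":
            raise ValueError(f"expected '{{' after realm name {name!r}")
        i += 2
        modules = []
        while tokens[i] != "}":
            class_name, flag = tokens[i], tokens[i + 1]
            i += 2
            options = {}
            while tokens[i] != ";":
                key, _, value = tokens[i].partition("=")
                options[key] = value.strip('"')
                i += 1
            i += 1  # consume the ';' that closes this login module
            modules.append(LoginModule(class_name, flag, options))
        i += 1  # consume '}'
        if i < len(tokens) and tokens[i] == ";":
            i += 1  # consume the ';' that usually follows '}'
        realms[name] = modules
    return realms


def check_realm(realms, expected_domain):
    """Return a list of problems; expected_domain is exo.security.domain."""
    problems = []
    if expected_domain not in realms:
        found = ", ".join(realms) or "none"
        problems.append(f"exo.security.domain={expected_domain} matches no realm entry (found: {found})")
    for name, modules in realms.items():
        if not modules:
            problems.append(f"realm {name} declares no login module")
        for m in modules:
            if m.flag not in VALID_FLAGS:
                problems.append(f"{name}: {m.class_name} has invalid flag {m.flag!r}")
            realm_opt = m.options.get("realmName")
            if realm_opt is not None and realm_opt != name:
                problems.append(f"{name}: {m.class_name} has realmName={realm_opt}, "
                                "which does not match the entry name")
    return problems


# Constructed copy of the default Tomcat realm shown on this page.
SAMPLE_JAAS_CONF = """\
gatein-domain {
  org.gatein.sso.integration.SSODelegateLoginModule required
    enabled="#{gatein.sso.login.module.enabled}"
    delegateClassName="#{gatein.sso.login.module.class}"
    portalContainerName=portal
    realmName=gatein-domain
    password-stacking=useFirstPass;
  org.exoplatform.services.security.j2ee.TomcatLoginModule required
    portalContainerName=portal
    realmName=gatein-domain;
};
"""

if __name__ == "__main__":
    realms = parse_login_config(SAMPLE_JAAS_CONF)
    for name, modules in realms.items():
        print(name)
        for m in modules:
            print(f"  {m.flag:10} {m.class_name} {m.options}")
    print("problems:", check_realm(realms, "gatein-domain"))
```

Run it against a real $PLATFORM_TOMCAT_HOME/conf/jaas.conf by reading the file instead of SAMPLE_JAAS_CONF and passing the value of exo.security.domain from exo.properties; an empty problem list means the realm file and the property agree.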
Declaring JAAS Realm in eXo Platform
In the Tomcat bundle
The default Realm is declared in the $PLATFORM_TOMCAT_HOME/conf/jaas.conf file. Its content is exactly the above example.
A "security domain" property in $PLATFORM_TOMCAT_HOME/gatein/conf/exo.properties (about this file, see Configuration overview) needs to be set equal to the Realm name:
exo.security.domain=gatein-domain
In the JBoss package
The default Realm is declared in the $PLATFORM_JBOSS_HOME/standalone/configuration/standalone-exo.xml file, at the following lines:
<security-domain name="gatein-domain" cache-type="default">
  <authentication>
    <!--
    <login-module code="org.gatein.sso.integration.SSODelegateLoginModule" flag="required">
      <module-option name="enabled" value="${gatein.sso.login.module.enabled}"/>
      <module-option name="delegateClassName" value="${gatein.sso.login.module.class}"/>
      <module-option name="portalContainerName" value="portal"/>
      <module-option name="realmName" value="gatein-domain"/>
      <module-option name="password-stacking" value="useFirstPass"/>
    </login-module>
    -->
    <login-module code="org.exoplatform.services.security.j2ee.JBossAS7LoginModule" flag="required">
      <module-option name="portalContainerName" value="portal"/>
      <module-option name="realmName" value="gatein-domain"/>
    </login-module>
  </authentication>
</security-domain>
A "security domain" property in $PLATFORM_JBOSS_HOME/standalone/configuration/gatein/exo.properties (about this file, see Configuration overview) needs to be set equal to the Realm name:
exo.security.domain=gatein-domain
List of applications using Realm
If an application (.war) uses the Realm for authentication and authorization, it refers to the Realm name with one of the following lines.
In WEB-INF/jboss-web.xml:
<security-domain>java:/jaas/gatein-domain</security-domain>
In WEB-INF/web.xml:
<realm-name>gatein-domain</realm-name>
In META-INF/context.xml:
appName='gatein-domain'
As mentioned above, if you change "gatein-domain", you need to re-configure all the applications that use the Realm so that they refer to the new Realm name.
Here is the list of webapps and the files you need to re-configure:
In the Tomcat bundle:
portal.war: /WEB-INF/jboss-web.xml, /WEB-INF/web.xml, /META-INF/context.xml.
rest.war: /WEB-INF/jboss-web.xml, /WEB-INF/web.xml, /META-INF/context.xml.
ecm-wcm-extension.war: /WEB-INF/jboss-web.xml.
calendar-extension.war: /WEB-INF/jboss-web.xml.
forum-extension.war: /WEB-INF/jboss-web.xml.
wiki-extension.war: /WEB-INF/jboss-web.xml.
ecm-wcm-core.war: /WEB-INF/jboss-web.xml.
crash.war: /WEB-INF/crash/crash.properties, in case you install the Crash add-on.
The .war files are located under the $PLATFORM_TOMCAT_HOME/webapps folder.
In the JBoss package:
exo.portal.web.portal.war: /WEB-INF/jboss-web.xml, /WEB-INF/web.xml, /META-INF/context.xml.
exo.portal.web.rest.war: /WEB-INF/jboss-web.xml, /WEB-INF/web.xml, /META-INF/context.xml.
ecm-wcm-extension.war: /WEB-INF/jboss-web.xml.
calendar-extension-webapp.war: /WEB-INF/jboss-web.xml.
forum-extension-webapp.war: /WEB-INF/jboss-web.xml.
wiki-extension-webapp.war: /WEB-INF/jboss-web.xml.
ecms-core-webapp.war: /WEB-INF/jboss-web.xml.
ecms-packaging-wcm-webapp.war: /WEB-INF/jboss-web.xml.
crash.war: /WEB-INF/crash/crash.properties, in case you install the Crash add-on.
The .war files are located under the $PLATFORM_JBOSS_HOME/standalone/deployments/platform.ear folder.
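The following is an added example, not tooling from eXo Platform. After renaming the Realm, the risk is a webapp whose descriptor still names the old Realm and therefore authenticates against a domain that no longer exists. The script below audits the three descriptor forms listed above (WEB-INF/jboss-web.xml, WEB-INF/web.xml, META-INF/context.xml) across the Tomcat-bundle webapps named on this page, reading each .war either as an unpacked directory or as a packed archive, and reports every descriptor that is missing, has no Realm reference, or references a Realm other than the configured exo.security.domain. crash.properties is left out because the page does not show its format. The sample webapps it builds are constructed for the example; the JBoss package can be audited the same way by passing its own webapp list as the layout argument.

```python
"""Audit webapp descriptors for references to the JAAS Realm name.

Added example for this page; not eXo Platform's own tooling. It assumes each
listed .war is either an unpacked directory or a packed zip archive under the
webapps folder, and that descriptors use the three reference forms shown on
this page.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Regexes for the three reference forms shown on this page.
REFERENCE_PATTERNS = {
    "jboss-web.xml": re.compile(r"<security-domain>\s*java:/jaas/([^<\s]+)\s*</security-domain>"),
    "web.xml": re.compile(r"<realm-name>\s*([^<\s]+)\s*</realm-name>"),
    "context.xml": re.compile(r"""appName\s*=\s*['"]([^'"]+)['"]"""),
}

# Tomcat-bundle webapps and descriptors listed on this page (crash.war omitted).
TOMCAT_REALM_FILES = {
    "portal.war": ["WEB-INF/jboss-web.xml", "WEB-INF/web.xml", "META-INF/context.xml"],
    "rest.war": ["WEB-INF/jboss-web.xml", "WEB-INF/web.xml", "META-INF/context.xml"],
    "ecm-wcm-extension.war": ["WEB-INF/jboss-web.xml"],
    "calendar-extension.war": ["WEB-INF/jboss-web.xml"],
    "forum-extension.war": ["WEB-INF/jboss-web.xml"],
    "wiki-extension.war": ["WEB-INF/jboss-web.xml"],
    "ecm-wcm-core.war": ["WEB-INF/jboss-web.xml"],
}


def realm_references(descriptor_name, content):
    """Return every Realm name referenced in one descriptor's text."""
    pattern = REFERENCE_PATTERNS.get(descriptor_name)
    return pattern.findall(content) if pattern else []


def _read_descriptor(war_path, rel):
    """Return descriptor text from an unpacked dir or a packed .war, else None."""
    if war_path.is_dir():
        candidate = war_path / rel
        return candidate.read_text() if candidate.is_file() else None
    if war_path.is_file() and zipfile.is_zipfile(war_path):
        with zipfile.ZipFile(war_path) as archive:
            if rel in archive.namelist():
                return archive.read(rel).decode()
    return None


def audit_webapps(webapps_dir, expected_domain, layout=TOMCAT_REALM_FILES):
    """Return {war/descriptor: problem} for descriptors not bound to expected_domain."""
    problems = {}
    for war, files in layout.items():
        for rel in files:
            key = f"{war}/{rel}"
            content = _read_descriptor(Path(webapps_dir) / war, rel)
            if content is None:
                problems[key] = "missing"
                continue
            names = set(realm_references(rel.rsplit("/", 1)[-1], content))
            if not names:
                problems[key] = "no realm reference found"
            elif names != {expected_domain}:
                problems[key] = "references " + ", ".join(sorted(names))
    return problems


def build_sample_webapps(root, domain, stale_domain):
    """Constructed layout: portal.war unpacked and bound to `domain`; rest.war
    packed, with a jboss-web.xml that still names `stale_domain`."""
    root = Path(root)
    portal = root / "portal.war"
    (portal / "WEB-INF").mkdir(parents=True)
    (portal / "META-INF").mkdir()
    jboss_web = "<jboss-web><security-domain>java:/jaas/{}</security-domain></jboss-web>"
    web = "<web-app><login-config><realm-name>{}</realm-name></login-config></web-app>"
    context = "<Context><Realm appName='{}'/></Context>"
    (portal / "WEB-INF" / "jboss-web.xml").write_text(jboss_web.format(domain))
    (portal / "WEB-INF" / "web.xml").write_text(web.format(domain))
    (portal / "META-INF" / "context.xml").write_text(context.format(domain))
    with zipfile.ZipFile(root / "rest.war", "w") as archive:
        archive.writestr("WEB-INF/jboss-web.xml", jboss_web.format(stale_domain))
        archive.writestr("WEB-INF/web.xml", web.format(domain))
        archive.writestr("META-INF/context.xml", context.format(domain))


def demo():
    """Audit the constructed layout after a rename from gatein-domain to my-domain."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webapps(tmp, "my-domain", "gatein-domain")
        return audit_webapps(tmp, "my-domain")


if __name__ == "__main__":
    for key, problem in sorted(demo().items()):
        print(f"{key}: {problem}")
```

On a real installation, call audit_webapps with $PLATFORM_TOMCAT_HOME/webapps and the value of exo.security.domain; only the stale rest.war descriptor should show up as a reference problem in the demo, while the five extension webapps that were not built in the sample are reported as missing.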
See also