As mentioned, the fallback to FORM authentication is automatically enabled. This means that users can authenticate either by the SPNEGO handshake with their Kerberos ticket or by providing their credentials in the eXo Platform login form, which will perform verification of credentials against the Picketlink IDM database.
You may want to enforce authentication only by SPNEGO and disable the possibility of authenticating with the eXo Platform login form.
In this case, you will need to add the enableFormAuthentication=false option to the SSODelegateLoginModule module:
$PLATFORM_TOMCAT_HOME/conf/jaas.conf (in Tomcat). The jaas.conf now looks like:
...
gatein-domain {
  org.gatein.sso.integration.SSODelegateLoginModule required
    enabled="#{gatein.sso.login.module.enabled}"
    delegateClassName="#{gatein.sso.login.module.class}"
    portalContainerName=portal
    realmName=gatein-domain
    enableFormAuthentication=false
    password-stacking=useFirstPass;
  org.exoplatform.services.security.j2ee.TomcatLoginModule required
    portalContainerName=portal
    realmName=gatein-domain;
};
...
$PLATFORM_JBOSS_HOME/standalone/configuration/standalone-exo.xml (in JBoss). The standalone-exo.xml now looks like:
...
<security-domain name="gatein-domain" cache-type="default">
  <authentication>
    <login-module code="org.gatein.sso.integration.SSODelegateLoginModule" flag="required">
      <module-option name="enabled" value="#{gatein.sso.login.module.enabled}" />
      <module-option name="delegateClassName" value="#{gatein.sso.login.module.class}" />
      <module-option name="portalContainerName" value="portal" />
      <module-option name="enableFormAuthentication" value="false"/>
      <module-option name="realmName" value="gatein-domain" />
      <module-option name="password-stacking" value="useFirstPass" />
    </login-module>
    <login-module code="org.exoplatform.services.security.j2ee.JBossAS7LoginModule" flag="required">
      <module-option name="portalContainerName" value="portal"/>
      <module-option name="realmName" value="gatein-domain"/>
    </login-module>
  </authentication>
</security-domain>
...
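One way to audit either file for this setting, given as an added example that is not part of the eXo Platform documentation: it reports the form fallback as disabled only when the active SSODelegateLoginModule entry carries the literal value false, so a missing or commented-out option fails the check. The function names and the sample input are constructed for illustration; the module class, option and domain names are the ones shown above.

```python
import re
import xml.etree.ElementTree as ET

SSO_MODULE = "org.gatein.sso.integration.SSODelegateLoginModule"
OPTION = "enableFormAuthentication"

def _is_false(value):
    # Fail closed: only a literal "false" counts; absent means FORM stays on.
    return value is not None and value.strip('"') == "false"

def form_auth_disabled_jaas(text, domain="gatein-domain"):
    """Audit the contents of jaas.conf (Tomcat)."""
    # Drop comments but keep quoted values: a commented-out option is inactive.
    text = re.sub(r'"[^"]*"|/\*.*?\*/|//[^\n]*',
                  lambda m: m.group(0) if m.group(0)[0] == '"' else " ",
                  text, flags=re.S)
    block = re.search(re.escape(domain) + r"\s*\{(.*?)\}\s*;", text, re.S)
    body = block.group(1) if block else ""
    # Each entry reads "<class> <flag> name=value ...;"
    for entry in re.findall(r'(?:"[^"]*"|[^;"])+', body):
        tokens = entry.split()
        if tokens and tokens[0] == SSO_MODULE:
            opts = dict(re.findall(r'([\w.-]+)\s*=\s*("[^"]*"|\S+)', entry))
            return _is_false(opts.get(OPTION))
    return False

def form_auth_disabled_xml(xml_text, domain="gatein-domain"):
    """Audit the contents of standalone-exo.xml (JBoss)."""
    def local(el):  # tag name without its XML namespace
        return el.tag.rsplit("}", 1)[-1]
    for sd in ET.fromstring(xml_text).iter():
        if local(sd) != "security-domain" or sd.get("name") != domain:
            continue
        for mod in sd.iter():
            if local(mod) == "login-module" and mod.get("code") == SSO_MODULE:
                opts = {o.get("name"): o.get("value")
                        for o in mod if local(o) == "module-option"}
                return _is_false(opts.get(OPTION))
    return False

# Constructed sample: the option appears only inside a comment.
SAMPLE_JAAS = """gatein-domain {
  org.gatein.sso.integration.SSODelegateLoginModule required
    // enableFormAuthentication=false
    password-stacking=useFirstPass;
};"""

if __name__ == "__main__":
    print("FORM login disabled:", form_auth_disabled_jaas(SAMPLE_JAAS))
```

Pass the file contents as a string, for example `form_auth_disabled_jaas(open(path).read())`.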