Wednesday, October 12, 2011

Securing applications and web services thru JOSSO

Centralized authentication means that users do not have to enter their credentials separately for each application within the same organization.

JOSSO, or Java Open Single Sign-On, is an open source J2EE-based SSO infrastructure aimed at providing centralized, platform-neutral user authentication. JOSSO is open source and commercial friendly. JOSSO exposes Single Sign-On services using SOAP over HTTP, allowing it to integrate easily with non-Java applications and SOAP clients. JOSSO supports validation of credentials stored in multiple formats, such as a database, XML or LDAP.

Applications often also need their web services to be SSO-enabled. To achieve this, the SSO session id is set on every request by a custom Axis client-side cookie handler. All requests are then intercepted by the JOSSO Agent, which interacts with the JOSSO Gateway to authenticate and authorize the request based on the SSO session id.

How does JOSSO work?

JOSSO comprises three main components:

SSO Gateway (IdP): the SSO server, also known as the Identity Provider, responsible for acting as the web access management authority for SSO-enabled applications and their users.

SSO Agent: handles the single sign-on use cases and the execution environment integration details for SSO-enabled applications. Agents consume the Gateway's identity services.

Partner application (SP): an SSO-enabled web application, also known as the Service Provider, that relies on the SSO Agent and Gateway components to provide the Single Sign-On experience to users.

Interaction between components

a) The user requests a web resource from the browser.

b) The SSO Agent intercepts the request and checks whether the resource is protected and belongs to a partner application.

c) The SSO Agent checks whether an SSO session is present, using the JOSSO_SESSION_ID cookie.

d) If no SSO session is present, the agent submits an authentication request to the gateway. If an SSO session is present, the agent sends an SSO session assertion request to the gateway to verify that the user has not already logged out through another application.

e) The Gateway checks whether the SSO session exists using JOSSO_SESSION_ID.

f) If no SSO session is present, the user's credentials are requested by showing the login form.

g) If the credentials are invalid, the user is asked for credentials again until the maximum number of retries is reached.

h) If the credentials are valid, an SSO session is created on the gateway and the assertion details (i.e. authentication/authorization details) are sent to the agent. On resolving the assertion, a session is created on the agent, the security context is associated with the token, and the security context is injected into the request.

i) The user is then granted access to the resource.

 

Steps for enabling SSO for an application using JOSSO:

To authenticate using the JOSSO gateway and agent:

-       Install JOSSO Gateway

-       Configure LDAP authenticator and identity manager to point to LDAP server on JOSSO gateway

-       Install JOSSO agent on the tomcat server which would host the Web application

-       Configure JOSSO agent

 

Install JOSSO Gateway:

Prerequisites:

a)      JDK 1.5 or above

b)      Tomcat 6.0 or any other App server

c)       JOSSO binaries

JOSSO 1.8 comes with a JOSSO deployment console that helps install the JOSSO components (Gateway and Agents). The console is implemented using Apache Geronimo GShell, an extensible command-line processing environment for creating platform-independent command-line applications.

To install the JOSSO Gateway, start “JOSSO gshell” using josso-gsh.bat (on Windows) or josso-gsh.sh (on UNIX variants).

Use the following command to install the JOSSO gateway:

gateway install -t <Target installation directory> --platform <app server>

e.g. to install the JOSSO gateway on Tomcat 6.0 in the “/opt/apache-tomcat-6.0.18” directory:

josso> gateway install -t /opt/apache-tomcat-6.0.18 --platform tc60

e.g. to install the JOSSO gateway on Tomcat 6.0 in the “/opt/apache-tomcat-6.0.18” directory with the default LDAP configuration:

josso> gateway install -t /opt/apache-tomcat-6.0.18 --platform tc60 --persistence ldap

The install process performs the following tasks:

1. Verifies that the selected target matches the selected installer / platform.

2. Generates and installs the AES key used by automatic authentication.

3. Installs the default gateway configuration.

4. Deploys the JOSSO gateway WAR (josso.war).

Configure LDAP authenticator and identity manager to point to LDAP server on JOSSO gateway

The following configuration shows authentication through LDAP. Similarly, JOSSO can be configured for authentication against a database or XML.

This configuration tells JOSSO to import the josso-gateway-ldap-stores.xml configuration file and defines the bind authentication bean.

Modify josso-gateway-config.xml to point to ldap store.

josso-gateway-config.xml

<?xml version="1.0" encoding="ISO-8859-1" ?>
<s:import resource="josso-gateway-ldap-stores.xml" />

<def-auth:authenticator id="josso-authenticator">
    <def-auth:schemes>
        <s:ref bean="josso-bind-authentication"/>
    </def-auth:schemes>
</def-auth:authenticator>

 

Configuring the LDAP Store

The josso-gateway-ldap-stores.xml file contains the configuration for connecting to the LDAP server.

<ldap-istore:ldap-bind-store
        id="josso-identity-store"
        class="org.josso.gateway.identity.service.store.ldap.LDAPBindIdentityStore"
        initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
        providerUrl="ldap://10.145.130.86:1420/"
        securityPrincipal="uid=queryuser,ou=People,dc=xyz"
        securityCredential="xxxx"
        securityAuthentication="simple"
        ldapSearchScope="SUBTREE"
        usersCtxDN="ou=People,dc=xyz"
        principalUidAttributeID="uid"
        uidAttributeID="uniqueMember"
        rolesCtxDN="ou=Roles,ou=a,dc=xyz"
        roleAttributeID="cn"
        />

Configuring the Authenticator

The configuration for the authenticator is specified in the josso-gateway-auth.xml configuration file. This component is responsible for authenticating the user using the configured authentication scheme and for managing the authenticated user sessions. The id defined for the LDAP store (josso-identity-store) must be referenced from the authenticator's credentialStore.

<?xml version="1.0" encoding="ISO-8859-1" ?>
<bind-authscheme:bind-auth-scheme
        id="josso-bind-authentication"
        name="basic-authentication"
        hashAlgorithm="MD5"
        hashEncoding="HEX"
        ignorePasswordCase="false"
        ignoreUserCase="false">

    <bind-authscheme:credentialStore>
        <s:ref bean="josso-identity-store"/>
    </bind-authscheme:credentialStore>

    <bind-authscheme:credentialStoreKeyAdapter>
        <s:ref bean="josso-simple-key-adapter"/>
    </bind-authscheme:credentialStoreKeyAdapter>
</bind-authscheme:bind-auth-scheme>
 

Configuring Login Form

The login form can be configured in josso-gateway-web.xml by modifying customLoginURL; point it to the login page you want to show during login. Note that sessionTokenSecure="false" allows the SSO session cookie to be sent over plain HTTP; set it to true once the gateway is served over HTTPS.

<web-configuration id="josso-web-configuration"
                   rememberMeEnabled="true"
                   sessionTokenOnClient="true"
                   sessionTokenSecure="false"
                   sendP3PHeader="false"
                   customLoginURL="http://localhost:8080/partnerapp/partner-login.jsp">

 

Agent install:

To install the JOSSO Agent, open “JOSSO gshell” using josso-gsh.bat (on Windows) or josso-gsh.sh (on UNIX variants).

Use the following command to install the JOSSO agent:

agent install -t <target installation directory> --platform <app server>

 

e.g. to install the JOSSO agent on Tomcat 6.0 in the “/opt/apache-tomcat-6.0.18” directory:

josso> agent install -t /opt/apache-tomcat-6.0.18 --platform tc60

 

The install process performs the following tasks:

1. Verifies that the target platform matches the selected installer / platform.

2. Installs the third-party JARs needed by the JOSSO Agent.

3. Installs the Agent components.

4. Installs the Agent configuration resources.

5. Configures the container (when possible).

 

CONFIGURE JOSSO AGENT

The main responsibility of the Single Sign-On Agent is to check that a user who previously logged in through the Single Sign-On Gateway is authorized to access a web context.

The Agent verifies this by querying the Single Sign-On web service infrastructure via SOAP, using a special cookie set by the Single Sign-On Gateway on authentication.

Add this XML snippet to josso-agent-config.xml to make the web application a JOSSO partner application. Change the id and context as required.

<agent:partner-app id="partnerapp" context="/partnerapp">
    <ignore-web-resource-collections>public-resources,img-resources</ignore-web-resource-collections>
</agent:partner-app>

<agent:partner-app id="partnerapp2" context="/partnerapp2">
    <ignore-web-resource-collections>public-resources,img-resources</ignore-web-resource-collections>
</agent:partner-app>


Configure the SSO Gateway login URL

The Single Sign-On Agent configuration must reside in the $CATALINA_HOME/lib directory; it is the josso-agent-config.xml file referenced above.

<?xml version="1.0" encoding="UTF-8" ?>
<gatewayLoginUrl>http://localhost:8080/josso/signon/login.do</gatewayLoginUrl>
<gatewayLogoutUrl>http://localhost:8080/josso/signon/logout.do</gatewayLogoutUrl>
<configuration>
    <agent:agent-configuration>
        <agent:partner-apps>
            <agent:partner-app id="partnerapp" context="/partnerapp">
                <ignore-web-resource-collections>public-resources,img-resources</ignore-web-resource-collections>
            </agent:partner-app>
        </agent:partner-apps>
    </agent:agent-configuration>
</configuration>


Using this configuration one can set:

  • The Gateway Login URL, to which the Single Sign-On Agent redirects the user when a protected resource is requested, so that the user can authenticate.
  • The Gateway Logout URL, to which the Single Sign-On Agent redirects the user on a logout request.
  • The concrete Single Sign-On Agent to be instantiated.
  • The concrete Service Locator used to invoke the services of the Single Sign-On Gateway.

This example uses the default locator, which invokes the Single Sign-On Gateway web services using SOAP over HTTP.

If the gateway and the agent are running in the same server this will be localhost and the port should be the port where Tomcat is listening for incoming HTTP requests.

Set up Security Constraints (JEE)

Add the following security constraints and login configuration to your application's web.xml. The public-resources collection is the one named in ignore-web-resource-collections above, so the agent leaves those paths unprotected; everything else requires an authenticated user with any role.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>public-resources</web-resource-name>
    <url-pattern>/lib/*</url-pattern>
    <http-method>HEAD</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected-resources</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>HEAD</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login-redirect.jsp</form-login-page>
    <form-error-page>/login-redirect.jsp</form-error-page>
  </form-login-config>
</login-config>

 

Your application is now SSO-enabled. Configure your other applications in the same way.

 

Making Web Services SSO/JOSSO enabled

To make your web services application JOSSO-enabled, the web service client must pass the JOSSO session id with each web service request.

COOKIE HANDLER

A custom Axis client-side handler that sets the SSO session id on every request made by the client.

client-config.wsdd

 

<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
    <globalConfiguration>
        <requestFlow>
            <handler type="CookieHandler"/>
        </requestFlow>
    </globalConfiguration>
    <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender"/>
</deployment>

 

CookieHandler.java

 

import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.handlers.BasicHandler;
import org.apache.axis.transport.http.HTTPConstants;

public class CookieHandler extends BasicHandler {

    // Runs in the Axis request flow for every outgoing call.
    public void invoke(MessageContext context) throws AxisFault {
        // The SSO session id is expected in the JVM system property "josso_session_id".
        String cookieValue = System.getProperty("josso_session_id");
        // Send it as the JOSSO_SESSION_ID cookie; the JOSSO Agent on the service
        // side validates it against the Gateway.
        context.setProperty(HTTPConstants.HEADER_COOKIE, "JOSSO_SESSION_ID" + "=" + cookieValue);
        // HTTPSender only emits the Cookie header when session maintenance is on.
        context.setMaintainSession(true);
    }
}
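The handler above reads one JVM-wide System property, so every caller in that JVM sends the same session id. As an added example (not the post's or JOSSO's own code), this variant attaches the JOSSO_SESSION_ID cookie of the current user's own request to each Axis call; the class names and the josso.session.id property key are assumptions, and PerCallCookieHandler takes the place of CookieHandler in client-config.wsdd.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.client.Call;
import org.apache.axis.handlers.BasicHandler;
import org.apache.axis.transport.http.HTTPConstants;

// Added example, not the post's code: carry the caller's own JOSSO session id
// on each Axis call instead of reading one JVM-wide System property.
public class SsoSessionPropagation {
    // Cookie name the JOSSO agent checks (from the post).
    public static final String SSO_COOKIE = "JOSSO_SESSION_ID";
    // Assumed per-call property key; Axis rejects only "java."/"javax." prefixes.
    public static final String SSO_ID_PROPERTY = "josso.session.id";
    // JOSSO_SESSION_ID cookie value of the incoming request, or null if absent.
    public static String ssoSessionIdFrom(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie cookie : cookies) {
            if (SSO_COOKIE.equals(cookie.getName())) return cookie.getValue();
        }
        return null;
    }
    // Cookie header value; rejects ids that would split or terminate the header.
    public static String cookieHeader(String sessionId) {
        if (sessionId == null || sessionId.isEmpty()) {
            throw new IllegalArgumentException("missing JOSSO session id");
        }
        if (sessionId.matches("(?s).*[;,\\s].*")) {
            throw new IllegalArgumentException("invalid character in JOSSO session id");
        }
        return SSO_COOKIE + "=" + sessionId;
    }
    // Caller side: attach the header to this one Call before invoking the service.
    public static void attachSsoSession(Call call, HttpServletRequest request) {
        call.setProperty(SSO_ID_PROPERTY, cookieHeader(ssoSessionIdFrom(request)));
    }
    // Replacement for CookieHandler: Call properties are visible through the
    // MessageContext, so concurrent users never share a session id.
    public static class PerCallCookieHandler extends BasicHandler {
        public void invoke(MessageContext context) throws AxisFault {
            String header = (String) context.getProperty(SSO_ID_PROPERTY);
            if (header == null) throw new AxisFault("no JOSSO session id attached to this call");
            context.setProperty(HTTPConstants.HEADER_COOKIE, header);
            context.setMaintainSession(true);
        }
    }
}
```

Because the id now travels with the Call, a request from a user without a JOSSO_SESSION_ID cookie fails fast in attachSsoSession instead of silently sending "JOSSO_SESSION_ID=null".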

 

 

1 comment:

me30 said...

I use JOSSO 1.8.6. I follow all steps as you define.

My parent web application [Spring framework] is TestLogin

and I have other web applications:
1) JossoLogin2
2) JossoLoginDemo
3) TestLoginDemo

in which I configured Security Constraints in web.xml.

I hit the browser with the following URL:

http://localhost:8080/TestLoginDemo

So I got the below URL:

http://localhost:8080/TestLogin/?josso_cmd=login_optional
&josso_back_to=http://localhost:8080/TestLoginDemo/josso_security_check
&josso_partnerapp_id=TestLoginDemo

I got the login page of the TestLogin application.

After this I log in to TestLogin, then it carries on the flow with TestLogin and does not transfer to TestLoginDemo.

I am new to JOSSO. Can you guide me where I am wrong?