Need help regarding Wildfly 9 SSO - single-sign-on

I want to implement SSO between two apps that are deployed on same instance of Wildfly 9. I have searched about it but never got enough information regarding it.
First thing is we have to start from standalone.xml:
<subsystem xmlns="urn:jboss:domain:undertow:2.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
<single-sign-on domain="localhost"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/9"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
</subsystem>
Then in jboss-web.xml put following entry of security-domain and valve:
<jboss-web>
<security-domain>java:/jaas/other</security-domain>
<valve>
<class-name>org.apache.catalina.authenticator.SingleSignOn</class-name>
</valve>
</jboss-web>
I am not sure about changes in web.xml.
I think we have to provide information about security-constraint and login-config.
Please help me to implement this concept in both clustered and non-clustered environment.

Try to add the following line at default-host host under the default-server server:
<single-sign-on path="/"/>
At the end, it will be like:
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
<single-sign-on path="/"/>
</host>
</server>
I'm using Wildfly 9.0.2 Final.

org.apache.catalina.authenticator.SingleSignOn can't work on WildFly AS, because Tomcat is substituted by Undertow as a web container.
Normally, you don't need any change to jboss-web.xml.
For an IdP based on PicketLink, you can set jboss-web.xml as following to enable the PicketLink Authenticator:
<filter>
<filter-name>IDPFilter</filter-name>
<filter-class>org.picketlink.identity.federation.web.filters.IDPFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>IDPFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

I complete the "tiago mussi" answer, valve are note supported anymore on widlfy because it uses the new webserver undertow, you can put the valve line in jboss-web it will do nothing at all...
<single-sign-on domain="localhost"/>
this is bad syntax because there is a bug in domain sso
<single-sign-on path="/"/>
this is the right syntax then in your web application you will see JSESSIONSSOID or like this name in plus than SESSIONID
picketLink is too much just for use SSO, because it handle API REST SSO, social secure, and it is a specific module with a new mechanism authentication, and furthermore if you will manage several URL you can't because you have to put in configuration the url, it is not dynamic...

Related

How to allow several different origins in Wildfly 10

My goal is to allow several BUT NOT ALL origins for http requests to my Wildfly 10. I have searched StackOverflow and haven't found anything so far on this topic. People all over the Internet suggest using a wildcard, however this could effectively be a security flaw. Yes, a wildcard for Access-Control-Allow-Origin does work, but I don't want to allow just any origin. I have tried this standalone.xml part for undertow subsystem (unsuccessfully):
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" max-post-size="314572800" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
<filter-ref name="Access-Control-Allow-Origin-header1"/>
<filter-ref name="Access-Control-Allow-Origin-header2"/>
<filter-ref name="Access-Control-Allow-Origin-header3"/>
<filter-ref name="Access-Control-Allow-Methods-header"/>
<filter-ref name="Access-Control-Allow-Headers-header"/>
<filter-ref name="Access-Control-Allow-Credentials-header"/>
<filter-ref name="Access-Control-Max-Age-header"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
<response-header name="Access-Control-Allow-Origin-header1" header-name="Access-Control-Allow-Origin" header-value="http://122.22.22.24:*"/>
<response-header name="Access-Control-Allow-Origin-header2" header-name="Access-Control-Allow-Origin" header-value="http://122.22.22.21:*"/>
<response-header name="Access-Control-Allow-Origin-header3" header-name="Access-Control-Allow-Origin" header-value="http://122.22.22.22:*"/>
<response-header name="Access-Control-Allow-Methods-header" header-name="Access-Control-Allow-Methods" header-value="GET, POST, OPTIONS, PUT"/>
<response-header name="Access-Control-Allow-Headers-header" header-name="Access-Control-Allow-Headers" header-value="accept, authorization, content-type, x-requested-with"/>
<response-header name="Access-Control-Allow-Credentials-header" header-name="Access-Control-Allow-Credentials" header-value="true"/>
<response-header name="Access-Control-Max-Age-header" header-name="Access-Control-Max-Age" header-value="1"/>
</filters>
</subsystem>
What am I doing wrong?
This nice article is explaining one way to do it, using an Undertow expression-filter validating origin against some whitelisted domains (modelled as a multi-valued|-separated list):
<property name=”cors.whitelist” value=”http://domainA|http://domainB"/>
All credits go to the article author :-)

How to disable welcome page on JBoss EAP 7 Domain Cluster

I am new to working with JBoss and I'm working on setting up a cluster to test with. I followed the directions from middleware to setup a JBoss Domain cluster on a single Linux VM using JBoss EAP 7.1.6. I am now trying to deploy a web application to my cluster using the admin console to test that the cluster is working.
I have created a simple hello world web app using liweinan's cluster demo source code that should display the current time. I tested the app and it displays correctly on a standalone cluster, but when I test my domain cluster I am seeing the page telling me that I need to disable the welcome content. What am I doing wrong? Is there something that also needs to be configured on the slaves?
Here is my jboss-web.xml in my application war:
<jboss-web>
<context-root>/</context-root>
</jboss-web>
In the host-master.xml the domain controller is:
<domain-controller>
<local/>
</domain-controller>
In the domain.xml file I have updated the interfaces to match the address of my machine. I also commented out the welcome content in the undertow.
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
<buffer-cache name="default"/>
<server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/>
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<!--<location name="/" handler="welcome-content"/>-->
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<!--<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>-->
</handlers>
<filters>
<response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
</subsystem>
In both of the host-slave.xml files I have updated the socket interface management port, the interface inet-address, and added an offset for the servers.
Any help or suggestions would be greatly appreciated. I've been researching this for days without success.
It turns out the issue wasn't with my configuration. When you deploy the application you can't change the name. I was changing it from ClusterDemo.war to ClusterDemo. When I left the .war on the name, the app ran with no issues.

Replace Wildfly 10 homepage with a custom application contained in an ear file

I'm trying to replace the Wildfly 10 default homepage (accessed from http://hostname:port) by one of my own web application.
I found a good way to do it by removing some parts of the undertow subsystem of the standalone.xml of my wildfly and by adding a war to the default-web-module.
My problem is that I don't have a war, I have a ear (with a war in it), and it doesn't work with that.
Hereunder is the undertow part of my standalone.xml file :
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost" default-web-module="myear.ear/mywar.war">
<access-log pattern="%{i,X-Forwarded-For} %h %{i,SM_UNIVERSALID} %t %H %p %U %q %s %D %T" prefix="http-in" suffix=".log"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
</subsystem>
Can this solution work with an ear instead of a war, or have I to find another way ?
Thank you in advance,
Seb
Finally, I solved it by redirecting the index.html page of the welcome-content folder of WildFly to my application, it's simpler and it works perfectly.
Seb

Setting up maximum of connections for web

In JBoss7 we've restricted number of web connections by using this
<connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" secure="true" max-connections="3000">
for urn:jboss:domain:web:1.0 subsystem which is replaced by urn:jboss:domain:undertow:1.2 in the wildfly. How to setup max-connections in wildfly?
I went through the documentation and didn't find matching attribute.
Thanks
Try add under filters definition
<filters>
<connection-limit name="limit-connections" max-concurrent-requests="3000" queue-size="100"/>
</filters>
and then under host or location add (depends on your need)
<filter-ref name="limit-connections"/>
See a configuration example and Model Reference
Also take a look in Configuring the Web server Pool: http://www.javacodegeeks.com/2014/01/entering-undertow-web-server.html
The above comment from Federico Sierra is correct. But in Wildfly 10.x the filter name 'connection-limit' doesn't exist anymore. Instead it is now called 'request-limit'.
So for Wildfly 10.x add filter reference in the untertow subsystem inside 'server' and 'host' context and the request-limit filter inside the 'filters' context:
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
[...]
<server name="default-server">
[...]
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
[...]
<filter-ref name="limit-connections"/>
</host>
</server>
[...]
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
<request-limit name="limit-connections" max-concurrent-requests="3000" queue-size="100"/>
</filters>
</subsystem>
Reference: https://github.com/wildfly/wildfly/blob/master/undertow/src/test/resources/org/wildfly/extension/undertow/undertow-3.1.xml
If you want to limit the maximum number of concurrent connections for an HTTP/HTTPS/AJP Connector you have to set the attribute max-connections.
Example:
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=max-connections,value=300)
Source: How to set the maximum number of Web connections in WildFly
I would use the max-conncections attribute as defined in the documentation. Either for http and/or https connections. It is defined as
"The maximum number of concurrent connections. Only values greater
than 0 are allowed. For unlimited connections simply undefine this
attribute value."
I don't see the benefit of defining an extra filter. But maybe the others can shed some light on this... So similar to the other solutions it would look like this:
<subsystem xmlns="urn:jboss:domain:undertow:10.0">
[...]
<server name="default-server">
<http-listener name="default" socket-binding="http" max-connections="3000" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" max-connections="3000" security-realm="ApplicationRealm" enable-http2="true" />
[...]
</server>
[...]
</subsystem>
Update: I just realized that this is the standalone.xml solution to what Francesco is proposing...

Deploy EAR on different Wildfly undertow server

I have two different inside wildfly undertow subsystem in order to use two interface on different ip and send different ssl certificate for different domain
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http"/>
<https-listener name="https-listener" socket-binding="https" security-realm="https_realm1"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<access-log pattern="common" directory="${jboss.server.log.dir}" prefix="access"/>
</host>
</server>
<server name="default-server_secondary">
<http-listener name="default_secondary" socket-binding="http_secondary"/>
<https-listener name="https-listener_secondary" socket-binding="https_secondary" security-realm="realm2"/>
<host name="server.mydomain.com" alias="server.mydomain.com">
<location name="/" handler="welcome-content"/>
<access-log pattern="common" directory="${jboss.server.log.dir}" prefix="access_secondary"/>
<filter-ref name="server-header1"/>
</host>
</server>
By using this configuration and others on interface and socket binding I correctly set my environment.
But the problem is deploy the EAR file in default-server_secondary inside host server.mydomain.com.
How to?
Thank you
I solve it.
Make and edit jboss-web.xml in WAR module
default-server_secondary
server.mydomain.com