16.4. Use Single Sign On (SSO) In A Web Application

Prerequisites

• You need to have a configured security domain which handles authentication and authorization.
• The infinispan subsystem needs to be present. It is present in the full-ha profile for a managed domain, or by using the standalone-full-ha.xml configuration in a standalone server.
• The web cache-container and SSO cache-container must each be present. The initial configuration files already contain the web cache-container, and some of the configurations already contain the SSO cache-container as well. Use the following commands to check for and enable the SSO cache container. Note that these commands modify the ha profile of a managed domain. You can change the commands to use a different profile, or remove the /profile=ha portion of the command, for a standalone server.

  Example 16.1. Check for the web cache-container

  The profiles and configurations mentioned above include the web cache-container by default. Use the following command to verify its presence. If you use a different profile, substitute its name instead of ha.

  /profile=ha/subsystem=infinispan/cache-container=web/:read-resource(recursive=false,proxies=false,include-runtime=false,include-defaults=true)

  Copy to Clipboard Toggle word wrap

  If the result is success the subsystem is present. Otherwise, you need to add it.

  Example 16.2. Add the web cache-container

  Use the following three commands to enable the web cache-container to your configuration. Modify the name of the profile as appropriate, as well as the other parameters. The parameters here are the ones used in a default configuration.

  /profile=ha/subsystem=infinispan/cache-container=web:add(aliases=["standard-session-cache"],default-cache="repl",module="org.jboss.as.clustering.web.infinispan")

  Copy to Clipboard Toggle word wrap

  /profile=ha/subsystem=infinispan/cache-container=web/transport=TRANSPORT:add(lock-timeout=60000)

  Copy to Clipboard Toggle word wrap

  /profile=ha/subsystem=infinispan/cache-container=web/replicated-cache=repl:add(mode="ASYNC",batching=true)

  Copy to Clipboard Toggle word wrap

  Example 16.3. Check for the SSO cache-container

  Run the following Management CLI command:

  /profile=ha/subsystem=infinispan/cache-container=web/:read-resource(recursive=true,proxies=false,include-runtime=false,include-defaults=true)

  Copy to Clipboard Toggle word wrap

  Look for output like the following: "sso" => {

  If you do not find it, the SSO cache-container is not present in your configuration.

  Example 16.4. Add the SSO cache-container

  /profile=ha/subsystem=infinispan/cache-container=web/replicated-cache=sso:add(mode="SYNC", batching=true)

  Copy to Clipboard Toggle word wrap
• The web subsystem needs to be configured to use SSO. The following command enables SSO on the virtual server called default-host, and the cookie domain domain.com. The cache name is sso, and reauthentication is disabled.

  /profile=ha/subsystem=web/virtual-server=default-host/sso=configuration:add(cache-container="web",cache-name="sso",reauthenticate="false",domain="domain.com")

  Copy to Clipboard Toggle word wrap
• Each application which will share the SSO information needs to be configured to use the same <security-domain> in its jboss-web.xml deployment descriptor and the same Realm in its web.xml configuration file.