OpenID and the "return_url" parameter
Referring to my OpenID project openid4java-jsr-196: today I tested some login forms for OpenID, and I came to the conclusion that the OpenID parameter 'return_to' should always have a fixed value pointing to a general root context URL of the web application. Unlike other login modules, where the referring URL is typically used to forward the user after a successful login, in OpenID modules this does not seem to be a good idea.
The reason is that this parameter is used by the OpenID Provider to grant access, and often also to let the user store this URL in a page store so that subsequent logins happen automatically. If the return URL is not fixed and instead points dynamically to the requested secured page, it blocks such features provided by the OpenID Provider.
For example, if a user tries to access two different pages of a web application secured with OpenID, like:
- http://localhost/myapp/protected/page-1
- http://localhost/myapp/protected/page-2
and the login form forwards this varying URL to the OpenID provider, the provider can potentially ask the user to grant access to two different application URLs. The application can only avoid this if the OpenID login form always delegates a fixed application URL to the provider, independent of the originally requested page.
So in most cases it is sufficient to place a hidden field with a fixed value into the OpenID login form:
<form method="get" id="openid_login_form"
      action="#{facesContext.externalContext.requestContextPath}/openid_login">
    <h:inputText id="openid_identifier" tabindex="0" />
    <script>document.getElementById('openid_identifier').focus();</script>
    <input type="submit" value="#{global.login}" />
    <!-- Return URL: fixed for the whole application -->
    <h:inputHidden id="return_to"
        value="#{loginMB.serverURI}#{facesContext.externalContext.requestContextPath}/openid.jsf" />
</form>
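To make the pattern concrete, here is an added example (in Python, not code from the openid4java-jsr196 module) of the server side that goes with such a form: the return_to sent to the provider is always the application's fixed callback, the page the user originally asked for is kept in the server-side session instead, and on the way back the callback checks the return_to in the provider's response against the one value it expects, as OpenID Authentication 2.0 (section 11.1, verifying the return URL) requires. The function names, the session dictionary and the /openid.jsf callback path are assumptions for the illustration; the signature and nonce checks of the assertion itself are left to the OpenID library.

```python
"""Fixed return_to for an OpenID login, with the originally requested page
kept server-side. Added example; the helper names and the session dict are
assumptions, not the openid4java-jsr196 module's API."""
from urllib.parse import urlsplit, urlunsplit


def fixed_return_to(server_uri: str, context_path: str) -> str:
    """The one return_to URL the provider ever sees for this application:
    server URI + context path + callback page, as the hidden field composes it."""
    return f"{server_uri}{context_path}/openid.jsf"


def begin_login(session: dict, requested_url: str, server_uri: str,
                context_path: str, claimed_id: str) -> dict:
    """Start an OpenID request. The protected page the user asked for is
    remembered in the server-side session, not in return_to, so every login
    of this application carries the same return_to value."""
    parts = urlsplit(requested_url)
    # keep only the local path (plus query) of the protected page for the
    # post-login redirect; never the host, so the target stays local
    session["openid.target"] = urlunsplit(("", "", parts.path, parts.query, ""))
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": fixed_return_to(server_uri, context_path),
        "openid.realm": f"{server_uri}{context_path}/",
    }


def complete_login(session: dict, response: dict, expected_return_to: str) -> str:
    """Called when the provider redirects back to the callback page. The
    return_to in the response must equal the URL the RP received it at;
    with a fixed value this is a plain comparison. Returns the local page
    to redirect the user to, or raises ValueError."""
    if response.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    if response.get("openid.return_to") != expected_return_to:
        raise ValueError("return_to does not match this application's callback")
    # redirect to the page originally requested, or the application root
    target = session.pop("openid.target", None) or "/"
    if not target.startswith("/") or target.startswith("//"):
        target = "/"  # only local redirects, never a host supplied from outside
    return target
```

Two requests for page-1 and page-2 thus produce the same return_to and realm, so the provider has to ask the user about one application URL only, while the session still brings each user back to the page he asked for.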
Please note that I have started a project site to provide a platform for further discussion and development. You will also find the source code of the OpenID-JSR-196 Login Module and a wiki page on the project site:
http://code.google.com/p/openid4java-jsr196/
You are welcome to join this project.
Posted at 11:18PM Jan 22, 2011
Posted by: Ralph
Category: General
OpenID and Yahoo
Today we noticed a problem concerning the OpenID login with yahoo.com on the Imixs BPM Portal.
Using the official Yahoo URL "http://yahoo.com" no longer worked. This was not a problem of the OpenID4Java module we use: other OpenID login modules, like the one provided by Liferay Portal, did not work with "http://yahoo.com" either.
The problem seems to be related to the Yahoo servers outside the United States. Logins, e.g. from German web servers, fail with an HTTP 404 error.
This problem can be fixed by using the Yahoo OpenID URL "http://me.yahoo.com".
We have changed this on the Imixs BPM Portal.
Please note that I have started a project site to provide a platform for further discussion and development. You will also find the source code of the OpenID-JSR-196 Login Module and a wiki page on the project site:
http://code.google.com/p/openid4java-jsr196/
You are welcome to join this project.
Posted at 05:56PM Aug 09, 2010
Posted by: Ralph
Category: General
Glassfish & OpenID - JSR-196 with OpenID4Java
Today I implemented a new ServerAuthModule based on JSR-196 using the OpenID4Java library. OpenID4Java is an open source library that supports the client side of the authentication process for logging in a user with an OpenID.
OpenID is an open standard that allows a user to sign into web sites through a single URL (a single digital identity). This URL can be a personal home page, a blog or a web service (e.g. from an OpenID Provider like myopenid, Google or yahoo.com) that the user is already using. In any case the user has to register only once with his OpenID service provider and therefore needs only one password. Another advantage of using OpenID in your web application is that you are freed from hosting and managing user accounts and password information. You can read more about the details on openid.net.
Please note that I have started a project site to provide a platform for further discussion and development. You will also find the source code of the OpenID-JSR-196 Login Module and a wiki page on the project site:
http://code.google.com/p/openid4java-jsr196/
You are welcome to join this project.
Using JSR-196 and OpenID
There are different solutions available to enable a web application to log in users with their OpenID account. One of the most promising mechanisms to integrate OpenID in JEE applications is JSR-196. This authentication service allows web containers to use different login modules, like an external OpenID provider. JSR-196 is part of the Glassfish Server, so a login mechanism based on JSR-196 is very easy to use in a JEE or web application. Ron Monzillo, who is the specification lead, gives a good overview of JSR-196 on his blog "concepts behind JSR-196".
How to Install the OpenID4JavaAuthModule
The OpenID4JavaAuthModule I have written is easy to install. To enable your JEE web application for OpenID you need a server platform supporting JSR-196. The following section describes the installation steps for a Glassfish Application Server, which supports JSR-196; other web containers may support JSR-196 as well.
To install the OpenID4Java AuthModule you first need to download the following parts:
- imixs-openid-0.0.3-SNAPSHOT: includes my new JSR-196 ServerAuthModule implementation based on the openid4java library.
- openid4java-0.9.5.jar: includes the official openid4java library and additional tools provided by the OpenID4Java Group.
Copy the imixs-openid-0.0.2-SNAPSHOT.jar into the Glassfish lib folder:
[GLASSFISHHOME]/lib/
Extract the openid4java zip archive and copy the following jars into the lib/ext/ folder of your Glassfish domain:
- openid4java-0.9.5.jar
- commons-codec-1.3.jar
- commons-httpclient-3.0.1.jar
- commons-logging-1.03.jar
The domain specific lib/ext folder is located at the following path:
[GLASSFISHHOME]/domains/domain1/lib/ext/
where domain1 is your preferred domain (domain1 is the default domain typically used).
Notice: The three commons-* libraries are Apache utilities used by openid4java.
Configuration of the OpenID4JavaAuthModule
Now you can configure the OpenID4JavaAuthModule using the GlassFish Admin Console following the next steps:
- Make sure the GlassFish Application Server is running. If it is not already running, you can start it using the following command:
<GF_HOME>/bin/asadmin start-domain domain1
where <GF_HOME> is the directory where you installed GlassFish.
- Open the GlassFish Admin Console by pointing your browser to the URL http://localhost:4848/.
- Log in to the Admin Console by entering your ID and password.
- Expand the Configuration node at the bottom of the left-hand pane.
- Navigate to the Security node, expand it, and click Message Security.
- Under Message Security Configurations, either open the HttpServlet layer if it already exists, or create it if it doesn't exist by clicking the New button.
If you cannot see the HttpServlet node you need to create the layer. Click the New button, which opens the New Message Security Configuration window, and you can then configure the new provider in one step. To do that:
- Set the following in the New Message Security Configuration window:
Provider Type: server
Provider ID: OpenIDProvider
Class Name: org.imixs.openid.openid4java.OpenID4JavaAuthModule
Do not check the "Default Provider: Enabled" check box.
- Click the OK button. This saves the settings and opens the Message Security Configurations window.
- Click on HttpServlet in the Authentication Layer column.
- Select the Providers tab. This opens the Provider Configuration window.
- Select the OpenIDProvider you just created in the Provider ID column. This opens the Edit Provider Configuration window.
- Click the Save button to complete the configuration of the provider.
If the HttpServlet layer already exists, you first open the provider list and add a new provider:
- Open the HttpServlet layer by selecting it in the Message Security Configurations window.
- Select the Providers tab to open the Provider Configuration window.
- Click the New button to open the New Provider Configuration window.
- In the Provider Configuration area of the window, set the following:
Provider Type: server
Provider ID: OpenIDProvider
Class Name: org.imixs.openid.openid4java.OpenID4JavaAuthModule
Do not check the "Default Provider: Enabled" check box.
For the first configuration this is a little bit confusing, as you need to create the HttpServlet layer. But in general the whole configuration is very simple.
Also note that the provider configuration utility provides a dialog box that you can use to configure additional properties. We will use these properties to configure our OpenIDProvider for our applications.
Configure additional Properties
After adding the new OpenIDProvider as described before you can start using the provider in your web application. But there are also a few additional properties which can be configured for each provider instance. You can add these properties using the "Additional Properties" box at the end of your configuration page.
The different properties and their usage are described below:
assign.groups
This property is the most important one. It defines which group will be assigned to a user who has logged on with his OpenID. Typically this is a default group used in your web application.
debug.stages
This property allows you to define different debug stages, so you can follow the different phases of the logon process in the server log. Remove this property to switch off debugging.
loginpage
By default the login module prompts the user with a simple login page where he can enter his OpenID. You can replace this default page with an individual page provided by your web application (similar to form based authentication). I will discuss this later.
(The other parameters shown in the screenshot, verifymode and debug, are deprecated and can be left out.)
Configuration of your Web Application
Now I will explain how you can configure your web application to use OpenID as a login mechanism. If you have installed the OpenID Login Module as described before, this step is quite easy.
web.xml & sun-web.xml
The first thing you should do is remove an existing login-config tag, like a basic or form based authentication configuration, from the web.xml if present. Using JSR-196 you now only need the security-constraint configuration.
This is an example of the security-constraint section in my web.xml:
....
<security-constraint>
    <display-name>Access Manager Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>AUTHENTICATED_RESOURCE</web-resource-name>
        <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>org.imixs.ACCESSLEVEL.AUTHORACCESS</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>org.imixs.ACCESSLEVEL.AUTHORACCESS</role-name>
</security-role>
.....
Next you need to link the OpenID provider configured in the Glassfish admin console with your web application in the sun-web.xml. Therefore you need to add the attribute "httpservlet-security-provider" with the name of your OpenID provider. The following is an example of my sun-web.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<sun-web-app error-url="" httpservlet-security-provider="OpenIDProvider">
    <context-root>/openidtestclient</context-root>
    <security-role-mapping>
        <role-name>org.imixs.ACCESSLEVEL.AUTHORACCESS</role-name>
        <group-name>Author</group-name>
    </security-role-mapping>
    <class-loader delegate="true" />
    <jsp-config>
        <property name="keepgenerated" value="true">
            <description>Keep a copy of the generated servlet class java code.</description>
        </property>
    </jsp-config>
</sun-web-app>
That's it!
Now you will see a default login page if you try to log in to your web application.
Role Mapping
Notice that we also mapped our default group "Author" to an application specific role name. The group "Author" was configured in the OpenIDProvider property "assign.groups". So each user who has successfully authenticated against his OpenID Provider will by default be a member of this group and have the role "org.imixs.ACCESSLEVEL.AUTHORACCESS". You can change these settings to the requirements of your application.
Login Form
If you did not specify a login form with the additional property "loginpage", the OpenID Login Module will answer an unauthenticated request with the simple login form shown above.
You can implement your own login form if you like and use this form as the default form for your OpenIDProvider module.
To do so, add the property "loginpage" to your provider configuration and provide a valid page inside your application or a simple HTML page located on a web server.
This is a simple example of an individual login form based on JSF:
<form method="get"
      action="#{facesContext.externalContext.requestContextPath}/openid_login">
    <f:facet name="header">
        <h:outputLabel value="#{global.login_title} " />
    </f:facet>
    <h:panelGrid columns="2">
        <h:outputLabel value="#{global.username}:" />
        <h:inputText id="openid_identifier" />
        <h:inputHidden id="return_to"
            value="#{loginMB.serverURI}#{facesContext.externalContext.requestContextPath}/pages/notes.jsf" />
    </h:panelGrid>
    <input type="submit" value="#{global.login}" />
    <!-- BEGIN ID SELECTOR -->
    <script type="text/javascript" id="__openidselector"
        src="https://www.idselector.com/selector/e0ed3a269b77fa785de90aeaa20fa0f985746767"
        charset="utf-8"></script>
    <!-- END ID SELECTOR -->
    <script type="text/javascript">
        var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
        document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
    </script>
    <script type="text/javascript">
        var pageTracker = _gat._getTracker("UA-3469303-6");
        pageTracker._trackPageview();
    </script>
</form>
Your form needs to take care of three things:
- The form action must point to the path "/openid_login". This path tells the OpenID Login Module to start an OpenID login process.
- The input field where the user enters his OpenID URL should be named "openid_identifier". Make sure that both the "name" and the "id" attribute are set to "openid_identifier".
- The form must provide a hidden field "return_to" which points to the page to which the user is redirected after the login process has succeeded.
The ID Selector script is just a nice script provided by http://www.idselector.com to support the user with a widget that simplifies using OpenID.
Conclusion
You can see that using JSR-196 and OpenID4Java is a very comfortable way to support a new and easy to use login mechanism for web applications. For Internet applications OpenID opens your web site to millions of users. It is easy to use and you don't have to handle all the work of managing user IDs and passwords.
If you have any suggestions or comments let me know.
You can also download the source file of my implementation from here.
I also want to thank the OpenID4Java team for their work.
Please note that I have started a project site on Google Code to publish the sources and to provide a platform to discuss and exchange experience. You are welcome to join this project.
http://code.google.com/p/openid4java-jsr196/
Posted at 10:52AM Jan 17, 2010
Posted by: Ralph
Category: General
Using OpenID for JForum
Today I want to post the solution I developed to use OpenID in JForum.
There are different solutions for OpenID authentication modules. As I am running JForum on Glassfish Server, I decided to use the OpenID AuthModule based on JSR-196. This module is easy to install, see my blog post OpenID for JEE Applications Part II.
So once you have installed the OpenID Module and configured it on Glassfish, there are only a few steps to complete.
1. Add sun-web.xml
To use JSR-196 authentication in your JForum you need to add a sun-web.xml which points to your OpenID Provider.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<sun-web-app error-url="" httpservlet-security-provider="OpenID2">
    <context-root>/shareyourwork/jforum</context-root>
    <security-role-mapping>
        <role-name>user</role-name>
        <principal-name>user</principal-name>
        <group-name>Author</group-name>
    </security-role-mapping>
    <class-loader delegate="true" />
    <jsp-config>
        <property name="keepgenerated" value="true">
            <description>Keep a copy of the generated servlet class javacode.</description>
        </property>
    </jsp-config>
</sun-web-app>
Notice the security role mapping I am using here! I map JForum's role "user" to my default group "Author", which I configured in my OpenID AuthModule as explained in Part II of my OpenID blog.
2. Change web.xml
Next I changed the web.xml to force a login when users access my JForum (this is why we no longer need registration in JForum):
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted Area</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>user</role-name>
</security-role>
3. Implement an SSO Module for JForum
Next we need a so called SSO module for JForum. This is the JForum specific way to plug in an individual authentication mechanism. Read more about JForum's SSO here.
This is the class I implemented:
package org.imixs.login;

import javax.servlet.http.Cookie;

import net.jforum.ControllerUtils;
import net.jforum.context.RequestContext;
import net.jforum.entities.UserSession;
import net.jforum.sso.SSO;
import net.jforum.util.preferences.ConfigKeys;
import net.jforum.util.preferences.SystemGlobals;

/**
 * Simple SSO implementation for JForum. The user has already been
 * authenticated by the JSR-196 OpenID module, so the remote user name
 * reported by the container is used as the JForum user name.
 *
 * @author Ralph Soika
 * @version 0.0.1
 */
public class SSOLogin implements SSO {

    String userName;
    String userID;
    String email;
    public final String COOKIE_NAME = "jforumUserId";

    public String authenticateUser(RequestContext request) {
        // the remote user is the OpenID URL set by the login module
        String sUser = request.getRemoteUser();
        userName = sUser;
        if (sUser != null) {
            // here you can complete user specific information if necessary
            try {
                /*
                 * Code was taken from
                 * http://www.jforum.net/doc/ImplementSSO
                 */
                ControllerUtils.addCookie("JforumSSO", userName); // refresh
            } catch (Exception e) {
                System.out.println("------ SSO LOGIN - Error ");
                e.printStackTrace();
            }
        }
        // null means the request is not authenticated
        return userName;
    }

    /**
     * Code was taken from
     * http://www.jforum.net/doc/ImplementSSO
     */
    public boolean isSessionValid(UserSession userSession,
            RequestContext request) {
        String remoteUser = null;
        Cookie SSOCookie = ControllerUtils.getCookie("JforumSSO");
        if (SSOCookie != null)
            remoteUser = SSOCookie.getValue(); // jforum username
        int anonymousId = SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID);
        if (remoteUser == null && userSession.getUserId() != anonymousId) {
            // user has since logged out
            return false;
        } else if (remoteUser != null && userSession.getUserId() == anonymousId) {
            // user has since logged in
            return false;
        } else if (remoteUser != null && !remoteUser.equals(userSession.getUsername())) {
            // user has changed user
            return false;
        }
        return true; // application user and forum user are the same
    }
}
This code does not do much, as I use the OpenID URL as the user name used by JForum.
In an internal project we added some individual code to the method authenticateUser() to get the user name and email from a different application. But this is not necessary if you allow users to complete their profile in JForum. The profile will be generated automatically.
4. Customize SystemGlobals.properties
Finally I customized the SystemGlobals.properties (located in WEB-INF/config/):
....
authentication.type = sso
login.authenticator = net.jforum.sso.DefaultLoginAuthenticator
sso.implementation = org.imixs.login.SSOLogin
....
Conclusion
So this was an easy way for me to allow users to work with their OpenID (like yahoo.com accounts) in my JForum. If you have any suggestions you can post your comments here.
Posted at 07:04AM Apr 10, 2009
Posted by: Ralph
Category: General
OpenID for JEE Applications - Part III
Please note that I have started a project site to provide a platform for further discussion and development. You will also find the source code of the OpenID-JSR-196 Login Module and a wiki page on the project site:
http://code.google.com/p/openid4java-jsr196/
You are welcome to join this project.
- Part I - The JSR-196, a general overview
- Part II - How to install a OpenID Module on Glassfish
- Part III - Using OpenID in your Web Application
Now I will explain how you can configure your web application to use OpenID as a login mechanism. If you have installed the OpenID Login Module as described in Part II, this step is quite easy.
web.xml & sun-web.xml
The first thing you should do is remove an existing login-config tag, like a basic or form based authentication configuration, from the web.xml if present. You now only need the security-constraint configuration.
This is an example of the security-constraint section in my web.xml:
....
<security-constraint>
    <display-name>Access Manager Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>AUTHENTICATED_RESOURCE</web-resource-name>
        <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>org.imixs.ACCESSLEVEL.AUTHORACCESS</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>org.imixs.ACCESSLEVEL.AUTHORACCESS</role-name>
</security-role>
.....
Next you need to specify the OpenID provider configured in the Glassfish admin console in the sun-web.xml. Therefore you need to add the attribute "httpservlet-security-provider" with the name of your OpenID provider:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<sun-web-app error-url="" httpservlet-security-provider="OpenIDProvider">
    <context-root>/openidtestclient</context-root>
    <security-role-mapping>
        <role-name>org.imixs.ACCESSLEVEL.AUTHORACCESS</role-name>
        <group-name>Author</group-name>
    </security-role-mapping>
    <class-loader delegate="true" />
    <jsp-config>
        <property name="keepgenerated" value="true">
            <description>Keep a copy of the generated servlet class java code.</description>
        </property>
    </jsp-config>
</sun-web-app>
That's it!
Now your application supports OpenID.
Role Mapping
Notice that we also mapped our default group "Author" to an application specific role name. The group "Author" was configured in the OpenIDProvider property "assign.groups". So each user who has successfully authenticated against his OpenID Provider will by default be a member of this group and have the role "org.imixs.ACCESSLEVEL.AUTHORACCESS". You can change these settings to the requirements of your application.
Login Form
If you did not specify a login form with the additional property "loginpage", the OpenID Login Module will answer an unauthenticated request with the simple login form shown above.
You can implement your own login form if you like and use this form as the default form for your OpenIDProvider module.
To do so, add the property "loginpage" to your provider configuration and provide a valid page inside your application or a simple HTML page located on a web server.
This is a simple example of an individual login form based on JSF:
<form method="get"
      action="#{facesContext.externalContext.requestContextPath}/openid_login">
    <f:facet name="header">
        <h:outputLabel value="#{global.login_title} " />
    </f:facet>
    <h:panelGrid columns="2">
        <h:outputLabel value="#{global.username}:" />
        <h:inputText id="openid_identifier" />
        <h:inputHidden id="return_to"
            value="#{loginMB.serverURI}#{facesContext.externalContext.requestContextPath}/pages/notes.jsf" />
    </h:panelGrid>
    <input type="submit" value="#{global.login}" />
    <!-- BEGIN ID SELECTOR -->
    <script type="text/javascript" id="__openidselector"
        src="https://www.idselector.com/selector/e0ed3a269b77fa785de90aeaa20fa0f985746767"
        charset="utf-8"></script>
    <!-- END ID SELECTOR -->
    <script type="text/javascript">
        var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
        document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
    </script>
    <script type="text/javascript">
        var pageTracker = _gat._getTracker("UA-3469303-6");
        pageTracker._trackPageview();
    </script>
</form>
Your form needs to take care of three things:
- The form action must point to the path "/openid_login". This path tells the OpenID Login Module to start an OpenID login process.
- The input field where the user enters his OpenID URL should be named "openid_identifier". Make sure that both the "name" and the "id" attribute are set to "openid_identifier".
- The form must provide a hidden field "return_to" which points to the page to which the user is redirected after the login process has succeeded.
The ID Selector script is just a nice script provided by http://www.idselector.com to support the user with a widget that simplifies using OpenID.
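Whatever the user types into the openid_identifier field has to be turned into a normalized identifier before discovery can start. The following added example (Python, not part of the login module or of the JSF form above) implements the syntactic rules of OpenID Authentication 2.0, section 7.2: strip an xri:// prefix, treat input starting with a global context symbol as an XRI, otherwise prepend http://, drop the fragment, and apply the RFC 3986 normalization of scheme, host, default port and empty path. Following redirects, which the spec also requires, happens during discovery and is out of scope here; rejecting identifiers that carry user info is a defensive choice of this example, not a spec rule.

```python
"""Normalization of a user-supplied OpenID identifier (OpenID Authentication
2.0, section 7.2, syntactic part). Added example; the function name is an
assumption and not the login module's API."""
from typing import Tuple
from urllib.parse import urlsplit, urlunsplit

# first characters that mark an XRI rather than a URL (section 7.2, step 2)
XRI_GLOBAL_CONTEXT_SYMBOLS = "=@+$!("
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_openid_identifier(user_input: str) -> Tuple[str, str]:
    """Return (kind, identifier) with kind 'xri' or 'url'.
    Raises ValueError for input that cannot be an OpenID identifier."""
    value = user_input.strip()
    if value.lower().startswith("xri://"):
        value = value[len("xri://"):]
    if not value:
        raise ValueError("empty identifier")
    if value[0] in XRI_GLOBAL_CONTEXT_SYMBOLS:
        return "xri", value
    # URL identifier: add the scheme the user usually leaves out
    if not value.lower().startswith(("http://", "https://")):
        value = "http://" + value
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("identifier has no host")
    if parts.username is not None:
        # defensive choice of this example: "user@host" is not accepted
        raise ValueError("user info is not allowed in an OpenID identifier")
    # keep an explicit non-default port, drop a default one (RFC 3986, 6.2.3)
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    path = parts.path or "/"          # empty path becomes "/"
    # fragment is removed, query is kept as part of the identifier
    return "url", urlunsplit((scheme, netloc, path, parts.query, ""))
```

The examples from Appendix A.1 of the spec ("example.com" becomes "http://example.com/", "xri://=example" becomes "=example") are covered, and a Yahoo identifier such as "https://me.yahoo.com/" passes through unchanged.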
Single Sign On (SSO)
OpenID supports single sign on. This means that if your application knows the user's OpenID, you can easily log the user on to different pages of different web applications on the same server. To use this feature you only need to redirect the authenticated user to the new site, providing his identity and the return URL in the query string.
For example:
http://myhost/mynewapplication?openid.identity=[http://usersopenid]&openid.return_to=[http://myhost/mynewapplication]
The login process then depends on the user's OpenID provider settings. Some providers like myid.net give the user a convenient way to control his personal settings for the different pages and applications using OpenID.
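Such a redirect carries two values that the receiving application must not trust blindly: the identity is only a hint for the OpenID request it starts next, and the return_to must lie inside the application's own realm, otherwise the application would redirect to any URL it is handed. The following added example (Python, not part of the login module) builds the URL shown above and parses it on the receiving side, applying the realm matching rules of OpenID Authentication 2.0, section 9.2: same scheme and port, the realm path is a prefix of the return_to path, and the host is equal or, with a leading "*." in the realm, a subdomain. The realm value and the function names are assumptions.

```python
"""Building and checking the SSO redirect described above. Added example; the
realm used by the receiving application and the function names are
assumptions."""
from urllib.parse import urlsplit, urlencode, parse_qs

DEFAULT_PORTS = {"http": 80, "https": 443}


def build_sso_url(application_url: str, identity: str, return_to: str) -> str:
    """Redirect the authenticated user to another application with his
    identity and the return URL in the query string."""
    query = urlencode({"openid.identity": identity, "openid.return_to": return_to})
    sep = "&" if urlsplit(application_url).query else "?"
    return f"{application_url}{sep}{query}"


def _port(parts):
    return parts.port or DEFAULT_PORTS.get(parts.scheme)


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """Realm matching as defined in OpenID Authentication 2.0, section 9.2."""
    r, m = urlsplit(return_to), urlsplit(realm)
    if m.fragment:                      # a realm must not contain a fragment
        return False
    if r.scheme != m.scheme or _port(r) != _port(m):
        return False
    rhost, mhost = (r.hostname or "").lower(), (m.hostname or "").lower()
    if mhost.startswith("*."):
        # wildcard realm: the URL host is the realm host or ends with ".host"
        if not (rhost == mhost[2:] or rhost.endswith(mhost[1:])):
            return False
    elif rhost != mhost:
        return False
    rpath, mpath = r.path or "/", m.path or "/"
    # prefix match on whole path segments only, so /app does not match /apple
    return rpath == mpath or rpath.startswith(mpath.rstrip("/") + "/")


def parse_sso_request(url: str, realm: str) -> dict:
    """Receiving side: extract identity and return_to, accept the return_to
    only inside this application's realm, and require the identity to be an
    http(s) URL. The identity is still verified by the OpenID request that
    follows; nothing here proves who the user is."""
    params = parse_qs(urlsplit(url).query)
    identity = params.get("openid.identity", [""])[0]
    return_to = params.get("openid.return_to", [""])[0]
    if urlsplit(identity).scheme not in ("http", "https"):
        raise ValueError("openid.identity must be an http(s) URL")
    if not return_to_matches_realm(return_to, realm):
        raise ValueError("openid.return_to is outside the application realm")
    return {"identity": identity, "return_to": return_to}
```

For the URL from the post, with the receiving application using the realm http://myhost/, the return_to http://myhost/mynewapplication is accepted, while a return_to on another host or with another scheme is refused before any redirect happens.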
Conclusion
You can see that using JSR-196 and OpenID is a very comfortable way to support a new and easy to use login mechanism for web applications. For Internet applications OpenID opens your web site to millions of users. It is easy to use and you don't have to handle all the work of managing user IDs and passwords.
As OpenID servers are also available as open source, JSR-196 and OpenID can be a competitive way for enterprises to implement a single sign on (SSO) architecture in an intranet or extranet.
If you have any suggestions or comments let me know.
Posted at 07:15AM Apr 05, 2009
Posted by: Ralph
Category: General
OpenID for JEE Applications - Part II
Please note that I have started a project site to provide a platform for further discussion and development. You will also find the source code of the OpenID-JSR-196 Login Module and a wiki page on the project site:
http://code.google.com/p/openid4java-jsr196/
You are welcome to join this project.
- Part I - The JSR-196, a general overview
- Part II - How to install a OpenID Module on Glassfish
- Part III - Using OpenID in your Web Application
In Part I I described the general concepts behind JSR-196 and the OpenID integration in Glassfish. Now I would like to explain how you can configure an OpenID Login Provider in Glassfish.
To configure an OpenID Provider in Glassfish you first need the library containing the OpenID Login Module. You can download the latest version of the library containing this OpenID Login Module from here: (sam.openid-0.0.1-SNAPSHOT.jar).
Next you simply put the jar file into the <GF_HOME>/lib folder of your Glassfish installation.
Configuration of a OpenID Login Provider
You can configure the OpenID Login Provider using the GlassFish Admin Console following the next steps:
- Make sure the GlassFish Application Server is running. If it is not already running, you can start it using the following command:
<GF_HOME>/bin/asadmin start-domain domain1
where <GF_HOME> is the directory where you installed GlassFish.
- Open the GlassFish Admin Console by pointing your browser to the URL http://localhost:4848/.
- Log in to the Admin Console by entering your ID and password.
- Expand the Configuration node at the bottom of the left-hand pane.
- Navigate to the Security node, expand it, and click Message Security.
- Under Message Security Configurations, either open the HttpServlet layer if it already exists, or create it if it doesn't exist by clicking the New button.
If you cannot see the HttpServlet node you need to create the layer. Click the New button, which opens the New Message Security Configuration window, and you can then configure the new provider in one step. To do that:
- Set the following in the New Message Security Configuration window:
Provider Type: server
Provider ID: OpenIDProvider
Class Name: the SAM, that is com.sun.security.sam.openid2.OpenIDServerAuthModule
Do not check the "Default Provider: Enabled" check box.
- Click the OK button. This saves the settings and opens the Message Security Configurations window.
- Click on HttpServlet in the Authentication Layer column.
- Select the Providers tab. This opens the Provider Configuration window.
- Select the OpenIDProvider you just created in the Provider ID column. This opens the Edit Provider Configuration window.
- Click the Save button to complete the configuration of the provider.
If the HttpServlet layer already exists, you first open the provider list and add a new provider:
- Open the HttpServlet layer by selecting it in the Message Security Configurations window.
- Select the Providers tab to open the Provider Configuration window.
- Click the New button to open the New Provider Configuration window.
- In the Provider Configuration area of the window, set the following:
Provider Type: server
Provider ID: OpenIDProvider
Class Name: the SAM, that is com.sun.security.sam.openid2.OpenIDServerAuthModule
Do not check the "Default Provider: Enabled" check box.
For the first configuration this is a little bit confusing, as you need to create the HttpServlet layer. But in general the whole configuration is very simple.
Also note that the provider configuration utility provides a dialog box that you can use to configure additional properties. We will use these properties to configure our OpenIDProvider for our applications.
Configure additional Properties
After adding the new OpenIDProvider like described before you can start using the provider in your web application. But there a also a few additional properties which can be configured for each provicer instance. You cann add these properties by using the box "additional properties at the end of you confiugration page:

The different properties and their usage are described below:
assign.groups
This property is the most important one. It defines which group will be assigned to a user who has logged on with his OpenID. Typically this is a default group used in your web application.
debug
Defines whether the login module will print debug messages to the console (server log). Remove this property to turn debug mode off.
debug.stages
This property allows you to define different debug stages, so you can follow the different phases of the logon process in the server log. Remove this property to turn debug mode off.
loginpage
By default the login module will prompt the user with a simple login page where he can enter his OpenID URL. You can replace this default page with an individual page supplied by your web application (similar to form-based authentication). We will discuss this later.
verifymode
This property can be set to "once" or "allways". If the property is set to "once", the login module will verify the OpenID token only the first time the user enters a restricted page. If set to "allways" (default), the token will be verified for every request of a restricted resource.
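The same provider registration and additional properties can be scripted with asadmin instead of clicking through the admin console. This is an added example, not code from the original post or the project; it assumes asadmin is on the PATH and uses constructed sample values for the group name (users) and the login page path (/login.jsf); the value given to the debug property is arbitrary, since the post says only its presence matters.

```shell
#!/bin/sh
# Added example (not from the original post or the project): register the OpenID
# SAM as a GlassFish HttpServlet-layer message security provider with asadmin and
# attach the additional properties described above.
# Assumptions: asadmin is on PATH (override with ASADMIN); "users" and "/login.jsf"
# are constructed sample values; the value given to "debug" is arbitrary, because
# the module only checks whether the property is present.

PROVIDER_ID="OpenIDProvider"
PROVIDER_CLASS="com.sun.security.sam.openid2.OpenIDServerAuthModule"
ASSIGN_GROUPS="${ASSIGN_GROUPS:-users}"
LOGIN_PAGE="${LOGIN_PAGE:-/login.jsf}"
VERIFY_MODE="${VERIFY_MODE:-once}"   # see the verifymode property above

# Build the colon-separated name=value list that --property expects.
# A literal ':' inside a value would have to be escaped as '\:'.
provider_properties() {
    props="assign.groups=$ASSIGN_GROUPS:loginpage=$LOGIN_PAGE:verifymode=$VERIFY_MODE"
    # Only add "debug" when explicitly requested; its presence alone enables it.
    if [ "${DEBUG:-0}" = "1" ]; then
        props="$props:debug=true"
    fi
    printf '%s' "$props"
}

# Print the complete asadmin command so it can be reviewed before it runs.
provider_command() {
    printf '%s create-message-security-provider --layer HttpServlet --providertype server --classname %s --property %s %s' \
        "${ASADMIN:-asadmin}" "$PROVIDER_CLASS" "$(provider_properties)" "$PROVIDER_ID"
}

if [ "${1:-}" = "--apply" ]; then
    # Actually register the provider in the running domain.
    "${ASADMIN:-asadmin}" create-message-security-provider \
        --layer HttpServlet --providertype server \
        --classname "$PROVIDER_CLASS" \
        --property "$(provider_properties)" \
        "$PROVIDER_ID"
else
    # Dry run: show what would be executed.
    provider_command
    echo
fi
```

Run with `--apply` to register the provider; without it the script only prints the command.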
Posted at 11:28AM Apr 04, 2009
Posted by: Ralph
Category: General
OpenID for JEE Applications - Part I
A few months ago I started to work on an Internet web application using OpenID as the primary login mechanism. In the following I will explain how you can use OpenID in your JEE application.
- Part I - The JSR-196, a general overview
- Part II - How to install an OpenID Module on Glassfish
- Part III - Using OpenID in your Web Application
OpenID is an open standard that allows a user to sign into web sites through a single URL (a single digital identity). This URL can be a personal home page, a blog or a web service (e.g. from an OpenID provider like myopenid or yahoo.com) that the user is already using. In any case the user must register only once with his OpenID service provider and therefore needs only one password. You can read more about the details on openid.net.
Using OpenID in a Web Application
There are different solutions available to enable a web application to log in users with their OpenID URL. One of the most promising mechanisms to integrate OpenID in JEE applications is JSR-196. This authentication service allows web containers to use different login modules, like an external OpenID provider. JSR-196 is part of Glassfish Server, so a login mechanism based on JSR-196 is very easy to use in a JEE or web application. Ron Monzillo, who is the specification lead, gives a good overview of JSR-196 on his blog "concepts behind JSR-196".
The OpenSSO extension jsr196
As a subproject of the OpenSSO Project, Ron published a first implementation of an OpenID Login Module based on the OpenID Standard 1.0 in June 2008. I joined this project and started the work with Ron on this implementation. There is an Issue List available where you can see topics of the current work. The sources can also be downloaded from here: https://opensso.dev.java.net/source/browse/opensso/extensions/jsr196/
We implemented a new parser to optimize the handshake between the login module and the OpenID provider, and in 2009 I added different enhancements. Finally I implemented a new version of the Login Module which now also supports OpenID 2.0 providers like yahoo.com. This new login module is located in the package com.sun.security.sam.openid2 and is called OpenIDServerAuthModule.
You can download the latest version of the library containing this OpenID Login Module from here: (sam.openid-0.0.1-SNAPSHOT.jar).
In the next part I will explain how to install the login module and which configuration on Glassfish server is necessary.
In Part III I will show how you enable your web application to log on users with an OpenID.
If you have any comments or suggestions, let me know.
Posted at 10:26AM Apr 04, 2009
Posted by: Ralph
Category: General
RichFaces - How to handle external Login mechanism like OpenID
Today I found a solution for a login problem I have been faced with for a long time using RichFaces and Facelets in my JEE web app.
The problem was that my login form uses an external login mechanism (OpenID) to log in the user.
After the first successful login the RichFaces page is not loaded correctly (styles and scripts are not loaded). If the user reloads the page after the first login, everything works well.
I saw that some people are faced with this problem in similar situations. So I will try to explain the solution I found today.
My application has two areas: an unrestricted (/*) and a restricted (/secured/*) area. So when the user tries to access a restricted (RichFaces) page (e.g. /secured/page-a.jsf), my login form, located in the unrestricted area (/login.jsf), appears. So the user can first perform a login. Typical for OpenID, the login mechanism is handled by a servlet. The servlet knows the first request to the restricted page. After successful login the servlet will redirect the user again to that restricted page. But this (RichFaces) page now will not be rendered correctly, because the request no longer goes through the RichFaces servlet filter. So CSS and scripts will not be loaded!
I solved this situation by changing the startup mechanism of my application. The first thing the user will see is the login page itself! The login page is located in an unrestricted area. Now after the user has logged in successfully, the login form (servlet) will redirect the user to a restricted RichFaces page. And in this case the restricted RichFaces page will be rendered correctly, as the full request now goes through the RichFaces servlet filter. This works as there is no cascading redirect through different servlets.
I know that this sounds a little bit confusing, but it works for me. If you have found other solutions for that problem, please let me know.
Posted at 09:37AM Dec 07, 2008
Posted by: Ralph
Category: General
OpenID Authentication Module for Glassfish
In the OpenSSO Project on dev.java.net you can find an extension for OpenID. With this OpenID module, which is based on JSR-196, it is easy to use OpenID authentication in a JEE application running on Glassfish. Additional information about JSR-196 can be found here.
Building the sources of the OpenID Authentication Module is very easy, as the project is based on Maven. So first check out the sources from the jsr-196 project inside the CVS code repository:
https://opensso.dev.java.net/source/browse/opensso/extensions/jsr196/
The hostname for the cvs repository is : cvs.dev.java.net
Repository path is: /cvs
Connection type is: pserver
You just need to check out the jsr-196 project, which is found under /opensso/extensions.
After you have checked out the sources you can run a Maven install directly to build the library. You can find information about Maven here.
After you run the Maven install you have a library called
sam.openid-x.x.x.jar
Copy this jar into your glassfish/lib folder. That's it.
You can now configure a new HTTP Messaging Provider as described here. The provider class name for the OpenID Authentication Module is: com.sun.security.sam.openid.OpenIDServerAuthModule
Posted at 08:52AM Nov 08, 2008
Posted by: Ralph
Category: General
Glassfish and OpenID
Currently I am working on a solution to authenticate users with an OpenID in a JEE application running on Glassfish. I need this integration for a workflow application using the IX JEE Workflow.
After searching for Java-based OpenID solutions for web applications, I came to the conclusion that JSR-196, the Java Authentication Service Provider Interface for Containers, is one of the most promising solutions for JEE and Glassfish. But it's not easy at the moment to find a running module based on this technology. There is a very important blog about the concepts behind JSR-196 from Ron Monzillo. I also started a discussion in the java.net forum about the best way of integration. I will update my results in this blog over the next time.
Posted at 09:34AM Oct 12, 2008
Posted by: Ralph
Category: General