A minor update to the Grails OpenSSO plugin

October 5, 2009

This is a very small update to the Grails OpenSSO plugin (0.2).

Previously the OpenSSO loginUrl was hard-coded into the plugin. It is now configured in OpenssoConfig.groovy, a configuration file that is installed into your Grails application when you install the plugin.

Here is an example:

    opensso {
        // default: opensso is active
        active = true
        // error page url to redirect to when the policy eval fails
        errorPage = '/auth/denied.gsp'
        // Urls to be treated as anon (access policy is ignored)
        anonymousUrls = ['/index.gsp', '/auth/denied.gsp', '/images/*']

        // Url to redirect the user to if they do not have a valid SSO Token
        // This should be the url of the OpenSSO login service
        loginUrl = "http://localhost:8080/opensso/UI/Login"
    }
6 Comments
  1. William Davis permalink
    November 2, 2009 3:40 pm

    Dear Warren:
    Regarding the sample Grails application you created for OpenSSO:
    Did you ever have time to create a cookbook for using this? Do you know of any other examples of using your plugin especially in dealing with policies? Any help would be greatly appreciated. Thank you for your time.
    Sincerely Bill Davis.

    • wstrange permalink*
      November 2, 2009 3:53 pm

      Hi Bill

      I don’t have a cookbook, but it should be fairly straightforward (famous last words :-). You will want to reference the OpenSSO docs for examples of how to create URL policies. In a nutshell, you define the protected resource(s) (e.g. http://myapp/admin/foo/* ), the response (allow/deny) and the subjects the policy applies to (users, groups, all users, etc.). Anonymous (not enforced) URLs can be configured in the plugin.

  2. William Davis permalink
    January 4, 2010 11:41 am

    Dear Warren:
    We have an existing application that is using AccessManager 7.1 with policies for authentication against an existing application using a J2EE web policy agent. We now want to deploy a Grails application to the same server using your grails-opensso-0.2 plugin. I have reviewed your sample application and made the necessary changes to the AMConfig.properties file. The cookies are being set, but I am still unable to authenticate and am still getting the following error. Any ideas?

    [#|2010-01-04T12:18:14.208-0500|INFO|sun-appserver2.1|javax.enterprise.system.stream.out|_ThreadID=32;_ThreadName=httpSSLWorkerThread-80-1;|amSpring:01/04/2010 12:18:14:208 PM EST: Thread[httpSSLWorkerThread-80-1,10,Grizzly]
    Header: cookie =JSESSIONID=a51cbbe160a9b977b33269a76944; amlbcookie=01; JSESSIONID=C6403DF660DBE391A9E302B5F7483E88; iPlanetDirectoryPro=AQIC5wM2LY4SfcztYkrGE1pJCeZqw7l2mgt%252F2ZXpQT9942U%253D%2540AAJTSQACMDE%253D%2523; form:tree-hi=form:tree:applications:webApplications
    |#]

    [#|2010-01-04T12:18:14.209-0500|INFO|sun-appserver2.1|javax.enterprise.system.stream.out|_ThreadID=32;_ThreadName=httpSSLWorkerThread-80-1;|amSpring:01/04/2010 12:18:14:209 PM EST: Thread[httpSSLWorkerThread-80-1,10,Grizzly]
    Cookies.length: 5
    |#]

    [#|2010-01-04T12:18:14.210-0500|INFO|sun-appserver2.1|javax.enterprise.system.stream.out|_ThreadID=32;_ThreadName=httpSSLWorkerThread-80-1;|amSpring:01/04/2010 12:18:14:210 PM EST: Thread[httpSSLWorkerThread-80-1,10,Grizzly]
    Cookie: name: JSESSIONID domain: null path: null value: a51cbbe160a9b977b33269a76944 secure: false maxAge: -1 version: 0 comment null
    |#]

    [#|2010-01-04T12:18:14.211-0500|INFO|sun-appserver2.1|javax.enterprise.system.stream.out|_ThreadID=32;_ThreadName=httpSSLWorkerThread-80-1;|amSpring:01/04/2010 12:18:14:211 PM EST: Thread[httpSSLWorkerThread-80-1,10,Grizzly]
    Cookie: name: amlbcookie domain: null path: null value: 01 secure: false maxAge: -1 version: 0 comment null
    |#]

    [#|2010-01-04T12:18:14.212-0500|INFO|sun-appserver2.1|javax.enterprise.system.stream.out|_ThreadID=32;_ThreadName=httpSSLWorkerThread-80-1;|amSpring:01/04/2010 12:18:14:212 PM EST: Thread[httpSSLWorkerThread-80-1,10,Grizzly]
    Cookie: name: JSESSIONID domain: null path: null value: C6403DF660DBE391A9E302B5F7483E88 secure: false maxAge: -1 version: 0 comment null
    |#]

    [#|2010-01-04T12:18:14.213-0500|INFO|sun-appserver2.1|javax.enterprise.system.stream.out|_ThreadID=32;_ThreadName=httpSSLWorkerThread-80-1;|amSpring:01/04/2010 12:18:14:213 PM EST: Thread[httpSSLWorkerThread-80-1,10,Grizzly]
    Cookie: name: iPlanetDirectoryPro domain: null path: null value: AQIC5wM2LY4SfcztYkrGE1pJCeZqw7l2mgt%252F2ZXpQT9942U%253D%2540AAJTSQACMDE%253D%2523 secure: false maxAge: -1 version: 0 comment null
    |#]

    [#|2010-01-04T12:18:14.214-0500|INFO|sun-appserver2.1|javax.enterprise.system.stream.out|_ThreadID=32;_ThreadName=httpSSLWorkerThread-80-1;|amSpring:01/04/2010 12:18:14:214 PM EST: Thread[httpSSLWorkerThread-80-1,10,Grizzly]
    Cookie: name: form:tree-hi domain: null path: null value: form:tree:applications:webApplications secure: false maxAge: -1 version: 0 comment null
    |#]

    [#|2010-01-04T12:18:14.219-0500|INFO|sun-appserver2.1|javax.enterprise.system.stream.out|_ThreadID=32;_ThreadName=httpSSLWorkerThread-80-1;|amSpring:01/04/2010 12:18:14:215 PM EST: Thread[httpSSLWorkerThread-80-1,10,Grizzly]
    ERROR: Error creating SSOToken
    com.iplanet.sso.SSOException: Service URL not found:session
    at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:107)
    at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:239)
    at com.sun.identity.provider.springsecurity.OpenSSOProcessingFilter.getToken(OpenSSOProcessingFilter.java:92)
    at com.sun.identity.provider.springsecurity.OpenSSOProcessingFilter.obtainSSOToken(OpenSSOProcessingFilter.java:119)
    at com.sun.identity.provider.springsecurity.OpenSSOProcessingFilter.attemptAuthentication(OpenSSOProcessingFilter.java:57)
    at org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:258)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.ui.logout.LogoutFilter.doFilterHttp(LogoutFilter.java:89)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
    at org.codehaus.groovy.grails.web.servlet.mvc.GrailsWebRequestFilter.doFilterInternal(GrailsWebRequestFilter.java:65)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
    at org.codehaus.groovy.grails.web.filters.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:66)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:313)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:287)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:218)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
    at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
    at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:98)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:222)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1093)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:166)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1093)
    at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:291)
    at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:666)
    at com.sun.enterprise.web.connector.grizzly.comet.CometEngine.executeServlet(CometEngine.java:616)
    at com.sun.enterprise.web.connector.grizzly.comet.CometEngine.handle(CometEngine.java:362)
    at com.sun.enterprise.web.connector.grizzly.comet.CometAsyncFilter.doFilter(CometAsyncFilter.java:84)
    at com.sun.enterprise.web.connector.grizzly.async.DefaultAsyncExecutor.invokeFilters(DefaultAsyncExecutor.java:189)
    at com.sun.enterprise.web.connector.grizzly.async.DefaultAsyncExecutor.interrupt(DefaultAsyncExecutor.java:164)
    at com.sun.enterprise.web.connector.grizzly.async.AsyncProcessorTask.doTask(AsyncProcessorTask.java:92)
    at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:264)
    at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)

    |#]

    [#|2010-01-04T12:18:14.220-0500|INFO|sun-appserver2.1|javax.enterprise.system.stream.out|_ThreadID=32;_ThreadName=httpSSLWorkerThread-80-1;|amSpring:01/04/2010 12:18:14:220 PM EST: Thread[httpSSLWorkerThread-80-1,10,Grizzly]
    username: is null

  3. wstrange permalink*
    January 4, 2010 11:53 am

    Hi Bill

    It looks like a configuration problem where the plugin is not finding the OpenSSO server. I would enable full debugging in AMConfig.properties – that should give you much more information than the Glassfish logs.

    I found that in some cases cookie encoding needs to be enabled (on both the client in AMConfig, and the OpenSSO server – under servers->config).

    Also – be very careful to use fully qualified host/domain names everywhere. That is often a source of problems (hack your local /etc/hosts if you need to).

    If you are using AM 7.1, I am not 100% sure that the SDK bundled with the plugin is going to work (it is from OpenSSO 8.x). You may have to rebuild the plugin with SDK from AM 7.x. You can contact me offline for more help (warren dot strange at gmail )

  4. Dave permalink
    October 5, 2010 10:21 am

    I just stumbled across this and was really unaware of OpenSSO for the most part.
    It appears that OpenSSO is now handled by another company and is known as OpenAM.
    Does this plugin now work with OpenAM?

    Thanks

    • wstrange permalink*
      October 5, 2010 10:55 am

      Hi Dave

      The plugin has not been updated in quite some time, but it should be compatible with OpenAM.
