SSO Login Extension module
Edition |
Incubator (services) |
||
Git |
|||
Latest |
|
The SSO Login Extension module provides provides JCR and SSO authentication.
This module is at the INCUBATOR level. |
The SSO Login Extension module cannot be installed with Magnolia SSO module 4.0.0 and later.
It must be uninstalled before you install the SSO module.
|
Installing with Maven
Maven is the easiest way to install the module. Add the following to your bundle:
<dependency>
<groupId>info.magnolia.sso</groupId>
<artifactId>sso-login-extension</artifactId>
<version>1.0.4</version>
</dependency>
Configuration
JAAS configuration
Your jaas.config
file should look like so:
sso-authentication {
info.magnolia.sso.jaas.SsoAuthenticationModule requisite;
info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
magnolia {
// ensure user is who he claims he is (check pwd for the user)
info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
// retrieve users ACLs
info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
URL configuration
By default, to log in using jcr, you will have to point your browser to /.magnolia/jcrlogin
, this value can be changed in the configuration using decorations, the value is set in the property jcrLoginUrl
, you can set the new URL value in that property. Otherwise /.magnolia/jcrlogin
is used as default.
This property can be created via JCR or by decorating the configuration following these instructions. |
Usage
The SSO login extension module enables you to log in with SSO or use a URL to log in using JCR authentication.
The default is SSO unless you access the URL specified in the module configuration. |
Configuring Multiple Paths
By default, the Magnolia SSO module allows only one fixed path to be protected in the configuration.
Especially on public instances, it may be necessary to protect more than one path, depending on the user group you want to support (such as customers or vendors).
To work around the single-path limitation, you can add one or more security callback filters using the info.magnolia.sso.login.extension.filter.securitycallback.MultiPathRedirectCallback
filter class.
Define the filter at /server/filters/securityCallback/clientCallbacks.
Path parameters
You can use the path
property to specify the path to protect.
If the path property is missing or invalid (such as "/" ), the filter attempts to use the path defined in config.yaml file of your Magnolia SSO module configuration.
|
Default filter settings
You can use the default filter settings, such as the originalUrlPattern
settings, to match the protected path.
In addition, you can use filter configurations such as hostPattern
, which allows you to configure the host to which the configuration should be applied.
In the example below, the host is taken into account when the protected path is checked.
This means that the protected path setting would only be applied to the sso.gummibaer.org
host.
See info.magnolia.cms.security.auth.callback.AbstractHttpClientCallback for more filtering options.
|
Order of Client Callbacks
The order of the filter settings is critical. |
The configurations for the multi path filter must come before the extended login filter (enabling login with /.magnolia/jcrlogin
).
However, local logins will work in addition to the paths you define with the multi-path filter.
Additional examples
There are no configurations applied by default, but there are two sample client callback configuration files you can check out in the src/main/resources/samples
directory of the SSO Login Extension module repository.
Uninstalling
To fully uninstall the module:
-
Edit your
jaas.config
file so that it looks like this:sso-authentication { info.magnolia.sso.jaas.SsoAuthenticationModule requisite; info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required; };
-
Revert your configuration to the following: Since it is a change in the configuration of the login, you need to use a groovy script or do it in rescue mode.
/server/filters/login/class = info.magnolia.cms.security.auth.login.LoginFilter (1) /server/filters/securityCallback/clientCallbacks/magnolia-sso/class = info.magnolia.sso.UserInitiatedRedirectClientCallback
1 If you’re already using the 4.x
+ of the SSO module, this value has theinfo.magnolia.cms.security.auth.login.LoginFilter
class. However, if you’re on version3.x
of the SSO module, you must manually set the class toinfo.magnolia.sso.SsoLoginFilter
when uninstalling to ensure the logging process continues smoothly.
-
Remove the following dependency from your project:
<dependency> <groupId>info.magnolia.sso</groupId> <artifactId>sso-login-extension</artifactId> <version>1.0.4</version> </dependency>
Changelog
The SSO Login Extension module cannot be installed with Magnolia SSO module 4.0.0 and later.
It must be uninstalled before you install the SSO module.
|
Version | Notes |
---|---|
|
Improve check for anonymous user. |
|
Disallow installation on newer versions, this module will be outdated. |
|
Improvement multiple path protection. |
|
Improvement for Basic auth support. |
|
Initial release of the module. |