Can't get to work with https

  1. 2012-02-02 08:48:13 PST
    We have a Tomcat 7.0 application set up as a partner app and we're trying to configure it using JOSSO 1.8.5. We are fronting the Tomcat application with Apache/SSL. The JOSSO gateway is also running under this environment but under a different virtual host than our main web application (the partnerapp). When running everything via http on our server (when we take Apache out of the equation there), or if I just run Tomcat in a local environment (again just http), everything works just fine. It also works when I point my local Tomcat app under http to the server's Gateway (even when the Gateway is https). Once the partnerapp requests are routed to https, though, it doesn't work. We are able to get our web app to redirect to the Gateway login page, log in normally there and save and store the assertion id, which it then sends back along to our partner app via the special "josso_security_check" URL. Here the result is a 404 error. The error seems to be happening in Apache, as I do not see any logging information ever get into the SSOAgentValve in this case, but there is logging information in the SSOAgentValve prior to this point so I know the Agent Valve is working. Is there something I need to add into our Apache configuration and/or configuration regarding SSL/https to get this to work?

    Again, the sequence appears to go like this looking at the Firefox Tamper Data:

      1) http://partnerapp.abc.net (initial try to go to partnerapp via my browser)
      2) https://partnerapp.abc.net (Apache redirect)
         Set-Cookie: JSESSIONID=C94B879EE8F7901255087DC5F6EC7096; Path=/; Secure; HttpOnly
      3) (Redirected to our Gateway login, not sure why the josso_cmd=login_optional is appended here)
         https://login.abc.net/josso/signon/login.do?josso_cmd=login_optional&josso_back_to=https://partnerapp.abc.net/josso_security_check&josso_partnerapp_id=mypartnerapp
         Set-Cookie: JSESSIONID=D40F52CBB70704789717A6537738D6A1; Path=/josso; Secure; HttpOnly
      4) https://partnerapp.abc.net/josso_security_check (results in 404 error showing in browser)
      5) http://partnerapp.abc.net (I re-type my partnerapp URL into the browser again)
      6) https://partnerapp.abc.net (Apache redirect to https again)
      7) (Redirected to the Gateway login; this time it does what I expect based on the code in login_redirect.jsp)
         http://login.abc.net/josso/singon/login.do?josso_back_to=https://partnerapp.abc.net
      8) (Apache redirect to https again, Gateway login page appears)
         https://login.abc.net/josso/signon/login.do?josso_back_to=https://partnerapp.abc.net
      9) (Login credentials entered and submitted)
         https://login.abc.net/josso/signon/usernamePasswordLogin.do
         Set-Cookie: JOSSO_SESSIONID_josso=35978486ABE492DC42245566C905E819; Path=/josso
      10) (Login was successful, try to redirect back to partnerapp)
         https://partner.abc.net/?josso_assertion_id=blah
      11) (Another redirect back to Gateway behind the scenes for some reason)
         https://login.abc.net/josso/signon/login.do?josso_cmd=login_optional&josso_back_to=https://partnerapp.abc.net/josso_security_check&josso_partnerapp_id=mypartnerapp
      12) (Back to the partner app again, except this time with a different assertion id; this ends in a 404 error, at which point we are then stuck)
         https://partnerapp.bos.net/josso_security_check?josso_assertion_id=blah2

    Here is the relevant info for the apps in the Tomcat server.xml:

      <!-- JOSSO Gateway webapp config -->
      <Host name="login.abc.net">
        <Alias>1.2.3.4</Alias>
        <Realm className="org.apache.catalina.realm.MemoryRealm" />
        <Context path="/josso" docBase="/pathtogatewayfiles" crossContext="false" reloadable="false" />
      </Host>

      <!-- My JOSSO partner app config -->
      <Host name="partnerapp.abc.net">
        <Alias>1.2.3.5</Alias>
        <Realm className="org.josso.tc70.agent.jaas.CatalinaJAASRealm" appName="josso"
               userClassNames="org.josso.gateway.identity.service.BaseUserImpl"
               roleClassNames="org.josso.gateway.identity.service.BaseRoleImpl" debug="1" />
        <Valve className="org.josso.tc70.agent.SSOAgentValve" debug="5" appName="josso" />
        <Context path="" docBase="/pathtoappfiles" crossContext="false" reloadable="false" />
      </Host>

    The relevant josso-agent-config.xml file info:

      <tc70:agent name="josso-tomcat70-agent" sessionAccessMinInterval="1000">
        <!-- Gateway LOGIN and LOGOUT URLs -->
        <gatewayLoginUrl>https://login.abc.net/josso/signon/login.do</gatewayLoginUrl>
        <gatewayLogoutUrl>https://login.abc.net/josso/signon/logout.do</gatewayLogoutUrl>

        <!-- Gateway service locator -->
        <gatewayServiceLocator>
          <!-- Other properties for ws-service-locator : username, password, servicesWebContext, transportSecurity -->
          <protocol:ws-service-locator endpoint="login.abc.net:8180" />
        </gatewayServiceLocator>

        <configuration>
          <agent:agent-configuration>
            <!-- ============================================================================= -->
            <!-- JOSSO Partner application definitions :                                       -->
            <!-- Configure all web applications that should be a josso partner application     -->
            <!-- within this server.                                                           -->
            <!-- For each partner application you have to define the proper web-context.       -->
            <!-- ============================================================================= -->
            <agent:partner-apps>
              <!-- Simple definition of a partner application -->
              <agent:partner-app id="mypartnerapp" context="/" vhost="partnerapp.abc.net">
                <!-- This is an optional feature : You can reference any web resource collection
                     that should not be subject to SSO protection. The SSO agent will not provide
                     identity nor demand authentication to requests matching the security constraint
                     associated to this web resource collections. In order to work, the security
                     constraint must not contain auth-constraints declarations.
                     See sample web.xml file from josso partnerapp. -->
              </agent:partner-app>
            </agent:partner-apps>
          </agent:agent-configuration>
        </configuration>
      </tc70:agent>

    And finally the josso-gateway-web.xml configuration:

      <web-configuration id="josso-web-configuraiton"
                         rememberMeEnabled="false"
                         sessionTokenOnClient="true"
                         sessionTokenSecure="false"
                         sendP3PHeader="false">
        <!-- List of trusted host names where partner applications are deployed -->
        <trustedHosts>
          <s:value>partnerapp.abc.net</s:value>
        </trustedHosts>
      </web-configuration>

    Thank you for any assistance.
  2. 2012-02-03 01:08:23 PST
    Hi, see this post http://sourceforge.net/projects/josso/forums/forum/399715/topic/4930108 , I think there is something about the context. Verify in the gateway log what the error was. Stéphane
  3. 2012-02-10 13:10:30 PST
    We ended up solving this. It was indeed an Apache configuration change that was needed to route all the requests properly down to tomcat (and thus avoid the 404 error in Apache with /josso_security_check). Once that was figured out everything works. Thanks for the previous response.
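The thread does not show the Apache change that fixed the 404, so the following is an added illustration, not the poster's configuration: an Apache virtual host that only proxies the application's own path (so /josso_security_check never reaches the Tomcat agent valve and Apache answers 404 itself) beside one that hands the whole host to Tomcat. It assumes mod_proxy_http and mod_headers are loaded, Tomcat listens on 127.0.0.1:8080, and the certificate paths are placeholders.

```apache
# Added example, not the thread's actual Apache config.
# Assumes mod_ssl, mod_proxy_http and mod_headers; Tomcat on 127.0.0.1:8080.

# Failure mode: only the application path is proxied, so the agent's
# /josso_security_check handler inside Tomcat is never reached and
# Apache serves a 404 from its own DocumentRoot.
<VirtualHost *:443>
    ServerName partnerapp.abc.net
    SSLEngine on
    # placeholder certificate paths
    SSLCertificateFile    /etc/ssl/certs/partnerapp.crt
    SSLCertificateKeyFile /etc/ssl/private/partnerapp.key

    ProxyPreserveHost On
    ProxyPass        /app/ http://127.0.0.1:8080/app/
    ProxyPassReverse /app/ http://127.0.0.1:8080/app/
</VirtualHost>

# Corrected: route every request for this host to Tomcat so the
# SSOAgentValve sees /josso_security_check, and pass the original
# scheme so any redirect Tomcat builds stays on https.
<VirtualHost *:443>
    ServerName partnerapp.abc.net
    SSLEngine on
    # placeholder certificate paths
    SSLCertificateFile    /etc/ssl/certs/partnerapp.crt
    SSLCertificateKeyFile /etc/ssl/private/partnerapp.key

    # keep Host: partnerapp.abc.net so Tomcat selects the matching <Host>
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Plain-http listener only redirects to https (step 2 of the trace above).
<VirtualHost *:80>
    ServerName partnerapp.abc.net
    Redirect permanent / https://partnerapp.abc.net/
</VirtualHost>
```

Tomcat only honours X-Forwarded-Proto when a RemoteIpValve with protocolHeader="X-Forwarded-Proto" is configured in server.xml; without it, request.isSecure() stays false behind the proxy and the agent's generated URLs revert to http.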