OpenID for JEE Applications - Part III
- Part I - The JSR-196, a general overview
- Part II - How to install an OpenID Module on Glassfish
- Part III - Using OpenID in your Web Application
Now I will explain how you configure your web application to use OpenID as its login mechanism. If you have installed the OpenID login module as described in Part II, this step is quite easy.
web.xml & sun-web.xml
The first thing you should do is remove any existing login-config element (BASIC or FORM-based authentication) from your web.xml. The OpenID login module takes over authentication, so you now only need the security-constraint configuration. If the application is reachable over plain HTTP, the session cookie and the OpenID response arrive in clear text, so serve the protected pages over HTTPS (a user-data-constraint with transport-guarantee CONFIDENTIAL inside the security-constraint enforces this).
This is an example of the security-constraint section in my web.xml:
....
<security-constraint>
    <display-name>Access Manager Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>AUTHENTICATED_RESOURCE</web-resource-name>
        <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>org.imixs.ACCESSLEVEL.AUTHORACCESS</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>org.imixs.ACCESSLEVEL.AUTHORACCESS</role-name>
</security-role>
.....
Next you need to tell the sun-web.xml which OpenID provider (the one you configured in the Glassfish admin console) should protect this application.
To do so, add the attribute "httpservlet-security-provider" with the name of your OpenID provider:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<sun-web-app error-url="" httpservlet-security-provider="OpenIDProvider">
    <context-root>/openidtestclient</context-root>
    <security-role-mapping>
        <role-name>org.imixs.ACCESSLEVEL.AUTHORACCESS</role-name>
        <group-name>Author</group-name>
    </security-role-mapping>
    <class-loader delegate="true" />
    <jsp-config>
        <property name="keepgenerated" value="true">
            <description>Keep a copy of the generated servlet class java code.</description>
        </property>
    </jsp-config>
</sun-web-app>
That's it!
Your application now supports OpenID.
Role Mapping
Notice that we also mapped our default group "Author" to an application-specific role name. The group "Author" was configured in the OpenIDProvider property "assign.groups". So each user who has successfully authenticated against his OpenID provider is placed in this group by default and therefore gets the role "org.imixs.ACCESSLEVEL.AUTHORACCESS". You can change these settings to the requirements of your application. Keep in mind that this grants the role to anybody who owns an OpenID, not to a particular set of people; for an application that is open to the internet, which identities may actually do what remains a decision your own code has to make.
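The following servlet is an added example (not code from the original post or from the Imixs project) of how an application draws that line in code. It assumes that the OpenID login module exposes the user's OpenID URL as the name of the request principal; the servlet itself, the "note" parameter and the editor list are made up for the example. The role check uses the role name from web.xml, never the group "Author", because the group-to-role mapping lives in sun-web.xml and may differ per deployment. Because the container role only means "some OpenID user", the servlet additionally compares the normalized OpenID URL against an allow-list before it performs the author-level action.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet behind an author-level action. The container role only tells us
 * "some OpenID user"; which OpenIDs may publish is decided here.
 *
 * Assumptions not taken from the page: the OpenID login module exposes the
 * user's OpenID URL as Principal.getName(); the servlet and the editor list
 * are made up for this example.
 */
public class PublishNoteServlet extends HttpServlet {

    /** Test the role name from web.xml, never the group "Author" from sun-web.xml. */
    private static final String AUTHOR_ROLE = "org.imixs.ACCESSLEVEL.AUTHORACCESS";

    /** Constructed allow-list of OpenIDs permitted to publish, kept in normalized form. */
    private static final Set<String> EDITORS = new HashSet<String>(Arrays.asList(
            "https://alice.example.net/",
            "https://openid.example.org/bob"));

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal user = req.getUserPrincipal();
        if (user == null) {
            // Only /pages/* is behind the security-constraint. A servlet mapped
            // elsewhere is reachable without login, so do not rely on the url-pattern.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!req.isUserInRole(AUTHOR_ROLE)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String openid = normalize(user.getName());
        if (openid == null || !EDITORS.contains(openid)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "this OpenID may not publish");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("note " + req.getParameter("note") + " published by " + openid);
    }

    /**
     * Normalizes an http(s) OpenID URL following OpenID 2.0 section 7.2 and
     * RFC 3986 section 6, so that the same identity written as
     * "HTTPS://ALICE.Example.net", "https://alice.example.net" or
     * "https://alice.example.net/#me" compares equal to the list entry
     * "https://alice.example.net/": a missing scheme becomes http, scheme and
     * host are lower-cased, an empty path becomes "/", and the fragment is
     * dropped. XRI identifiers are not handled. Returns null for unusable input.
     */
    static String normalize(String identifier) {
        String s = identifier.trim();
        if (!s.contains("://")) {
            s = "http://" + s;
        }
        try {
            URI uri = new URI(s);
            if (uri.getScheme() == null || uri.getHost() == null) {
                return null;
            }
            String path = uri.getRawPath();
            if (path == null || path.length() == 0) {
                path = "/";
            }
            String query = uri.getRawQuery() == null ? "" : "?" + uri.getRawQuery();
            String port = uri.getPort() == -1 ? "" : ":" + uri.getPort();
            return uri.getScheme().toLowerCase(Locale.ENGLISH) + "://"
                    + uri.getHost().toLowerCase(Locale.ENGLISH) + port + path + query;
        } catch (URISyntaxException e) {
            return null;
        }
    }
}
```

Map the servlet under /pages/* if you want the container to trigger the OpenID login for it; the principal check inside still applies either way, and the normalization step is what keeps "https://alice.example.net" and "https://alice.example.net/" from being treated as two different people.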
Login Form
If you did not specify a login form with the additional property "loginpage", the OpenID login module answers an unauthenticated request with a simple default login form of its own.
You can implement your own login form if you like and use it as the default form for your OpenIDProvider module.
To do so, add the property "loginpage" to your provider configuration and point it to a page inside your application or to a plain HTML page on any web server.
This is a simple example of an individual login form based on JSF:
<form method="get"
      action="#{facesContext.externalContext.requestContextPath}/openid_login">
    <f:facet name="header">
        <h:outputLabel value="#{global.login_title} " />
    </f:facet>
    <h:panelGrid columns="2">
        <h:outputLabel value="#{global.username}:" />
        <!-- rendered with id and name "openid_identifier" because there is no enclosing naming container -->
        <h:inputText id="openid_identifier" />
        <!-- where the login module sends the browser after a successful login -->
        <h:inputHidden id="return_to"
            value="#{loginMB.serverURI}#{facesContext.externalContext.requestContextPath}/pages/notes.jsf" />
    </h:panelGrid>
    <input type="submit" value="#{global.login}" />
    <!-- BEGIN ID SELECTOR -->
    <script type="text/javascript" id="__openidselector"
        src="https://www.idselector.com/selector/e0ed3a269b77fa785de90aeaa20fa0f985746767"
        charset="utf-8"></script>
    <!-- END ID SELECTOR -->
</form>
Your form needs to take care of three things:
- The form action must point to the path "/openid_login". This path tells the OpenID login module to start an OpenID login process.
- The input field in which the user enters his OpenID URL must be named "openid_identifier". Make sure that both the "name" and the "id" attribute are set to "openid_identifier".
- The form must carry a hidden field "return_to" that points to the page to which the user is redirected after the login process succeeds. Since this value comes from the browser, only ever put URLs of your own application in it, as the example does by building it from the application's own context path.
The ID Selector script is a small widget provided by http://www.idselector.com that helps the user pick his OpenID provider. Be aware that it is loaded from a third-party host into your login page, so you are trusting that host with everything the user types into the form.
Single Sign On (SSO)
OpenID supports single sign-on. This means that once your application knows the user's OpenID, you can easily log the user on to pages of other web applications on the same server. To use this feature you only need to redirect the authenticated user to the new site, passing his identity and the return URL in the query string.
For example:
http://myhost/mynewapplication?openid.identity=[http://usersopenid]&openid.return_to=[http://myhost/mynewapplication]
The square brackets mark placeholders; both values must be URL-encoded. The target application does not take this parameter as proof of identity: it starts its own OpenID login with the given identifier, and how that login proceeds depends on the user's OpenID provider settings. Some providers, like myid.net, give the user a convenient way to control his personal settings for the different pages and applications that use OpenID.
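The following servlet is an added example (not code from the original post or from the Imixs project) of the hand-over described above. It assumes, like the previous example, that the OpenID login module exposes the user's OpenID URL as the name of the request principal; the servlet, its "app" parameter and the list of trusted applications are made up for the example. The two points it adds to the sample URL are that both query values are percent-encoded, and that the redirect target is taken from a fixed list of applications on this host rather than from the request, so the servlet cannot be abused to send the user's OpenID to an arbitrary site.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hands an authenticated user over to another OpenID-enabled application on
 * the same host, as described in the SSO section.
 *
 * Assumptions not taken from the page: the OpenID login module exposes the
 * user's OpenID URL as Principal.getName(); the servlet mapping "/sso" and the
 * "app" request parameter are made up for this example.
 */
public class SsoHandoverServlet extends HttpServlet {

    /** Context roots of applications on this host we are willing to hand users to. */
    private static final Set<String> TRUSTED_APPS = new HashSet<String>(
            Arrays.asList("/mynewapplication", "/othertool"));

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal user = req.getUserPrincipal();
        if (user == null) {
            // /sso should itself be covered by the security-constraint; this check
            // only guards against a wrong url-pattern.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String app = req.getParameter("app");
        if (app == null || !TRUSTED_APPS.contains(app)) {
            // Never redirect to an arbitrary URL taken from the request: that would
            // turn this servlet into an open redirector that leaks the user's OpenID.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown application");
            return;
        }
        resp.sendRedirect(handoverUrl(serverBase(req), app, user.getName()));
    }

    /** Scheme, host and port of the current request, e.g. "https://myhost:8181". */
    static String serverBase(HttpServletRequest req) {
        URI current = URI.create(req.getRequestURL().toString());
        return current.getScheme() + "://" + current.getAuthority();
    }

    /**
     * Builds, for base "https://myhost", app "/mynewapplication" and OpenID
     * "https://alice.example.net/":
     * https://myhost/mynewapplication?openid.identity=https%3A%2F%2Falice.example.net%2F
     *     &openid.return_to=https%3A%2F%2Fmyhost%2Fmynewapplication
     * Both values are percent-encoded; the brackets in the page's sample URL are
     * placeholders, not literal characters.
     */
    static String handoverUrl(String base, String app, String openid) throws IOException {
        String target = base + app;
        return target
                + "?openid.identity=" + URLEncoder.encode(openid, "UTF-8")
                + "&openid.return_to=" + URLEncoder.encode(target, "UTF-8");
    }
}
```

A link such as /sso?app=/mynewapplication in the first application is enough to trigger the hand-over; the second application's OpenID login module then runs its own verification with the user's provider, which is why the parameter can only pre-fill the identifier and never replaces that login.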
Conclusion
You can see that using JSR-196 and OpenID is a very comfortable way to support a new and easy-to-use login mechanism for web applications. For internet applications, OpenID opens your web site to millions of users. It is easy to use and you do not have to handle all the work of managing user IDs and passwords yourself.
As OpenID servers are also available as open source, JSR-196 and OpenID can be a competitive way for enterprises to implement a single sign-on (SSO) architecture in an intranet or extranet.
If you have any suggestions or comments let me know.
Posted at 07:15AM Apr 05, 2009
Posted by: Ralph
Category: General