The latest DBPrism release includes JAAS/SSO support built on the Oracle Proxy User feature.
Enabling JAAS support in DBPrism CMS requires configuration on both the web server and the DBPrism/database side.
First, configure your web server to enable JAAS/SSO support. With Jetty, which is distributed by default with DBPrism CMS, you can do that by following these steps.
It is first necessary to create a new CMS user that acts as the middle-tier user, also called the big user. Using the installer, add the CMS_PUBLIC user as you would any other CMS user; here is a screenshot of this step.
[Screenshot: Installer screen adding the CMS_PUBLIC user]
Then, connected as SYSDBA, allow DBPRISM_ADMIN to connect through CMS_PUBLIC and remove CMS_PUBLIC from the CMS user table, so that it remains a pure middle-tier database user (the proxy clause must be issued as its own ALTER USER statement):
SQL> connect / as sysdba
SQL> alter user DBPRISM_ADMIN grant connect through CMS_PUBLIC;
SQL> alter user DBPRISM_ADMIN account unlock;
SQL> revoke CONNECT from DBPRISM_ADMIN;
SQL> grant CREATE SESSION to DBPRISM_ADMIN;
SQL> delete from cms_data.cms_users where username='CMS_PUBLIC';
SQL> commit;
You can enable Jetty JAAS support by adding this realm entry to the jetty-xxx.xml file, for example:
<!-- =============================================================== -->
<!-- Configure the Authentication Realms -->
<!-- =============================================================== -->
<Call name="addRealm">
  <Arg>
    <New class="org.mortbay.http.HashUserRealm">
      <Arg>DBPrism CMS Realm</Arg>
      <Arg>../sites/www.dbprism.com.ar/db/dbprismRealm.properties</Arg>
    </New>
  </Arg>
</Call>
The dbprismRealm.properties file looks like this:
#
# This file defines users passwords and roles for a HashUserRealm
#
# The format is
#  <username>: <password>[,<rolename> ...]
#
# Passwords may be clear text, obfuscated or checksummed. The class
# org.mortbay.util.Password should be used to generate obfuscated
# passwords or password checksums
#
# If DIGEST Authentication is used, the password must be in a recoverable
# format, either plain text or OBF:.
#
dbprism_admin: dbprism_admin,cms_user
demo_admin: demo_admin,cms_user
install_user: install_user,installer
The web.xml file looks like this (the security-role declarations must match the role names used in the auth-constraints and in the realm properties file, i.e. cms_user and installer):
<web-app>
  .....
  <error-page>
    <error-code>403</error-code>
    <location>/live/NotAuthorized.html</location>
  </error-page>
  <!-- Security Section: uncomment this section if you want SSO or JAAS -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Installer</web-resource-name>
      <url-pattern>/ldoc/install.xhtml</url-pattern>
      <url-pattern>/ldoc/_install/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>installer</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Installer-CMS</web-resource-name>
      <url-pattern>/ldoc/images/*</url-pattern>
      <url-pattern>/ldoc/cms-imgs/*</url-pattern>
      <url-pattern>/ldoc/js/*</url-pattern>
      <url-pattern>/ldoc/cross-browser.com/*</url-pattern>
      <url-pattern>/ldoc/css/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>installer</role-name>
      <role-name>cms_user</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>DBPrism CMS</web-resource-name>
      <url-pattern>/dpls/*</url-pattern>
      <url-pattern>/ldoc/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>cms_user</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- Define this realm in the jetty.xml file;
       installer and frontend use this Realm to control CMS access
       using JAAS/Oracle proxy user support
  -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>DBPrism CMS Realm</realm-name>
  </login-config>
  <!--
    Use Form based authentication;
    activate only once the CMS is installed,
    because the forms are stored in the /live/ directory of the
    CMS user
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>DBPrism CMS Realm</realm-name>
    <form-login-config>
      <form-login-page>/live/logon.html</form-login-page>
      <form-error-page>/live/NotAuthorized.html</form-error-page>
    </form-login-config>
  </login-config>
  -->
  <security-role>
    <role-name>cms_user</role-name>
  </security-role>
  <security-role>
    <role-name>installer</role-name>
  </security-role>
</web-app>
Some changes to the Cocoon sitemap.xmap are also required to work with JAAS:
..
<map:match pattern="content/**.xml">
  <map:generate src="/content/{1}.xml">
    <map:parameter name="ESI-Key-Pattern" value="CookiePattern=CMS_.*"/>
    <map:parameter name="Cache-Control" value="External"/>
    <map:parameter name="cms_user" value="DBPRISM_ADMIN"/>
    <map:parameter name="base" value="/public"/>
  </map:generate>
  <map:serialize/>
</map:match>
..
<map:match pattern="header/**.xml">
  <map:generate src="/header/{1}.xml">
    <map:parameter name="ESI-Key-Pattern" value="CookiePattern=CMS_.*"/>
    <map:parameter name="Cache-Control" value="External"/>
    <map:parameter name="cms_user" value="DBPRISM_ADMIN"/>
    <map:parameter name="base" value="/public"/>
  </map:generate>
  <map:serialize/>
</map:match>
..
The public web site, which does not require JAAS authentication, is served through a DAD connected as the CMS_PUBLIC user, so an additional parameter (for example cms_user=DBPRISM_ADMIN) is required to tell the CMS which site is being visited.
Finally, the prism.xconf DAD entries that use JAAS authentication require an extra parameter to enable Oracle Proxy User support:
<?xml version='1.0' encoding='ISO-8859-1'?>
<properties>
  <category name="general">
    <property name="useProxyUser" value="true"/>
  </category>
  ...
  <category name="DAD_cms">
    <property name="useProxyUser" value="false"/>
  </category>
  ...
  <category name="DAD_header">
    <property name="useProxyUser" value="false"/>
    <property name="defaultPage" value="CMSj.header"/>
    <property name="alwaysCallDefaultPage" value="true"/>
  </category>
  ...
  <category name="DAD_content">
    <property name="useProxyUser" value="false"/>
    <property name="defaultPage" value="CMSj.content"/>
    <property name="alwaysCallDefaultPage" value="true"/>
  </category>
  ...
</properties>
Enable proxy user support by default in the general section and disable it for the public DADs (those that connect as the CMS_PUBLIC database user).
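To make the mechanism concrete, here is an added example (not DBPrism's own code) of what a DAD with useProxyUser enabled does with the Oracle JDBC driver: it connects as the middle-tier user CMS_PUBLIC, switches the session to the principal authenticated by the Jetty realm without knowing that user's password, and checks through USERENV that the switch really happened. The JDBC URL, the CMS_PUBLIC password and the class name are assumptions.

```java
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;
import oracle.jdbc.OracleConnection;

public class ProxyUserCheck {

    // Assumed values: JDBC URL and the password of the middle-tier
    // ("big") user CMS_PUBLIC created through the installer.
    private static final String JDBC_URL = "jdbc:oracle:thin:@localhost:1521:XE";
    private static final String BIG_USER = "CMS_PUBLIC";
    private static final String BIG_USER_PASSWORD = "cms_public_password";

    /**
     * Opens a session as CMS_PUBLIC and switches it to the given principal,
     * e.g. the name returned by HttpServletRequest.getUserPrincipal().
     * No password of the proxied user is needed: the
     * ALTER USER ... GRANT CONNECT THROUGH CMS_PUBLIC grant authorises the switch,
     * and the proxied user only needs CREATE SESSION.
     */
    static OracleConnection openAs(String principal) throws SQLException {
        OracleConnection conn = (OracleConnection)
                DriverManager.getConnection(JDBC_URL, BIG_USER, BIG_USER_PASSWORD);
        Properties proxy = new Properties();
        // Oracle user names are upper case unless created with quotes.
        proxy.setProperty(OracleConnection.PROXY_USER_NAME, principal.toUpperCase());
        conn.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, proxy);
        return conn;
    }

    /** Verifies with USERENV that the session runs as the proxied user via CMS_PUBLIC. */
    static boolean isProxiedAs(OracleConnection conn, String principal) throws SQLException {
        String sql = "SELECT SYS_CONTEXT('USERENV','SESSION_USER'),"
                   + "       SYS_CONTEXT('USERENV','PROXY_USER') FROM DUAL";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return principal.equalsIgnoreCase(rs.getString(1))
                && BIG_USER.equalsIgnoreCase(rs.getString(2));
        }
    }

    public static void main(String[] args) throws SQLException {
        try (OracleConnection conn = openAs("DBPRISM_ADMIN")) {
            System.out.println("proxied as DBPRISM_ADMIN: " + isProxiedAs(conn, "DBPRISM_ADMIN"));
            // End only the proxy session; the CMS_PUBLIC session can go back to a pool.
            conn.close(OracleConnection.PROXY_SESSION);
        }
    }
}
```

If the query returns a different SESSION_USER or an empty PROXY_USER, the CONNECT THROUGH grant or the useProxyUser setting of the DAD is not in effect.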