Introduction
This article is an addendum to PicketLink Security Token Service by Stefan Guilhen. It shows the steps needed to make JBoss AS 7.1.1 work with the latest version of PicketLink (2.0.3.Final) and the picketlink-sts.war included in PicketLink Web Applications for JBoss AS 7.1.x.
Versions
Component | Version
---|---
JBoss AS | 7.1.1.Final
PicketLink | 2.0.3.Final
PicketLink Web Applications | 2.0.3.Final
JBoss AS Configuration
Follow the last section (How do I install PL 2.0.2 (and above) in AS 7.1.x?) of the PicketLink 2.0.3.Final article by Anil Saldhana. After following the steps, you should:
- have the latest picketlink jars in ${jboss.home.dir}/modules/org/picketlink/main
- have ${jboss.home.dir}/modules/org/picketlink/main/module.xml updated to:

```xml
<module xmlns="urn:jboss:module:1.1" name="org.picketlink">
  <resources>
    <resource-root path="picketlink-fed-2.0.3.Final.jar"/>
    <resource-root path="picketlink-bindings-2.0.3.Final.jar"/>
    <resource-root path="picketlink-bindings-jboss-2.0.3.Final.jar"/>
  </resources>
  <dependencies>
    <module name="javax.api"/>
    <module name="javax.security.auth.message.api"/>
    <module name="javax.security.jacc.api"/>
    <module name="javax.transaction.api"/>
    <module name="javax.xml.bind.api"/>
    <module name="javax.xml.stream.api"/>
    <module name="javax.servlet.api"/>
    <module name="org.jboss.common-core"/>
    <module name="org.jboss.logging"/>
    <module name="org.jboss.as.web"/>
    <module name="org.jboss.security.xacml"/>
    <module name="org.picketbox"/>
    <module name="javax.xml.ws.api"/>
    <module name="org.apache.log4j"/>
    <!-- <module name="org.apache.santuario.xmlsec"/> --> <!-- Comment this line out -->
    <module name="sun.jdk"/> <!-- Add this new module dependency -->
  </dependencies>
</module>
```

- have added the lines below to ${jboss.home.dir}/modules/sun/jdk/main/module.xml:

```xml
<path name="javax/xml/crypto/dsig"/>
<path name="javax/xml/crypto"/>
<path name="javax/xml/crypto/dsig/dom"/>
<path name="javax/xml/crypto/dsig/keyinfo"/>
<path name="com/sun/org/apache/xml/internal/security/transforms/implementations"/>
<path name="org/jcp/xml/dsig/internal/dom"/>
```

- have unpacked all web applications in ${jboss.home.dir}/standalone/deployments
- have modified ${jboss.home.dir}/standalone/configuration/standalone.xml to include security-domain entries for the sample web applications above:

```xml
<security-domain name="idp" cache-type="default">
  <authentication>
    <login-module code="UsersRoles" flag="required">
      <module-option name="usersProperties" value="users.properties"/>
      <module-option name="rolesProperties" value="roles.properties"/>
    </login-module>
  </authentication>
</security-domain>
<security-domain name="picketlink-sts" cache-type="default">
  <authentication>
    <login-module code="UsersRoles" flag="required">
      <module-option name="usersProperties" value="sts-users.properties"/>
      <module-option name="rolesProperties" value="sts-roles.properties"/>
    </login-module>
  </authentication>
</security-domain>
<security-domain name="sp" cache-type="default">
  <authentication>
    <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
  </authentication>
</security-domain>
```
Modify picketlink-sts.war
The picketlink-sts.war does not include the user and role property files for authentication. To make it work, you can either update the war file or change the recommended security-domain entry for "picketlink-sts" to tell it to use external properties files instead.
Update the picketlink-sts.war file
- Unpack the war file contents: `jar xf picketlink-sts.war`
- Create both sts-users.properties and sts-roles.properties under WEB-INF/classes. You can either copy the users and roles from idp.war (same location, WEB-INF/classes) or create them yourself. You need a user=password entry in sts-users.properties, and the role configured in WEB-INF/web.xml must be granted to that user in sts-roles.properties.

sts-users.properties:

```properties
tomcat=tomcat
```

sts-roles.properties:

```properties
tomcat=manager,sales,employee,STSClient
```

- Update the war file with the modified WEB-INF: `jar uf picketlink-sts.war WEB-INF`
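The most common mistake at this step is a mismatch between the role that web.xml requires and the roles granted in sts-roles.properties, which shows up only as a 403 from the STS. The following added check (example code, not part of this article or of PicketLink) parses the two property files and a web.xml, and reports users that lack a role named in an auth-constraint, roles assigned to undefined users, and passwords equal to the username. The embedded web.xml is a constructed sample that requires the role STSClient (the role granted in the article's sample roles file); the real WEB-INF/web.xml in picketlink-sts.war is not reproduced here.

```python
"""Consistency check for UsersRoles property files against web.xml.

Added example; constructed sample inputs, not the files shipped in the war.
"""
import xml.etree.ElementTree as ET

# Constructed sample web.xml: protects everything and requires role STSClient.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>STS</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>STSClient</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>PicketLinkSTS</realm-name>
  </login-config>
  <security-role>
    <role-name>STSClient</role-name>
  </security-role>
</web-app>
"""

# The two property files exactly as the article shows them.
SAMPLE_USERS = "tomcat=tomcat\n"
SAMPLE_ROLES = "tomcat=manager,sales,employee,STSClient\n"


def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def required_roles(web_xml_text):
    """Role names listed in any <auth-constraint>, ignoring the XML namespace."""
    root = ET.fromstring(web_xml_text)
    roles = set()
    for element in root.iter():
        if element.tag.endswith("auth-constraint"):
            for child in element:
                if child.tag.endswith("role-name") and child.text:
                    roles.add(child.text.strip())
    return roles


def check_sts_properties(web_xml_text, users_text, roles_text):
    """Return a list of findings; an empty list means the files are consistent."""
    findings = []
    users = parse_properties(users_text)
    roles = parse_properties(roles_text)
    needed = required_roles(web_xml_text)
    if not users:
        findings.append("sts-users.properties defines no users")
    for user, password in users.items():
        if user == password:
            findings.append(f"user '{user}' has password equal to username")
        granted = {r.strip() for r in roles.get(user, "").split(",") if r.strip()}
        missing = needed - granted
        if missing:
            findings.append(
                f"user '{user}' lacks role(s) required by web.xml: {sorted(missing)}")
    for user in roles:
        if user not in users:
            findings.append(f"roles assigned to unknown user '{user}'")
    return findings


if __name__ == "__main__":
    for finding in check_sts_properties(SAMPLE_WEB_XML, SAMPLE_USERS, SAMPLE_ROLES):
        print("FINDING:", finding)
```

Run against the article's sample files the only finding is the tomcat/tomcat credential; swap in real files (read from WEB-INF/classes or ${jboss.server.config.dir}) to check a deployment.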
Update standalone.xml
The other way is to point the authentication mechanism at external property files: modify the picketlink-sts security-domain section in standalone.xml as shown below, then create the same sts-users.properties and sts-roles.properties files from the previous section in ${jboss.home.dir}/standalone/configuration.

```xml
<security-domain name="picketlink-sts" cache-type="default">
  <authentication>
    <login-module code="UsersRoles" flag="required">
      <module-option name="usersProperties" value="${jboss.server.config.dir}/sts-users.properties"/>
      <module-option name="rolesProperties" value="${jboss.server.config.dir}/sts-roles.properties"/>
    </login-module>
  </authentication>
</security-domain>
```
Check STS wsdl
To make sure everything is configured correctly, check the WSDL at http://localhost:8080/picketlink-sts/PicketLinkSTSService?wsdl
It should ask for authentication before providing the wsdl.
Run Client Application
To run the client application from PicketLink Security Token Service by Stefan Guilhen, modify the endpoint and user/password:

```java
public void testSTS() throws Exception {
    // create a WSTrustClient instance.
    WSTrustClient client = new WSTrustClient("PicketLinkSTS", "PicketLinkSTSPort",
            "http://localhost:8080/picketlink-sts/PicketLinkSTSService",
            new SecurityInfo("tomcat", "tomcat"));
    // ...
}
```
To change the SAML to 1.1, change the token type:
```java
// issue a SAML assertion using the client API.
Element assertion = null;
try {
    assertion = client.issueToken(SAMLUtil.SAML11_TOKEN_TYPE);
} catch (WSTrustException wse) {
    System.out.println("Unable to issue assertion: " + wse.getMessage());
    wse.printStackTrace();
    System.exit(1);
}
```
If everything is working, you should get the SAML assertion:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AssertionID="ID_eb76fdfc-8614-462f-933e-cb8d17cb5e4e"
    IssueInstant="2012-04-09T21:43:36.572Z" Issuer="PicketLinkSTS"
    MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2012-04-09T21:43:36.572Z" NotOnOrAfter="2012-04-09T23:43:36.572Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2012-04-09T21:43:36.572Z"
      AuthenticationMethod="urn:picketlink:auth">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">tomcat</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <dsig:Reference URI="">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue>HDnMXVoONxX3EtDGVhI3y5n88ho=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>Lw/KCB//ahqDl9YFvA54jAiHA4uyte2xzqU1B+5qJTzy/ADKULWnjSV6gG5BNF2BwqgRwYD0GW3K
W/mEeHefJ6IZD/rHxMChGDYM4v/1ST27RV/tGWXSMOeilK0pMFvO0yWrljQarJvCV1cYwZR+zbaQ
davemRmvg95GxbwaJl4=</dsig:SignatureValue>
    <dsig:KeyInfo>
      <dsig:KeyValue>
        <dsig:RSAKeyValue>
          <dsig:Modulus>suGIyhVTbFvDwZdx8Av62zmP+aGOlsBN8WUE3eEEcDtOIZgO78SImMQGwB2C0eIVMhiLRzVPqoW1
dCPAveTm653zHOmubaps1fY0lLJDSZbTbhjeYhoQmmaBro/tDpVw5lKJns2qVnMuRK19ju2dxpKw
lYGGtrP5VQv00dfNPbs=</dsig:Modulus>
          <dsig:Exponent>AQAB</dsig:Exponent>
        </dsig:RSAKeyValue>
      </dsig:KeyValue>
    </dsig:KeyInfo>
  </dsig:Signature>
</saml:Assertion>
```
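Getting an assertion back is not the same as the assertion being acceptable to a relying party. The following added example (not part of this article, and not PicketLink's own validation code) parses an assertion with the structure shown above and checks what a consumer should check before trusting it: SAML version, expected Issuer, the NotBefore/NotOnOrAfter window against a supplied clock with a small skew allowance, the presence of an authenticated Subject with a bearer confirmation, and the presence and algorithms of the enveloped signature. The embedded assertion is a constructed copy of the one above in which the digest, signature and key values are replaced by placeholders. Cryptographic verification of the signature is deliberately out of scope: that requires exclusive C14N and the STS's trusted certificate, which an XML-DSig library provides.

```python
"""Relying-party sanity checks on a SAML 1.1 assertion from the STS.

Added example. Structural checks only; the XML signature is not verified
cryptographically here (that needs an XML-DSig implementation and the STS's
trusted signing certificate).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML11 = "{urn:oasis:names:tc:SAML:1.0:assertion}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed copy of the assertion shown in the article; base64 values are
# placeholders, not the real digest, signature or key.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AssertionID="ID_eb76fdfc-8614-462f-933e-cb8d17cb5e4e"
    IssueInstant="2012-04-09T21:43:36.572Z" Issuer="PicketLinkSTS"
    MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2012-04-09T21:43:36.572Z" NotOnOrAfter="2012-04-09T23:43:36.572Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2012-04-09T21:43:36.572Z"
      AuthenticationMethod="urn:picketlink:auth">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">tomcat</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <dsig:Reference URI="">
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue>PLACEHOLDER_DIGEST=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>PLACEHOLDER_SIGNATURE=</dsig:SignatureValue>
  </dsig:Signature>
</saml:Assertion>
"""

BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"


def parse_instant(value):
    """SAML instants are UTC ('Z' suffix); accept with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAML instant: {value!r}")


def check_assertion(xml_text, now, expected_issuer="PicketLinkSTS", skew_seconds=60):
    """Return {'subject': name, 'findings': [...]}; empty findings means acceptable."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != SAML11 + "Assertion":
        return {"subject": None, "findings": [f"not a SAML 1.x assertion: {root.tag}"]}
    version = (root.get("MajorVersion"), root.get("MinorVersion"))
    if version != ("1", "1"):
        findings.append(f"expected SAML 1.1, got {version[0]}.{version[1]}")
    if root.get("Issuer") != expected_issuer:
        findings.append(f"unexpected issuer {root.get('Issuer')!r}")

    # Validity window: tolerate small clock skew between STS and consumer.
    cond = root.find(SAML11 + "Conditions")
    not_before = cond.get("NotBefore") if cond is not None else None
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not (not_before and not_after):
        findings.append("Conditions missing NotBefore/NotOnOrAfter: no validity window")
    else:
        skew = timedelta(seconds=skew_seconds)
        if now + skew < parse_instant(not_before):
            findings.append("assertion is not yet valid")
        if now - skew >= parse_instant(not_after):
            findings.append("assertion has expired")

    # Authenticated subject and bearer confirmation.
    name = None
    subject = root.find(f"{SAML11}AuthenticationStatement/{SAML11}Subject")
    if subject is None:
        findings.append("no authenticated Subject")
    else:
        name_el = subject.find(SAML11 + "NameIdentifier")
        name = name_el.text.strip() if name_el is not None and name_el.text else None
        method = subject.findtext(f"{SAML11}SubjectConfirmation/{SAML11}ConfirmationMethod")
        if method != BEARER:
            findings.append(f"unexpected confirmation method {method!r}")

    # Signature presence and algorithm strength (verification is done elsewhere).
    sig = root.find(DSIG + "Signature")
    if sig is None:
        findings.append("assertion is unsigned")
    else:
        for label, path in (("signature", f"{DSIG}SignedInfo/{DSIG}SignatureMethod"),
                            ("digest", f"{DSIG}SignedInfo/{DSIG}Reference/{DSIG}DigestMethod")):
            el = sig.find(path)
            alg = el.get("Algorithm") if el is not None else None
            if alg is None:
                findings.append(f"{label} method missing")
            elif alg.endswith("sha1"):
                findings.append(f"{label} method uses SHA-1 ({alg}); prefer an RSA-SHA256 profile")
    return {"subject": name, "findings": findings}


def check_at(xml_text, iso_now, **kwargs):
    """Convenience wrapper taking the evaluation time as a SAML-style instant."""
    return check_assertion(xml_text, parse_instant(iso_now), **kwargs)


if __name__ == "__main__":
    result = check_at(SAMPLE_ASSERTION, "2012-04-09T22:00:00Z")
    print("subject:", result["subject"])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Evaluated inside the two-hour window the sample yields only the two SHA-1 findings (the article's output is signed with rsa-sha1 and a sha1 digest, which the signing profile in the STS configuration decides); evaluated today the same assertion is reported as expired, which is the check a replayed token must fail.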