34 Replies. Latest reply on Apr 5, 2012 2:55 PM by tonykaska
      • 15. Looking for Test Volunteers[Seam/PicketLink]
        anil.saldhana

        Matt, have you tried with regular form authentication?  What you are describing may be an issue with the use of the negotiation authenticator that does an extra handshake with the negotiation w/ browser.

        • 16. Re: Looking for Test Volunteers[Seam/PicketLink]
          matthew.hayes

          No, I haven't; I will try that as well.

          I noticed one other thing: global variables that work in most JBoss XML files don't seem to be getting processed properly in the XML files for the Seam SP configuration (specifically external-authentication-config.xml and saml-entities.xml).

          Is this supposed to work?  If not, are there any plans to support it?

          <?xml version="1.0" encoding="UTF-8"?>
          <ExternalAuthenticationConfig
              xmlns="urn:picketlink:identity-federation:seam:config:1.0" xmlns:tns="urn:picketlink:identity-federation:seam:config:1.0">
              <ServiceProvider protocol="${mycompany.saml.idp.protocol}" hostname="${mycompany.saml.idp.domain}" port="${mycompany.saml.idp.port}"
                  unsolicitedAuthenticationUrl="${mycompany.saml.sp.baseurl}seam-sp/PublicPage.seam"
                  loggedOutUrl="${mycompany.saml.sp.baseurl}seam-sp/PublicPage.seam"
                  failedAuthenticationUrl="${mycompany.saml.sp.baseurl}seam-sp/FailedAuthenticationPage.seam"
                  internalAuthenticationMethod="#{authenticator.internalAuthenticate}">
                  <SamlConfig serviceProviderEntityId="${mycompany.saml.sp.baseurl}seam-sp"
                      defaultIdentityProvider="${mycompany.saml.idp.protocol}://${mycompany.saml.idp.domainpath}" authnRequestsSigned="${mycompany.saml.signed}" wantAssertionsSigned="${mycompany.saml.signed}"
                      keyStoreUrl="${mycompany.saml.keystoreurl}" keyStorePass="${mycompany.saml.keystorepass}"
                      signingKeyAlias="${mycompany.saml.signingalias}" signingKeyPass="${mycompany.saml.signingpass}">
                      <SamlIdentityProvider entityId="${mycompany.saml.idp.protocol}://${mycompany.saml.idp.domainpath}" />
                  </SamlConfig>
              </ServiceProvider>
          </ExternalAuthenticationConfig>

          • 17. Looking for Test Volunteers[Seam/PicketLink]
            anil.saldhana

            Matt, I don't think we have any issues in supporting this across PicketLink.

            https://issues.jboss.org/browse/PLFED-138

            • 18. Looking for Test Volunteers[Seam/PicketLink]
              anil.saldhana

              Matt,  that JIRA is fixed.  You will need to update both the workspaces.  PL trunk as well as the PL Seam trunk workspace.

              One issue is that PL Seam parsing uses JAXB and some attributes tie into BigInteger such as Port.  So they cannot be system property substituted.

              • 19. Re: Looking for Test Volunteers[Seam/PicketLink]
                matthew.hayes

                Any objection to doing the replace with something a bit more generic to handle prefixes and suffixes, etc?  Something like:

                   import java.util.regex.Matcher;
                   import java.util.regex.Pattern;

                   public static String getSystemPropertyAsString( String str )
                   {
                       if (str == null || str.isEmpty())
                           return str;

                       // matches ${name}; group(1) is the property name between the braces
                       Pattern p = Pattern.compile("\\$\\{([^}]+)}");
                       Matcher m = p.matcher(str);
                       StringBuffer sb = new StringBuffer();
                       String sysPropertyValue = null;

                       while (m.find()) {
                           // SecurityActions is PicketLink's privileged wrapper around System.getProperty
                           sysPropertyValue = SecurityActions.getSystemProperty(m.group(1), "" );
                           if( sysPropertyValue.isEmpty() )
                               throw new IllegalArgumentException( "System Property " + m.group(1) + " is not set" );
                           // quoteReplacement so a '$' or '\' in the value is not read as a group reference
                           m.appendReplacement(sb, Matcher.quoteReplacement(sysPropertyValue));
                       }
                       m.appendTail(sb);

                       return sb.toString();
                   }

                Also I noticed the SamlConfiguration.java file still needed the function to be added in a few places: lines 85-92, 109, 121-124, 164.

                Configuration.java: lines 82 and 86.

                • 20. Looking for Test Volunteers[Seam/PicketLink]
                  anil.saldhana

                  Matt,  can you give me some examples of possible patterns?

                  • 21. Re: Looking for Test Volunteers[Seam/PicketLink]
                    matthew.hayes

                    Sure, I just worked the regex off the example above; I highlighted them below.

                    <?xml version="1.0" encoding="UTF-8"?>
                    <ExternalAuthenticationConfig
                        xmlns="urn:picketlink:identity-federation:seam:config:1.0" xmlns:tns="urn:picketlink:identity-federation:seam:config:1.0">
                        <ServiceProvider protocol="${mycompany.saml.idp.protocol}" hostname="${mycompany.saml.idp.domain}" port="80"
                            unsolicitedAuthenticationUrl="${mycompany.saml.sp.baseurl}seam-sp/PublicPage.seam"
                            loggedOutUrl="${mycompany.saml.sp.baseurl}seam-sp/PublicPage.seam"
                            failedAuthenticationUrl="${mycompany.saml.sp.baseurl}seam-sp/FailedAuthenticationPage.seam"
                            internalAuthenticationMethod="#{authenticator.internalAuthenticate}">
                            <SamlConfig serviceProviderEntityId="${mycompany.saml.sp.baseurl}seam-sp"
                                defaultIdentityProvider="${mycompany.saml.idp.protocol}://${mycompany.saml.idp.domainpath}" authnRequestsSigned="${mycompany.saml.signed}" wantAssertionsSigned="${mycompany.saml.signed}"
                                keyStoreUrl="${mycompany.saml.keystoreurl}" keyStorePass="${mycompany.saml.keystorepass}"
                                signingKeyAlias="${mycompany.saml.signingalias}" signingKeyPass="${mycompany.saml.signingpass}">
                                <SamlIdentityProvider entityId="${mycompany.saml.idp.protocol}://${mycompany.saml.idp.domainpath}" />
                            </SamlConfig>
                        </ServiceProvider>
                    </ExternalAuthenticationConfig>

                    • 22. Looking for Test Volunteers[Seam/PicketLink]
                      anil.saldhana

                      Matt,  thanks for the example.  I think we should be able to support these.

                      • 23. Looking for Test Volunteers[Seam/PicketLink]
                        anil.saldhana

                        Update the two workspaces to pick the changes.

                        • 24. Looking for Test Volunteers[Seam/PicketLink]
                          matthew.hayes

                          Sorry for the delay, too many competing priorities.  A brief check of the new code looks good.  I'll try to get some more in-depth testing of it later in the week.  In the meantime I did notice a classloading issue with the SEAM configuration files.  When the XML configuration files are within the classes directory of a WAR file there is no problem loading them.  But when you have the more complex configuration of the same WAR file in an EAR the files aren't being found.  The getClass().getResource(CONFIGURATION_FILE) returns null.

                          The problematic line (109) in org.picketlink.identity.seam.federation.configuration.Configuration:

                                   JAXBElement<?> o = (JAXBElement<?>) unmarshaller.unmarshal(getClass().getResource(CONFIGURATION_FILE));

                          If the thread classloader is used it works for both scenarios:

                               JAXBElement<?> o = (JAXBElement<?>) unmarshaller.unmarshal(
                                         Thread.currentThread().getContextClassLoader().getResource(CONFIGURATION_FILE));

                          The EAR is set up with the picketlink-seam jar in the EAR\lib directory, with the WAR file essentially the same as the seam-sp example.  The other picketlink jar files are in the jboss instance lib directory (server/default/lib).

                          • 25. Looking for Test Volunteers[Seam/PicketLink]
                            matthew.hayes

                            Sorry, forgot to add it's the same thing for the saml-entities.xml file, line 138 of SamlConfiguration.

                            InputStream samlEntitiesStream = getClass().getResourceAsStream( SAML_ENTITIES_FILE );

                            The same style of fix seems to work.

                            InputStream samlEntitiesStream = Thread.currentThread().getContextClassLoader().getResourceAsStream( SAML_ENTITIES_FILE );
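The classloader problem in replies 24 and 25, worked through as an added example that is not PicketLink's own code. When the Configuration class lives in a jar under EAR/lib, its defining classloader cannot see files packaged in the WAR's classes directory, while the thread context classloader set for the web request can. The helper below asks the context classloader first (as Matt's patched lines do), then falls back to the caller's own loader and the system loader, and fails with a clear error instead of handing a null URL to the JAXB unmarshaller. The class name ResourceLocator and the main method's resource name are assumptions; the leading-slash handling is there because Class.getResource and ClassLoader.getResource interpret names differently.

```java
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;

// Added example, not PicketLink code: a resource lookup that works whether the XML sits
// in a WAR's classes directory or must be found from a jar in EAR/lib.
public final class ResourceLocator {
    private ResourceLocator() {
    }

    /**
     * Finds a classpath resource, trying the thread context classloader first (the loader the
     * container sets for the deployment), then the caller's own loader, then the system loader.
     * Returns null only if none of them can see it.
     */
    public static URL locate(Class<?> caller, String name) {
        // Class.getResource treats a leading '/' as "classpath root"; ClassLoader.getResource
        // does not accept a leading '/', so strip it before asking a ClassLoader directly.
        String clName = name.startsWith("/") ? name.substring(1) : name;

        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        URL url = (tccl != null) ? tccl.getResource(clName) : null;

        if (url == null && caller.getClassLoader() != null) {
            url = caller.getClassLoader().getResource(clName);
        }
        if (url == null) {
            url = ClassLoader.getSystemResource(clName);
        }
        return url;
    }

    /** Opens the resource, failing loudly instead of passing a null URL to the unmarshaller. */
    public static InputStream open(Class<?> caller, String name) throws IOException {
        URL url = locate(caller, name);
        if (url == null) {
            throw new FileNotFoundException("configuration resource not found on any classloader: " + name);
        }
        return url.openStream();
    }

    public static void main(String[] args) throws IOException {
        // Assumed resource name, matching the file discussed in the thread. On a bare JVM with
        // nothing on the classpath this reports the missing file rather than returning null.
        String name = "/external-authentication-config.xml";
        URL found = locate(ResourceLocator.class, name);
        System.out.println(name + " resolved to: " + found);
        try (InputStream in = open(ResourceLocator.class, name)) {
            System.out.println("opened, first byte = " + in.read());
        } catch (FileNotFoundException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Replacing the two getClass() calls in Configuration and SamlConfiguration with ResourceLocator.open(getClass(), CONFIGURATION_FILE) keeps the WAR-only deployment working and makes the EAR deployment fail with a named file rather than a NullPointerException or an unhelpful JAXB IllegalArgumentException.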

                            • 26. Looking for Test Volunteers[Seam/PicketLink]
                              anil.saldhana

                              Matt, I had noticed the use of class.getCL in the PL Seam code base but had not worried about that. I am sure we can take care of that in a very generic way.

                              Expect the changes shortly in the pl seam workspace.

                              • 27. Looking for Test Volunteers[Seam/PicketLink]
                                anil.saldhana

                                Fixed with https://issues.jboss.org/browse/PLFED-155

                                Matt, test it out.

                                • 28. Looking for Test Volunteers[Seam/PicketLink]
                                  anil.saldhana

                                  Matt,  I also added the support for default values if any of the system properties are missing.

                                  Something like:

                                  ${test::somevalue}  will yield "somevalue" if the system property "test" is not available.

                                  ${test}  will throw an exception if the sys prop is missing.

                                  The delimiter is "::"  because I wanted to use URLs as default values.
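The "::" default-value syntax from this reply, together with the prefix/suffix handling Matt proposed in reply 19, worked through as an added example that is not PicketLink's code. It takes a Properties object (System.getProperties() in the real case), splits each placeholder on the first "::" only so a URL default keeps its own colons, throws on a missing property that has no default, and passes every value through Matcher.quoteReplacement so a '$' or backslash in a property value cannot be misread as a back-reference by appendReplacement. The class and method names and the sample properties in main are assumptions.

```java
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not PicketLink code: expands ${name} and ${name::default} placeholders.
public final class PropertyExpander {
    // group(1) is everything between "${" and "}", e.g. "host::https://idp.example.test/"
    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{([^}]+)\\}");
    private static final String DEFAULT_DELIM = "::";

    private final Properties props;

    public PropertyExpander(Properties props) {
        this.props = props;
    }

    /** Replaces every placeholder in str; throws if a property without a default is unset. */
    public String expand(String str) {
        if (str == null || str.isEmpty()) {
            return str;
        }
        Matcher m = PLACEHOLDER.matcher(str);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String body = m.group(1);
            // Split on the FIRST "::" only, so "url::http://host:8080/x" keeps the URL intact.
            int idx = body.indexOf(DEFAULT_DELIM);
            String key = idx < 0 ? body : body.substring(0, idx);
            String fallback = idx < 0 ? null : body.substring(idx + DEFAULT_DELIM.length());

            String value = props.getProperty(key);
            if (value == null || value.isEmpty()) {
                if (fallback == null) {
                    throw new IllegalArgumentException("System property " + key + " is not set");
                }
                value = fallback;
            }
            // quoteReplacement: a value containing '$' or '\' would otherwise be parsed by
            // appendReplacement as a group reference or escape and corrupt (or abort) the output.
            m.appendReplacement(sb, Matcher.quoteReplacement(value));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample properties standing in for System.getProperties().
        Properties p = new Properties();
        p.setProperty("mycompany.saml.idp.protocol", "https");
        // A '$' in a keystore password: a bare appendReplacement would throw on this value.
        p.setProperty("mycompany.saml.keystorepass", "pa$$w0rd");
        PropertyExpander x = new PropertyExpander(p);

        // Prefix and suffix around a placeholder, plus an unset property with a URL-style default.
        System.out.println(x.expand(
            "${mycompany.saml.idp.protocol}://${mycompany.saml.idp.domainpath::idp.example.test:8443/idp}"));
        System.out.println(x.expand("keyStorePass=${mycompany.saml.keystorepass}"));
        try {
            x.expand("${mycompany.saml.missing}");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Treating an empty property the same as an unset one mirrors the getSystemProperty(name, "") check in Matt's version; if an empty string should be a legitimate value, test only for null.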

                                  • 29. Looking for Test Volunteers[Seam/PicketLink]
                                    matthew.hayes

                                    You read my mind (or my todo list).  Thanks, I'll check it out