6 Replies Latest reply on Feb 16, 2012 2:40 PM by allertonm

    Custom Login-Module for JBOSS AS 7

    firstlion

      Hi,


      I have installed PicketLink as an IDP and authenticate the users of my SP with this application. So far so good. But I have to evaluate the roles that the IDP gives to the SP, and override them. For example, the IDP gives the role "Mandant", so the SP has the JAAS roles (for @RolesAllowed etc.) "Role1", "Role2", ...


      My idea is to make my own login module, where I can override the method "getRoleSets". I have configured this module in the jboss.xml file etc., but it is ignored by PicketLink. Does someone have an idea what my mistake is? I use SAML 2.0 with POST requests.


      Thanks,

      Martin


      Edit: I have found the problem. The class "SPPostFormAuthenticator" contains the following lines:

      // Only on JBoss are the SAML roles handed to the realm (and thus to the JAAS login module).
      if ((new ServerDetector().isJboss()) || (this.jbossEnv)) {
          ServiceProviderSAMLContext.push(username, roles);
          principal = this.context.getRealm().authenticate(username, password);
          ServiceProviderSAMLContext.clear();
      } else {
          // Any other container: the principal is built directly from the SAML roles,
          // bypassing the configured login module.
          principal = spUtil.createGenericPrincipal(request, username, roles);
      }

      The query returns false, although the server is a JBoss server. I don't know whether the fault lies with JBoss or PicketLink.

      I have a "dirty solution":

      Make your own subclass of "SPPostFormAuthenticator", override the method "handleSAMLResponse" and change the query so that it returns true. In this way the login module will get called.
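For the role evaluation the original post asks about, here is an added example (not code from the thread or from PicketLink) of a login module that maps the IDP role "Mandant" to the application roles "Role1" and "Role2" in getRoleSets(). It assumes PicketLink's SAML2LoginModule lives in the package shown, that its getRoleSets() returns the roles SPPostFormAuthenticator pushed into ServiceProviderSAMLContext in a group named "Roles", and that this class replaces SAML2LoginModule in the SP's security domain once the ServerDetector problem is fixed so the module is actually invoked.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
// Assumed package of PicketLink's SP login module (example, not from the thread).
import org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule;

/**
 * Replaces the IDP-issued roles with application roles before JBoss
 * evaluates @RolesAllowed. Only roles that have an explicit mapping are
 * granted; anything unknown coming from the IDP is dropped.
 */
public class MandantRoleMappingLoginModule extends SAML2LoginModule {

    /** IDP role -> application roles (constructed sample mapping from the thread). */
    private static final Map<String, List<String>> ROLE_MAP = new HashMap<String, List<String>>();
    static {
        ROLE_MAP.put("Mandant", Arrays.asList("Role1", "Role2"));
    }

    @Override
    protected Group[] getRoleSets() throws LoginException {
        // JBoss reads the caller's roles from the group named "Roles".
        Group mapped = new SimpleGroup("Roles");
        for (Group idpGroup : super.getRoleSets()) {
            if (!"Roles".equals(idpGroup.getName())) {
                continue;
            }
            Enumeration<? extends Principal> members = idpGroup.members();
            while (members.hasMoreElements()) {
                String idpRole = members.nextElement().getName();
                List<String> appRoles = ROLE_MAP.get(idpRole);
                if (appRoles == null) {
                    continue; // no mapping: do not pass the IDP role through
                }
                for (String appRole : appRoles) {
                    mapped.addMember(new SimplePrincipal(appRole));
                }
            }
        }
        return new Group[] { mapped };
    }
}
```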

        • 1. Re: Custom Login-Module for JBOSS AS 7
          anil.saldhana

          http://community.jboss.org/wiki/SAMLWebBrowserSSOOnJBossAS70


          Did you try out the ServerEnvironment attribute set to "jboss" in picketlink-idfed.xml?

          • 2. Re: Custom Login-Module for JBOSS AS 7
            firstlion

            Thanks for your answer. Yes, the attribute is set to "jboss". But this doesn't change anything, because the ServerDetector just checks the following:

            // JBoss is detected solely by the presence of this class; on AS 7 it does not exist.
            Class clazz = SecurityActions.loadClass(super.getClass(), "org.jboss.system.Service");
            if (clazz != null)
            {
                this.jboss = true;
                return;
            }

            This is done twice in the class "SPPostFormAuthenticator", once at startup in the constructor and a second time in the query that I mentioned before.

            So the parameter isn't used.


            Regards, Martin

            • 3. Re: Custom Login-Module for JBOSS AS 7
              anil.saldhana

              It is a bug. We will fix it.

              https://issues.jboss.org/browse/PLFED-246

              • 4. Re: Custom Login-Module for JBOSS AS 7
                firstlion

                Great, thank you.

                • 5. Re: Custom Login-Module for JBOSS AS 7
                  anil.saldhana

                  Fixed in trunk.


                  You can check out: http://anonsvn.jboss.org/repos/picketlink/federation/trunk/


                  mvn clean install


                  The jar with the fix is picketlink-fed-2.0.2-SNAPSHOT.jar under assembly/target.


                  When 2.0.2.Final happens, you will get the fix.

                  • 6. Re: Custom Login-Module for JBOSS AS 7
                    allertonm

                    As far as I can tell, the version of ServerDetector in trunk does not work either - it's based on the faulty assumption that SecurityActions.loadClass will throw an exception if the class cannot be found. It does not, it returns null. Since the new check for the AS7 bootstrap is done in the exception handler for the attempt to find AS5's bootstrap, it never gets executed as no exception will be thrown.


                    I rewrote the detectServer method like so and this appears to be working fine:


                    private void detectServer() {
                        // SecurityActions.loadClass returns null (it does not throw) when the
                        // class is absent, so each probe must test the result explicitly.
                        Class<?> me = getClass();
                        Class<?> clazz = null;
                        // JBoss AS 5/6 bootstrap
                        clazz = SecurityActions.loadClass(me, "org.jboss.system.Service");
                        if (clazz != null) {
                            jboss = true;
                            return;
                        }
                        // JBoss AS 7 bootstrap
                        clazz = SecurityActions.loadClass(me, "org.jboss.as.server.Bootstrap");
                        if (clazz != null) {
                            jboss = true;
                            return;
                        }
                        // Tomcat (the original ServerDetector misspells this as "org.apache.cataline.Server")
                        clazz = SecurityActions.loadClass(me, "org.apache.catalina.Server");
                        if (clazz != null) {
                            tomcat = true;
                            return;
                        }
                    }


                    Also worth noting that the classname used to check for Tomcat is wrong too ("cataline", not "catalina").