61 Replies. Latest reply on Feb 28, 2013 12:29 PM by meetoblivion
      • 15. Re: PicketLink 2.0.2.Final is released
        anil.saldhana

        Glen, I created the zip file on my computer. I guess the old jars also got mixed into it. You just need the 2.0.2 jars. I will rezip and fix the downloads section.

         

        By the way, I created a section at the end for installation on AS 7.1.x: https://community.jboss.org/wiki/PicketLink202Final . See if it gets confusing there.

        • 16. Re: PicketLink 2.0.2.Final is released
          anil.saldhana

          Glen Mazza wrote:

           

          Anil, I would go a step further, instead of having a "full" and a "lite" download, it's better to have a "jar" and a "war" one, with the JAR download being your present "lite" one and the WAR download (optional for some users) *not* having any of the PicketLink JARs within it.  The WAR download should rely on what is in modules/org/picketlink/main rather than its own PicketLink JARs. 

           

          As I see it, only two steps/downloads are needed: 

           

          1.)  Use the "jar" download to update the JARs in modules/org/picketlink/main -- what you presently call the "lite" download has all this.  I would go a step further and include the updated modules.xml file within the JAR download and a short README telling people to nuke (not append) the old files in this directory and replace it with these. 

           

          2.) For those users who need it, Install the WAR download into standalone/deployments.  Again, this download shouldn't need any PicketLink JARs within it, as JBoss should smoothly run OOTB relying on the updated JARs in modules/org/picketlink/main.

          Yeah.  This approach is very intuitive.  Will adopt it right now and fix the downloads.  Thanks Glen.

          • 17. Re: PicketLink 2.0.2.Final is released
            anil.saldhana

            I have updated the downloads section of PicketLink ( http://www.jboss.org/picketlink/downloads  ) to have a jar zip  and a web app zip.   Hopefully the last section of https://community.jboss.org/wiki/PicketLink202Final  will make it intuitive.

            • 18. Re: PicketLink 2.0.2.Final is released
              gerry.matte

              Do you want me to remove my comment from your announcement ? 

              The repackaging of the jars will make my comment irrelevant.

              • 19. Re: PicketLink 2.0.2.Final is released
                anil.saldhana

                Gerry, did it just now. I hope you try the instructions again and tell us if something is not intuitive and broken.

                • 20. Re: PicketLink 2.0.2.Final is released
                  gerry.matte

                  I will do that for sure.

                  Not today tho - I have a houseguest to entertain.

                  • 21. Re: PicketLink 2.0.2.Final is released
                    mazzag

                    Much better, Anil.  But two more questions (perhaps both related to each other):

                     

                    1.) Why do you have separate PicketLink 2.0.2 JAR downloads for Tomcat/JBoss 5,6  and JBoss7?  Their contents--except for one missing file--are absolutely identical -- can we consolidate that to one download?

                     

                    2.) Why is the Picketlink for JBoss 7 2.0.2 JAR download missing the picketlink-trust-jbossws-2.0.2.Final.jar file (it just has 3 of the 4 JARs)?  The other download has it, and it's that JAR I'm probably most interested in, as I wish to see the Picketlink STS.

                     

                    Thanks,
                    Glen

                    • 22. Re: PicketLink 2.0.2.Final is released
                      mazzag

                      Anil, your instructions here: https://community.jboss.org/docs/DOC-17614, when you mention our possible need to configure additional security domains in config/standalone.xml, you might also want to mention this link: https://community.jboss.org/wiki/SAMLEnabledPOJOWebServices#comment-9127.  The bottom of that link provides samples for the three different STS configuration files that that security domain configuration needs.  (sts-user, sts-roles, and sts-config.properties).

                      • 23. Re: PicketLink 2.0.2.Final is released
                        anil.saldhana

                        Glen Mazza wrote:

                         

                        Much better, Anil.  But two more questions (perhaps both related to each other):

                         

                        1.) Why do you have separate PicketLink 2.0.2 JAR downloads for Tomcat/JBoss 5,6  and JBoss7?  Their contents--except for one missing file--are absolutely identical -- can we consolidate that to one download?

                         

                        2.) Why is the Picketlink for JBoss 7 2.0.2 JAR download missing the picketlink-trust-jbossws-2.0.2.Final.jar file (it just has 3 of the 4 JARs)?  The other download has it, and it's that JAR I'm probably most interested in, as I wish to see the Picketlink STS.

                         

                        Thanks,
                        Glen

                        The trust jar contains deeper integration with JBossWS (handlers etc) which we have not finished/tested for AS7.x

                        Until that happens, I have to keep the jars separate.

                        Things like SAML for EJB3 etc.

                        Hopefully soon, we will add that support.

                         

                        The base PicketLink STS support for all the sts usage is available.

                        • 24. Re: PicketLink 2.0.2.Final is released
                          mazzag

                          OK, things looking much better now.  An earlier error I had reported about it not being able to find particular JARs was an error on my part -- I misspelled the PL jars in the module.xml file (.final instead of correct .Final needs to be in the name).  I deleted those postings from this thread.

                           

                          I removed the unsupported trust JAR and its entry from modules.xml and restarted the JBoss AS with all of the WARs in the deployments/PicketLink folder.  Two WARs (idp.war and idp-sig.war) fail with the below error causing the rest to shutdown.  But when I removed those two WARs and restarted JBoss the remaining WARs, including the STS one, started up fine.    The server log file reports this as the problem when idp.war and idp-sig.war are present:

                          18:56:48,469 INFO  [org.jboss.as.server] (DeploymentScanner-threads - 2) JBAS015871: Deploy of deployment "sales-saml11.war" was rolled back with no failure message
                          18:56:48,483 INFO  [org.jboss.as.server] (DeploymentScanner-threads - 2) JBAS015871: Deploy of deployment "idp-sig.war" was rolled back with no failure message
                          18:56:48,492 INFO  [org.jboss.as.server] (DeploymentScanner-threads - 2) JBAS015870: Deploy of deployment "idp.war" was rolled back with failure message {"JBAS014771: Services with missing/unavailable dependencies" => ["jboss.web.deployment.default-host./idp.realmjboss.security.security-domain.idpMissing[jboss.web.deployment.default-host./idp.realmjboss.security.security-domain.idp]"]}
                          ...several more lines...
                          18:56:48,781 INFO  [org.jboss.as.controller] (DeploymentScanner-threads - 2) JBAS014774: Service status report
                          JBAS014775:    New missing/unsatisfied dependencies:
                                service jboss.security.security-domain.idp (missing) dependents: [service jboss.web.deployment.default-host./idp.realm, service jboss.web.deployment.default-host./idp-sig.realm] 
                          
                          18:56:48,783 ERROR [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) JBAS014654: Composite operation was rolled back
                          ...several more composite rollback messages...
                          18:56:48,793 ERROR [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) JBAS014654: Composite operation was rolled back
                          18:56:48,802 ERROR [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) {"JBAS014653: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-2" => {"JBAS014771: Services with missing/unavailable dependencies" => ["jboss.web.deployment.default-host./idp.realmjboss.security.security-domain.idpMissing[jboss.web.deployment.default-host./idp.realmjboss.security.security-domain.idp]"]}}}
                          

                          I don't think I need idp.war and idp-sig.war to play with the STS but if the error is on my side why these two WARs aren't starting please advise.  (Incidentally, if these two WARs won't start because the trust JAR isn't ready for AS7 perhaps best to remove them from the "WAR" download so others won't have to spend time debugging this issue.)

                           

                          Thanks Anil.

                          • 25. Re: PicketLink 2.0.2.Final is released
                            pcraveiro

                            Hi Glen,

                             

                                Did you configure the standalone.xml with a security-domain named "idp" ?

                             

                                Make sure you have the following configuration in your standalone.xml:

                             

                            <subsystem xmlns="urn:jboss:domain:security:1.1">
                                <security-domains>
                                    <!-- This is for the IDP: this login module authenticates users using the user.properties and roles.properties inside the idp.war -->
                                    <security-domain name="idp" cache-type="default">
                                        <authentication>
                                            <login-module code="UsersRoles" flag="required"/>
                                        </authentication>
                                    </security-domain>
                                    <!-- This is for the SPs: this login module creates a security context for users based on the SAML assertion returned by the IDP -->
                                    <security-domain name="sp" cache-type="default">
                                        <authentication>
                                            <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
                                        </authentication>
                                    </security-domain>
                                    ...
                                </security-domains>
                            </subsystem>

                             

                            Regards.

                            Pedro Igor
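
The check behind this answer, as an added example that is not part of the original posts and is not PicketLink or JBoss code: it reads the `JBAS014775` "missing/unsatisfied dependencies" lines from the server log and lists every security domain a web deployment depends on that the security subsystem does not declare. The subsystem XML below is a constructed sample that declares only "sp"; the log lines are the ones quoted in this thread; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a security subsystem that declares only the "sp" domain.
STANDALONE_XML = """<subsystem xmlns="urn:jboss:domain:security:1.1">
  <security-domains>
    <security-domain name="sp" cache-type="default">
      <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>"""

# Service status report lines as quoted earlier in the thread.
SERVER_LOG = """18:56:48,781 INFO  [org.jboss.as.controller] (DeploymentScanner-threads - 2) JBAS014774: Service status report
JBAS014775:    New missing/unsatisfied dependencies:
      service jboss.security.security-domain.idp (missing) dependents: [service jboss.web.deployment.default-host./idp.realm, service jboss.web.deployment.default-host./idp-sig.realm]
"""

MISSING = re.compile(
    r"service jboss\.security\.security-domain\.(\S+) \(missing\) dependents: \[(.*?)\]")
DEPENDENT = re.compile(r"service jboss\.web\.deployment\.[^/]+/(\S+?)\.realm")


def declared_domains(xml_text):
    """Names of all <security-domain> elements, whatever the schema version."""
    root = ET.fromstring(xml_text)
    return {el.get("name") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "security-domain"}


def missing_domains(log_text):
    """Map each domain reported missing to the web contexts that need it."""
    found = {}
    for match in MISSING.finditer(log_text):
        contexts = DEPENDENT.findall(match.group(2))
        found.setdefault(match.group(1), set()).update(contexts)
    return found


def undeclared(xml_text, log_text):
    """Domains the log reports missing that the configuration does not declare."""
    declared = declared_domains(xml_text)
    return {name: sorted(contexts)
            for name, contexts in missing_domains(log_text).items()
            if name not in declared}


if __name__ == "__main__":
    for name, contexts in undeclared(STANDALONE_XML, SERVER_LOG).items():
        print(f'add <security-domain name="{name}"> (needed by: {", ".join(contexts)})')
```
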

                            • 26. Re: PicketLink 2.0.2.Final is released
                              mazzag

                              Thanks Pedro!  That was it!  All WARs now start fine.  (Anil, for your instructions here: https://community.jboss.org/docs/DOC-17614 when you say that we may need to update our standalone.xml with additional <security-domain/>s, best to let the reader know the three we need to include for all WARs to work.  They are the ones named "picketlink-sts", "sp", and "idp" within the sample standalone.xml you provided.)


                              • 27. Re: PicketLink 2.0.2.Final is released
                                anil.saldhana

                                Glen,  thanks to you for trying out and giving us feedback.  I have updated the last section.

                                • 28. Re: PicketLink 2.0.2.Final is released
                                  gerry.matte

                                  Ok.

                                  I reviewed Glen's successes and I repeated the configuration steps using the new downloads.

                                  Everything works (Hurray !).

                                  I must have used an incorrect idp.war file - that's the only real change that I can see.

                                   

                                  I can now login/logout of employee/employee-post, sales/sales/post ....

                                   

                                  If I may make a few suggestions:

                                  1.     include the module.xml within the picketlink-jars-as7-2.0.2.Final.zip as an easy way to avoid typing errors.  Like Glen, I originally did not use the uppercase F in Final.....  (I've attached my module.xml)

                                  2.     also include the standalone.xml security-domain tags required by the webapps - I would insert them in the same zip file as above since they are part of the one-time configuration tasks for all webapps to work with JBoss 7.

                                   

                                  Thanks to Glen, Anil, and Pedro !

                                   

                                  Now to learn how to use a database as the user store - ideally the same schema as the Seam 3 Security webapp idmconsole  ....

                                  • 29. Re: PicketLink 2.0.2.Final is released
                                    mazzag

                                    Hi Gerry, are you sure you needed the security-domain with the name of "cache-test" in your standalone.xml?  I was guessing that that's only for Anil's testing and just the other three security domains were needed.

                                     

                                    Unfortunately I can't share your success in being able to successfully log into the applications, such as the employee one:  http://localhost:8080/employee.  Just to confirm I'm doing things right, for employee login you're using the "idp" security domain defined in standalone.xml, which defines a users.properties and a roles.properties, and you keep those two properties files in the standalone/configuration folder?

                                     

                                    in my users.properties I have this entry:  UserA=PassA

                                    in my roles.properties I have this: UserA=manager

                                     

                                    Yet when I try to log into the Employee application I get an invalid password/missing user error:

                                     

                                     

                                    08:03:08,326 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
                                         at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:269) [picketbox-4.0.6.final.jar:4.0.6.final]
                                         at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:155) [picketbox-4.0.6.final.jar:4.0.6.final]
                                         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_02]
                                         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_02]
                                    

                                    Anybody have an idea what the problem is?  Thanks!