ESB project secured with SAML + roles
turtles Jun 8, 2012 3:51 AM
Hi,
I use SAML-based authentication for an ESB service on the JBoss SOA-P 5.2 product:
jboss-esb.xml
<service category="ami" description="WS-TRUST example" invmScope="GLOBAL" name="name">
    <security callbackHandler="org.jboss.soa.esb.services.security.auth.login.JBossSTSTokenCallbackHandler"
              moduleName="saml-validate-token"
              rolesAllowed="STSClient">
        <property name="org.jboss.soa.esb.services.security.contextTimeout" value="0"/>
    </security>
Authentication (SAML validation) works fine unless I use the rolesAllowed attribute. I tried the following settings, but it still doesn't work:
login-config.xml
<application-policy name="saml-validate-token">
    <authentication>
        <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule" flag="required">
            <module-option name="configFile">/props/picketlink-sts-client.properties</module-option>
            <!--<module-option name="password-stacking">useFirstPass</module-option>-->
            <!--<module-option name="useOptionsCredentials">true</module-option>-->
            <!--<module-option name="endpointURI">http://security_saml/endpoint</module-option>-->
        </login-module>
    </authentication>
    <mapping>
        <mapping-module code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSPrincipalMappingProvider" type="principal" />
        <mapping-module code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSGroupMappingProvider" type="role" />
    </mapping>
</application-policy>
Settings in the mapping element are ignored:
org.jboss.soa.esb.services.security.SecurityServiceException: Caller did not belong to any of the rolesAllowed [STSClient]
    at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.processPipeline(ActionProcessingPipeline.java:558)
    at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.process(ActionProcessingPipeline.java:433)
    at org.jboss.soa.esb.listeners.message.MessageAwareListener$TransactionalRunner.run(MessageAwareListener.java:550)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
The SAML token contains the required role:
<saml:Attribute Name='role'>
    <saml:AttributeValue>STSClient</saml:AttributeValue>
</saml:Attribute>
I also tried using different versions of the PicketLink libraries, without success.
Does anyone have any idea why the roles in the SAML token are ignored? Thank you!
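A small diagnostic added here (not part of the original post or of the ESB/PicketLink code) that reproduces the rolesAllowed decision locally on the token's AttributeStatement: it lists the exact attribute names the token carries and which values would be treated as roles, so a mismatch between the attribute name in the token and the name the role mapping expects shows up as a concrete value rather than as an empty role set. It assumes the SAML 2.0 assertion namespace and a constructed AttributeStatement built around the fragment from the post.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the attribute fragment from the post, wrapped in an
# AttributeStatement with the SAML 2.0 assertion namespace declared.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name='role'>
    <saml:AttributeValue>STSClient</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name='email'>
    <saml:AttributeValue>turtles@example.invalid</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def extract_roles(attribute_statement_xml, role_attribute_names=("role",)):
    """Return (roles, attribute_names): the role values found under any attribute
    whose Name matches one of role_attribute_names (case-insensitive), and the
    exact Name values present, so a spelling/case mismatch is visible."""
    root = ET.fromstring(attribute_statement_xml)
    wanted = {n.lower() for n in role_attribute_names}
    roles, seen_names = set(), []
    for attr in root.findall("saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        seen_names.append(name)
        if name.lower() in wanted:
            for value in attr.findall("saml:AttributeValue", SAML_NS):
                roles.add((value.text or "").strip())
    return roles, seen_names


def check_roles_allowed(token_roles, roles_allowed):
    """Mirror the rolesAllowed rule: the caller needs at least one listed role."""
    allowed = set(roles_allowed)
    granted = token_roles & allowed
    if granted:
        return True, "caller holds role(s) %s" % sorted(granted)
    return False, "Caller did not belong to any of the rolesAllowed %s (token roles: %s)" % (
        sorted(allowed), sorted(token_roles))


if __name__ == "__main__":
    roles, names = extract_roles(SAMPLE_ATTRIBUTE_STATEMENT)
    print("attribute names in token:", names)
    print(check_roles_allowed(roles, ["STSClient"]))
```

If this reports the role as present while the ESB still rejects the caller, the token itself is fine and the gap lies between the login module and the mapping providers (the roles never reach the Subject the ESB checks).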