0 Replies Latest reply on Jun 8, 2012 3:51 AM by turtles

    ESB project secured with SAML + roles

    turtles

      Hi,

       

      I use SAML-based authentication for an ESB service on the JBoss SOA-P 5.2 product:

       

      jboss-esb.xml

      <service category="ami" description="WS-TRUST example" invmScope="GLOBAL" name="name">
         <security callbackHandler="org.jboss.soa.esb.services.security.auth.login.JBossSTSTokenCallbackHandler"
                 moduleName="saml-validate-token" rolesAllowed="STSClient">
          <property name="org.jboss.soa.esb.services.security.contextTimeout" value="0"/>
         </security>
         <!-- listeners/actions omitted in the post -->
      </service>

       

      Authentication (SAML validation) works fine unless I use the rolesAllowed attribute. I tried the following settings, but it still doesn't work:

       

      login-config.xml

       

      <application-policy name="saml-validate-token">
          <authentication>
              <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule" flag="required">
                  <module-option name="configFile">/props/picketlink-sts-client.properties</module-option>
                  <!--<module-option name="password-stacking">useFirstPass</module-option>-->
                  <!--<module-option name="useOptionsCredentials">true</module-option>-->
                  <!--<module-option name="endpointURI">http://security_saml/endpoint</module-option>-->
              </login-module>
          </authentication>
          <mapping>
              <mapping-module
                  code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSPrincipalMappingProvider"
                  type="principal" />
              <mapping-module
                  code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSGroupMappingProvider"
                  type="role" />
          </mapping>
        </application-policy>
      

       

      Settings in the mapping element are ignored:

       

      org.jboss.soa.esb.services.security.SecurityServiceException: Caller did not belong to any of the rolesAllowed [STSClient]
           at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.processPipeline(ActionProcessingPipeline.java:558)
           at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.process(ActionProcessingPipeline.java:433)
           at org.jboss.soa.esb.listeners.message.MessageAwareListener$TransactionalRunner.run(MessageAwareListener.java:550)
           at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
           at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
           at java.lang.Thread.run(Unknown Source)
      

       

      The SAML token contains the required role:

       

      <saml:Attribute Name='role'>
        <saml:AttributeValue>STSClient</saml:AttributeValue>
      </saml:Attribute>
      

       

      I also tried using different versions of the PicketLink libraries, without success.

       

      Does anyone have any idea why roles in SAML token are ignored? Thank you!
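The following is an added example, not code from the original post and not JBoss ESB or PicketLink code. It shows in plain JAAS terms what a rolesAllowed check like the one in the stack trace has to find on the authenticated Subject, and why the SAML attribute alone is not enough: the role must end up in a Group principal on the Subject (assumed here, following the JBoss convention, to be a java.security.acl.Group named "Roles"), which is exactly the job of the role mapping module. It assumes the SAML 2.0 assertion namespace for the `saml:` prefix (the post's snippet does not declare it), a constructed token fragment wrapping the attribute from the post, and Java 8 or earlier, since java.security.acl.Group was removed from later JDKs. SimplePrincipal and SimpleGroup are hand-written stand-ins for the JBoss classes of the same name.

```java
// Added example (not from the post, JBoss ESB or PicketLink). Requires Java 8 or earlier.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import javax.security.auth.Subject;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SamlRoleCheck {

    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"; // assumed namespace

    /** Stand-in for org.jboss.security.SimplePrincipal (equality by name). */
    static class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof Principal && name.equals(((Principal) o).getName());
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    /** Stand-in for org.jboss.security.SimpleGroup: a named Group holding role principals. */
    static class SimpleGroup extends SimplePrincipal implements Group {
        private final Set<Principal> members = new LinkedHashSet<Principal>();
        SimpleGroup(String name) { super(name); }
        public boolean addMember(Principal p) { return members.add(p); }
        public boolean removeMember(Principal p) { return members.remove(p); }
        public boolean isMember(Principal p) { return members.contains(p); }
        public Enumeration<? extends Principal> members() { return Collections.enumeration(members); }
    }

    /** What a role mapping provider must do first: read the AttributeValues of the named saml:Attribute. */
    static List<String> attributeValues(String assertionXml, String attributeName) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Tokens arrive from the network: refuse DOCTYPE/external entities before parsing.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(
                new ByteArrayInputStream(assertionXml.getBytes(StandardCharsets.UTF_8)));
        List<String> values = new ArrayList<String>();
        NodeList attrs = doc.getElementsByTagNameNS(SAML_NS, "Attribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            Element attr = (Element) attrs.item(i);
            if (!attributeName.equals(attr.getAttribute("Name"))) continue;
            NodeList vals = attr.getElementsByTagNameNS(SAML_NS, "AttributeValue");
            for (int j = 0; j < vals.getLength(); j++) values.add(vals.item(j).getTextContent().trim());
        }
        return values;
    }

    /** Second half of the mapping: caller principal plus a "Roles" group on the Subject (assumed convention). */
    static Subject buildSubject(String caller, List<String> roles) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new SimplePrincipal(caller));
        SimpleGroup rolesGroup = new SimpleGroup("Roles");
        for (String r : roles) rolesGroup.addMember(new SimplePrincipal(r));
        subject.getPrincipals().add(rolesGroup);
        return subject;
    }

    /** rolesAllowed semantics: pass if the "Roles" group contains at least one of the allowed roles. */
    static boolean callerInRolesAllowed(Subject subject, String... rolesAllowed) {
        for (Group g : subject.getPrincipals(Group.class)) {
            if (!"Roles".equals(g.getName())) continue;
            for (String allowed : rolesAllowed) {
                if (g.isMember(new SimplePrincipal(allowed))) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed fragment around the attribute shown in the post (namespace declaration added).
        String token = "<saml:Assertion xmlns:saml='" + SAML_NS + "'><saml:AttributeStatement>"
                + "<saml:Attribute Name='role'><saml:AttributeValue>STSClient</saml:AttributeValue></saml:Attribute>"
                + "</saml:AttributeStatement></saml:Assertion>";
        String[] rolesAllowed = { "STSClient" };

        List<String> roles = attributeValues(token, "role");
        System.out.println("roles in token: " + roles);

        // Mapping applied: the "Roles" group carries STSClient and the check passes.
        System.out.println("mapped subject passes: " + callerInRolesAllowed(buildSubject("alice", roles), rolesAllowed));

        // Mapping ignored: only the caller principal is on the Subject, so the check fails.
        Subject unmapped = new Subject();
        unmapped.getPrincipals().add(new SimplePrincipal("alice"));
        if (!callerInRolesAllowed(unmapped, rolesAllowed)) {
            System.out.println("Caller did not belong to any of the rolesAllowed " + Arrays.toString(rolesAllowed));
        }
    }
}
```

A quick way to use this while debugging the post's setup is to dump `subject.getPrincipals()` from the authenticated Subject: if no Group named "Roles" is present, the STSGroupMappingProvider was never invoked or never received the role attribute, and the rolesAllowed check has nothing to match against regardless of what the token says.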