1 Reply Latest reply on Jun 22, 2014 2:07 PM by bigman921

    Perimeter SSO with a Valve and Login Module

    bigman921

      All,

       

      I'm trying to get a perimeter SSO system working with JBoss EAP 6.2 using OpenJDK 1.7.  I followed the advice on https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6/html/Development_Guide/Use_A_… and created a custom valve, which works.  The problem is that the custom login module I created to pull the user's role information is never called.  Here's what I see in the logs:

       

      06:53:45,418 DEBUG [org.apache.catalina.authenticator] (http-/0.0.0.0:8080-1) Security checking request GET /echo/echo
      06:53:45,419 DEBUG [org.apache.catalina.realm] (http-/0.0.0.0:8080-1)   Checking constraint 'SecurityConstraint[MyResourceName]' against GET /echo --> true
      06:53:45,419 DEBUG [org.apache.catalina.realm] (http-/0.0.0.0:8080-1)   Checking constraint 'SecurityConstraint[MyResourceName]' against GET /echo --> true
      06:53:45,420 DEBUG [org.apache.catalina.authenticator] (http-/0.0.0.0:8080-1)  Calling hasUserDataPermission()
      06:53:45,420 DEBUG [org.apache.catalina.realm] (http-/0.0.0.0:8080-1)   User data constraint has no restrictions
      06:53:45,420 DEBUG [org.apache.catalina.authenticator] (http-/0.0.0.0:8080-1)  Calling authenticate()
      06:53:45,421 INFO  [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) TREMOLO : Starting
      06:53:45,428 INFO  [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) TREMOLO : logger initialized
      06:53:45,428 INFO  [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Header Name - 'autoidmrequest'
      06:53:45,429 INFO  [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) User Attribute - 'from-assertion-uid'
      06:53:45,429 INFO  [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Keystore Path - '/home/jboss71/autoIdmSession.jks'
      06:53:45,429 INFO  [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Encryption Alias - 'lastmile'
      06:53:45,429 INFO  [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) TREMOLO : config loaded
      06:53:45,430 INFO  [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Full Path to KeyStore : '/home/jboss71/autoIdmSession.jks
      06:53:45,435 INFO  [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) TREMOLO : keystore loaded
      06:53:45,442 DEBUG [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Header value : '<header value omitted>'
      06:53:45,731 DEBUG [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Attribute : from-assertion-uid : 'testStaticGroupSucceed'
      06:53:45,740 DEBUG [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) User Attribute from-assertion-uid found
      06:53:45,740 DEBUG [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Attribute : from-assertion-sn : 'User'
      06:53:45,745 DEBUG [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Attribute : from-assertion-cn : 'Test User'
      06:53:45,746 DEBUG [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Attribute : role : 'Users'
      06:53:45,746 DEBUG [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Role Attribute role found
      06:53:45,751 DEBUG [org.apache.catalina.authenticator] (http-/0.0.0.0:8080-1) Authenticated 'testStaticGroupSucceed' with type 'FORM'
      06:53:45,752 DEBUG [org.apache.catalina.authenticator] (http-/0.0.0.0:8080-1)  Calling accessControl()
      06:53:45,752 DEBUG [org.apache.catalina.realm] (http-/0.0.0.0:8080-1)   Checking roles com.tremolosecurity.lastmile.jboss71.loginModule.UnisonPrincipal@4ffe0934
      06:53:45,756 DEBUG [org.apache.catalina.realm] (http-/0.0.0.0:8080-1) No role found:  Users
      06:53:45,956 DEBUG [org.apache.catalina.authenticator] (http-/0.0.0.0:8080-1)  Failed accessControl() test

      So the authentication works without issue, but the authorization fails to find the Users role (which is sent, based on the above logs).  I created a login module that extends UsernamePasswordLoginModule and overrides getIdentity, getUserPassword and getRoleSets (I modeled it on how the PicketLink SAML2 SP login module is written).  I added the following to my standalone.xml:

       

      <security-domain name="unisonsecuritydomain" cache-type="default">
          <authentication>
              <login-module code="com.tremolosecurity.lastmile.jboss71.loginModule.UnisonLoginModule" flag="required" module="com.tremolosecurity.lastmile.jboss71"/>
          </authentication>
      </security-domain>

      And have the following jboss-web.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
          <security-domain>unisonsecuritydomain</security-domain>
          <valve>
              <class-name>com.tremolosecurity.lastmile.jboss71.valve.UnisonValve</class-name>
              ...
          </valve>
      </jboss-web>

      I also added the module as a global module in JBoss.  I know the module is loading because the valve is in the module and that loads without issue.  Also, if I deploy the webapp without the unisonsecuritydomain in standalone.xml, the deployment fails.  However, I added logging statements to the login module which are never called.  Also, if I break the domain configuration by specifying a bad class name or module name, I don't get any failures from JBoss.

       

      Any help would be greatly appreciated.

       

      Thanks

      Marc
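For readers comparing their own setup against the one described above, here is an added example of a PicketBox login module in the shape the post describes (extends UsernamePasswordLoginModule; the inherited getIdentity() is kept, getUsersPassword() and getRoleSets() are overridden). It is not Marc's module and not Tremolo's code: the package, class name, the in-memory credential and role tables, and the logger are assumptions made for illustration. Note that the PicketBox method is named getUsersPassword(), not getUserPassword(). The one point it exists to show is in getRoleSets(): JBossSX/PicketBox reads the caller's roles only from the Group named exactly "Roles", so role names returned under any other group name never reach the realm's role check.

```java
package example.sso;

import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;

import org.jboss.logging.Logger;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Added example, not the poster's module. Package, class name and the
 * in-memory tables below are assumptions chosen for illustration.
 */
public class HeaderRoleLoginModule extends UsernamePasswordLoginModule {

    private static final Logger LOG = Logger.getLogger(HeaderRoleLoginModule.class);

    // Constructed sample data standing in for what a perimeter valve hands to
    // the realm: the per-user credential it passes, and the roles it pulled
    // out of the SSO assertion (the user/role pair mirrors the post's logs).
    private static final Map<String, String> CREDENTIALS = new HashMap<String, String>();
    private static final Map<String, String[]> ROLES = new HashMap<String, String[]>();
    static {
        CREDENTIALS.put("testStaticGroupSucceed", "valve-supplied-credential");
        ROLES.put("testStaticGroupSucceed", new String[] { "Users" });
    }

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        super.initialize(subject, callbackHandler, sharedState, options);
        // If this never appears at DEBUG, the module is not in the login stack
        // the deployment is actually using, whatever standalone.xml says.
        LOG.debug("HeaderRoleLoginModule initialized");
    }

    @Override
    protected String getUsersPassword() throws LoginException {
        // The inherited login() compares this value with the credential the
        // caller (here, the valve) supplied; unknown users are rejected here.
        String expected = CREDENTIALS.get(getUsername());
        if (expected == null) {
            throw new LoginException("no credential on record for " + getUsername());
        }
        return expected;
    }

    @Override
    protected Group[] getRoleSets() throws LoginException {
        // The group name must be exactly "Roles": that is the only group from
        // which JBossSX/PicketBox builds the caller's role set.
        SimpleGroup roles = new SimpleGroup("Roles");
        String[] names = ROLES.get(getUsername());
        if (names != null) {
            for (String name : names) {
                roles.addMember(new SimplePrincipal(name));
            }
        }
        LOG.debugf("roles for %s: %s", getUsername(), roles);
        return new Group[] { roles };
    }
}
```

Two checks worth running when a module like this appears to be skipped: confirm the initialize() log line is emitted at all (it fires on every login attempt that reaches the module), and remember that a domain declared with cache-type="default" serves repeat authentications for the same principal from its cache, so the module's login()/getRoleSets() may run only once per cached entry until the cache is flushed or the server restarted.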