6 Replies Latest reply on Feb 16, 2012 2:40 PM by Mark Allerton

    Custom Login-Module for JBOSS AS 7

    Vesuv Mitarbeiter Newbie

      Hi,

      I have installed PicketLink as an IDP and authenticate the users of my SP with this application. So far so good. But I have to evaluate the roles that the IDP gives to the SP and override them. For example, the IDP gives the role "Mandant", so the SP has the JAAS roles (for @RolesAllowed etc.) "Role1", "Role2", ...

      My idea is to make my own login module where I can override the method "getRolesSet". I have configured this module in the jboss.xml file etc., but it is ignored by PicketLink. Does someone have an idea what my mistake is? I use SAML 2.0 with POST requests.

      Thanks,

      Martin

      Edit: I have found the problem. In the class "SPPostFormAuthenticator" there are the following lines:

      if ((new ServerDetector().isJboss()) || (this.jbossEnv)) {
          // Roles from the SAML assertion are parked in a thread-local context
          // so that the JAAS login module invoked by the realm can read them.
          ServiceProviderSAMLContext.push(username, roles);
          principal = this.context.getRealm().authenticate(username, password);
          ServiceProviderSAMLContext.clear();
      } else {
          // Outside JBoss no realm (and thus no login module) is consulted;
          // the principal is built directly from the assertion.
          principal = spUtil.createGenericPrincipal(request, username, roles);
      }


      The condition returns false, although the server is a JBoss server. I don't know whether the fault is in JBoss or in PicketLink.

      I have a "dirty solution":

      Make your own subclass of "SPPostFormAuthenticator", override the method "handleSAMLResponse", and change the condition so that it returns true. In this way, the login module will get called.
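The following is an added example of the role-overriding login module the post describes; it is not code from the poster, from JBoss or from PicketLink. It assumes the standard JBoss AS 7 `AbstractServerLoginModule` API (`login()`, `getIdentity()`, `getRoleSets()`, `createIdentity()`, the `loginOk` flag) and PicketLink's static `ServiceProviderSAMLContext.getUserName()` / `getRoles()` accessors, which `SPPostFormAuthenticator` fills via `push()` just before `realm.authenticate()` in the snippet above; the package name, class name and the "Mandant" to "Role1"/"Role2" mapping are assumptions for illustration. The module only runs when that JBoss branch is actually taken, so the workaround in the post (or a correctly detected JBoss environment) is a precondition for it.

```java
package example.saml; // hypothetical package

import java.security.Principal;
import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;
// Assumed PicketLink 2.x location of the thread-local SAML context.
import org.picketlink.identity.federation.bindings.tomcat.sp.holder.ServiceProviderSAMLContext;

/**
 * Login module that takes the user name and roles PicketLink pushed into
 * ServiceProviderSAMLContext and replaces the IDP roles with the
 * application's own JAAS roles before they reach @RolesAllowed checks.
 */
public class RoleMappingSAML2LoginModule extends AbstractServerLoginModule {

    // Constructed mapping IDP role -> application roles (assumption; in a real
    // deployment this would be read from module options or a properties file).
    private static final Map<String, List<String>> ROLE_MAP = new HashMap<String, List<String>>();
    static {
        ROLE_MAP.put("Mandant", Arrays.asList("Role1", "Role2"));
    }

    private Principal identity;
    private List<String> idpRoles = Collections.emptyList();

    @Override
    public boolean login() throws LoginException {
        // Populated by SPPostFormAuthenticator (ServiceProviderSAMLContext.push)
        // right before realm.authenticate() invokes this module.
        String username = ServiceProviderSAMLContext.getUserName();
        if (username == null) {
            // No SAML assertion on this thread: refuse rather than fall through.
            throw new LoginException("No SAML principal in ServiceProviderSAMLContext");
        }
        List<String> roles = ServiceProviderSAMLContext.getRoles();
        idpRoles = roles == null ? Collections.<String>emptyList() : roles;
        try {
            identity = createIdentity(username);
        } catch (Exception e) {
            LoginException le = new LoginException("Cannot create principal for " + username);
            le.initCause(e);
            throw le;
        }
        loginOk = true;
        return true;
    }

    @Override
    protected Principal getIdentity() {
        return identity;
    }

    @Override
    protected Group[] getRoleSets() throws LoginException {
        // JBoss reads the group named "Roles" as the caller's JAAS roles.
        SimpleGroup roles = new SimpleGroup("Roles");
        for (String appRole : mapRoles(idpRoles)) {
            roles.addMember(new SimplePrincipal(appRole));
        }
        return new Group[] { roles };
    }

    /**
     * Pure mapping so it can be unit-tested outside the container. IDP roles
     * with no mapping are dropped, not passed through, so the IDP cannot grant
     * an application role merely by asserting its name.
     */
    static List<String> mapRoles(List<String> fromIdp) {
        List<String> result = new ArrayList<String>();
        for (String idpRole : fromIdp) {
            List<String> mapped = ROLE_MAP.get(idpRole);
            if (mapped != null) {
                for (String appRole : mapped) {
                    if (!result.contains(appRole)) {
                        result.add(appRole);
                    }
                }
            }
        }
        return result;
    }
}
```

To wire it in, register the class as a `login-module` of the SP's security domain in standalone.xml (for example `<login-module code="example.saml.RoleMappingSAML2LoginModule" flag="required"/>`) and reference that domain from the application's jboss-web.xml; the domain must be the one the PicketLink valve's realm consults, otherwise `realm.authenticate()` never reaches the module and the IDP roles arrive unmapped.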