1 Reply Latest reply on Jun 22, 2014 2:07 PM by Marc Boorshtein

    Perimeter SSO with a Valve and Login Module

    Marc Boorshtein Newbie

      All,

       

      I'm trying to get a perimeter SSO system working with JBoss EAP 6.2 using OpenJDK 1.7.  I followed the advice on https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6/html/Development_Guide/Use_A_… and created a custom valve, which works.  The problem is that the custom login module I created to pull the user's role information is never called.  Here's what I see in the logs:

       

      06:53:45,418 DEBUG [org.apache.catalina.authenticator] (http-/0.0.0.0:8080-1) Security checking request GET /echo/echo

      06:53:45,419 DEBUG [org.apache.catalina.realm] (http-/0.0.0.0:8080-1)   Checking constraint 'SecurityConstraint[MyResourceName]' against GET /echo --> true

      06:53:45,419 DEBUG [org.apache.catalina.realm] (http-/0.0.0.0:8080-1)   Checking constraint 'SecurityConstraint[MyResourceName]' against GET /echo --> true

      06:53:45,420 DEBUG [org.apache.catalina.authenticator] (http-/0.0.0.0:8080-1)  Calling hasUserDataPermission()

      06:53:45,420 DEBUG [org.apache.catalina.realm] (http-/0.0.0.0:8080-1)   User data constraint has no restrictions

      06:53:45,420 DEBUG [org.apache.catalina.authenticator] (http-/0.0.0.0:8080-1)  Calling authenticate()

      06:53:45,421 INFO  [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) TREMOLO : Starting

      06:53:45,428 INFO  [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) TREMOLO : logger initialized

      06:53:45,428 INFO  [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Header Name - 'autoidmrequest'

      06:53:45,429 INFO  [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) User Attribute - 'from-assertion-uid'

      06:53:45,429 INFO  [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Keystore Path - '/home/jboss71/autoIdmSession.jks'

      06:53:45,429 INFO  [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Encryption Alias - 'lastmile'

      06:53:45,429 INFO  [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) TREMOLO : config loaded

      06:53:45,430 INFO  [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Full Path to KeyStore : '/home/jboss71/autoIdmSession.jks

      06:53:45,435 INFO  [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) TREMOLO : keystore loaded

      06:53:45,442 DEBUG [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Header value : 'eyJpdiI6Ikl6QWRGajY0RWtKT2ZvYnJvb1YrcEFcdTAwM2RcdTAwM2QiLCJlbmNyeXB0ZWRSZXF1ZXN0IjoiM0hFL09hWk9pM3pVbElYNGhFYjh3Q0NlZUhGV1Y2alFjNTRYVXBVOEZZVXc2NW90aHNWeG11L2VzcnpqN1dvSnFmeGJ0aWNRbkFUUC9ETVJpeW9UNGZPUTlFdlBFeGRGL3lXOWxGWmY1elhTblBiWm9lZ0twSW5EbzlUbm40clBKbEk4TzVMYnpYK2pMcnpIVlRzbnkxazJRdkpONDRZRWtETXN0RHZ2ZmpQb002TmNDakRNbmI0eUxVNlM3aUtaK2dEL0hxY080ZldIeE9BS2xLUmg5am02eS9RTVRSUVBXd2g5b3JsdGM2UnphUnh0VG5GZkcvdjZxbDdrZExFSzBpZm1rSVhGSExndDFVMDlqMFVLeVJsaW5kb09TVkhqWnQ0SW1YMGJIcFlIQldlU0xVanRwQXUzcy9mVXM0dDlFeXZWU0ZyNHZZcVhoSjlQWXpHTDN6a1p5M2xiYXNPOVRscExGUzg0U0svWWhrVXJ2MnZnSFJWNnpoWG1YMG12US8vOTJGUW1pOVR1VWpnNE1QRno0YnppVGRMRC8rZjcrc1Zqd1huM0F0MGFsbHNnbWRkMFZKR0RqWmFod3oxckFBQ1Azb1lobisxd2VMZ3g5c054Vlp6T25tejlNNnRBSUtqNnlqZlQ2aEF6dWdjL1RmU0FRalJjRzJnWHZFOVEifQ=='

      06:53:45,731 DEBUG [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Attribute : from-assertion-uid : 'testStaticGroupSucceed'

      06:53:45,740 DEBUG [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) User Attribute from-assertion-uid found

      06:53:45,740 DEBUG [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Attribute : from-assertion-sn : 'User'

      06:53:45,745 DEBUG [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Attribute : from-assertion-cn : 'Test User'

      06:53:45,746 DEBUG [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Attribute : role : 'Users'

      06:53:45,746 DEBUG [com.tremolosecurity.lastmile.jboss71.valve.UnisonValve] (http-/0.0.0.0:8080-1) Role Attribute role found

      06:53:45,751 DEBUG [org.apache.catalina.authenticator] (http-/0.0.0.0:8080-1) Authenticated 'testStaticGroupSucceed' with type 'FORM'

      06:53:45,752 DEBUG [org.apache.catalina.authenticator] (http-/0.0.0.0:8080-1)  Calling accessControl()

      06:53:45,752 DEBUG [org.apache.catalina.realm] (http-/0.0.0.0:8080-1)   Checking roles com.tremolosecurity.lastmile.jboss71.loginModule.UnisonPrincipal@4ffe0934

      06:53:45,756 DEBUG [org.apache.catalina.realm] (http-/0.0.0.0:8080-1) No role found:  Users

      06:53:45,956 DEBUG [org.apache.catalina.authenticator] (http-/0.0.0.0:8080-1)  Failed accessControl() test

      So the authentication works without issue, but the authorization fails to find the Users role (which is sent based on the above logs).  I created a login module that extends UsernamePasswordLoginModule and overrides getIdentity, getUserPassword and getRoleSets (I modeled it on how the PicketLinks SAML2 sp login module is written).  I added the following to my standalone.xml:

       

      <security-domain name="unisonsecuritydomain" cache-type="default">

                          <authentication>

                              <login-module code="com.tremolosecurity.lastmile.jboss71.loginModule.UnisonLoginModule" flag="required" module="com.tremolosecurity.lastmile.jboss71"/>

                          </authentication>

                      </security-domain>

      And have the following jboss-web.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
              <security-domain>unisonsecuritydomain</security-domain>
              <valve>
                  <class-name>com.tremolosecurity.lastmile.jboss71.valve.UnisonValve</class-name>
                 ...
      
      
      
      
      
      
                  </valve>
      </jboss-web>
      

      I also added the module as a global module in JBoss.  I know the module is loading because the valve is in the module and that loads without issue.  Also, if I deploy the webapp without the unisonsecuritydomain in standalone.xml the deployment fails.  However I added logging statements to the login module which are never called.  Also, if I break the domain configuration by specifying a bad class name or module name I don't get any failures from JBoss.

       

      Any help would be greatly appreciated.

       

      Thanks

      Marc