Cheatsheet: PicketLink Security Token Service with JBoss AS 7.1.x

    Introduction


    This article is an addendum to PicketLink Security Token Service by Stefan Guilhen. It shows the steps necessary to make JBoss AS 7.1.1 work with the latest version of PicketLink (2.0.3.Final) and the picketlink-sts.war included in PicketLink Web Applications for JBoss AS 7.1.x.


    Versions


    Component                      Version
    JBoss AS                       7.1.1.Final
    PicketLink                     2.0.3.Final
    PicketLink Web Applications    2.0.3.Final


    JBoss AS Configuration

    Follow the last section (How do I install PL 2.0.2 (and above) in AS 7.1.x?) of the PicketLink 2.0.3.Final article by Anil Saldhana. After following the steps, you should:

    • have the latest picketlink jars in ${jboss.home.dir}/modules/org/picketlink/main
    • have ${jboss.home.dir}/modules/org/picketlink/main/module.xml updated to:


    <module xmlns="urn:jboss:module:1.1" name="org.picketlink">
      <resources>
        <resource-root path="picketlink-fed-2.0.3.Final.jar"/>
        <resource-root path="picketlink-bindings-2.0.3.Final.jar"/>
        <resource-root path="picketlink-bindings-jboss-2.0.3.Final.jar"/>
      </resources>
      <dependencies>
        <module name="javax.api"/>
        <module name="javax.security.auth.message.api"/>
        <module name="javax.security.jacc.api"/>
        <module name="javax.transaction.api"/>
        <module name="javax.xml.bind.api"/>
        <module name="javax.xml.stream.api"/>
        <module name="javax.servlet.api"/>
        <module name="org.jboss.common-core"/>
        <module name="org.jboss.logging"/>
        <module name="org.jboss.as.web"/>
        <module name="org.jboss.security.xacml"/>
        <module name="org.picketbox"/>
        <module name="javax.xml.ws.api"/>
        <module name="org.apache.log4j"/>
        <!-- <module name="org.apache.santuario.xmlsec"/> --> <!-- Comment this line out -->
        <module name="sun.jdk"/> <!-- Add this new module dependency -->
      </dependencies>
    </module>

    • have added the following lines to ${jboss.home.dir}/modules/sun/jdk/main/module.xml


    <path name="javax/xml/crypto/dsig"/>
    <path name="javax/xml/crypto"/>
    <path name="javax/xml/crypto/dsig/dom"/>
    <path name="javax/xml/crypto/dsig/keyinfo"/>
    <path name="com/sun/org/apache/xml/internal/security/transforms/implementations"/>
    <path name="org/jcp/xml/dsig/internal/dom"/> 
    


    • have unpacked all web applications into ${jboss.home.dir}/standalone/deployments
    • have modified ${jboss.home.dir}/standalone/configuration/standalone.xml to include security-domain entries for the sample web applications above


    <security-domain name="idp" cache-type="default">
      <authentication>
        <login-module code="UsersRoles" flag="required">
          <module-option name="usersProperties" value="users.properties"/>
          <module-option name="rolesProperties" value="roles.properties"/>
        </login-module>
      </authentication>
    </security-domain>
    <security-domain name="picketlink-sts" cache-type="default">
      <authentication>
        <login-module code="UsersRoles" flag="required">
          <module-option name="usersProperties" value="sts-users.properties"/>
          <module-option name="rolesProperties" value="sts-roles.properties"/>
        </login-module>
      </authentication>
    </security-domain>
    <security-domain name="sp" cache-type="default">
      <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
      </authentication>
    </security-domain>

    Modify picketlink-sts.war

    The picketlink-sts.war does not include the user and role property files needed for authentication. To make it work, you can either update the war file or change the recommended security-domain entry for "picketlink-sts" so that it uses external properties files instead.

    Update the picketlink-sts.war file

    • Unpack the war file contents [jar xf picketlink-sts.war]
    • Create both sts-users.properties and sts-roles.properties under WEB-INF/classes. You can either copy the users and roles from idp.war (same location, WEB-INF/classes) or create them yourself. You need a user=password entry in sts-users.properties, and in sts-roles.properties the user must be given the role configured in WEB-INF/web.xml (STSClient in the examples below).
    sts-users.properties

    tomcat=tomcat

    sts-roles.properties


    tomcat=manager,sales,employee,STSClient


    • Update the war file with the modified WEB-INF [jar uf picketlink-sts.war WEB-INF]

    Update standalone.xml

    The other way is to point the login module at external property files: modify the picketlink-sts security-domain section in standalone.xml as shown below, then create the same sts-users.properties and sts-roles.properties files from the previous section in the directory ${jboss.home.dir}/standalone/configuration.


    <security-domain name="picketlink-sts" cache-type="default">
      <authentication>
        <login-module code="UsersRoles" flag="required">
          <module-option name="usersProperties" value="${jboss.server.config.dir}/sts-users.properties"/>
          <module-option name="rolesProperties" value="${jboss.server.config.dir}/sts-roles.properties"/>
        </login-module>
      </authentication>
    </security-domain>

    Check STS wsdl

    To make sure everything is configured correctly, check the WSDL at http://localhost:8080/picketlink-sts/PicketLinkSTSService?wsdl

    It should ask for authentication before providing the wsdl.

    Run Client Application

    To run the client application from PicketLink Security Token Service by Stefan Guilhen, modify the endpoint and the user/password:


       public void testSTS() throws Exception
       {
          // create a WSTrustClient instance.
          WSTrustClient client = new WSTrustClient("PicketLinkSTS", "PicketLinkSTSPort", 
                "http://localhost:8080/picketlink-sts/PicketLinkSTSService", 
                new SecurityInfo("tomcat", "tomcat"));
    . . .

    To request a SAML 1.1 assertion instead of the default, change the token type:


          // issue a SAML assertion using the client API.
          Element assertion = null;
          try 
          {
             assertion = client.issueToken(SAMLUtil.SAML11_TOKEN_TYPE);
          }
          catch (WSTrustException wse)
          {
             System.out.println("Unable to issue assertion: " + wse.getMessage());
             wse.printStackTrace();
             System.exit(1);
          }

    If everything is working, you should get a signed SAML assertion back:


    <?xml version="1.0" encoding="UTF-8"?><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="ID_eb76fdfc-8614-462f-933e-cb8d17cb5e4e" IssueInstant="2012-04-09T21:43:36.572Z" Issuer="PicketLinkSTS" MajorVersion="1" MinorVersion="1"><saml:Conditions NotBefore="2012-04-09T21:43:36.572Z" NotOnOrAfter="2012-04-09T23:43:36.572Z"/><saml:AuthenticationStatement AuthenticationInstant="2012-04-09T21:43:36.572Z" AuthenticationMethod="urn:picketlink:auth"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">tomcat</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI=""><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>HDnMXVoONxX3EtDGVhI3y5n88ho=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>Lw/KCB//ahqDl9YFvA54jAiHA4uyte2xzqU1B+5qJTzy/ADKULWnjSV6gG5BNF2BwqgRwYD0GW3K
    W/mEeHefJ6IZD/rHxMChGDYM4v/1ST27RV/tGWXSMOeilK0pMFvO0yWrljQarJvCV1cYwZR+zbaQ
    davemRmvg95GxbwaJl4=</dsig:SignatureValue><dsig:KeyInfo><dsig:KeyValue><dsig:RSAKeyValue><dsig:Modulus>suGIyhVTbFvDwZdx8Av62zmP+aGOlsBN8WUE3eEEcDtOIZgO78SImMQGwB2C0eIVMhiLRzVPqoW1
    dCPAveTm653zHOmubaps1fY0lLJDSZbTbhjeYhoQmmaBro/tDpVw5lKJns2qVnMuRK19ju2dxpKw
    lYGGtrP5VQv00dfNPbs=</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue></dsig:KeyInfo></dsig:Signature></saml:Assertion>

    Links