From psilva at redhat.com Wed Oct 8 09:51:33 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 8 Oct 2014 09:51:33 -0400 (EDT)
Subject: [security-dev] PicketLink 2.7.0.CR1 Release
In-Reply-To: <76778430.6264577.1412776256282.JavaMail.zimbra@redhat.com>
Message-ID: <1873744080.6264813.1412776293206.JavaMail.zimbra@redhat.com>

Hi All,

PicketLink 2.7.0.CR1 has been released. More details at http://picketlink.org/news/2014/10/07/Release-2/.

Regards.
Pedro Igor


From bburke at redhat.com Wed Oct 8 09:56:59 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 08 Oct 2014 09:56:59 -0400
Subject: [security-dev] PicketLink 2.7.0.CR1 Release
In-Reply-To: <1873744080.6264813.1412776293206.JavaMail.zimbra@redhat.com>
References: <1873744080.6264813.1412776293206.JavaMail.zimbra@redhat.com>
Message-ID: <543542AB.6060404@redhat.com>

awesome! I'll bump our pl versions.

On 10/8/2014 9:51 AM, Pedro Igor Silva wrote:
> Hi All,
>
> PicketLink 2.7.0.CR1 has been released. More details at http://picketlink.org/news/2014/10/07/Release-2/.
>
> Regards.
> Pedro Igor
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


From adamdong at vidder.com Wed Oct 8 20:42:32 2014
From: adamdong at vidder.com (Adam Dong)
Date: Thu, 9 Oct 2014 00:42:32 +0000
Subject: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?

Hi, guys,

Thanks to some of your help. I have successfully configured ServiceProviderAuthenticator as a Valve (in context.xml) in Tomcat to protect my web app, whose web.xml needs to have <security-constraint>, <login-config> (with FORM being the auth method), etc., and the whole thing worked as expected against my IDP.

Now I have a special need to either let the SAML auth happen or bypass it (not just bypass SAML auth, but bypass the FORM-based auth altogether).
Here is what I tried but it didn't work:

    // Imports were not in the original post; Tomcat 6 package names and the
    // PicketLink Tomcat binding package are assumed here.
    import java.io.IOException;
    import org.apache.catalina.connector.Request;
    import org.apache.catalina.connector.Response;
    import org.apache.catalina.deploy.LoginConfig;
    import org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator;

    public class MyServiceProviderAuthenticator extends ServiceProviderAuthenticator {
        @Override
        public boolean authenticate(Request req, Response res, LoginConfig loginconfig)
                throws IOException {
            // Skip the SAML exchange when the request carries bypass=true
            // (no principal is registered, which is what the thread diagnoses below)
            if ("true".equals(req.getParameter("bypass"))) {
                return true;
            }
            return super.authenticate(req, res, loginconfig);
        }
    }

When that flag was not set, SAML interaction happened, everything worked.

When the flag was set, this method simply returned true, then I simply got "HTTP Status 403 - Access to the requested resource has been denied." on the browser.

Why the failure ? Is it because I didn't set the principal or didn't satisfy something that FORM-based auth needed.

Thanks a lot in advance for any clue.

Adam


From mcirioli at redhat.com Wed Oct 8 21:15:55 2014
From: mcirioli at redhat.com (Michael Cirioli)
Date: Wed, 8 Oct 2014 21:15:55 -0400 (EDT)
Subject: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
Message-ID: <405851574.1159152.1412817355883.JavaMail.zimbra@zmail09.collab.prod.int.phx2.redhat.com>

Adam

My guess is that the flag is not really being set (even though you may be passing it in the URL) - have you verified this is happening in your authenticate method either using a debugger or logging?? If the flag value is not what you expect let me know, I have implemented something similar to what you are attempting and may be able to help you work around it.

-mike
From adamdong at vidder.com Wed Oct 8 21:21:47 2014
From: adamdong at vidder.com (Adam Dong)
Date: Thu, 9 Oct 2014 01:21:47 +0000
Subject: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
In-Reply-To: <405851574.1159152.1412817355883.JavaMail.zimbra@zmail09.collab.prod.int.phx2.redhat.com>
References: <405851574.1159152.1412817355883.JavaMail.zimbra@zmail09.collab.prod.int.phx2.redhat.com>

Mike,

Thanks for the quick reply. I tried to make it simple in my previous email; in my real code, I have a logging line right before "return true", so I was sure that it followed that branch.
Adam
From jcacek at redhat.com Thu Oct 9 04:32:44 2014
From: jcacek at redhat.com (Josef Cacek)
Date: Thu, 9 Oct 2014 04:32:44 -0400 (EDT)
Subject: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
Message-ID: <549679464.38875156.1412843564652.JavaMail.zimbra@redhat.com>

Hi Adam,

the 403 means you are already authenticated but you don't have required roles.

The solution for the bypass condition could look like:

    // Catalina types used: org.apache.catalina.realm.GenericPrincipal,
    // org.apache.catalina.Session, org.apache.catalina.authenticator.Constants
    String username = "bypassed";
    List<String> roles = new ArrayList<String>();
    roles.add("AdminOrWhateverIsNeeded");   // must match a role named in the web.xml auth-constraint
    // GenericPrincipal(realm, name, password, roles) is the Tomcat 6 constructor
    Principal principal = new GenericPrincipal(request.getContext().getRealm(), username, null, roles);
    request.setUserPrincipal(principal);
    // store the user name in the session note the FORM authenticator expects
    Session session = request.getSessionInternal(true);
    session.setNote(Constants.SESS_USERNAME_NOTE, username);

Not tested. :)

-- josef
From psilva at redhat.com Thu Oct 9 07:04:36 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 9 Oct 2014 07:04:36 -0400 (EDT)
Subject: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
In-Reply-To: <549679464.38875156.1412843564652.JavaMail.zimbra@redhat.com>
References: <549679464.38875156.1412843564652.JavaMail.zimbra@redhat.com>
Message-ID: <1067874036.6812988.1412852676652.JavaMail.zimbra@redhat.com>

In addition to what Josef said, check your web.xml security-constraints. User must be granted with the roles defined there.
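An added example (not code from the thread or from PicketLink) that puts Josef's principal registration and Pedro's role note together in one complete valve: returning true without a principal is what yields the 403, so the bypass path registers a principal that carries the roles the web.xml constraint names. The switch is a deployer-set attribute on the <Valve> element rather than a request parameter, since a client-supplied parameter would let any caller skip authentication; the Tomcat 6 package names, the PicketLink class package and the attribute names are assumptions.

```java
// Added example, not the thread's or PicketLink's own code.
// Assumes the Tomcat 6 API used in Josef's snippet and the PicketLink
// Tomcat binding package (both assumptions).
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.realm.GenericPrincipal;
import org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator;

public class ConditionalBypassAuthenticator extends ServiceProviderAuthenticator {

    // Deployer-controlled switches, set as attributes on the <Valve> element in
    // context.xml (Tomcat maps each attribute onto the matching setter). The
    // decision to skip SAML is therefore made by whoever owns the server, not
    // by the client sending a request parameter. Attribute names are assumed.
    private boolean bypassAuthentication = false;
    private String bypassUsername = "bypassed";
    private List<String> bypassRoles = new ArrayList<String>();

    public void setBypassAuthentication(boolean bypassAuthentication) {
        this.bypassAuthentication = bypassAuthentication;
    }

    public void setBypassUsername(String bypassUsername) {
        this.bypassUsername = bypassUsername;
    }

    /** Comma-separated roles, e.g. bypassRoles="manager,user"; they must match the auth-constraint. */
    public void setBypassRoles(String roles) {
        this.bypassRoles = new ArrayList<String>();
        for (String r : roles.split(",")) {
            if (r.trim().length() > 0) {
                this.bypassRoles.add(r.trim());
            }
        }
    }

    @Override
    public boolean authenticate(Request request, Response response, LoginConfig config)
            throws IOException {
        if (!bypassAuthentication) {
            return super.authenticate(request, response, config); // normal SAML flow
        }

        // Returning true with no principal is what produced the 403: the container
        // treats the request as authenticated but with no roles, so the
        // <auth-constraint> in web.xml rejects it. A principal registered on an
        // earlier request in this session is reused.
        Principal existing = request.getUserPrincipal();
        if (existing != null) {
            return true;
        }

        // Josef's fix: a GenericPrincipal carrying the roles the constraint requires
        // (Tomcat 6 constructor takes the realm first; Tomcat 7 drops that argument).
        GenericPrincipal principal = new GenericPrincipal(
                request.getContext().getRealm(), bypassUsername, null, bypassRoles);

        // AuthenticatorBase.register() sets the user principal and auth type, stores
        // the user name in the session note and handles single sign-on in one call,
        // which is the same path Tomcat's own FormAuthenticator takes after login.
        register(request, response, principal, "BYPASS", bypassUsername, null);
        return true;
    }
}
```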
From mcirioli at redhat.com Thu Oct 9 13:28:01 2014
From: mcirioli at redhat.com (Mike Cirioli)
Date: Thu, 09 Oct 2014 13:28:01 -0400
Subject: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
In-Reply-To: <1067874036.6812988.1412852676652.JavaMail.zimbra@redhat.com>
References: <549679464.38875156.1412843564652.JavaMail.zimbra@redhat.com> <1067874036.6812988.1412852676652.JavaMail.zimbra@redhat.com>
Message-ID: <5436C5A1.6070300@redhat.com>

Adam - I agree with Josef and Pedro, it sounds like it might be a security constraint/role issue. I'm online (#iam, #jbossidentity) if you want to ping me this afternoon.

-mike
From adamdong at vidder.com Thu Oct 9 13:30:28 2014
From: adamdong at vidder.com (Adam Dong)
Date: Thu, 9 Oct 2014 17:30:28 +0000
Subject: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
In-Reply-To: <5436C5A1.6070300@redhat.com>
References: <549679464.38875156.1412843564652.JavaMail.zimbra@redhat.com> <1067874036.6812988.1412852676652.JavaMail.zimbra@redhat.com> <5436C5A1.6070300@redhat.com>
Message-ID: <37dc5a025a12405d8198641358a02512@BY2PR0401MB0934.namprd04.prod.outlook.com>

I'm trying out what you guys suggested (meetings get in the way). Will report back.

Many thanks, really appreciate all the help.

Adam
From adamdong at vidder.com Thu Oct 9 16:49:25 2014
From: adamdong at vidder.com (Adam Dong)
Date: Thu, 9 Oct 2014 20:49:25 +0000
Subject: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
References: <549679464.38875156.1412843564652.JavaMail.zimbra@redhat.com> <1067874036.6812988.1412852676652.JavaMail.zimbra@redhat.com> <5436C5A1.6070300@redhat.com>
Message-ID: <1d88be4b0ab04799bb406465b51a9301@BY2PR0401MB0934.namprd04.prod.outlook.com>

Josef's code worked. Thank you so much.
Adam
From adamdong at vidder.com Tue Oct 14 20:01:15 2014
From: adamdong at vidder.com (Adam Dong)
Date: Wed, 15 Oct 2014 00:01:15 +0000
Subject: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ?

Hi,

Instead of having to choose SPPostSignatureFormAuthenticator or SPRedirectSignatureFormAuthenticator, can I just use ServiceProviderAuthenticator and somehow configure it (in picketlink.xml or metadata config file) to do post or redirect ?

Another question, on SP side, I understand I need to have IDP's cert in my SP cert store to be able to validate assertion signature, but do I need to have IDP cert's root CA in my trust store ? In other words, does SP side code (picketlink library) check IDP cert's issuer against SP's trust store ?

Thanks,
Adam


From psilva at redhat.com Wed Oct 15 05:40:08 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 15 Oct 2014 05:40:08 -0400 (EDT)
Subject: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ?
Message-ID: <1399193835.3650343.1413366008890.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Adam Dong"
> To: security-dev at lists.jboss.org
> Sent: Tuesday, October 14, 2014 9:01:15 PM
> Subject: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ?
>
> Hi,
>
> Instead of having to choose SPPostSignatureFormAuthenticator or
> SPRedirectSignatureFormAuthenticator, can I just use
> ServiceProviderAuthenticator and somehow configure it (in picketlink.xml or
> metadata config file) to do post or redirect ?

Yes, you can. Please, take a look at [1]. You may also check the quickstarts [2] for concrete examples.

[1] https://docs.jboss.org/author/display/PLINK/Service+Provider+Configuration
[2] https://github.com/jboss-developer/jboss-picketlink-quickstarts

>
> Another question, on SP side, I understand I need to have IDP's cert in my SP
> cert store to be able to validate assertion signature, but do I need to have
> IDP cert's root CA in my trust store ? In other words, does SP side code
> (picketlink library) check IDP cert's issuer against SP's trust store ?

Yes, validation is performed on both sides. You need the issuer's public key on the keystore of the verifier.

>
> Thanks,
> Adam


From adamdong at vidder.com Thu Oct 16 11:50:09 2014
From: adamdong at vidder.com (Adam Dong)
Date: Thu, 16 Oct 2014 15:50:09 +0000
Subject: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ?
In-Reply-To: <1399193835.3650343.1413366008890.JavaMail.zimbra@redhat.com>
References: <1399193835.3650343.1413366008890.JavaMail.zimbra@redhat.com>

Pedro,

Thanks for the reply. Just to confirm: on SP side, I understand I need to have IDP's cert with public key inside, but do I need to have that cert chain's root CA cert in my trust store; in other words, does picketlink SP side library check trust on root CA ?
Thanks,
Adam


From psilva at redhat.com Thu Oct 16 11:51:56 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 16 Oct 2014 11:51:56 -0400 (EDT)
Subject: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ?
References: <1399193835.3650343.1413366008890.JavaMail.zimbra@redhat.com>
Message-ID: <1058934227.5135012.1413474716898.JavaMail.zimbra@redhat.com>

Yeah, sorry. You don't need root CA cert in key/trust store. PL does not validate the cert chain.
[1] https://docs.jboss.org/author/display/PLINK/Service+Provider+Configuration [2] https://github.com/jboss-developer/jboss-picketlink-quickstarts > > Another question, on SP side, I understand I need to have IDP's cert > in my SP cert store to be able to validate assertion signature, but do > I need to have IDP cert's root CA in my trust store ? In other words, > does SP side code (picketlink library) check IDP cert's issuer against > SP's trust store ? Yes, validation is performed on both sides. You need the issuer's public key on the keystore of the verifier. > > Thanks, > Adam > > > _______________________________________________ > security-dev mailing list > security-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/security-dev > From adamdong at vidder.com Thu Oct 16 11:54:13 2014 From: adamdong at vidder.com (Adam Dong) Date: Thu, 16 Oct 2014 15:54:13 +0000 Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ? Message-ID: To send AuthnRequest without signature (without signing), but can still verify the signature of assertion in the response ? Thanks, Adam From adamdong at vidder.com Thu Oct 16 11:59:58 2014 From: adamdong at vidder.com (Adam Dong) Date: Thu, 16 Oct 2014 15:59:58 +0000 Subject: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ? In-Reply-To: <1058934227.5135012.1413474716898.JavaMail.zimbra@redhat.com> References: <1399193835.3650343.1413366008890.JavaMail.zimbra@redhat.com> <1058934227.5135012.1413474716898.JavaMail.zimbra@redhat.com> Message-ID: <1d7475d9c99643f38c8f5e6162d63531@BY2PR0401MB0934.namprd04.prod.outlook.com> So PL doesn't validate cert chain and I remember it doesn?t check the expiration time of the cert. Should it do both ? Are they part of digital signature verification ? 
Thanks, Adam -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Thursday, October 16, 2014 8:52 AM To: Adam Dong Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ? Yeah, sorry. You don't need root CA cert in key/trust store. PL does not validates the cert chain. ----- Original Message ----- From: "Adam Dong" To: "Pedro Igor Silva" Cc: security-dev at lists.jboss.org Sent: Thursday, October 16, 2014 12:50:09 PM Subject: RE: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ? Pedro, Thanks for the reply. Just to confirm: on SP side, I understand I need to have IDP's cert with public key inside, but do I need to have that cert chain's root CA cert in my trust store; in other words, does picketlink SP side library check trust on root CA ? Thanks, Adam -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Wednesday, October 15, 2014 2:40 AM To: Adam Dong Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ? ----- Original Message ----- > From: "Adam Dong" > To: security-dev at lists.jboss.org > Sent: Tuesday, October 14, 2014 9:01:15 PM > Subject: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ? > > Hi, > > Instead of having to choose SPPostSignatureFromAuthenticator or > SPRedirectSignaturFormAuthenticator, can I just use > ServiceProviderAuthenticator and somehow configure it (in > picketlink.xml or metadata config file) to do post or redirect ? Yes, you can. Please, take a look at [1]. You may also check the quickstarts for concrete examples. 
[1] https://docs.jboss.org/author/display/PLINK/Service+Provider+Configuration [2] https://github.com/jboss-developer/jboss-picketlink-quickstarts > > Another question, on SP side, I understand I need to have IDP's cert > in my SP cert store to be able to validate assertion signature, but do > I need to have IDP cert's root CA in my trust store ? In other words, > does SP side code (picketlink library) check IDP cert's issuer against > SP's trust store ? Yes, validation is performed on both sides. You need the issuer's public key on the keystore of the verifier. > > Thanks, > Adam > > > _______________________________________________ > security-dev mailing list > security-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/security-dev > From psilva at redhat.com Thu Oct 16 12:02:24 2014 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 16 Oct 2014 12:02:24 -0400 (EDT) Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ? In-Reply-To: References: Message-ID: <2020054208.5149654.1413475344862.JavaMail.zimbra@redhat.com> If your IdP is configured to support signatures and you send a unsigned AuthnRequest, it will allow you to authenticate. However, once you submit your credentials the IdP will process the AuthnRequest (which was previously stored) and it will fail because it is not signed. So the SAML response/assertion will never be sent to the SP. ----- Original Message ----- From: "Adam Dong" Cc: security-dev at lists.jboss.org Sent: Thursday, October 16, 2014 12:54:13 PM Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ? To send AuthnRequest without signature (without signing), but can still verify the signature of assertion in the response ? 
Thanks, Adam _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev From psilva at redhat.com Thu Oct 16 12:04:17 2014 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 16 Oct 2014 12:04:17 -0400 (EDT) Subject: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ? In-Reply-To: <1d7475d9c99643f38c8f5e6162d63531@BY2PR0401MB0934.namprd04.prod.outlook.com> References: <1399193835.3650343.1413366008890.JavaMail.zimbra@redhat.com> <1058934227.5135012.1413474716898.JavaMail.zimbra@redhat.com> <1d7475d9c99643f38c8f5e6162d63531@BY2PR0401MB0934.namprd04.prod.outlook.com> Message-ID: <1555067173.5150786.1413475457716.JavaMail.zimbra@redhat.com> Good point. I'm not sure if XML Sig enforce these policies. But only check if the right keys are being used. Need to take a look into the specs. ----- Original Message ----- From: "Adam Dong" To: "Pedro Igor Silva" Cc: security-dev at lists.jboss.org Sent: Thursday, October 16, 2014 12:59:58 PM Subject: RE: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ? So PL doesn't validate cert chain and I remember it doesn?t check the expiration time of the cert. Should it do both ? Are they part of digital signature verification ? Thanks, Adam -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Thursday, October 16, 2014 8:52 AM To: Adam Dong Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ? Yeah, sorry. You don't need root CA cert in key/trust store. PL does not validates the cert chain. 
----- Original Message ----- From: "Adam Dong" To: "Pedro Igor Silva" Cc: security-dev at lists.jboss.org Sent: Thursday, October 16, 2014 12:50:09 PM Subject: RE: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ? Pedro, Thanks for the reply. Just to confirm: on SP side, I understand I need to have IDP's cert with public key inside, but do I need to have that cert chain's root CA cert in my trust store; in other words, does picketlink SP side library check trust on root CA ? Thanks, Adam -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Wednesday, October 15, 2014 2:40 AM To: Adam Dong Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ? ----- Original Message ----- > From: "Adam Dong" > To: security-dev at lists.jboss.org > Sent: Tuesday, October 14, 2014 9:01:15 PM > Subject: [security-dev] How to configure ServiceProviderAuthenticator do HTTP Post or HTTP Redirect ? > > Hi, > > Instead of having to choose SPPostSignatureFromAuthenticator or > SPRedirectSignaturFormAuthenticator, can I just use > ServiceProviderAuthenticator and somehow configure it (in > picketlink.xml or metadata config file) to do post or redirect ? Yes, you can. Please, take a look at [1]. You may also check the quickstarts for concrete examples. [1] https://docs.jboss.org/author/display/PLINK/Service+Provider+Configuration [2] https://github.com/jboss-developer/jboss-picketlink-quickstarts > > Another question, on SP side, I understand I need to have IDP's cert > in my SP cert store to be able to validate assertion signature, but do > I need to have IDP cert's root CA in my trust store ? In other words, > does SP side code (picketlink library) check IDP cert's issuer against > SP's trust store ? Yes, validation is performed on both sides. You need the issuer's public key on the keystore of the verifier. 
> > Thanks, > Adam > > > _______________________________________________ > security-dev mailing list > security-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/security-dev > From adamdong at vidder.com Thu Oct 16 12:08:10 2014 From: adamdong at vidder.com (Adam Dong) Date: Thu, 16 Oct 2014 16:08:10 +0000 Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ? In-Reply-To: <2020054208.5149654.1413475344862.JavaMail.zimbra@redhat.com> References: <2020054208.5149654.1413475344862.JavaMail.zimbra@redhat.com> Message-ID: <113b1141b07540e49272d67541e1b8e3@BY2PR0401MB0934.namprd04.prod.outlook.com> I see, that is PicketLink's IDP behavior. The IDP (from another vender) that my picketlink SP is interaction with does NOT want signed AuthnRequest, but it will sign assertion in response. So my question is from my picketlink SP point of view: could it be configured to not sign AuthnRequest, but still be able to verify signature of assertion in response. Thanks, Adam -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Thursday, October 16, 2014 9:02 AM To: Adam Dong Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator to do this ? If your IdP is configured to support signatures and you send a unsigned AuthnRequest, it will allow you to authenticate. However, once you submit your credentials the IdP will process the AuthnRequest (which was previously stored) and it will fail because it is not signed. So the SAML response/assertion will never be sent to the SP. ----- Original Message ----- From: "Adam Dong" Cc: security-dev at lists.jboss.org Sent: Thursday, October 16, 2014 12:54:13 PM Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ? To send AuthnRequest without signature (without signing), but can still verify the signature of assertion in the response ? 
Thanks, Adam _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev From psilva at redhat.com Thu Oct 16 12:10:56 2014 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 16 Oct 2014 12:10:56 -0400 (EDT) Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ? In-Reply-To: <113b1141b07540e49272d67541e1b8e3@BY2PR0401MB0934.namprd04.prod.outlook.com> References: <2020054208.5149654.1413475344862.JavaMail.zimbra@redhat.com> <113b1141b07540e49272d67541e1b8e3@BY2PR0401MB0934.namprd04.prod.outlook.com> Message-ID: <1027364886.5154450.1413475856119.JavaMail.zimbra@redhat.com> I don't think so. That would be a RFE :) Everything is signed when you enable signatures .... Feel free to open a JIRA. That is something easy to support ... ----- Original Message ----- From: "Adam Dong" To: "Pedro Igor Silva" Cc: security-dev at lists.jboss.org Sent: Thursday, October 16, 2014 1:08:10 PM Subject: RE: [security-dev] How to configure ServiceProviderAuthenticator to do this ? I see, that is PicketLink's IDP behavior. The IDP (from another vender) that my picketlink SP is interaction with does NOT want signed AuthnRequest, but it will sign assertion in response. So my question is from my picketlink SP point of view: could it be configured to not sign AuthnRequest, but still be able to verify signature of assertion in response. Thanks, Adam -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Thursday, October 16, 2014 9:02 AM To: Adam Dong Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator to do this ? If your IdP is configured to support signatures and you send a unsigned AuthnRequest, it will allow you to authenticate. 
However, once you submit your credentials the IdP will process the AuthnRequest (which was previously stored) and it will fail because it is not signed. So the SAML response/assertion will never be sent to the SP. ----- Original Message ----- From: "Adam Dong" Cc: security-dev at lists.jboss.org Sent: Thursday, October 16, 2014 12:54:13 PM Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ? To send AuthnRequest without signature (without signing), but can still verify the signature of assertion in the response ? Thanks, Adam _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev From mcirioli at redhat.com Thu Oct 16 12:12:06 2014 From: mcirioli at redhat.com (Mike Cirioli) Date: Thu, 16 Oct 2014 12:12:06 -0400 Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ? In-Reply-To: <113b1141b07540e49272d67541e1b8e3@BY2PR0401MB0934.namprd04.prod.outlook.com> References: <2020054208.5149654.1413475344862.JavaMail.zimbra@redhat.com> <113b1141b07540e49272d67541e1b8e3@BY2PR0401MB0934.namprd04.prod.outlook.com> Message-ID: <543FEE56.9040107@redhat.com> Adam - If i understand what you are asking correctly, that is exactly the scenario we have for all the SP's available through our internal PicketLink IdP. Authn requests are not signed, but all assertions are being signed by the IdP and validated by the SP's. -mike On 10/16/2014 12:08 PM, Adam Dong wrote: > I see, that is PicketLink's IDP behavior. > > The IDP (from another vender) that my picketlink SP is interaction with does NOT want signed AuthnRequest, but it will sign assertion in response. > > So my question is from my picketlink SP point of view: could it be configured to not sign AuthnRequest, but still be able to verify signature of assertion in response. 
> > Thanks, > Adam > > -----Original Message----- > From: Pedro Igor Silva [mailto:psilva at redhat.com] > Sent: Thursday, October 16, 2014 9:02 AM > To: Adam Dong > Cc: security-dev at lists.jboss.org > Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator to do this ? > > If your IdP is configured to support signatures and you send a unsigned AuthnRequest, it will allow you to authenticate. However, once you submit your credentials the IdP will process the AuthnRequest (which was previously stored) and it will fail because it is not signed. > > So the SAML response/assertion will never be sent to the SP. > > ----- Original Message ----- > From: "Adam Dong" > Cc: security-dev at lists.jboss.org > Sent: Thursday, October 16, 2014 12:54:13 PM > Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ? > > > To send AuthnRequest without signature (without signing), but can still verify the signature of assertion in the response ? > > Thanks, > Adam > > _______________________________________________ > security-dev mailing list > security-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/security-dev > > _______________________________________________ > security-dev mailing list > security-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/security-dev From mcirioli at redhat.com Thu Oct 16 12:13:51 2014 From: mcirioli at redhat.com (Mike Cirioli) Date: Thu, 16 Oct 2014 12:13:51 -0400 Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ? In-Reply-To: <543FEE56.9040107@redhat.com> References: <2020054208.5149654.1413475344862.JavaMail.zimbra@redhat.com> <113b1141b07540e49272d67541e1b8e3@BY2PR0401MB0934.namprd04.prod.outlook.com> <543FEE56.9040107@redhat.com> Message-ID: <543FEEBF.6010005@redhat.com> Adam - I forgot to add that we are using the PL for some SP's as well as our IdP. 
-mike On 10/16/2014 12:12 PM, Mike Cirioli wrote: > Adam - > If i understand what you are asking correctly, that is exactly the > scenario we have for all the SP's available through our internal > PicketLink IdP. Authn requests are not signed, but all assertions are > being signed by the IdP and validated by the SP's. > > -mike > > On 10/16/2014 12:08 PM, Adam Dong wrote: >> I see, that is PicketLink's IDP behavior. >> >> The IDP (from another vender) that my picketlink SP is interaction with does NOT want signed AuthnRequest, but it will sign assertion in response. >> >> So my question is from my picketlink SP point of view: could it be configured to not sign AuthnRequest, but still be able to verify signature of assertion in response. >> >> Thanks, >> Adam >> >> -----Original Message----- >> From: Pedro Igor Silva [mailto:psilva at redhat.com] >> Sent: Thursday, October 16, 2014 9:02 AM >> To: Adam Dong >> Cc: security-dev at lists.jboss.org >> Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator to do this ? >> >> If your IdP is configured to support signatures and you send a unsigned AuthnRequest, it will allow you to authenticate. However, once you submit your credentials the IdP will process the AuthnRequest (which was previously stored) and it will fail because it is not signed. >> >> So the SAML response/assertion will never be sent to the SP. >> >> ----- Original Message ----- >> From: "Adam Dong" >> Cc: security-dev at lists.jboss.org >> Sent: Thursday, October 16, 2014 12:54:13 PM >> Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ? >> >> >> To send AuthnRequest without signature (without signing), but can still verify the signature of assertion in the response ? 
>> >> Thanks, >> Adam >> >> _______________________________________________ >> security-dev mailing list >> security-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/security-dev >> >> _______________________________________________ >> security-dev mailing list >> security-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/security-dev > _______________________________________________ > security-dev mailing list > security-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/security-dev From psilva at redhat.com Thu Oct 16 12:15:22 2014 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 16 Oct 2014 12:15:22 -0400 (EDT) Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ? In-Reply-To: <543FEE56.9040107@redhat.com> References: <2020054208.5149654.1413475344862.JavaMail.zimbra@redhat.com> <113b1141b07540e49272d67541e1b8e3@BY2PR0401MB0934.namprd04.prod.outlook.com> <543FEE56.9040107@redhat.com> Message-ID: <834531698.5156860.1413476122481.JavaMail.zimbra@redhat.com> But I think we had an issue to change this behavior and always sign AuthnRequest when signatures are enabled. Maybe you are supporting that because you're not considering latest changes. ----- Original Message ----- From: "Mike Cirioli" To: "Adam Dong" , "Pedro Igor Silva" Cc: security-dev at lists.jboss.org Sent: Thursday, October 16, 2014 1:12:06 PM Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator to do this ? Adam - If i understand what you are asking correctly, that is exactly the scenario we have for all the SP's available through our internal PicketLink IdP. Authn requests are not signed, but all assertions are being signed by the IdP and validated by the SP's. -mike On 10/16/2014 12:08 PM, Adam Dong wrote: > I see, that is PicketLink's IDP behavior. 
> > The IDP (from another vender) that my picketlink SP is interaction with does NOT want signed AuthnRequest, but it will sign assertion in response. > > So my question is from my picketlink SP point of view: could it be configured to not sign AuthnRequest, but still be able to verify signature of assertion in response. > > Thanks, > Adam > > -----Original Message----- > From: Pedro Igor Silva [mailto:psilva at redhat.com] > Sent: Thursday, October 16, 2014 9:02 AM > To: Adam Dong > Cc: security-dev at lists.jboss.org > Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator to do this ? > > If your IdP is configured to support signatures and you send a unsigned AuthnRequest, it will allow you to authenticate. However, once you submit your credentials the IdP will process the AuthnRequest (which was previously stored) and it will fail because it is not signed. > > So the SAML response/assertion will never be sent to the SP. > > ----- Original Message ----- > From: "Adam Dong" > Cc: security-dev at lists.jboss.org > Sent: Thursday, October 16, 2014 12:54:13 PM > Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ? > > > To send AuthnRequest without signature (without signing), but can still verify the signature of assertion in the response ? > > Thanks, > Adam > > _______________________________________________ > security-dev mailing list > security-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/security-dev > > _______________________________________________ > security-dev mailing list > security-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/security-dev From mcirioli at redhat.com Thu Oct 16 12:58:51 2014 From: mcirioli at redhat.com (Mike Cirioli) Date: Thu, 16 Oct 2014 12:58:51 -0400 Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ? 
In-Reply-To: <834531698.5156860.1413476122481.JavaMail.zimbra@redhat.com> References: <2020054208.5149654.1413475344862.JavaMail.zimbra@redhat.com> <113b1141b07540e49272d67541e1b8e3@BY2PR0401MB0934.namprd04.prod.outlook.com> <543FEE56.9040107@redhat.com> <834531698.5156860.1413476122481.JavaMail.zimbra@redhat.com> Message-ID: <543FF94B.9070801@redhat.com> I think you are correct Pedro, i was not thinking about the fact that enabling signing at the IdP side is separate from the SP side as well. Checking the configs on my dev idp I see the following: For my IdP: picketlink.xml -> supportSignatures=true sp-metadata.xml wantAssertionsSigned=true authnRequestsSigned=false for my test SP: picketink,xml --> SupportsSignature=true Looking at the SAMLtracer output, i see that the incoming authn request is being signed, but that the IdP is not validating the signature. -mike On 10/16/2014 12:15 PM, Pedro Igor Silva wrote: > But I think we had an issue to change this behavior and always sign AuthnRequest when signatures are enabled. Maybe you are supporting that because you're not considering latest changes. > > ----- Original Message ----- > From: "Mike Cirioli" > To: "Adam Dong" , "Pedro Igor Silva" > Cc: security-dev at lists.jboss.org > Sent: Thursday, October 16, 2014 1:12:06 PM > Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator to do this ? > > Adam - > If i understand what you are asking correctly, that is exactly the > scenario we have for all the SP's available through our internal > PicketLink IdP. Authn requests are not signed, but all assertions are > being signed by the IdP and validated by the SP's. > > -mike > > On 10/16/2014 12:08 PM, Adam Dong wrote: >> I see, that is PicketLink's IDP behavior. >> >> The IDP (from another vender) that my picketlink SP is interaction with does NOT want signed AuthnRequest, but it will sign assertion in response. 
>> >> So my question is from my picketlink SP point of view: could it be configured to not sign AuthnRequest, but still be able to verify signature of assertion in response. >> >> Thanks, >> Adam >> >> -----Original Message----- >> From: Pedro Igor Silva [mailto:psilva at redhat.com] >> Sent: Thursday, October 16, 2014 9:02 AM >> To: Adam Dong >> Cc: security-dev at lists.jboss.org >> Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator to do this ? >> >> If your IdP is configured to support signatures and you send a unsigned AuthnRequest, it will allow you to authenticate. However, once you submit your credentials the IdP will process the AuthnRequest (which was previously stored) and it will fail because it is not signed. >> >> So the SAML response/assertion will never be sent to the SP. >> >> ----- Original Message ----- >> From: "Adam Dong" >> Cc: security-dev at lists.jboss.org >> Sent: Thursday, October 16, 2014 12:54:13 PM >> Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ? >> >> >> To send AuthnRequest without signature (without signing), but can still verify the signature of assertion in the response ? >> >> Thanks, >> Adam >> >> _______________________________________________ >> security-dev mailing list >> security-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/security-dev >> >> _______________________________________________ >> security-dev mailing list >> security-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/security-dev From psilva at redhat.com Thu Oct 16 14:14:05 2014 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 16 Oct 2014 14:14:05 -0400 (EDT) Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ? 
In-Reply-To: <543FF94B.9070801@redhat.com> References: <2020054208.5149654.1413475344862.JavaMail.zimbra@redhat.com> <113b1141b07540e49272d67541e1b8e3@BY2PR0401MB0934.namprd04.prod.outlook.com> <543FEE56.9040107@redhat.com> <834531698.5156860.1413476122481.JavaMail.zimbra@redhat.com> <543FF94B.9070801@redhat.com> Message-ID: <877040870.5302006.1413483245268.JavaMail.zimbra@redhat.com> Yeah, there is IdP SSO Metadata wantAuthnRequestsSigned and SP SSO Metadata authnRequestsSigned The first is to indicate that IdP should enforce signatures for authnrequests. The second one to indicate if authn requests must be signed by the SP. This is something we need to review in PL IdP. Today it is only considering the authnRequestsSigned from SP metadata. But it should also understand wantAuthnRequestsSigned. The same thing at the SP side, we need to consider authnRequestsSigned. And this is what Adam is looking for ... Regards. ----- Original Message ----- From: "Mike Cirioli" To: "Pedro Igor Silva" Cc: "Adam Dong" , security-dev at lists.jboss.org Sent: Thursday, October 16, 2014 1:58:51 PM Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator to do this ? I think you are correct Pedro, i was not thinking about the fact that enabling signing at the IdP side is separate from the SP side as well. Checking the configs on my dev idp I see the following: For my IdP: picketlink.xml -> supportSignatures=true sp-metadata.xml wantAssertionsSigned=true authnRequestsSigned=false for my test SP: picketink,xml --> SupportsSignature=true Looking at the SAMLtracer output, i see that the incoming authn request is being signed, but that the IdP is not validating the signature. -mike On 10/16/2014 12:15 PM, Pedro Igor Silva wrote: > But I think we had an issue to change this behavior and always sign AuthnRequest when signatures are enabled. Maybe you are supporting that because you're not considering latest changes. 
> > ----- Original Message ----- > From: "Mike Cirioli" > To: "Adam Dong" , "Pedro Igor Silva" > Cc: security-dev at lists.jboss.org > Sent: Thursday, October 16, 2014 1:12:06 PM > Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator to do this ? > > Adam - > If i understand what you are asking correctly, that is exactly the > scenario we have for all the SP's available through our internal > PicketLink IdP. Authn requests are not signed, but all assertions are > being signed by the IdP and validated by the SP's. > > -mike > > On 10/16/2014 12:08 PM, Adam Dong wrote: >> I see, that is PicketLink's IDP behavior. >> >> The IDP (from another vender) that my picketlink SP is interaction with does NOT want signed AuthnRequest, but it will sign assertion in response. >> >> So my question is from my picketlink SP point of view: could it be configured to not sign AuthnRequest, but still be able to verify signature of assertion in response. >> >> Thanks, >> Adam >> >> -----Original Message----- >> From: Pedro Igor Silva [mailto:psilva at redhat.com] >> Sent: Thursday, October 16, 2014 9:02 AM >> To: Adam Dong >> Cc: security-dev at lists.jboss.org >> Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator to do this ? >> >> If your IdP is configured to support signatures and you send a unsigned AuthnRequest, it will allow you to authenticate. However, once you submit your credentials the IdP will process the AuthnRequest (which was previously stored) and it will fail because it is not signed. >> >> So the SAML response/assertion will never be sent to the SP. >> >> ----- Original Message ----- >> From: "Adam Dong" >> Cc: security-dev at lists.jboss.org >> Sent: Thursday, October 16, 2014 12:54:13 PM >> Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ? >> >> >> To send AuthnRequest without signature (without signing), but can still verify the signature of assertion in the response ? 
>> >> Thanks, >> Adam >> >> _______________________________________________ >> security-dev mailing list >> security-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/security-dev >> >> _______________________________________________ >> security-dev mailing list >> security-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/security-dev From claudio at claudius.com.br Thu Oct 23 14:50:06 2014 From: claudio at claudius.com.br (Claudio Miranda) Date: Thu, 23 Oct 2014 16:50:06 -0200 Subject: [security-dev] SPFilter should check principal in POST calls Message-ID: Hi, related to PLINK2-20, our application cannot use SP valve, as there are two authentication mechanism (DatabaseServerLoginModule and SAML2LoginModule). So we use SPFilter and it the alternative authentication mechanism is working, except for the jsf requests, SPFilter intercepts it as POST requests and redirects to IDP, but the user is already authenticated. So, there is the following issue. https://issues.jboss.org/browse/PLINK2-20 Would you allow a contribution to add a servlet filter init param to optionally add the allowed request methods ? ALLOWED_METHODS GET,POST And change the below code to allow it ? boolean postMethod = "POST".equalsIgnoreCase(request.getMethod()); Defaults to POST to maintain compatibility. Comments ? Kind regards -- Claudio Miranda claudio at claudius.com.br http://www.claudius.com.br From psilva at redhat.com Thu Oct 23 15:19:05 2014 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 23 Oct 2014 15:19:05 -0400 (EDT) Subject: [security-dev] SPFilter should check principal in POST calls In-Reply-To: References: Message-ID: <648174739.10480169.1414091945423.JavaMail.zimbra@redhat.com> Hey Claudio, Makes sense for me. Specially if we maintain backward compatibility. However, the SPFilter is pretty outdated if you compare with both JBossWeb/Tomcat valves and Undertow mech. Maybe you can reach a blocker in the future ... 
Please, send your contribution if you like to. Contribution is always welcome :) Regards. ----- Original Message ----- From: "Claudio Miranda" To: security-dev at lists.jboss.org Sent: Thursday, October 23, 2014 4:50:06 PM Subject: [security-dev] SPFilter should check principal in POST calls Hi, related to PLINK2-20, our application cannot use SP valve, as there are two authentication mechanism (DatabaseServerLoginModule and SAML2LoginModule). So we use SPFilter and it the alternative authentication mechanism is working, except for the jsf requests, SPFilter intercepts it as POST requests and redirects to IDP, but the user is already authenticated. So, there is the following issue. https://issues.jboss.org/browse/PLINK2-20 Would you allow a contribution to add a servlet filter init param to optionally add the allowed request methods ? ALLOWED_METHODS GET,POST And change the below code to allow it ? boolean postMethod = "POST".equalsIgnoreCase(request.getMethod()); Defaults to POST to maintain compatibility. Comments ? Kind regards -- Claudio Miranda claudio at claudius.com.br http://www.claudius.com.br _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev From mraju at temenos.com Fri Oct 24 07:46:26 2014 From: mraju at temenos.com (Manohara Raju) Date: Fri, 24 Oct 2014 11:46:26 +0000 Subject: [security-dev] SPFilter should check principal in POST calls In-Reply-To: <648174739.10480169.1414091945423.JavaMail.zimbra@redhat.com> References: <648174739.10480169.1414091945423.JavaMail.zimbra@redhat.com> Message-ID: Hi, Thanks for the response. We are using Picketlink as SP(service provider) and ADFS server as IDP. I tried adding the SP filter in web.xml of our java application, but not successful. Still issue persists. Please can you let me know, is it possible to have a call, so that can discuss and clarify on the configuration settings and about SP. 
Thanks a lot for the support. Regards, Manoharr. -----Original Message----- From: security-dev-bounces at lists.jboss.org [mailto:security-dev-bounces at lists.jboss.org] On Behalf Of Pedro Igor Silva Sent: Friday, October 24, 2014 12:49 AM To: Claudio Miranda Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] SPFilter should check principal in POST calls Hey Claudio, Makes sense for me. Specially if we maintain backward compatibility. However, the SPFilter is pretty outdated if you compare with both JBossWeb/Tomcat valves and Undertow mech. Maybe you can reach a blocker in the future ... Please, send your contribution if you like to. Contribution is always welcome :) Regards. ----- Original Message ----- From: "Claudio Miranda" To: security-dev at lists.jboss.org Sent: Thursday, October 23, 2014 4:50:06 PM Subject: [security-dev] SPFilter should check principal in POST calls Hi, related to PLINK2-20, our application cannot use SP valve, as there are two authentication mechanism (DatabaseServerLoginModule and SAML2LoginModule). So we use SPFilter and it the alternative authentication mechanism is working, except for the jsf requests, SPFilter intercepts it as POST requests and redirects to IDP, but the user is already authenticated. So, there is the following issue. https://issues.jboss.org/browse/PLINK2-20 Would you allow a contribution to add a servlet filter init param to optionally add the allowed request methods ? ALLOWED_METHODS GET,POST And change the below code to allow it ? boolean postMethod = "POST".equalsIgnoreCase(request.getMethod()); Defaults to POST to maintain compatibility. Comments ? 
Kind regards -- Claudio Miranda claudio at claudius.com.br http://www.claudius.com.br _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev The information in this e-mail and any attachments is confidential and may be legally privileged. It is intended solely for the addressee or addressees. Any use or disclosure of the contents of this e-mail/attachments by a not intended recipient is unauthorized and may be unlawful. If you have received this e-mail in error please notify the sender. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of TEMENOS. We recommend that you check this e-mail and any attachments against viruses. TEMENOS accepts no liability for any damage caused by any malicious code or virus transmitted by this e-mail. From psilva at redhat.com Fri Oct 24 08:39:59 2014 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 24 Oct 2014 08:39:59 -0400 (EDT) Subject: [security-dev] SPFilter should check principal in POST calls In-Reply-To: References: <648174739.10480169.1414091945423.JavaMail.zimbra@redhat.com> Message-ID: <2018258544.10784871.1414154399335.JavaMail.zimbra@redhat.com> Hey Manohara, Is it possible to use the SP Authenticator Valve in your case ? As I've already mentioned in this thread, the SPFilter is not the best component to configure a SP. I think we already have use cases using ADFS and PL. But they are probably using the valve instead of the filter. Regards. 
----- Original Message ----- From: "Manohara Raju" To: "Pedro Igor Silva" , "Claudio Miranda" Cc: security-dev at lists.jboss.org, "Vinod Raghavan" Sent: Friday, October 24, 2014 9:46:26 AM Subject: RE: SPFilter should check principal in POST calls Hi, Thanks for the response. We are using Picketlink as SP(service provider) and ADFS server as IDP. I tried adding the SP filter in web.xml of our java application, but not successful. Still issue persists. Please can you let me know, is it possible to have a call, so that can discuss and clarify on the configuration settings and about SP. Thanks a lot for the support. Regards, Manoharr. -----Original Message----- From: security-dev-bounces at lists.jboss.org [mailto:security-dev-bounces at lists.jboss.org] On Behalf Of Pedro Igor Silva Sent: Friday, October 24, 2014 12:49 AM To: Claudio Miranda Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] SPFilter should check principal in POST calls Hey Claudio, Makes sense for me. Specially if we maintain backward compatibility. However, the SPFilter is pretty outdated if you compare with both JBossWeb/Tomcat valves and Undertow mech. Maybe you can reach a blocker in the future ... Please, send your contribution if you like to. Contribution is always welcome :) Regards. ----- Original Message ----- From: "Claudio Miranda" To: security-dev at lists.jboss.org Sent: Thursday, October 23, 2014 4:50:06 PM Subject: [security-dev] SPFilter should check principal in POST calls Hi, related to PLINK2-20, our application cannot use SP valve, as there are two authentication mechanism (DatabaseServerLoginModule and SAML2LoginModule). So we use SPFilter and it the alternative authentication mechanism is working, except for the jsf requests, SPFilter intercepts it as POST requests and redirects to IDP, but the user is already authenticated. So, there is the following issue. 
https://issues.jboss.org/browse/PLINK2-20 Would you allow a contribution to add a servlet filter init param to optionally add the allowed request methods ? ALLOWED_METHODS GET,POST And change the below code to allow it ? boolean postMethod = "POST".equalsIgnoreCase(request.getMethod()); Defaults to POST to maintain compatibility. Comments ? Kind regards -- Claudio Miranda claudio at claudius.com.br http://www.claudius.com.br _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev The information in this e-mail and any attachments is confidential and may be legally privileged. It is intended solely for the addressee or addressees. Any use or disclosure of the contents of this e-mail/attachments by a not intended recipient is unauthorized and may be unlawful. If you have received this e-mail in error please notify the sender. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of TEMENOS. We recommend that you check this e-mail and any attachments against viruses. TEMENOS accepts no liability for any damage caused by any malicious code or virus transmitted by this e-mail. From mraju at temenos.com Sun Oct 26 00:12:30 2014 From: mraju at temenos.com (Manohara Raju) Date: Sun, 26 Oct 2014 04:12:30 +0000 Subject: [security-dev] SPFilter should check principal in POST calls In-Reply-To: <2018258544.10784871.1414154399335.JavaMail.zimbra@redhat.com> References: <648174739.10480169.1414091945423.JavaMail.zimbra@redhat.com> <2018258544.10784871.1414154399335.JavaMail.zimbra@redhat.com> Message-ID: Hi Pedro, I have already used SP Authenticator valve at context.xml, still issue persists. 
Regards, Manoharr -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Friday, October 24, 2014 6:10 PM To: Manohara Raju Cc: Claudio Miranda; security-dev at lists.jboss.org; Vinod Raghavan Subject: Re: SPFilter should check principal in POST calls Hey Manohara, Is it possible to use the SP Authenticator Valve in your case ? As I've already mentioned in this thread, the SPFilter is not the best component to configure a SP. I think we already have use cases using ADFS and PL. But they are probably using the valve instead of the filter. Regards. ----- Original Message ----- From: "Manohara Raju" To: "Pedro Igor Silva" , "Claudio Miranda" Cc: security-dev at lists.jboss.org, "Vinod Raghavan" Sent: Friday, October 24, 2014 9:46:26 AM Subject: RE: SPFilter should check principal in POST calls Hi, Thanks for the response. We are using Picketlink as SP(service provider) and ADFS server as IDP. I tried adding the SP filter in web.xml of our java application, but not successful. Still issue persists. Please can you let me know, is it possible to have a call, so that can discuss and clarify on the configuration settings and about SP. Thanks a lot for the support. Regards, Manoharr. -----Original Message----- From: security-dev-bounces at lists.jboss.org [mailto:security-dev-bounces at lists.jboss.org] On Behalf Of Pedro Igor Silva Sent: Friday, October 24, 2014 12:49 AM To: Claudio Miranda Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] SPFilter should check principal in POST calls Hey Claudio, Makes sense for me. Specially if we maintain backward compatibility. However, the SPFilter is pretty outdated if you compare with both JBossWeb/Tomcat valves and Undertow mech. Maybe you can reach a blocker in the future ... Please, send your contribution if you like to. Contribution is always welcome :) Regards. 
----- Original Message ----- From: "Claudio Miranda" To: security-dev at lists.jboss.org Sent: Thursday, October 23, 2014 4:50:06 PM Subject: [security-dev] SPFilter should check principal in POST calls Hi, related to PLINK2-20, our application cannot use SP valve, as there are two authentication mechanism (DatabaseServerLoginModule and SAML2LoginModule). So we use SPFilter and it the alternative authentication mechanism is working, except for the jsf requests, SPFilter intercepts it as POST requests and redirects to IDP, but the user is already authenticated. So, there is the following issue. https://issues.jboss.org/browse/PLINK2-20 Would you allow a contribution to add a servlet filter init param to optionally add the allowed request methods ? ALLOWED_METHODS GET,POST And change the below code to allow it ? boolean postMethod = "POST".equalsIgnoreCase(request.getMethod()); Defaults to POST to maintain compatibility. Comments ? Kind regards -- Claudio Miranda claudio at claudius.com.br http://www.claudius.com.br _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev The information in this e-mail and any attachments is confidential and may be legally privileged. It is intended solely for the addressee or addressees. Any use or disclosure of the contents of this e-mail/attachments by a not intended recipient is unauthorized and may be unlawful. If you have received this e-mail in error please notify the sender. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of TEMENOS. We recommend that you check this e-mail and any attachments against viruses. 
TEMENOS accepts no liability for any damage caused by any malicious code or virus transmitted by this e-mail.

From mraju at temenos.com Sun Oct 26 00:44:39 2014
From: mraju at temenos.com (Manohara Raju)
Date: Sun, 26 Oct 2014 04:44:39 +0000
Subject: [security-dev] SPFilter should check principal in POST calls
References: <648174739.10480169.1414091945423.JavaMail.zimbra@redhat.com> <2018258544.10784871.1414154399335.JavaMail.zimbra@redhat.com>
Message-ID: 

Hi Pedro,

It's also set in jboss-web.xml as below:

    tsp org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator

Thanks,
Manoharr

-----Original Message-----
From: Manohara Raju
Sent: Sunday, October 26, 2014 9:43 AM
To: 'Pedro Igor Silva'
Cc: Claudio Miranda; security-dev at lists.jboss.org; Vinod Raghavan
Subject: RE: SPFilter should check principal in POST calls

Hi Pedro,

I have already used the SP Authenticator valve in context.xml, still the issue persists.

Regards,
Manoharr

-----Original Message-----
From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Friday, October 24, 2014 6:10 PM
To: Manohara Raju
Cc: Claudio Miranda; security-dev at lists.jboss.org; Vinod Raghavan
Subject: Re: SPFilter should check principal in POST calls

Hey Manohara,

Is it possible to use the SP Authenticator Valve in your case ?
As I've already mentioned in this thread, the SPFilter is not the best component to configure a SP. I think we already have use cases using ADFS and PL. But they are probably using the valve instead of the filter. Regards. ----- Original Message ----- From: "Manohara Raju" To: "Pedro Igor Silva" , "Claudio Miranda" Cc: security-dev at lists.jboss.org, "Vinod Raghavan" Sent: Friday, October 24, 2014 9:46:26 AM Subject: RE: SPFilter should check principal in POST calls Hi, Thanks for the response. We are using Picketlink as SP(service provider) and ADFS server as IDP. I tried adding the SP filter in web.xml of our java application, but not successful. Still issue persists. Please can you let me know, is it possible to have a call, so that can discuss and clarify on the configuration settings and about SP. Thanks a lot for the support. Regards, Manoharr. -----Original Message----- From: security-dev-bounces at lists.jboss.org [mailto:security-dev-bounces at lists.jboss.org] On Behalf Of Pedro Igor Silva Sent: Friday, October 24, 2014 12:49 AM To: Claudio Miranda Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] SPFilter should check principal in POST calls Hey Claudio, Makes sense for me. Specially if we maintain backward compatibility. However, the SPFilter is pretty outdated if you compare with both JBossWeb/Tomcat valves and Undertow mech. Maybe you can reach a blocker in the future ... Please, send your contribution if you like to. Contribution is always welcome :) Regards. ----- Original Message ----- From: "Claudio Miranda" To: security-dev at lists.jboss.org Sent: Thursday, October 23, 2014 4:50:06 PM Subject: [security-dev] SPFilter should check principal in POST calls Hi, related to PLINK2-20, our application cannot use SP valve, as there are two authentication mechanism (DatabaseServerLoginModule and SAML2LoginModule). 
So we use SPFilter and it the alternative authentication mechanism is working, except for the jsf requests, SPFilter intercepts it as POST requests and redirects to IDP, but the user is already authenticated. So, there is the following issue. https://issues.jboss.org/browse/PLINK2-20 Would you allow a contribution to add a servlet filter init param to optionally add the allowed request methods ? ALLOWED_METHODS GET,POST And change the below code to allow it ? boolean postMethod = "POST".equalsIgnoreCase(request.getMethod()); Defaults to POST to maintain compatibility. Comments ? Kind regards -- Claudio Miranda claudio at claudius.com.br http://www.claudius.com.br _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev The information in this e-mail and any attachments is confidential and may be legally privileged. It is intended solely for the addressee or addressees. Any use or disclosure of the contents of this e-mail/attachments by a not intended recipient is unauthorized and may be unlawful. If you have received this e-mail in error please notify the sender. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of TEMENOS. We recommend that you check this e-mail and any attachments against viruses. TEMENOS accepts no liability for any damage caused by any malicious code or virus transmitted by this e-mail. The information in this e-mail and any attachments is confidential and may be legally privileged. It is intended solely for the addressee or addressees. Any use or disclosure of the contents of this e-mail/attachments by a not intended recipient is unauthorized and may be unlawful. 
If you have received this e-mail in error please notify the sender. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of TEMENOS. We recommend that you check this e-mail and any attachments against viruses. TEMENOS accepts no liability for any damage caused by any malicious code or virus transmitted by this e-mail.

From giriraj.sharma27 at gmail.com Sun Oct 26 05:50:28 2014
From: giriraj.sharma27 at gmail.com (Giriraj Sharma)
Date: Sun, 26 Oct 2014 15:20:28 +0530
Subject: [security-dev] Implementing CORS filter to Picketlink HTTP Security API
Message-ID: 

Hi,

In order to implement the first cut of a CORS (Cross-Origin Resource Sharing) filter in the Picketlink Http Security API, I have wrapped up with the following two initial ideas for providing CORS configuration, which can then be loaded and parsed using CORSConfigurationLoader and handled by CORSRequestHandler and CORSResponseWrapper:

#1. We can have a configuration file such as cors-sample.configuration

    cors.allowGenericHttpRequests=true
    cors.allowOrigin=https://www.example.org:9000, http://example.com:8008
    cors.allowSubdomains=false
    cors.supportedMethods=GET, PUT, HEAD, POST, DELETE, OPTIONS
    cors.supportedHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization
    cors.exposedHeaders=
    cors.supportsCredentials=true
    cors.maxAge=3600

#2. We can have a servlet CORS filter in web.xml such as CORS.xml

Either configuration could be used for making (implementing) use of CORS requests in any application. If this looks fine, I will go forward with its implementation ?

Regards,
-- 
Giriraj Sharma,
Department of Computer Science
National Institute of Technology Hamirpur
Himachal Pradesh, India
-------------- next part --------------
An HTML attachment was scrubbed...
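As an added illustration of what the cors.* settings above have to enforce (this is example code, not Giriraj's proposal nor anything in PicketLink): a servlet filter that applies them. The property keys are the ones from the proposal; reading them as filter init-params, the CorsFilter class name and the exact matching rules are assumptions made here. The two points a reviewer would want covered are that the Origin header is only ever echoed after an exact (or, when cors.allowSubdomains=true, scheme-and-port-preserving subdomain) match, since with cors.supportsCredentials=true reflecting an arbitrary Origin would let any site read responses that carry the user's cookies, and that every CORS response carries Vary: Origin so a shared cache cannot serve one site's grant to another.

```java
// Added example, not PicketLink code: a servlet filter that enforces the
// cors.* settings proposed in the thread. The property keys are the ones
// from the proposal; reading them as filter init-params, the class name and
// the matching rules are assumptions made for this example.
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CorsFilter implements Filter {
    private final Set<String> allowedOrigins = new HashSet<>();
    private final Set<String> supportedMethods = new HashSet<>();
    private final Set<String> supportedHeaders = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
    private String exposedHeaders = "";
    private boolean allowGenericHttpRequests = true;
    private boolean allowSubdomains;
    private boolean supportsCredentials;
    private long maxAge = 3600;

    @Override
    public void init(FilterConfig cfg) {
        allowedOrigins.addAll(split(cfg.getInitParameter("cors.allowOrigin")));
        for (String m : split(cfg.getInitParameter("cors.supportedMethods"))) supportedMethods.add(m.toUpperCase());
        supportedHeaders.addAll(split(cfg.getInitParameter("cors.supportedHeaders")));
        exposedHeaders = String.join(", ", split(cfg.getInitParameter("cors.exposedHeaders")));
        allowGenericHttpRequests = !"false".equalsIgnoreCase(cfg.getInitParameter("cors.allowGenericHttpRequests"));
        allowSubdomains = Boolean.parseBoolean(cfg.getInitParameter("cors.allowSubdomains"));
        supportsCredentials = Boolean.parseBoolean(cfg.getInitParameter("cors.supportsCredentials"));
        String age = cfg.getInitParameter("cors.maxAge");
        if (age != null) maxAge = Long.parseLong(age.trim());
    }

    /** Splits a comma-separated value such as "GET, PUT, HEAD", dropping blanks. */
    static List<String> split(String csv) {
        List<String> out = new ArrayList<>();
        if (csv == null) return out;
        for (String s : csv.split(",")) if (!s.trim().isEmpty()) out.add(s.trim());
        return out;
    }

    /** Exact match against cors.allowOrigin; with cors.allowSubdomains=true a same-scheme,
     *  same-port origin whose host is a subdomain of an allowed host also matches.
     *  Anything else is refused: the Origin header is never reflected unchecked. */
    boolean originAllowed(String origin) {
        if (origin == null || "null".equals(origin)) return false;   // opaque origins never match
        if (allowedOrigins.contains(origin)) return true;
        if (!allowSubdomains) return false;
        try {
            URI o = new URI(origin);
            if (o.getScheme() == null || o.getHost() == null) return false;
            for (String allowed : allowedOrigins) {
                URI base = new URI(allowed);
                if (base.getHost() != null && o.getScheme().equalsIgnoreCase(base.getScheme())
                        && o.getPort() == base.getPort()
                        && o.getHost().toLowerCase().endsWith("." + base.getHost().toLowerCase())) {
                    return true;
                }
            }
        } catch (URISyntaxException e) {
            return false;
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");
        if (origin == null) {                          // not a cross-origin request at all
            if (allowGenericHttpRequests) chain.doFilter(req, res);
            else response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Shared caches must key on Origin, or one site's CORS headers get served to another.
        response.addHeader("Vary", "Origin");
        boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;
        if (!originAllowed(origin)) {
            // Preflight fails outright; an actual request runs without CORS headers, so the
            // browser withholds the response. Its side effects still happen, which is why
            // this filter is no substitute for CSRF protection.
            if (preflight) response.sendError(HttpServletResponse.SC_FORBIDDEN);
            else chain.doFilter(req, res);
            return;
        }
        response.setHeader("Access-Control-Allow-Origin", origin);
        if (supportsCredentials) response.setHeader("Access-Control-Allow-Credentials", "true");
        if (preflight) {
            String method = request.getHeader("Access-Control-Request-Method").toUpperCase();
            List<String> headers = split(request.getHeader("Access-Control-Request-Headers"));
            if (!supportedMethods.contains(method) || !supportedHeaders.containsAll(headers)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            response.setHeader("Access-Control-Allow-Methods", String.join(", ", supportedMethods));
            response.setHeader("Access-Control-Allow-Headers", String.join(", ", supportedHeaders));
            response.setHeader("Access-Control-Max-Age", Long.toString(maxAge));
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;                                    // preflights never reach the application
        }
        if (!exposedHeaders.isEmpty()) response.setHeader("Access-Control-Expose-Headers", exposedHeaders);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

With the sample file above, a preflight from https://evil.example with Origin set to that value gets a 403 and no Allow-Origin header, while one from https://www.example.org:9000 gets 204 with the Allow-* headers and Max-Age 3600; a request from https://api.www.example.org:9000 is accepted only after cors.allowSubdomains is flipped to true, and http://www.example.org:9000 (wrong scheme) never is.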
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20141026/7c4def1b/attachment.html From psilva at redhat.com Mon Oct 27 07:04:59 2014 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 27 Oct 2014 07:04:59 -0400 (EDT) Subject: [security-dev] Implementing CORS filter to Picketlink HTTP Security API In-Reply-To: References: Message-ID: <112579301.420019.1414407899756.JavaMail.zimbra@redhat.com> Hey Sharma ! It looks fine. But what about having this options in our config api ? Something like: http() .path("/somePath") .cors() //options ----- Original Message ----- From: "Giriraj Sharma" To: security-dev at lists.jboss.org Cc: "Pedro Igor Craveiro e Silva" Sent: Sunday, October 26, 2014 7:50:28 AM Subject: [security-dev] Implementing CORS filter to Picketlink HTTP Security API Hi, In order to implement the first cut of CORS ( Cross-Origin Resource Sharing ) filter in Picketlink Http Security API, I have wrapped up with following two initial ideas as providing CORS Configuration which can be then loaded and parsed using CORSConfigurationLoader and handled by CORSRequestHandler and CORSResponseWrapper, #1. We can have a configuration file such as cors-sample.configuration cors.allowGenericHttpRequests=true cors.allowOrigin= https://www.example.org:9000 , http://example.com:8008 cors.allowSubdomains=false cors.supportedMethods=GET, PUT, HEAD, POST, DELETE, OPTIONS cors.supportedHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization cors.exposedHeaders= cors.supportsCredentials=true cors.maxAge=3600 #2 . We can have a servlet CORS filter in web.xml such as CORS.xml Either configuration could be used for making(implementing) use of CORS requests in any application. If this looks fine, I will go forward with its implementation ? 
Regards, -- Giriraj Sharma, Department of Computer Science National Institute of Technology Hamirpur Himachal Pradesh, India _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev From giriraj.sharma27 at gmail.com Mon Oct 27 08:34:50 2014 From: giriraj.sharma27 at gmail.com (Giriraj Sharma) Date: Mon, 27 Oct 2014 18:04:50 +0530 Subject: [security-dev] Implementing CORS filter to Picketlink HTTP Security API In-Reply-To: <112579301.420019.1414407899756.JavaMail.zimbra@redhat.com> References: <112579301.420019.1414407899756.JavaMail.zimbra@redhat.com> Message-ID: Thanks pedro, So, I hope it would be good to have http config api for providing cors configuration and to keep config-file and sevlet filter as alternative means to provide cors configuration i.e., having impl for all the three ways. This would enable a user to use cors as a part of PL HTTP API or just the cors itself alone using config-file or servlet filter . -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/security-dev/attachments/20141027/707f664c/attachment.html From psilva at redhat.com Mon Oct 27 08:39:03 2014 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 27 Oct 2014 08:39:03 -0400 (EDT) Subject: [security-dev] SPFilter should check principal in POST calls In-Reply-To: References: <648174739.10480169.1414091945423.JavaMail.zimbra@redhat.com> <2018258544.10784871.1414154399335.JavaMail.zimbra@redhat.com> Message-ID: <1585546650.468216.1414413543489.JavaMail.zimbra@redhat.com> Are you setting both valve and filter ? You only need one or another ... Btw, I've reviewed the SPFilter. I think I've a new version for this component that should behave just like the valve. I can send you some jars so you can try it out. Also, let's move this discussion to [1], ok ? https://issues.jboss.org/browse/PLINK2-120 Regards. 
----- Original Message ----- From: "Manohara Raju" To: "Pedro Igor Silva" Cc: "Claudio Miranda" , security-dev at lists.jboss.org, "Vinod Raghavan" Sent: Sunday, October 26, 2014 2:44:39 AM Subject: RE: SPFilter should check principal in POST calls Hi Pedro, Its also set in jboss-web.xml also as below: tsp org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator Thanks, Manoharr -----Original Message----- From: Manohara Raju Sent: Sunday, October 26, 2014 9:43 AM To: 'Pedro Igor Silva' Cc: Claudio Miranda; security-dev at lists.jboss.org; Vinod Raghavan Subject: RE: SPFilter should check principal in POST calls Hi Pedro, I have already used SP Authenticator valve at context.xml, still issue persists. Regards, Manoharr -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Friday, October 24, 2014 6:10 PM To: Manohara Raju Cc: Claudio Miranda; security-dev at lists.jboss.org; Vinod Raghavan Subject: Re: SPFilter should check principal in POST calls Hey Manohara, Is it possible to use the SP Authenticator Valve in your case ? As I've already mentioned in this thread, the SPFilter is not the best component to configure a SP. I think we already have use cases using ADFS and PL. But they are probably using the valve instead of the filter. Regards. ----- Original Message ----- From: "Manohara Raju" To: "Pedro Igor Silva" , "Claudio Miranda" Cc: security-dev at lists.jboss.org, "Vinod Raghavan" Sent: Friday, October 24, 2014 9:46:26 AM Subject: RE: SPFilter should check principal in POST calls Hi, Thanks for the response. We are using Picketlink as SP(service provider) and ADFS server as IDP. I tried adding the SP filter in web.xml of our java application, but not successful. Still issue persists. Please can you let me know, is it possible to have a call, so that can discuss and clarify on the configuration settings and about SP. Thanks a lot for the support. Regards, Manoharr. 
-----Original Message----- From: security-dev-bounces at lists.jboss.org [mailto:security-dev-bounces at lists.jboss.org] On Behalf Of Pedro Igor Silva Sent: Friday, October 24, 2014 12:49 AM To: Claudio Miranda Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] SPFilter should check principal in POST calls Hey Claudio, Makes sense for me. Specially if we maintain backward compatibility. However, the SPFilter is pretty outdated if you compare with both JBossWeb/Tomcat valves and Undertow mech. Maybe you can reach a blocker in the future ... Please, send your contribution if you like to. Contribution is always welcome :) Regards. ----- Original Message ----- From: "Claudio Miranda" To: security-dev at lists.jboss.org Sent: Thursday, October 23, 2014 4:50:06 PM Subject: [security-dev] SPFilter should check principal in POST calls Hi, related to PLINK2-20, our application cannot use SP valve, as there are two authentication mechanism (DatabaseServerLoginModule and SAML2LoginModule). So we use SPFilter and it the alternative authentication mechanism is working, except for the jsf requests, SPFilter intercepts it as POST requests and redirects to IDP, but the user is already authenticated. So, there is the following issue. https://issues.jboss.org/browse/PLINK2-20 Would you allow a contribution to add a servlet filter init param to optionally add the allowed request methods ? ALLOWED_METHODS GET,POST And change the below code to allow it ? boolean postMethod = "POST".equalsIgnoreCase(request.getMethod()); Defaults to POST to maintain compatibility. Comments ? 
Kind regards
-- 
Claudio Miranda
claudio at claudius.com.br
http://www.claudius.com.br

_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev

The information in this e-mail and any attachments is confidential and may be legally privileged. It is intended solely for the addressee or addressees. Any use or disclosure of the contents of this e-mail/attachments by a not intended recipient is unauthorized and may be unlawful. If you have received this e-mail in error please notify the sender. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of TEMENOS. We recommend that you check this e-mail and any attachments against viruses. TEMENOS accepts no liability for any damage caused by any malicious code or virus transmitted by this e-mail.
From adamdong at vidder.com Tue Oct 28 14:22:27 2014 From: adamdong at vidder.com (Adam Dong) Date: Tue, 28 Oct 2014 18:22:27 +0000 Subject: [security-dev] question about setting NameIDPolicy format Message-ID: <918d48691eaa4c30ab154bc854066767@BY2PR0401MB0934.namprd04.prod.outlook.com> Hi, On SP side, how to configure/set the NameIDPolicy format that is used to construct AuthnRequest ? Does the configuration mechanism exist ? In picketlink.xml ? Thanks, Adam From psilva at redhat.com Tue Oct 28 15:00:50 2014 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 28 Oct 2014 15:00:50 -0400 (EDT) Subject: [security-dev] question about setting NameIDPolicy format In-Reply-To: <918d48691eaa4c30ab154bc854066767@BY2PR0401MB0934.namprd04.prod.outlook.com> References: <918d48691eaa4c30ab154bc854066767@BY2PR0401MB0934.namprd04.prod.outlook.com> Message-ID: <422571450.1576452.1414522850940.JavaMail.zimbra@redhat.com> Hi, Did you try passing the NAMEID_FORMAT option above to the SAML2AuthenticationHandler [1] ? [1] https://docs.jboss.org/author/display/PLINK/SAML2AuthenticationHandler Regards. ----- Original Message ----- From: "Adam Dong" Cc: security-dev at lists.jboss.org Sent: Tuesday, October 28, 2014 4:22:27 PM Subject: [security-dev] question about setting NameIDPolicy format Hi, On SP side, how to configure/set the NameIDPolicy format that is used to construct AuthnRequest ? Does the configuration mechanism exist ? In picketlink.xml ? 
Thanks, Adam _______________________________________________ security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev From adamdong at vidder.com Tue Oct 28 15:05:07 2014 From: adamdong at vidder.com (Adam Dong) Date: Tue, 28 Oct 2014 19:05:07 +0000 Subject: [security-dev] question about setting NameIDPolicy format In-Reply-To: <422571450.1576452.1414522850940.JavaMail.zimbra@redhat.com> References: <918d48691eaa4c30ab154bc854066767@BY2PR0401MB0934.namprd04.prod.outlook.com> <422571450.1576452.1414522850940.JavaMail.zimbra@redhat.com> Message-ID: <2c7b03fcecff476c8692b18b8ee5d03d@BY2PR0401MB0934.namprd04.prod.outlook.com> Pedro, That worked. Thanks a lot. Adam -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Tuesday, October 28, 2014 12:01 PM To: Adam Dong Cc: security-dev at lists.jboss.org Subject: Re: [security-dev] question about setting NameIDPolicy format Hi, Did you try passing the NAMEID_FORMAT option above to the SAML2AuthenticationHandler [1] ? [1] https://docs.jboss.org/author/display/PLINK/SAML2AuthenticationHandler Regards. ----- Original Message ----- From: "Adam Dong" Cc: security-dev at lists.jboss.org Sent: Tuesday, October 28, 2014 4:22:27 PM Subject: [security-dev] question about setting NameIDPolicy format Hi, On SP side, how to configure/set the NameIDPolicy format that is used to construct AuthnRequest ? Does the configuration mechanism exist ? In picketlink.xml ? 
Thanks,
Adam
_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev

From claudio at claudius.com.br Wed Oct 29 14:00:59 2014
From: claudio at claudius.com.br (Claudio Miranda)
Date: Wed, 29 Oct 2014 16:00:59 -0200
Subject: [security-dev] SPFilter should check principal in POST calls
In-Reply-To: <648174739.10480169.1414091945423.JavaMail.zimbra@redhat.com>
References: <648174739.10480169.1414091945423.JavaMail.zimbra@redhat.com>
Message-ID: 

On Thu, Oct 23, 2014 at 5:19 PM, Pedro Igor Silva wrote:
> However, the SPFilter is pretty outdated if you compare with both JBossWeb/Tomcat valves and Undertow mech. Maybe you can reach a blocker in the future ...
>
> Please, send your contribution if you like to. Contribution is always welcome :)

Hi Pedro,

I saw that only GET is allowed because every POST is redirected to the IDP in case a SAML response is part of the POST request. So, my modification just checks if there is a POST response. I tried to test in a wildfly 9 recent snapshot, but it throws an NPE in io.undertow.security.impl.SecurityContextImpl.authenticationComplete. The tests are performed with jboss-picketlink-quickstarts (idp, sales-post, employee)

https://github.com/picketlink/picketlink/pull/428

Also a minor fix, to correct a wrong wildfly name in the picketlink-wildfly-common artifact name

https://github.com/picketlink/picketlink-bindings/pull/108

-- 
Claudio Miranda
claudio at claudius.com.br
http://www.claudius.com.br

From psilva at redhat.com Wed Oct 29 14:05:17 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 29 Oct 2014 14:05:17 -0400 (EDT)
Subject: [security-dev] SPFilter should check principal in POST calls
In-Reply-To: 
References: <648174739.10480169.1414091945423.JavaMail.zimbra@redhat.com>
Message-ID: <1865085009.2473045.1414605917026.JavaMail.zimbra@redhat.com>

Thanks for your contribution Claudio.
But as I mentioned before, I did some changes to the SPFilter to get it in sync with the JBossWeb valve. Please, take a look at the PR associated with the issue below https://issues.jboss.org/browse/PLINK2-120 I've also added a new page on Confluence describing how to use it. Would be nice if you could test it and see if it works for you. Regards. ----- Original Message ----- From: "Claudio Miranda" To: "Pedro Igor Silva" Cc: security-dev at lists.jboss.org Sent: Wednesday, October 29, 2014 4:00:59 PM Subject: Re: [security-dev] SPFilter should check principal in POST calls On Thu, Oct 23, 2014 at 5:19 PM, Pedro Igor Silva wrote: > However, the SPFilter is pretty outdated if you compare with both JBossWeb/Tomcat valves and Undertow mech. Maybe you can reach a blocker in the future ... > > Please, send your contribution if you like to. Contribution is always welcome :) Hi Pedro, I saw that only GET is allowed because every POST is redirected to IDP in case a saml response is part of the POST request. So, my modification just checks if there are a post response. I tried to test in wildfly 9 recent snapshop, but it throws a NPE in io.undertow.security.impl.SecurityContextImpl.authenticationComplete. 
The tests are performed with jboss-picketlink-quickstarts (idp, sales-post, employee) https://github.com/picketlink/picketlink/pull/428 Also a minor fix, to correct a wrong wildfly name in picketlink-wildfly-common artifact name https://github.com/picketlink/picketlink-bindings/pull/108 -- Claudio Miranda claudio at claudius.com.br http://www.claudius.com.br From claudio at claudius.com.br Wed Oct 29 14:06:45 2014 From: claudio at claudius.com.br (Claudio Miranda) Date: Wed, 29 Oct 2014 16:06:45 -0200 Subject: [security-dev] SPFilter should check principal in POST calls In-Reply-To: References: <648174739.10480169.1414091945423.JavaMail.zimbra@redhat.com> Message-ID: On Wed, Oct 29, 2014 at 4:00 PM, Claudio Miranda wrote: > So, my modification just checks if there are a post response. I tried > to test in wildfly 9 recent snapshop, but it throws a NPE in > io.undertow.security.impl.SecurityContextImpl.authenticationComplete. > The tests are performed with jboss-picketlink-quickstarts (idp, > sales-post, employee) Huh, I just see SPFilter was modified and I didn't rebase my repo, I will take a look into it. -- Claudio Miranda claudio at claudius.com.br http://www.claudius.com.br From claudio at claudius.com.br Wed Oct 29 14:36:42 2014 From: claudio at claudius.com.br (Claudio Miranda) Date: Wed, 29 Oct 2014 16:36:42 -0200 Subject: [security-dev] SPFilter should check principal in POST calls In-Reply-To: <1865085009.2473045.1414605917026.JavaMail.zimbra@redhat.com> References: <648174739.10480169.1414091945423.JavaMail.zimbra@redhat.com> <1865085009.2473045.1414605917026.JavaMail.zimbra@redhat.com> Message-ID: On Wed, Oct 29, 2014 at 4:05 PM, Pedro Igor Silva wrote: > But as I mentioned before, I did some changes to the SPFilter to get it in sync with the JBossWeb valve. Please, take a look at the PR associated with the issue below > > https://issues.jboss.org/browse/PLINK2-120 Awesome, I will perform some teste on SPFilter. 
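The behaviour Claudio describes in the thread above (every POST sent to the IDP, so the SP had to check for an existing principal and for a SAML response carried by the POST before redirecting) is shown here as a small servlet filter. This is an added example, not PicketLink's SPFilter or the code from the pull request; the `SamlResponseProcessor` hook, the `idpUrl` parameter and the `sp.principal` session attribute are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Illustrative service-provider filter (not PicketLink's SPFilter). Per request it either
 * lets it through, consumes a SAML response delivered by the HTTP-POST binding, or sends
 * the browser to the IDP.
 */
public class SpPostAwareFilter implements Filter {

    /** Outcome of the per-request decision. */
    enum Action { PASS, PROCESS_SAML_RESPONSE, REDIRECT_TO_IDP }

    /** Assumed hook: validates the SAMLResponse (signature, audience, conditions) and
     *  returns the authenticated principal, or null if the response must be rejected. */
    public interface SamlResponseProcessor {
        Principal process(HttpServletRequest request) throws ServletException;
    }

    static final String PRINCIPAL_ATTR = "sp.principal"; // assumed session attribute name

    private final SamlResponseProcessor processor;
    private final String idpUrl;                          // assumed IDP SSO endpoint

    public SpPostAwareFilter(SamlResponseProcessor processor, String idpUrl) {
        this.processor = processor;
        this.idpUrl = idpUrl;
    }

    /**
     * Pure decision logic. The outdated behaviour sent every POST to the IDP, bouncing form
     * submissions from users who were already authenticated. The corrected order honours an
     * existing principal regardless of method, then treats a POST carrying SAMLResponse as
     * the IDP's answer; anything else starts authentication.
     */
    static Action decide(String method, boolean hasPrincipal, boolean hasSamlResponse) {
        if (hasPrincipal) return Action.PASS;
        if ("POST".equalsIgnoreCase(method) && hasSamlResponse) return Action.PROCESS_SAML_RESPONSE;
        return Action.REDIRECT_TO_IDP;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        boolean hasPrincipal = session != null && session.getAttribute(PRINCIPAL_ATTR) != null;
        boolean hasSamlResponse = request.getParameter("SAMLResponse") != null;

        switch (decide(request.getMethod(), hasPrincipal, hasSamlResponse)) {
            case PASS:
                chain.doFilter(req, res);
                return;
            case PROCESS_SAML_RESPONSE:
                Principal principal = processor.process(request);
                if (principal == null) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
                if (session != null) session.invalidate();       // fresh session after login (no fixation)
                request.getSession(true).setAttribute(PRINCIPAL_ATTR, principal);
                response.sendRedirect(request.getRequestURI());  // re-fetch the protected page as GET
                return;
            default:
                response.sendRedirect(idpUrl);                   // AuthnRequest construction not shown
        }
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```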
From haritha.pe at gmail.com Wed Oct 29 15:31:59 2014
From: haritha.pe at gmail.com (Haritha)
Date: Wed, 29 Oct 2014 15:31:59 -0400
Subject: [security-dev] Error deploying Picketlink-authorization-idm-ldap
Message-ID:

Hi Team,

I have downloaded the quickstart Picketlink-authorization-idm-ldap, modified it for my own ldap server and tried deploying in jboss eap 6, but I am getting the following error

Component.securityinitializer.create is missing [jboss.ejb3.singletondefaulttimeout

Sent from my iPhone

From claudio at claudius.com.br Wed Oct 29 15:41:09 2014
From: claudio at claudius.com.br (Claudio Miranda)
Date: Wed, 29 Oct 2014 17:41:09 -0200
Subject: [security-dev] SPFilter should check principal in POST calls
In-Reply-To:
References: <648174739.10480169.1414091945423.JavaMail.zimbra@redhat.com> <1865085009.2473045.1414605917026.JavaMail.zimbra@redhat.com>
Message-ID:

SPFilter worked, thanks Pedro !

From psilva at redhat.com Wed Oct 29 17:43:14 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 29 Oct 2014 17:43:14 -0400 (EDT)
Subject: [security-dev] SPFilter should check principal in POST calls
In-Reply-To:
References: <648174739.10480169.1414091945423.JavaMail.zimbra@redhat.com> <1865085009.2473045.1414605917026.JavaMail.zimbra@redhat.com>
Message-ID: <1382788671.2638167.1414618994858.JavaMail.zimbra@redhat.com>

Nice, going to mark that issue as resolved now.

Thanks Claudio !

From snhp20524 at gmail.com Thu Oct 30 08:17:04 2014
From: snhp20524 at gmail.com (Snhp)
Date: Thu, 30 Oct 2014 08:17:04 -0400
Subject: [security-dev] Picketlink integration with IDM
Message-ID: <8B47BD04-E2E1-4B13-9956-A38F5DDC873B@gmail.com>

Hi All,

Can someone share examples on Picketlink integration with IDM (red hat) ?

I am trying to configure IDM instead of LDAP/Database..

Sent from my iPad

From claudio at claudius.com.br Thu Oct 30 08:55:33 2014
From: claudio at claudius.com.br (Claudio Miranda)
Date: Thu, 30 Oct 2014 10:55:33 -0200
Subject: [security-dev] Picketlink integration with IDM
In-Reply-To: <8B47BD04-E2E1-4B13-9956-A38F5DDC873B@gmail.com>
References: <8B47BD04-E2E1-4B13-9956-A38F5DDC873B@gmail.com>
Message-ID:

On Thu, Oct 30, 2014 at 10:17 AM, Snhp wrote:
> Can someone share examples on Picketlink integration with IDM (red hat) ?

Take a look at the picketlink quickstarts [1], there are samples for IDP, and SSO with 2 basic applications

IDP
picketlink-federation-saml-idp-basic
picketlink-federation-saml-sp-post-basic
picketlink-federation-saml-sp-redirect-basic

[1] https://github.com/jboss-developer/jboss-picketlink-quickstarts

From psilva at redhat.com Thu Oct 30 09:40:44 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 30 Oct 2014 09:40:44 -0400 (EDT)
Subject: [security-dev] Picketlink integration with IDM
In-Reply-To: <8B47BD04-E2E1-4B13-9956-A38F5DDC873B@gmail.com>
References: <8B47BD04-E2E1-4B13-9956-A38F5DDC873B@gmail.com>
Message-ID: <998811273.3152066.1414676444406.JavaMail.zimbra@redhat.com>

Do you mean using PL IDM to authenticate users from your PL IDP ?

From snhp20524 at gmail.com Thu Oct 30 10:10:59 2014
From: snhp20524 at gmail.com (Snhp)
Date: Thu, 30 Oct 2014 10:10:59 -0400
Subject: [security-dev] Picketlink integration with IDM
In-Reply-To: <998811273.3152066.1414676444406.JavaMail.zimbra@redhat.com>
References: <8B47BD04-E2E1-4B13-9956-A38F5DDC873B@gmail.com> <998811273.3152066.1414676444406.JavaMail.zimbra@redhat.com>
Message-ID:

My requirement is to authenticate users from red hat idm or Ipa

Sent from my iPhone

From psilva at redhat.com Thu Oct 30 11:39:45 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 30 Oct 2014 11:39:45 -0400 (EDT)
Subject: [security-dev] Picketlink integration with IDM
In-Reply-To:
References: <8B47BD04-E2E1-4B13-9956-A38F5DDC873B@gmail.com> <998811273.3152066.1414676444406.JavaMail.zimbra@redhat.com>
Message-ID: <1118311522.3329906.1414683585363.JavaMail.zimbra@redhat.com>

I think you can get some guidance from our IT team.

From snhp20524 at gmail.com Thu Oct 30 14:49:18 2014
From: snhp20524 at gmail.com (Snhp)
Date: Thu, 30 Oct 2014 14:49:18 -0400
Subject: [security-dev] Picketlink integration with IDM
In-Reply-To: <1118311522.3329906.1414683585363.JavaMail.zimbra@redhat.com>
References: <8B47BD04-E2E1-4B13-9956-A38F5DDC873B@gmail.com> <998811273.3152066.1414676444406.JavaMail.zimbra@redhat.com> <1118311522.3329906.1414683585363.JavaMail.zimbra@redhat.com>
Message-ID: <4115B564-42E3-4CFB-AA7C-6896A575570D@gmail.com>

I am new to Picketlink idm ..

Can someone guide me on the design approach for the below requirement

1) user login through web app using login page.

2) web app should invoke picketlink idm API's to connect to red hat idm or IPA server for validating user identities

Appreciate your comments and sample code if available

Sent from my iPhone

From psilva at redhat.com Thu Oct 30 15:00:35 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 30 Oct 2014 15:00:35 -0400 (EDT)
Subject: [security-dev] Picketlink integration with IDM
In-Reply-To: <4115B564-42E3-4CFB-AA7C-6896A575570D@gmail.com>
References: <8B47BD04-E2E1-4B13-9956-A38F5DDC873B@gmail.com> <998811273.3152066.1414676444406.JavaMail.zimbra@redhat.com> <1118311522.3329906.1414683585363.JavaMail.zimbra@redhat.com> <4115B564-42E3-4CFB-AA7C-6896A575570D@gmail.com>
Message-ID: <1531266737.3503248.1414695635324.JavaMail.zimbra@redhat.com>

We don't have any example for that, yet.

But I think you can create a LoginModule that uses PL IDM to connect to rht idp or ipa. In the next EAP release you'll be able to configure PL IDM using a subsystem and get a reference to the PartitionManager from your LoginModule.

But for now, I think you can try to build the partition manager inside your LM with all the necessary configuration to communicate with rht idm or ipa. Take a look at [1] about how to configure an LDAP identity store.

[1] https://github.com/jboss-developer/jboss-picketlink-quickstarts/tree/master/picketlink-authorization-idm-ldap

From snhp20524 at gmail.com Fri Oct 31 12:18:09 2014
From: snhp20524 at gmail.com (Snhp)
Date: Fri, 31 Oct 2014 12:18:09 -0400
Subject: [security-dev] Picketlink integration with IDM
In-Reply-To: <1531266737.3503248.1414695635324.JavaMail.zimbra@redhat.com>
References: <8B47BD04-E2E1-4B13-9956-A38F5DDC873B@gmail.com> <998811273.3152066.1414676444406.JavaMail.zimbra@redhat.com> <1118311522.3329906.1414683585363.JavaMail.zimbra@redhat.com> <4115B564-42E3-4CFB-AA7C-6896A575570D@gmail.com> <1531266737.3503248.1414695635324.JavaMail.zimbra@redhat.com>
Message-ID: <599AED0F-545A-4C95-95D4-95454A9903B0@gmail.com>

Thanks Pedro,

I have looked at the example but the Picketlink IdentityManagementConfiguration class supports only ldap connection.. We need to extend the class to support IPA server ...

We were able to connect to the IPA server from Keycloak ..

Sent from my iPhone

From adamdong at vidder.com Fri Oct 31 15:40:05 2014
From: adamdong at vidder.com (Adam Dong)
Date: Fri, 31 Oct 2014 19:40:05 +0000
Subject: [security-dev] How to config SP to talk to multiple IDPs
Message-ID:

Hi,

How to configure ServiceProviderAuthenticator to multiplex among multiple IDPs depending on some request parameter (a flag to indicate which IDP to talk to) ? Note that I am NOT talking about IDP discovery where I have to set up a common domain.

When can we expect SPFilter to be updated up to the level of ServiceProviderAuthenticator ?

Thanks, Adam