Pedro,
I finally had time to try that jar file on Tomcat 7 (no Jboss), now there is no more
complaint during loading of my simple one-page (index.jsp) web app with the following
META-INF/context.xml:
<Context>
<Valve
className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator"/>
<Context>
However, when I try to access my index page, there is no SAML traffic, the index page just
showed up.
I further tried to sub-class ServiceProviderAuthenticator with a default constructor to
print out a line to show that it is instantiated.
I used that class as the valve. The log did prove that the valve is instantiated during
loading time. But an access to the web app (well, just the index page) didn't cause
any SAML interaction at all.
So what am I missing ? Did I misunderstand how ServiceProviderAuthenticator is supposed to
be used ?
Thanks,
Adam
PS: I examined the source code for ServiceProviderAuthenticator, its parent
AbstractSPFormAuthenticator, and its grandparent BaseFormAuthenticator, I was expecting to
see the implemention of invoke(request, response) method with similar logic as in
SPFilter's doFilter(request, response) method. But neither of the 3 classes implement
invoke(...) method, why is that ? How does SAML processing come into the picture then ?
Another general question, is picket link SAML offering widely used in commercial products
?
-----Original Message-----
From: Adam Dong
Sent: Friday, August 29, 2014 3:00 PM
To: 'Pedro Igor Silva'
Cc: security-dev(a)lists.jboss.org
Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of
in Jboss ?
Pedro Igor,
Thank you so much. I will try it out and report the result back to this email group.
Adam Dong
-----Original Message-----
From: Pedro Igor Silva [mailto:psilva@redhat.com]
Sent: Friday, August 29, 2014 5:37 AM
To: Adam Dong
Cc: security-dev(a)lists.jboss.org
Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of
in Jboss ?
Hi Adam,
This is the right GAV:
<dependency>
<groupId>org.picketlink.distribution</groupId>
<artifactId>picketlink-tomcat7</artifactId>
<version>${picketlink.version}</version>
</dependency>
The picketlink-tomact7-single can not be used alone. Try to download from here:
https://repository.jboss.org/nexus/content/groups/public/org/picketlink/d...
Regards.
Pedro Igor
----- Original Message -----
From: "Adam Dong" <adamdong(a)vidder.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: security-dev(a)lists.jboss.org
Sent: Wednesday, August 27, 2014 10:18:32 PM
Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of
in Jboss ?
OK, I found picketlink-tomcat7-single-2.6.0.Final.jar on
picketlink.org site, replaced
picketlink-jbas7-2.6.0.Final.jar with it. Now I got
java.lang.NoClassDefFoundError:
org/picketlink/identity/federation/bindings/tomcat/sp/AbstractSPFormAuthenticator
And I checked, indeed AbstractSPFormAuthenticator is not in
picketlink-tomcat7-single-2.6.0.Final.jar, but in picketlink-jbas7-2.6.0.Final.jar.
Is picketlink-tomcat7-single-2.6.0.Final.jar missing a few files ?
Should I grab those missing file from jbas7 jar file and put them into tomcat7 jar file ?
Would they be compatible ?
To check the compatibility, I found the following. ServiceProviderAuthenticator.class in
picketlink-tomcat7-single-2.6.0.Final.jar:
1667 Sun Jun 22 03:04:00 PDT 2014
org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class
The same class in picketlink-jbas7-2.6.0.Final.jar:
978 Sun Jun 22 03:03:56 PDT 2014
org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class
They are different. Is that correct ? Can I trust the AbstractSPFormAuthenticator.class in
jbas7 jar file to work with ServiceProviderAuthenticator.class in tomcat7 jar file ?
Thanks,
Adam Dong
-----Original Message-----
From: Adam Dong
Sent: Wednesday, August 27, 2014 2:29 PM
To: 'Pedro Igor Silva'
Cc: security-dev(a)lists.jboss.org
Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of
in Jboss ?
Pedro,
The following are the jar files I put under <Tomcat_home>/lib (I first put them
under my web app's WEB-INF/lib directory but tomcat couldn't find them):
bcprov-jdk15on-151.jar
jboss-logging-3.1.0.GA.jar
jboss-security-spi-4.0.18.final.jar
log4j-1.2.16.jar
picketlink-common-2.6.0.Final.jar
picketlink-config-2.6.0.Final.jar
picketlink-federation-2.6.0.Final.jar
picketlink-jbas7-2.6.0.Final.jar
Where do I get that jar file you mentioned ? All the picketlink related jar files I got
are from picketlink-installer-2.6.0.Final.zip, and in there the jar file you mentioned is
not present.
Thanks,
Adam Dong
-----Original Message-----
From: Pedro Igor Silva [mailto:psilva@redhat.com]
Sent: Wednesday, August 27, 2014 1:11 PM
To: Adam Dong
Cc: security-dev(a)lists.jboss.org
Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of
in Jboss ?
Which jar are u using ? picketlink-tomcat7-X.jar ?
----- Original Message -----
From: "Adam Dong" <adamdong(a)vidder.com>
To: security-dev(a)lists.jboss.org
Sent: Wednesday, August 27, 2014 3:18:51 PM
Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in
Jboss ?
Hi,
Any previous successful usage of putting ServiceProviderAuthenticator as a Valve in
Tomcat, by adding it in a web app’s META-INF/context.xml like below (as opposed to adding
it in jboss-web.xml on Jboss) ?
<Context>
<Valve
className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator"/>
</Context>
I tried with Tomcat 7 and get some complaints (see below) about
ServiceProviderAuthenticator overriding final method start()but the valve seemed being
pulled in.
java.lang.VerifyError: class
org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator
overrides final method start.()V
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
at org.apache.tomcat.util.digester.ObjectCreateRule.begin(ObjectCreateRule.java:144)
at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1288)
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509)
at
com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:182)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1342)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2770)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
at
com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:648)
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1561)
at org.apache.catalina.startup.ContextConfig.processContextConfig(ContextConfig.java:637)
at org.apache.catalina.startup.ContextConfig.contextConfig(ContextConfig.java:599)
at org.apache.catalina.startup.ContextConfig.init(ContextConfig.java:837)
at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:385)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1247)
at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1898)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
I tried with Tomcat 6 and the valve didn’t get pulled in the request path, just as if it
were not there.
Any experience or idea ?
Thanks,
Adam Dong
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev