[security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ?

Adam Dong adamdong at vidder.com
Mon Sep 8 15:16:40 EDT 2014


Thanks a lot Mike. That is exactly what I'm missing. Now the valve is working.

The next problem is how to configure/pull in my own Role Validator whose useInRole() method just returns true, as opposed to using DefaultRoleValidator.

With SPFilter, I could just add an init-parameter to pull in my own role validator : 
    <filter>
        <filter-name>SPFilter</filter-name>
        <filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class>
    <init-param>
        <param-name>ROLE_VALIDATOR</param-name>
        <param-value>MyRoleValidator</param-value>
    </init-param>

But with ServiceProviderAuthenticator (as a valve), I didn't find a way to do this.

Any idea ?

Thanks,
Adam

-----Original Message-----
From: Michael Cirioli [mailto:mcirioli at redhat.com] 
Sent: Saturday, September 06, 2014 8:05 AM
To: Adam Dong
Cc: security-dev at lists.jboss.org; Pedro Igor Silva
Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ?

Adam ,
One thing you might check is if your security domain is properly configured and you have the correct security constraints applied in web.xml for.your index.jsp.  if you have questions let me know and I can dig up some examples for you.

-mike cirioli

On Sep 5, 2014 2:18 AM, Adam Dong <adamdong at vidder.com> wrote:
>
> Pedro,
>
> I finally had time to try that jar file on Tomcat 7 (no Jboss), now therePedro,

 I finally had time to try that jar file on Tomcat 7 (no Jboss), now there is no more complaint during loading of my simple one-page (index.jsp) web app with the following META-INF/context.xml:
<Context> 
<Valve className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator"/>
<Context> 

However, when I try to access my index page, there is no SAML traffic, the index page just showed up.

I further tried to sub-class ServiceProviderAuthenticator with a default constructor to print out a line to show that it is instantiated. 
I used that class as the valve. The log did prove that the valve is instantiated during loading time. But an access to the web app (well, just the index page) didn't cause any SAML interaction at all.

So what am I missing ? Did I misunderstand how ServiceProviderAuthenticator is supposed to be used ?

Thanks,
Adam

PS: I examined the source code for ServiceProviderAuthenticator, its parent AbstractSPFormAuthenticator, and its grandparent BaseFormAuthenticator, I was expecting to see the implemention of invoke(request, response) method with similar logic as in SPFilter's doFilter(request, response) method. But neither of the 3 classes implement invoke(...) method, why is that ? How does SAML processing come into the picture then ?

Another general question, is picket link SAML offering widely used in commercial products ?




-----Original Message-----
From: Adam Dong 
Sent: Friday, August 29, 2014 3:00 PM
To: 'Pedro Igor Silva'
Cc: security-dev at lists.jboss.org
Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ?

Pedro Igor,

Thank you so much. I will try it out and report the result back to this email group.

Adam Dong

-----Original Message-----
From: Pedro Igor Silva [mailto:psilva at redhat.com] 
Sent: Friday, August 29, 2014 5:37 AM
To: Adam Dong
Cc: security-dev at lists.jboss.org
Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ?

Hi Adam,

  This is the right GAV:

     <dependency>
      <groupId>org.picketlink.distribution</groupId>
      <artifactId>picketlink-tomcat7</artifactId>
      <version>${picketlink.version}</version>
     </dependency>

  The picketlink-tomact7-single can not be used alone. Try to download from here:

     https://repository.jboss.org/nexus/content/groups/public/org/picketlink/distribution/picketlink-tomcat7/2.6.0.Final/picketlink-tomcat7-2.6.0.Final.jar

Regards.
Pedro Igor

----- Original Message -----
From: "Adam Dong" <adamdong at vidder.com>
To: "Pedro Igor Silva" <psilva at redhat.com>
Cc: security-dev at lists.jboss.org
Sent: Wednesday, August 27, 2014 10:18:32 PM
Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ?


OK, I found picketlink-tomcat7-single-2.6.0.Final.jar on picketlink.org site, replaced picketlink-jbas7-2.6.0.Final.jar with it. Now I got 

java.lang.NoClassDefFoundError: org/picketlink/identity/federation/bindings/tomcat/sp/AbstractSPFormAuthenticator

And I checked, indeed AbstractSPFormAuthenticator is not in picketlink-tomcat7-single-2.6.0.Final.jar, but in picketlink-jbas7-2.6.0.Final.jar.

Is picketlink-tomcat7-single-2.6.0.Final.jar missing a few files ? 
Should I grab those missing file from jbas7 jar file and put them into tomcat7 jar file ? 
Would they be compatible ?



To check the compatibility, I found the following. ServiceProviderAuthenticator.class in picketlink-tomcat7-single-2.6.0.Final.jar:
  1667 Sun Jun 22 03:04:00 PDT 2014 org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class

The same class in picketlink-jbas7-2.6.0.Final.jar:
   978 Sun Jun 22 03:03:56 PDT 2014 org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class


They are different. Is that correct ? Can I trust the AbstractSPFormAuthenticator.class in jbas7 jar file to work with ServiceProviderAuthenticator.class in tomcat7 jar file ?

Thanks,
Adam Dong


-----Original Message-----
From: Adam Dong
Sent: Wednesday, August 27, 2014 2:29 PM
To: 'Pedro Igor Silva'
Cc: security-dev at lists.jboss.org
Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ?


Pedro,

The following are the jar files I put under <Tomcat_home>/lib (I first put them under my web app's WEB-INF/lib directory but tomcat couldn't find them):

bcprov-jdk15on-151.jar               
jboss-logging-3.1.0.GA.jar           
jboss-security-spi-4.0.18.final.jar  
log4j-1.2.16.jar                     
picketlink-common-2.6.0.Final.jar
picketlink-config-2.6.0.Final.jar
picketlink-federation-2.6.0.Final.jar
picketlink-jbas7-2.6.0.Final.jar

Where do I get that jar file you mentioned ? All the picketlink related jar files I got are from picketlink-installer-2.6.0.Final.zip, and in there the jar file you mentioned is not present.

Thanks,
Adam Dong

-----Original Message-----
From: Pedro Igor Silva [mailto:psilva at redhat.com] 
Sent: Wednesday, August 27, 2014 1:11 PM
To: Adam Dong
Cc: security-dev at lists.jboss.org
Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ?

Which jar are u using ? picketlink-tomcat7-X.jar ?



----- Original Message -----
From: "Adam Dong" <adamdong at vidder.com>
To: security-dev at lists.jboss.org
Sent: Wednesday, August 27, 2014 3:18:51 PM
Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ?



Hi, 



Any previous successful usage of putting ServiceProviderAuthenticator as a Valve in Tomcat, by adding it in a web app’s META-INF/context.xml like below (as opposed to adding it in jboss-web.xml on Jboss) ? 



<Context> 

<Valve className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator"/> 

</Context> 





I tried with Tomcat 7 and get some complaints (see below) about ServiceProviderAuthenticator overriding final method start()but the valve seemed being pulled in. 



java.lang.VerifyError: class org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator overrides final method start.()V 

at java.lang.ClassLoader.defineClass1(Native Method) 

at java.lang.ClassLoader.defineClass(ClassLoader.java:800) 

at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142) 

at java.net.URLClassLoader.defineClass(URLClassLoader.java:449) 

at java.net.URLClassLoader.access$100(URLClassLoader.java:71) 

at java.net.URLClassLoader$1.run(URLClassLoader.java:361) 

at java.net.URLClassLoader$1.run(URLClassLoader.java:355) 

at java.security.AccessController.doPrivileged(Native Method) 

at java.net.URLClassLoader.findClass(URLClassLoader.java:354) 

at java.lang.ClassLoader.loadClass(ClassLoader.java:425) 

at java.lang.ClassLoader.loadClass(ClassLoader.java:358) 

at org.apache.tomcat.util.digester.ObjectCreateRule.begin(ObjectCreateRule.java:144) 

at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1288) 

at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509) 

at com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:182) 

at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1342) 

at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2770) 

at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606) 

at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510) 

at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848) 

at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777) 

at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141) 

at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213) 

at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:648) 

at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1561) 

at org.apache.catalina.startup.ContextConfig.processContextConfig(ContextConfig.java:637) 

at org.apache.catalina.startup.ContextConfig.contextConfig(ContextConfig.java:599) 

at org.apache.catalina.startup.ContextConfig.init(ContextConfig.java:837) 

at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:385) 

at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117) 

at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) 

at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402) 

at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110) 

at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139) 

at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) 

at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877) 

at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) 

at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1247) 

at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1898) 

at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) 

at java.util.concurrent.FutureTask.run(FutureTask.java:262) 

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) 

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) 

at java.lang.Thread.run(Thread.java:745) 



I tried with Tomcat 6 and the valve didn’t get pulled in the request path, just as if it were not there. 



Any experience or idea ? 



Thanks, 

Adam Dong 

_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev

_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev



More information about the security-dev mailing list