[security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ?
Pedro Igor Silva
psilva at redhat.com
Wed Sep 17 23:51:52 EDT 2014
----- Original Message -----
> From: "Adam Dong" <adamdong at vidder.com>
> To: security-dev at lists.jboss.org
> Sent: Wednesday, September 17, 2014 9:59:11 PM
> Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly instead of in Jboss ?
>
> Just to follow up on this: I worked around this problem by using wild card as
> role name in <auth-constraint> for my app:
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
Yeah, like Michael said. That was the missing part in your config.
>
> Separately, there is a potential bug: in the quick start examples having a
> key store, the key pair in the store expired already:
>
> Valid from: Thu Jan 15 08:54:42 PST 2009 until: Wed Apr 15 09:54:42 PDT 2009
>
> But xml signing and validation for assertion are still successful during SP
> and IDP exchanging SAML requests/responses.
> Should I file a bug ?
Even though it does not impact the quickstarts, it is better to update them. You can open a JIRA if you want.
>
> By the way, I filed another bug (with the possible solution code) about two
> weeks ago:
> PLINK-567: SAML2AttributeHandler couldn't handle multiple attribute
> elements with the same attribute name
>
> Which release would have the fix ?
Beta2 was the best version to put this issue in. We had a few SAML issue fixes in this release.
But we can do that in CR1. If you have a patch, please attach it to the JIRA.
>
> Thanks,
> Adam Dong
>
> -----Original Message-----
> From: Adam Dong
> Sent: Monday, September 08, 2014 12:16 PM
> To: 'Michael Cirioli'
> Cc: security-dev at lists.jboss.org; Pedro Igor Silva
> Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat
> directly instead of in Jboss ?
>
> Thanks a lot Mike. That is exactly what I'm missing. Now the valve is
> working.
>
> The next problem is how to configure/pull in my own Role Validator whose
> useInRole() method just returns true, as opposed to using
> DefaultRoleValidator.
>
> With SPFilter, I could just add an init-parameter to pull in my own role
> validator :
> <filter>
> <filter-name>SPFilter</filter-name>
> <filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class>
> <init-param>
> <param-name>ROLE_VALIDATOR</param-name>
> <param-value>MyRoleValidator</param-value>
> </init-param>
> </filter>
>
> But with ServiceProviderAuthenticator (as a valve), I didn't find a way to do
> this.
>
> Any idea ?
>
> Thanks,
> Adam
>
> -----Original Message-----
> From: Michael Cirioli [mailto:mcirioli at redhat.com]
> Sent: Saturday, September 06, 2014 8:05 AM
> To: Adam Dong
> Cc: security-dev at lists.jboss.org; Pedro Igor Silva
> Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat
> directly instead of in Jboss ?
>
> Adam ,
> One thing you might check is if your security domain is properly configured
> and you have the correct security constraints applied in web.xml for your
> index.jsp. If you have questions let me know and I can dig up some examples
> for you.
>
> -mike cirioli
>
> On Sep 5, 2014 2:18 AM, Adam Dong <adamdong at vidder.com> wrote:
>
> Pedro,
>
> I finally had time to try that jar file on Tomcat 7 (no Jboss), now there is
> no more complaint during loading of my simple one-page (index.jsp) web app
> with the following META-INF/context.xml:
> <Context>
> <Valve className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator"/>
> </Context>
>
> However, when I try to access my index page, there is no SAML traffic, the
> index page just showed up.
>
> I further tried to sub-class ServiceProviderAuthenticator with a default
> constructor to print out a line to show that it is instantiated.
> I used that class as the valve. The log did prove that the valve is
> instantiated during loading time. But an access to the web app (well, just
> the index page) didn't cause any SAML interaction at all.
>
> So what am I missing ? Did I misunderstand how ServiceProviderAuthenticator
> is supposed to be used ?
>
> Thanks,
> Adam
>
> PS: I examined the source code for ServiceProviderAuthenticator, its parent
> AbstractSPFormAuthenticator, and its grandparent BaseFormAuthenticator. I
> was expecting to see the implementation of the invoke(request, response) method
> with similar logic as in SPFilter's doFilter(request, response) method. But
> none of the 3 classes implements the invoke(...) method, why is that ? How
> does SAML processing come into the picture then ?
>
> Another general question, is the PicketLink SAML offering widely used in
> commercial products ?
>
> -----Original Message-----
> From: Adam Dong
> Sent: Friday, August 29, 2014 3:00 PM
> To: 'Pedro Igor Silva'
> Cc: security-dev at lists.jboss.org
> Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat
> directly instead of in Jboss ?
>
> Pedro Igor,
>
> Thank you so much. I will try it out and report the result back to this email
> group.
>
> Adam Dong
>
> -----Original Message-----
> From: Pedro Igor Silva [mailto:psilva at redhat.com]
> Sent: Friday, August 29, 2014 5:37 AM
> To: Adam Dong
> Cc: security-dev at lists.jboss.org
> Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat
> directly instead of in Jboss ?
>
> Hi Adam,
>
> This is the right GAV:
>
> <dependency>
> <groupId>org.picketlink.distribution</groupId>
> <artifactId>picketlink-tomcat7</artifactId>
> <version>${picketlink.version}</version>
> </dependency>
>
> The picketlink-tomcat7-single cannot be used alone. Try to download from
> here:
>
> https://repository.jboss.org/nexus/content/groups/public/org/picketlink/distribution/picketlink-tomcat7/2.6.0.Final/picketlink-tomcat7-2.6.0.Final.jar
>
> Regards.
> Pedro Igor
>
> ----- Original Message -----
> From: "Adam Dong" <adamdong at vidder.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: security-dev at lists.jboss.org
> Sent: Wednesday, August 27, 2014 10:18:32 PM
> Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat
> directly instead of in Jboss ?
>
> OK, I found picketlink-tomcat7-single-2.6.0.Final.jar on picketlink.org site,
> replaced picketlink-jbas7-2.6.0.Final.jar with it. Now I got
>
> java.lang.NoClassDefFoundError:
> org/picketlink/identity/federation/bindings/tomcat/sp/AbstractSPFormAuthenticator
>
> And I checked, indeed AbstractSPFormAuthenticator is not in
> picketlink-tomcat7-single-2.6.0.Final.jar, but in
> picketlink-jbas7-2.6.0.Final.jar.
>
> Is picketlink-tomcat7-single-2.6.0.Final.jar missing a few files ?
> Should I grab those missing file from jbas7 jar file and put them into
> tomcat7 jar file ?
> Would they be compatible ?
>
> To check the compatibility, I found the following.
> ServiceProviderAuthenticator.class in
> picketlink-tomcat7-single-2.6.0.Final.jar:
> 1667 Sun Jun 22 03:04:00 PDT 2014
> org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class
>
> The same class in picketlink-jbas7-2.6.0.Final.jar:
> 978 Sun Jun 22 03:03:56 PDT 2014
> org/picketlink/identity/federation/bindings/tomcat/sp/ServiceProviderAuthenticator.class
>
> They are different. Is that correct ? Can I trust the
> AbstractSPFormAuthenticator.class in jbas7 jar file to work with
> ServiceProviderAuthenticator.class in tomcat7 jar file ?
>
> Thanks,
> Adam Dong
>
> -----Original Message-----
> From: Adam Dong
> Sent: Wednesday, August 27, 2014 2:29 PM
> To: 'Pedro Igor Silva'
> Cc: security-dev at lists.jboss.org
> Subject: RE: [security-dev] Use ServiceProviderAuthenticator in Tomcat
> directly instead of in Jboss ?
>
> Pedro,
>
> The following are the jar files I put under <Tomcat_home>/lib (I first put
> them under my web app's WEB-INF/lib directory but tomcat couldn't find
> them):
>
> bcprov-jdk15on-151.jar
> jboss-logging-3.1.0.GA.jar
> jboss-security-spi-4.0.18.final.jar
> log4j-1.2.16.jar
> picketlink-common-2.6.0.Final.jar
> picketlink-config-2.6.0.Final.jar
> picketlink-federation-2.6.0.Final.jar
> picketlink-jbas7-2.6.0.Final.jar
>
> Where do I get that jar file you mentioned ? All the picketlink related jar
> files I got are from picketlink-installer-2.6.0.Final.zip, and in there the
> jar file you mentioned is not present.
>
> Thanks,
> Adam Dong
>
> -----Original Message-----
> From: Pedro Igor Silva [mailto:psilva at redhat.com]
> Sent: Wednesday, August 27, 2014 1:11 PM
> To: Adam Dong
> Cc: security-dev at lists.jboss.org
> Subject: Re: [security-dev] Use ServiceProviderAuthenticator in Tomcat
> directly instead of in Jboss ?
>
> Which jar are you using ? picketlink-tomcat7-X.jar ?
>
> ----- Original Message -----
> From: "Adam Dong" <adamdong at vidder.com>
> To: security-dev at lists.jboss.org
> Sent: Wednesday, August 27, 2014 3:18:51 PM
> Subject: [security-dev] Use ServiceProviderAuthenticator in Tomcat directly
> instead of in Jboss ?
>
> Hi,
>
> Any previous successful usage of putting ServiceProviderAuthenticator as a
> Valve in Tomcat, by adding it in a web app’s META-INF/context.xml like below
> (as opposed to adding it in jboss-web.xml on Jboss) ?
>
> <Context>
> <Valve className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator"/>
> </Context>
>
> I tried with Tomcat 7 and got some complaints (see below) about
> ServiceProviderAuthenticator overriding the final method start(), but the valve
> seemed to be pulled in.
>
> java.lang.VerifyError: class org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator overrides final method start.()V
> at java.lang.ClassLoader.defineClass1(Native Method)
> at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
> at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
> at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
> at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
> at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
> at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
> at java.security.AccessController.doPrivileged(Native Method)
> at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
> at org.apache.tomcat.util.digester.ObjectCreateRule.begin(ObjectCreateRule.java:144)
> at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1288)
> at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509)
> at com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:182)
> at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1342)
> at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2770)
> at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
> at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
> at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
> at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
> at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
> at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
> at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:648)
> at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1561)
> at org.apache.catalina.startup.ContextConfig.processContextConfig(ContextConfig.java:637)
> at org.apache.catalina.startup.ContextConfig.contextConfig(ContextConfig.java:599)
> at org.apache.catalina.startup.ContextConfig.init(ContextConfig.java:837)
> at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:385)
> at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
> at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
> at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139)
> at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
> at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1247)
> at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1898)
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> at java.util.concurrent.FutureTask.run(FutureTask.java:262)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:745)
>
> I tried with Tomcat 6 and the valve didn’t get pulled into the request path,
> just as if it were not there.
>
> Any experience or idea ?
>
> Thanks,
> Adam Dong
>
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>
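The expired key pair Adam noticed still validates because verifying an XML signature only checks the signature against the key; the certificate's validity window is a separate check that the application has to make. As an added example that is not part of this thread or of PicketLink, a small Java preflight that loads a keystore and reports certificates that are expired, not yet valid, or about to expire (the class name, argument order and the 30-day warning threshold are assumptions):

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;

/** Preflight check for SAML keystores: flags certificates outside or near the end of their validity window. */
public final class KeyStoreValidityCheck {

    private static final long WARN_WINDOW_MS = 30L * 24 * 60 * 60 * 1000; // assumed threshold: 30 days

    /** Returns one finding per problematic alias; an empty list means every certificate is fine. */
    public static List<String> findProblems(KeyStore ks, Date now) throws KeyStoreException {
        List<String> findings = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue; // secret-key entries carry no certificate
            }
            X509Certificate cert = (X509Certificate) c;
            try {
                // Signature verification never calls this; the signature math still checks out after expiry.
                cert.checkValidity(now);
                if (cert.getNotAfter().getTime() - now.getTime() < WARN_WINDOW_MS) {
                    findings.add(alias + ": expires soon, on " + cert.getNotAfter());
                }
            } catch (CertificateExpiredException e) {
                findings.add(alias + ": EXPIRED on " + cert.getNotAfter());
            } catch (CertificateNotYetValidException e) {
                findings.add(alias + ": not valid before " + cert.getNotBefore());
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Assumed invocation: java KeyStoreValidityCheck <keystore.jks> <storepass>
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        List<String> findings = findProblems(ks, new Date());
        findings.forEach(f -> System.out.println("WARNING " + f));
        System.exit(findings.isEmpty() ? 0 : 1); // non-zero exit fails a build or deploy step
    }
}
```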