Posted to users@cxf.apache.org by Matthew Broadhead <ma...@nbmlaw.co.uk> on 2017/09/25 15:56:27 UTC
fediz jaas config
hi,
i already have a working jaas.config setup with a custom LoginModule
MyLoginModule {
    uk.me.kissy.jaas.MyLoginModule required debug=false dbPort="3306"
        dbName="directory" dbUsername="directoryUser" dbPassword="<password>";
};
MyLoginModule is based off this tutorial
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html
and is basically one step up from a DataSourceRealm using 2 tables:
1. user
- username
- password
2. userrole
- username
- rolename
in fediz-1.4.2/services/sts/src/main/webapp/WEB-INF/endpoints i create a
file jaas.xml and created an endpoint
<beans ...>
    <jaxws:endpoint id="transportSTS1" implementor="#transportSTSProviderBean"
        address="/REALMA/STSServiceTransportUT"
        wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
        xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
        serviceName="ns1:SecurityTokenService"
        endpointName="ns1:TransportUT_Port">
        <jaxws:properties>
            <entry key="ws-security.ut.validator">
                <bean class="org.apache.wss4j.dom.validate.JAASUsernameTokenValidator">
                    <property name="contextName" value="MyLoginModule" />
                </bean>
            </entry>
        </jaxws:properties>
    </jaxws:endpoint>
</beans>
now the stacktrace says it needs a claimHandlerList and claimsManager.
could someone point me to an example of how to do that?
Re: fediz jaas config
Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
here is a gist showing where i have got to so far
https://gist.github.com/chongma/ee6836f99b1ba62b79851c9da050c81f
now i get Caused by:
org.apache.cxf.ws.security.sts.provider.STSException: Mandatory claim
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role' not found
so i need to look at supported claims. do these need to be mapped?
On 25/09/2017 18:11, Colm O hEigeartaigh wrote:
> The ClaimsManager is defined in the default STS configuration here:
>
> https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/fediz-sts.xml#L106
>
> Where the default ClaimsHandlers read in some claims from a file:
>
> https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/data/userClaims.xml
>
> For LDAP, we have a LDAPClaimsHandler in CXF, the Fediz configuration for
> that is here:
>
> https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/endpoints/ldap.xml
>
> If you only require the role claims for your login scenario, I think you
> can get away with writing a custom ClaimsHandler implementation, and get
> the roles from the authenticated principal.
>
> Colm.
>
> On Mon, Sep 25, 2017 at 4:56 PM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> hi,
>>
>> i already have a working jaas.config setup with a custom LoginModule
>> MyLoginModule {
>> uk.me.kissy.jaas.MyLoginModule required debug=false dbPort="3306"
>> dbName="directory" dbUsername="directoryUser" dbPassword="<password>";
>> };
>>
>> MyLoginModule is based off this tutorial http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html and
>> is basically one step up from a DataSourceRealm using 2 tables:
>> 1. user
>> - username
>> - password
>> 2. userrole
>> - username
>> - rolename
>>
>> in fediz-1.4.2/services/sts/src/main/webapp/WEB-INF/endpoints i create a
>> file jaas.xml and created an endpoint
>> <beans ...>
>> <jaxws:endpoint id="transportSTS1" implementor="#transportSTSProviderBean"
>> address="/REALMA/STSServiceTransportUT"
>> wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
>> xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
>> serviceName="ns1:SecurityTokenService"
>> endpointName="ns1:TransportUT_Port">
>> <jaxws:properties>
>> <entry key="ws-security.ut.validator">
>> <bean class="org.apache.wss4j.dom.validate.JAASUsernameTokenValidator">
>> <property name="contextName" value="MyLoginModule" />
>> </bean>
>> </entry>
>> </jaxws:properties>
>> </jaxws:endpoint>
>> </beans>
>>
>> now the stacktrace says it needs a claimHandlerList and claimsManager.
>> could someone point me to an example of how to do that?
>>
>
>
Re: fediz jaas config
Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
actually i will probably move to ldap as i was already halfway to
migrating to apache ds. but thought it might be a good step to first get
a jaas loginmodule working. however i messed around with the
claims stuff and it is not trivial so it is probably easier to migrate
to ldap instead.
On 25/09/2017 18:11, Colm O hEigeartaigh wrote:
> The ClaimsManager is defined in the default STS configuration here:
>
> https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/fediz-sts.xml#L106
>
> Where the default ClaimsHandlers read in some claims from a file:
>
> https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/data/userClaims.xml
>
> For LDAP, we have a LDAPClaimsHandler in CXF, the Fediz configuration for
> that is here:
>
> https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/endpoints/ldap.xml
>
> If you only require the role claims for your login scenario, I think you
> can get away with writing a custom ClaimsHandler implementation, and get
> the roles from the authenticated principal.
>
> Colm.
>
> On Mon, Sep 25, 2017 at 4:56 PM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> hi,
>>
>> i already have a working jaas.config setup with a custom LoginModule
>> MyLoginModule {
>> uk.me.kissy.jaas.MyLoginModule required debug=false dbPort="3306"
>> dbName="directory" dbUsername="directoryUser" dbPassword="<password>";
>> };
>>
>> MyLoginModule is based off this tutorial http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html and
>> is basically one step up from a DataSourceRealm using 2 tables:
>> 1. user
>> - username
>> - password
>> 2. userrole
>> - username
>> - rolename
>>
>> in fediz-1.4.2/services/sts/src/main/webapp/WEB-INF/endpoints i create a
>> file jaas.xml and created an endpoint
>> <beans ...>
>> <jaxws:endpoint id="transportSTS1" implementor="#transportSTSProviderBean"
>> address="/REALMA/STSServiceTransportUT"
>> wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
>> xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
>> serviceName="ns1:SecurityTokenService"
>> endpointName="ns1:TransportUT_Port">
>> <jaxws:properties>
>> <entry key="ws-security.ut.validator">
>> <bean class="org.apache.wss4j.dom.validate.JAASUsernameTokenValidator">
>> <property name="contextName" value="MyLoginModule" />
>> </bean>
>> </entry>
>> </jaxws:properties>
>> </jaxws:endpoint>
>> </beans>
>>
>> now the stacktrace says it needs a claimHandlerList and claimsManager.
>> could someone point me to an example of how to do that?
>>
>
>
Re: fediz jaas config
Posted by Colm O hEigeartaigh <co...@apache.org>.
The ClaimsManager is defined in the default STS configuration here:
https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/fediz-sts.xml#L106
Where the default ClaimsHandlers read in some claims from a file:
https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/data/userClaims.xml
For LDAP, we have a LDAPClaimsHandler in CXF, the Fediz configuration for
that is here:
https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/endpoints/ldap.xml
If you only require the role claims for your login scenario, I think you
can get away with writing a custom ClaimsHandler implementation, and get
the roles from the authenticated principal.
Colm.
On Mon, Sep 25, 2017 at 4:56 PM, Matthew Broadhead <
matthew.broadhead@nbmlaw.co.uk> wrote:
> hi,
>
> i already have a working jaas.config setup with a custom LoginModule
> MyLoginModule {
> uk.me.kissy.jaas.MyLoginModule required debug=false dbPort="3306"
> dbName="directory" dbUsername="directoryUser" dbPassword="<password>";
> };
>
> MyLoginModule is based off this tutorial http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html and
> is basically one step up from a DataSourceRealm using 2 tables:
> 1. user
> - username
> - password
> 2. userrole
> - username
> - rolename
>
> in fediz-1.4.2/services/sts/src/main/webapp/WEB-INF/endpoints i create a
> file jaas.xml and created an endpoint
> <beans ...>
> <jaxws:endpoint id="transportSTS1" implementor="#transportSTSProviderBean"
> address="/REALMA/STSServiceTransportUT"
> wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
> xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
> serviceName="ns1:SecurityTokenService"
> endpointName="ns1:TransportUT_Port">
> <jaxws:properties>
> <entry key="ws-security.ut.validator">
> <bean class="org.apache.wss4j.dom.validate.JAASUsernameTokenValidator">
> <property name="contextName" value="MyLoginModule" />
> </bean>
> </entry>
> </jaxws:properties>
> </jaxws:endpoint>
> </beans>
>
> now the stacktrace says it needs a claimHandlerList and claimsManager.
> could someone point me to an example of how to do that?
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
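The original question asks for an example of the claimHandlerList and claimsManager the STS demands, and Colm's reply suggests a custom ClaimsHandler that answers only the role claim. The class below is an added example written for this thread; it is not code from the thread, from Fediz or from CXF. It answers the mandatory role claim from the stack trace ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role") by looking up the authenticated username in the "userrole" table (username, rolename) described in the first post. Assumptions: the CXF 3.1.x claims API that Fediz 1.4.x ships with, where claim types are java.net.URI (in CXF 3.2 and later they became String, so getSupportedClaimTypes and setClaimType change type); a javax.sql.DataSource bean pointing at the "directory" database; and the package, class and bean names, which are invented here.

```java
// Added example for this thread, not code from Fediz or CXF.
// Assumes CXF 3.1.x (claim types are URI) and a Spring-injected DataSource.
// Package, class and bean names are hypothetical.
package uk.me.kissy.sts;

import java.net.URI;
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import javax.sql.DataSource;

import org.apache.cxf.rt.security.claims.Claim;
import org.apache.cxf.rt.security.claims.ClaimCollection;
import org.apache.cxf.sts.claims.ClaimsHandler;
import org.apache.cxf.sts.claims.ClaimsParameters;
import org.apache.cxf.sts.claims.ProcessedClaim;
import org.apache.cxf.sts.claims.ProcessedClaimCollection;

/**
 * Answers the WS-Federation role claim for the principal the STS has already
 * authenticated (via the JAAS UsernameToken validator), using the userrole table.
 *
 * Wiring in the endpoint XML (bean ids are examples):
 *
 *   <bean id="roleClaimsHandler" class="uk.me.kissy.sts.JdbcRoleClaimsHandler">
 *       <property name="dataSource" ref="directoryDataSource" />
 *   </bean>
 *   <util:list id="claimHandlerList">
 *       <ref bean="roleClaimsHandler" />
 *   </util:list>
 *   <bean id="claimsManager" class="org.apache.cxf.sts.claims.ClaimsManager">
 *       <property name="claimHandlers" ref="claimHandlerList" />
 *   </bean>
 *
 * and then <property name="claimsManager" ref="claimsManager" /> on the
 * transportSTSProviderBean.
 */
public class JdbcRoleClaimsHandler implements ClaimsHandler {

    /** The claim type the STS reported as mandatory and missing. */
    public static final URI ROLE_CLAIM =
        URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");

    private DataSource dataSource;

    public void setDataSource(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    @Override
    public List<URI> getSupportedClaimTypes() {
        return Collections.singletonList(ROLE_CLAIM);
    }

    @Override
    public ProcessedClaimCollection retrieveClaimValues(ClaimCollection claims,
                                                        ClaimsParameters parameters) {
        ProcessedClaimCollection result = new ProcessedClaimCollection();
        Principal principal = parameters.getPrincipal();
        if (principal == null || principal.getName() == null) {
            return result; // nobody authenticated: issue no claims
        }
        for (Claim requested : claims) {
            if (!ROLE_CLAIM.equals(requested.getClaimType())) {
                continue; // only the role claim is served here
            }
            ProcessedClaim claim = new ProcessedClaim();
            claim.setClaimType(ROLE_CLAIM);
            for (String role : lookupRoles(principal.getName())) {
                claim.addValue(role);
            }
            result.add(claim);
        }
        return result;
    }

    /** Roles for a username from the userrole table, via a parameterised query. */
    private List<String> lookupRoles(String username) {
        List<String> roles = new ArrayList<>();
        // The username originates from the client's token: bind it, never concatenate it.
        String sql = "SELECT rolename FROM userrole WHERE username = ?";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    roles.add(rs.getString(1));
                }
            }
        } catch (SQLException e) {
            throw new IllegalStateException("role lookup failed for " + username, e);
        }
        return roles;
    }
}
```

The handler returns an empty ProcessedClaim (no values) for a user with no rows in userrole rather than omitting the claim, so the STS still sees the mandatory claim type as answered; if an empty role set should instead fail issuance, skip the `result.add(claim)` when no roles were found and the STS will raise the same "Mandatory claim ... not found" error seen in the gist.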