You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@cxf.apache.org by Matthew Broadhead <ma...@nbmlaw.co.uk> on 2017/09/25 15:56:27 UTC

fediz jaas config

hi,

i already have a working jaas.config setup with a custom LoginModule
MyLoginModule {
uk.me.kissy.jaas.MyLoginModule required debug=false dbPort="3306" 
dbName="directory" dbUsername="directoryUser" dbPassword="<password>";
};

MyLoginModule is based off this tutorial 
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html 
and is basically one step up from a DataSourceRealm using 2 tables:
1. user
- username
- password
2. userrole
- username
- rolename

in fediz-1.4.2/services/sts/src/main/webapp/WEB-INF/endpoints i create a 
file jaas.xml and created an endpoint
<beans ...>
<jaxws:endpoint id="transportSTS1" implementor="#transportSTSProviderBean"
         address="/REALMA/STSServiceTransportUT" 
wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
         serviceName="ns1:SecurityTokenService" 
endpointName="ns1:TransportUT_Port">
         <jaxws:properties>
             <entry key="ws-security.ut.validator">
                 <bean 
class="org.apache.wss4j.dom.validate.JAASUsernameTokenValidator">
                     <property name="contextName" value="MyLoginModule" />
                 </bean>
             </entry>
         </jaxws:properties>
     </jaxws:endpoint>
</beans>

now the stacktrace says it needs a claimHandlerList and claimsManager.  
could someone point me to an example of how to do that?

Re: fediz jaas config

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.

here is a gist showing where i have got to so far 
https://gist.github.com/chongma/ee6836f99b1ba62b79851c9da050c81f

now i get Caused by: 
org.apache.cxf.ws.security.sts.provider.STSException: Mandatory claim 
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role' not found 
so i need to look at supported claims.  do these need to be mapped?


On 25/09/2017 18:11, Colm O hEigeartaigh wrote:
> The ClaimsManager is defined in the default STS configuration here:
>
> https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/fediz-sts.xml#L106
>
> Where the default ClaimsHandlers read in some claims from a file:
>
> https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/data/userClaims.xml
>
> For LDAP, we have a LDAPClaimsHandler in CXF, the Fediz configuration for
> that is here:
>
> https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/endpoints/ldap.xml
>
> If you only require the role claims for your login scenario, I think you
> can get away with writing a custom ClaimsHandler implementation, and get
> the roles from the authenticated principal.
>
> Colm.
>
> On Mon, Sep 25, 2017 at 4:56 PM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> hi,
>>
>> i already have a working jaas.config setup with a custom LoginModule
>> MyLoginModule {
>> uk.me.kissy.jaas.MyLoginModule required debug=false dbPort="3306"
>> dbName="directory" dbUsername="directoryUser" dbPassword="<password>";
>> };
>>
>> MyLoginModule is based off this tutorial http://docs.oracle.com/javase/
>> 7/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html and
>> is basically one step up from a DataSourceRealm using 2 tables:
>> 1. user
>> - username
>> - password
>> 2. userrole
>> - username
>> - rolename
>>
>> in fediz-1.4.2/services/sts/src/main/webapp/WEB-INF/endpoints i create a
>> file jaas.xml and created an endpoint
>> <beans ...>
>> <jaxws:endpoint id="transportSTS1" implementor="#transportSTSProviderBean"
>>          address="/REALMA/STSServiceTransportUT"
>> wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
>> xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
>>          serviceName="ns1:SecurityTokenService"
>> endpointName="ns1:TransportUT_Port">
>>          <jaxws:properties>
>>              <entry key="ws-security.ut.validator">
>>                  <bean class="org.apache.wss4j.dom.va
>> lidate.JAASUsernameTokenValidator">
>>                      <property name="contextName" value="MyLoginModule" />
>>                  </bean>
>>              </entry>
>>          </jaxws:properties>
>>      </jaxws:endpoint>
>> </beans>
>>
>> now the stacktrace says it needs a claimHandlerList and claimsManager.
>> could someone point me to an example of how to do that?
>>
>
>

Re: fediz jaas config

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.

actually i will probably move to ldap as i was already halfway to 
migrating to apache ds. but thought it might be a good step to first get 
a jaas loginmodule working first.  however i messed around with the 
claims stuff and it is not trivial so it is probably easier to migrate 
to ldap instead.

On 25/09/2017 18:11, Colm O hEigeartaigh wrote:
> The ClaimsManager is defined in the default STS configuration here:
>
> https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/fediz-sts.xml#L106
>
> Where the default ClaimsHandlers read in some claims from a file:
>
> https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/data/userClaims.xml
>
> For LDAP, we have a LDAPClaimsHandler in CXF, the Fediz configuration for
> that is here:
>
> https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/endpoints/ldap.xml
>
> If you only require the role claims for your login scenario, I think you
> can get away with writing a custom ClaimsHandler implementation, and get
> the roles from the authenticated principal.
>
> Colm.
>
> On Mon, Sep 25, 2017 at 4:56 PM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> hi,
>>
>> i already have a working jaas.config setup with a custom LoginModule
>> MyLoginModule {
>> uk.me.kissy.jaas.MyLoginModule required debug=false dbPort="3306"
>> dbName="directory" dbUsername="directoryUser" dbPassword="<password>";
>> };
>>
>> MyLoginModule is based off this tutorial http://docs.oracle.com/javase/
>> 7/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html and
>> is basically one step up from a DataSourceRealm using 2 tables:
>> 1. user
>> - username
>> - password
>> 2. userrole
>> - username
>> - rolename
>>
>> in fediz-1.4.2/services/sts/src/main/webapp/WEB-INF/endpoints i create a
>> file jaas.xml and created an endpoint
>> <beans ...>
>> <jaxws:endpoint id="transportSTS1" implementor="#transportSTSProviderBean"
>>          address="/REALMA/STSServiceTransportUT"
>> wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
>> xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
>>          serviceName="ns1:SecurityTokenService"
>> endpointName="ns1:TransportUT_Port">
>>          <jaxws:properties>
>>              <entry key="ws-security.ut.validator">
>>                  <bean class="org.apache.wss4j.dom.va
>> lidate.JAASUsernameTokenValidator">
>>                      <property name="contextName" value="MyLoginModule" />
>>                  </bean>
>>              </entry>
>>          </jaxws:properties>
>>      </jaxws:endpoint>
>> </beans>
>>
>> now the stacktrace says it needs a claimHandlerList and claimsManager.
>> could someone point me to an example of how to do that?
>>
>
>

Re: fediz jaas config

Posted by Colm O hEigeartaigh <co...@apache.org>.

The ClaimsManager is defined in the default STS configuration here:

https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/fediz-sts.xml#L106

Where the default ClaimsHandlers read in some claims from a file:

https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/data/userClaims.xml

For LDAP, we have a LDAPClaimsHandler in CXF, the Fediz configuration for
that is here:

https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/endpoints/ldap.xml

If you only require the role claims for your login scenario, I think you
can get away with writing a custom ClaimsHandler implementation, and get
the roles from the authenticated principal.

Colm.

On Mon, Sep 25, 2017 at 4:56 PM, Matthew Broadhead <
matthew.broadhead@nbmlaw.co.uk> wrote:

> hi,
>
> i already have a working jaas.config setup with a custom LoginModule
> MyLoginModule {
> uk.me.kissy.jaas.MyLoginModule required debug=false dbPort="3306"
> dbName="directory" dbUsername="directoryUser" dbPassword="<password>";
> };
>
> MyLoginModule is based off this tutorial http://docs.oracle.com/javase/
> 7/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html and
> is basically one step up from a DataSourceRealm using 2 tables:
> 1. user
> - username
> - password
> 2. userrole
> - username
> - rolename
>
> in fediz-1.4.2/services/sts/src/main/webapp/WEB-INF/endpoints i create a
> file jaas.xml and created an endpoint
> <beans ...>
> <jaxws:endpoint id="transportSTS1" implementor="#transportSTSProviderBean"
>         address="/REALMA/STSServiceTransportUT"
> wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
> xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
>         serviceName="ns1:SecurityTokenService"
> endpointName="ns1:TransportUT_Port">
>         <jaxws:properties>
>             <entry key="ws-security.ut.validator">
>                 <bean class="org.apache.wss4j.dom.va
> lidate.JAASUsernameTokenValidator">
>                     <property name="contextName" value="MyLoginModule" />
>                 </bean>
>             </entry>
>         </jaxws:properties>
>     </jaxws:endpoint>
> </beans>
>
> now the stacktrace says it needs a claimHandlerList and claimsManager.
> could someone point me to an example of how to do that?
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com