org.picketlink.identity.federation.bindings.jboss.auth

Class SAML2STSCommonLoginModule

java.lang.Object

org.jboss.security.auth.spi.AbstractServerLoginModule

org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenFromHttpRequestAbstractLoginModule

org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSCommonLoginModule

All Implemented Interfaces:

LoginModule

Direct Known Subclasses:

SAML2STSLoginModule

public abstract class SAML2STSCommonLoginModule
extends SAMLTokenFromHttpRequestAbstractLoginModule

This LoginModule authenticates clients by validating their SAML assertions with an external security token service (such as PicketLinkSTS). If the supplied assertion contains roles, these roles are extracted and included in the Group returned by the getRoleSets method.

This module defines the following module options:

• configFile - this property identifies the properties file that will be used to establish communication with the external security token service.
• cache.invalidation: set it to true if you require invalidation of JBoss Auth Cache at SAML Principal expiration.
• jboss.security.security_domain: name of the security domain where this login module is configured. This is only required if the cache.invalidation option is configured.
• roleKey: a comma separated list of strings that define the attributes in SAML assertion for user roles
• localValidation: if you want to validate the assertion locally for signature and expiry
• localValidationSecurityDomain: the security domain for the trust store information (via the JaasSecurityDomain)
• tokenEncodingType: encoding type of SAML token delivered via http request's header. Possible values are: base64 - content encoded as base64. In case of encoding will vary between base64 and gzip use base64 and LoginModule will detect gzipped data. gzip - gzipped content encoded as base64 none - content not encoded in any way
• samlTokenHttpHeader - name of http request header to fetch SAML token from. For example: "Authorize"
• samlTokenHttpHeaderRegEx - Java regular expression to be used to get SAML token from "samlTokenHttpHeader". Example: use: ."(.)".* to parse SAML token from header content like this: SAML_assertion="HHDHS=", at the same time set samlTokenHttpHeaderRegExGroup to 1.
• samlTokenHttpHeaderRegExGroup - Group value to be used when parsing out value of http request header specified by "samlTokenHttpHeader" using "samlTokenHttpHeaderRegEx".

Any properties specified besides the above properties are assumed to be used to configure how the STSClient will connect to the STS. For example, the JBossWS StubExt.PROPERTY_SOCKET_FACTORY can be specified in order to inform the socket factory that must be used to connect to the STS. All properties will be set in the request context of the Dispatch instance used by the STSClient to send requests to the STS.

An example of a configFile can be seen bellow:

 serviceName=PicketLinkSTS
 portName=PicketLinkSTSPort
 endpointAddress=http://localhost:8080/picketlink-sts/PicketLinkSTS
 username=JBoss
 password=JBoss
 

The first three properties specify the STS endpoint URL, service name, and port name. The last two properties specify the username and password that are to be used by the application server to authenticate to the STS and have the SAML assertions validated.

NOTE: Sub-classes can use getSTSClient() method to customize the STSClient class to make calls to STS/

Author:

Stefan Guilhen, Anil.Saldhana@redhat.com

Field Summary

Fields

Modifier and Type	Field and Description
protected AssertionType	assertion
protected SamlCredential	credential
protected boolean	enableCacheInvalidation
static String	ENDPOINT_ADDRESS Key to specify the end point address
static String	INITIAL_CLIENTS_IN_POOL Paramater name.
protected int	initialClientsInPool Maximal number of clients in the STS Client Pool.
protected boolean	localTestingOnly
protected boolean	localValidation
protected String	localValidationSecurityDomain
protected Map<String,Object>	options Options that are computed by this login module.
static String	PASSWORD_KEY Key to specify the password
static String	PORT_NAME Key to specify the port name
protected Principal	principal
protected Map<String,Object>	rawOptions Original Options that are sent by the JDK JAAS Framework
protected String	roleKey
protected String	securityDomain
static String	SERVICE_NAME Key to specify the service name
static String	STS_CONFIG_FILE This is an option that should identify the configuration file for WSTrustClient.
protected String	stsConfigurationFile
static String	USERNAME_KEY Key to specify the username

Fields inherited from class org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenFromHttpRequestAbstractLoginModule

BASE64_TOKEN_ENCODING, GZIP_TOKEN_ENCODING, logger, NONE_TOKEN_ENCODING, REG_EX_GROUP_KEY, REG_EX_PATTERN_KEY, SAML_TOKEN_HTTP_HEADER_KEY, TOKEN_ENCODING_TYPE_KEY, tokenEncoding, WEB_REQUEST_KEY

Fields inherited from class org.jboss.security.auth.spi.AbstractServerLoginModule

callbackHandler, jbossModuleName, log, loginOk, principalClassModuleName, principalClassName, sharedState, subject, unauthenticatedIdentity, useFirstPass

Constructor Summary

Constructors

Constructor and Description
SAML2STSCommonLoginModule()

Method Summary

Modifier and Type	Method and Description
boolean	abort() Called if the overall authentication failed (phase 2).
boolean	commit() Method to commit the authentication process (phase 2).
protected abstract JBossAuthCacheInvalidationFactory.TimeCacheExpiry	getCacheExpiry()
protected Principal	getIdentity() Overriden by subclasses to return the Principal that corresponds to the user primary identity.
protected Group[]	getRoleSets() Overriden by subclasses to return the Groups that correspond to the to the role sets assigned to the user.
protected STSClient	getSTSClient() Get the STSClient object with which we can make calls to the STS
void	initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options) Initialize the login module.
protected abstract boolean	localValidation(Element assertionElement) Locally validate the SAML Assertion element
boolean	login() Looks for javax.security.auth.login.name and javax.security.auth.login.password values in the sharedState map if the useFirstPass option was true and returns true if they exist.
boolean	logout() Remove the user identity and roles added to the Subject during commit.

Methods inherited from class org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenFromHttpRequestAbstractLoginModule

getCredentialFromHttpRequest, getSamlTokenHttpHeader, getSamlTokenHttpHeaderRegEx, getSamlTokenHttpHeaderRegExGroup, getTokenEncoding

Methods inherited from class org.jboss.security.auth.spi.AbstractServerLoginModule

addValidOptions, checkOptions, createGroup, createIdentity, getCallerPrincipalGroup, getUnauthenticatedIdentity, getUseFirstPass

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

stsConfigurationFile

protected String stsConfigurationFile

principal

protected Principal principal

credential

protected SamlCredential credential

assertion

protected AssertionType assertion

enableCacheInvalidation

protected boolean enableCacheInvalidation

securityDomain

protected String securityDomain

localValidation

protected boolean localValidation

localValidationSecurityDomain

protected String localValidationSecurityDomain

roleKey

protected String roleKey

initialClientsInPool

protected int initialClientsInPool

Maximal number of clients in the STS Client Pool.

options

protected Map<String,Object> options

Options that are computed by this login module. Few options are removed and the rest are set in the dispatch sts call

rawOptions

protected Map<String,Object> rawOptions

Original Options that are sent by the JDK JAAS Framework

STS_CONFIG_FILE

public static final String STS_CONFIG_FILE

This is an option that should identify the configuration file for WSTrustClient.

See Also:

Constant Field Values

ENDPOINT_ADDRESS

public static final String ENDPOINT_ADDRESS

Key to specify the end point address

See Also:

Constant Field Values

PORT_NAME

public static final String PORT_NAME

Key to specify the port name

See Also:

Constant Field Values

SERVICE_NAME

public static final String SERVICE_NAME

Key to specify the service name

See Also:

Constant Field Values

USERNAME_KEY

public static final String USERNAME_KEY

Key to specify the username

See Also:

Constant Field Values

PASSWORD_KEY

public static final String PASSWORD_KEY

Key to specify the password

See Also:

Constant Field Values

localTestingOnly

protected boolean localTestingOnly

INITIAL_CLIENTS_IN_POOL

public static final String INITIAL_CLIENTS_IN_POOL

Paramater name.

See Also:

Constant Field Values

Constructor Detail

SAML2STSCommonLoginModule

public SAML2STSCommonLoginModule()

Method Detail

initialize

public void initialize(Subject subject,
                       CallbackHandler callbackHandler,
                       Map<String,?> sharedState,
                       Map<String,?> options)

Description copied from class: AbstractServerLoginModule

Initialize the login module. This stores the subject, callbackHandler and sharedState and options for the login session. Subclasses should override if they need to process their own options. A call to super.initialize(...) must be made in the case of an override.

Specified by:

initialize in interface LoginModule

Overrides:

initialize in class SAMLTokenFromHttpRequestAbstractLoginModule

Parameters:

subject - the Subject to update after a successful login.

callbackHandler - the CallbackHandler that will be used to obtain the the user identity and credentials.

sharedState - a Map shared between all configured login module instances

options - the parameters passed to the login module.

login

public boolean login()
              throws LoginException

Description copied from class: AbstractServerLoginModule

Looks for javax.security.auth.login.name and javax.security.auth.login.password values in the sharedState map if the useFirstPass option was true and returns true if they exist. If they do not or are null this method returns false. Note that subclasses that override the login method must set the loginOk ivar to true if the login succeeds in order for the commit phase to populate the Subject. This implementation sets loginOk to true if the login() method returns true, otherwise, it sets loginOk to false.

Specified by:

login in interface LoginModule

Overrides:

login in class AbstractServerLoginModule

Throws:

LoginException

commit

public boolean commit()
               throws LoginException

Description copied from class: AbstractServerLoginModule

Method to commit the authentication process (phase 2). If the login method completed successfully as indicated by loginOk == true, this method adds the getIdentity() value to the subject getPrincipals() Set. It also adds the members of each Group returned by getRoleSets() to the subject getPrincipals() Set.

Specified by:

commit in interface LoginModule

Overrides:

commit in class AbstractServerLoginModule

Returns:

true always.

Throws:

LoginException

See Also:

Subject;, Group;

abort

public boolean abort()
              throws LoginException

Called if the overall authentication failed (phase 2).

Specified by:

abort in interface LoginModule

Overrides:

abort in class AbstractServerLoginModule

Returns:

true always

Throws:

LoginException

logout

public boolean logout()
               throws LoginException

Description copied from class: AbstractServerLoginModule

Remove the user identity and roles added to the Subject during commit.

Specified by:

logout in interface LoginModule

Overrides:

logout in class AbstractServerLoginModule

Returns:

true always.

Throws:

LoginException

getIdentity

protected Principal getIdentity()

Description copied from class: AbstractServerLoginModule

Overriden by subclasses to return the Principal that corresponds to the user primary identity.

Specified by:

getIdentity in class AbstractServerLoginModule

getRoleSets

protected Group[] getRoleSets()
                       throws LoginException

Description copied from class: AbstractServerLoginModule

Overriden by subclasses to return the Groups that correspond to the to the role sets assigned to the user. Subclasses should create at least a Group named "Roles" that contains the roles assigned to the user. A second common group is "CallerPrincipal" that provides the application identity of the user rather than the security domain identity.

Specified by:

getRoleSets in class AbstractServerLoginModule

Returns:

Group[] containing the sets of roles

Throws:

LoginException

getSTSClient

protected STSClient getSTSClient()

Get the STSClient object with which we can make calls to the STS

Returns:

localValidation

protected abstract boolean localValidation(Element assertionElement)
                                    throws Exception

Locally validate the SAML Assertion element

Parameters:

assertionElement -

Returns:

Throws:

Exception

getCacheExpiry

protected abstract JBossAuthCacheInvalidationFactory.TimeCacheExpiry getCacheExpiry()
                                                                             throws Exception

Throws:

Exception