2 Replies Latest reply on Nov 12, 2012 10:48 AM by tim.kutz

    PicketLink 2.1.3 and JBossAS 5.1.0: library conflicts

    tim.kutz

      We are attempting to set up a SAML 2.0 based WebSSO infrastructure based on PicketLink.  Our current infrastructure is based on JBoss 5.1.0.  (A move to JBoss AS 7 is planned for sometime in the next year, but is not something our operations teams are prepared to support at this time).

       

      We have been able to get as far as successfully authenticating against an LDAP directory, and have a working sample like that.  However, we require the propagation of LDAP Attributes to the SPs by means of SAML Attributes.  This is where we get stuck.  When Mapping modules are configured, the token response cannot be generated.  This appears, on the surface, with an error of "PL00092: Null Value: requestType".  A previous discussion refers to this, but does not appear to have a resolution.  In attempting to debug it, we have discovered that there appears to be an issue with availability of correct libraries.

       

      In the getAttributes() method of JBossAppServerAttributeManager, lines 56-60 read as follows:

          SecurityContext sc = SecurityActions.getSecurityContext();
          if (sc != null) {
              String mappingType = MappingType.ATTRIBUTE.name();
              MappingManager mm = sc.getMappingManager();
              MappingContext<List<Attribute<Object>>> mc = mm.getMappingContext(mappingType);

      On line 58, an exception is thrown attempting to access MappingType.ATTRIBUTE.  In JBoss 5.1.0.GA, this class is provided from jboss-security-spi.jar, which is version 2.0.3.SP1, according to the manifest.  The version there does not support this enum value, which causes an exception to be thrown.  The exception is "caught" a couple of levels up the stack, back in the finally{} clause in the AbstractIDPValve class, at about line 600.

       

      I've taken a stab at configuring some classloader isolation, but this is so far resulting in a number of errors when the SecurityManagers are being assigned, as they are loaded from outside the application context, by the server itself.  Given the nature of LoginModule loading vs application classloading, I'm not sure this can be made to work at all.

       

      Is PicketLink 2.1.3 compatible with JBossAS 5.1.0.GA, or is the update of the libraries incompatible with the older server version?  If the latter is the case, what is the latest version of PicketLink which IS going to work on JBossAS 5.1.0.GA?

       

      For reference, I have included the relevant PicketLink.xml and context.xml file contents, below, which should allow anyone with a JBoss 5.1.0.GA environment to replicate the issue locally.

       

      Any and all help would be appreciated.

       

      IDP context.xml:

      <Context>
          <Valve className="org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve" />
          <Valve className="org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve"
                 attributeList="cn,mail"
                 ignoreAttributesGeneration="false" />
      </Context>

      IDP picketlink.xml:

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
          <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"
                         AttributeManager="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager">
              <IdentityURL>http://localhost:8080/websso/</IdentityURL>
              <Trust>
                  <Domains>localhost</Domains>
              </Trust>
          </PicketLinkIDP>
          <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
                  <Option Key="ATTRIBUTE_KEYS" Value="mail,cn" />
                  <Option Key="ATTRIBUTE_MANAGER" Value="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager" />
              </Handler>
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
          </Handlers>
          <!--
              The configuration below defines a token timeout and a clock skew. Both settings are used during SAML Assertion creation.
              This configuration is optional. It is defined only to show how to set the token timeout and clock skew.
          -->
          <PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0" TokenTimeout="5000" ClockSkew="0">
              <TokenProviders>
                  <TokenProvider ProviderClass="org.picketlink.identity.federation.core.saml.v2.providers.SAML20AssertionTokenProvider"
                                 TokenType="urn:oasis:names:tc:SAML:2.0:assertion"
                                 TokenElement="Assertion"
                                 TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion" />
              </TokenProviders>
          </PicketLinkSTS>
      </PicketLink>

      IDP security context xml:

      <deployment xmlns="urn:jboss:bean-deployer:2.0">
          <!-- JAAS LoginModule configuration to be used by the IDP. -->
          <application-policy xmlns="urn:jboss:security-beans:1.0" name="websso">
              <authentication>
                  <!-- Any existing security context will be restored on logout -->
                  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                      <module-option name="java.naming.provider.url">ldap://ldappatdev.chboston.org:389</module-option>
                      <module-option name="bindDN">****</module-option>
                      <module-option name="bindCredential">****</module-option>
                      <module-option name="baseCtxDN">ou=users,dc=bchpatdir,dc=org</module-option>
                      <module-option name="baseFilter">(cn={0})</module-option>
                      <module-option name="defaultRole">User</module-option>
                      <module-option name="rolesCtxDN">ou=users,dc=bchpatdir,dc=org</module-option>
                      <module-option name="roleFilter">(cn={0})</module-option>
                      <module-option name="roleAttributeID">memberOf</module-option>
                      <module-option name="roleAttributeIsDN">true</module-option>
                      <module-option name="roleNameAttributeID">cn</module-option>
                      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
                      <module-option name="allowEmptyPasswords">false</module-option>
                  </login-module>
              </authentication>
              <mapping>
                  <mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute">
                      <module-option name="bindDN">****</module-option>
                      <module-option name="bindCredential">****</module-option>
                      <module-option name="baseFilter">(cn={0})</module-option>
                      <module-option name="java.naming.provider.url">ldap://ldappatdev.chboston.org:389</module-option>
                      <module-option name="baseCtxDN">ou=users,dc=bchpatdir,dc=org</module-option>
                      <module-option name="attributeList">mail,cn</module-option>
                  </mapping-module>
              </mapping>
          </application-policy>
      </deployment>

      SP context.xml:

      <Context>
          <Valve className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator" />
      </Context>

      SP picketlink.xml:

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
          <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                        ServerEnvironment="tomcat" BindingType="REDIRECT" RelayState="someURL">
              <IdentityURL>${idp.url::http://localhost:8080/websso/}</IdentityURL>
              <ServiceURL>${ssotestapp.url::http://localhost:8080/ssotestapp/}</ServiceURL>
          </PicketLinkSP>
          <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
          </Handlers>
      </PicketLink>

      SP security context xml:

      <deployment xmlns="urn:jboss:bean-deployer:2.0">
          <!-- JAAS LoginModule configuration to be used by the SP. -->
          <application-policy xmlns="urn:jboss:security-beans:1.0" name="sp">
              <authentication>
                  <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule"
                                flag="required" />
              </authentication>
          </application-policy>
      </deployment>
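The failure the post describes is a classic classloader version mismatch: when a class that was compiled against a newer enum runs against an older copy of that enum, the access to the missing constant fails at link time with a NoSuchFieldError, which is an Error rather than an Exception and is easy to lose in a finally block. The diagnostic below is an added example, not code from the post, PicketLink or JBoss; it loads a class by name through a chosen class loader and reports which jar supplied it, its manifest Implementation-Version and which constants it actually carries, so the server-supplied copy can be compared with the one bundled in the WAR before any SAML handler runs. The fully qualified name org.jboss.security.mapping.MappingType is an assumption (the post names only the simple class), and the code sticks to Java 6 syntax so it runs on a JBoss 5.1 era JDK.

```java
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added diagnostic (not PicketLink, JBoss or the poster's code): reports where a
 * class was loaded from and whether a given enum constant exists on that copy.
 */
public class EnumConstantProbe {

    /** Assumed fully qualified name; the post names only the simple class MappingType. */
    public static final String DEFAULT_CLASS = "org.jboss.security.mapping.MappingType";
    public static final String DEFAULT_CONSTANT = "ATTRIBUTE";

    /** Outcome of one probe, kept as plain fields so a caller can log or assert on it. */
    public static final class Result {
        public final String className;
        public final String constant;
        public final String loadedFrom;       // code source URL, or null when unknown
        public final String implVersion;      // manifest Implementation-Version, or null
        public final List<String> constants;  // enum constant names that are present
        public final boolean constantPresent;
        public final String error;            // non-null when the class could not be inspected

        Result(String className, String constant, String loadedFrom, String implVersion,
               List<String> constants, boolean constantPresent, String error) {
            this.className = className;
            this.constant = constant;
            this.loadedFrom = loadedFrom;
            this.implVersion = implVersion;
            this.constants = Collections.unmodifiableList(constants);
            this.constantPresent = constantPresent;
            this.error = error;
        }

        public String describe() {
            if (error != null) {
                return className + ": " + error;
            }
            return className + " loaded from " + (loadedFrom == null ? "<unknown>" : loadedFrom)
                    + " (Implementation-Version " + (implVersion == null ? "<none>" : implVersion) + ")"
                    + "; constants=" + constants + "; " + constant + " present=" + constantPresent;
        }
    }

    public static Result probe(String className, String constant, ClassLoader loader) {
        Class<?> cls;
        try {
            // initialize=false: inspect the class without running its static initializer
            cls = Class.forName(className, false, loader);
        } catch (ClassNotFoundException e) {
            return new Result(className, constant, null, null, new ArrayList<String>(), false,
                    "ClassNotFoundException: " + e.getMessage());
        } catch (LinkageError e) {
            // e.g. NoClassDefFoundError when a dependency of the class itself is missing
            return new Result(className, constant, null, null, new ArrayList<String>(), false,
                    e.getClass().getSimpleName() + ": " + e.getMessage());
        }

        String loadedFrom = null;
        CodeSource source = cls.getProtectionDomain().getCodeSource();
        if (source != null && source.getLocation() != null) {
            loadedFrom = source.getLocation().toString();
        }
        String version = cls.getPackage() == null ? null : cls.getPackage().getImplementationVersion();

        if (!cls.isEnum()) {
            return new Result(className, constant, loadedFrom, version, new ArrayList<String>(), false,
                    "loaded from " + loadedFrom + " but is not an enum");
        }
        List<String> names = new ArrayList<String>();
        boolean present = false;
        for (Object c : cls.getEnumConstants()) {
            String name = ((Enum<?>) c).name();
            names.add(name);
            if (name.equals(constant)) {
                present = true;
            }
        }
        return new Result(className, constant, loadedFrom, version, names, present, null);
    }

    public static void main(String[] args) {
        String className = args.length > 0 ? args[0] : DEFAULT_CLASS;
        String constant = args.length > 1 ? args[1] : DEFAULT_CONSTANT;

        // The context class loader is what web application code resolves against inside JBoss.
        ClassLoader context = Thread.currentThread().getContextClassLoader();
        System.out.println("[context loader] " + probe(className, constant, context).describe());

        // The loader that defined this class can differ (for example when a server lib/ copy of
        // a jar shadows the one packaged in the WAR), so report it separately when it does.
        ClassLoader own = EnumConstantProbe.class.getClassLoader();
        if (own != null && own != context) {
            System.out.println("[defining loader] " + probe(className, constant, own).describe());
        }
    }
}
```

Run it once with the server's lib/ directory on the classpath and once from inside the deployed application (for example from a servlet's init method); if the two runs report different code source URLs or the constant is present in one and absent in the other, the classloader isolation attempt is fighting the server's own copy of jboss-security-spi.jar rather than a PicketLink bug.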