Cheatsheet: PicketLink Security Token Service with JBoss AS 7.1.x

Introduction

This article is an addendum to PicketLink Security Token Service by Stefan Guilhen. It shows the steps necessary to make JBoss AS 7.1.1 work with the latest version of PicketLink (2.0.3.Final) and with the picketlink-sts.war included in PicketLink Web Applications for JBoss AS 7.1.x.

Versions

Component                    Version
JBoss AS                     7.1.1.Final
PicketLink                   2.0.3.Final
PicketLink Web Applications  2.0.3.Final

JBoss AS Configuration

Follow the last section (How do I install PL 2.0.2 (and above) in AS 7.1.x?) of the PicketLink 2.0.3.Final article by Anil Saldhana. After following the steps, you should:

  • have the latest PicketLink jars in ${jboss.home.dir}/modules/org/picketlink/main
  • have ${jboss.home.dir}/modules/org/picketlink/main/module.xml updated to:

<module xmlns="urn:jboss:module:1.1" name="org.picketlink">
  <resources>
    <resource-root path="picketlink-fed-2.0.3.Final.jar"/>
    <resource-root path="picketlink-bindings-2.0.3.Final.jar"/>
    <resource-root path="picketlink-bindings-jboss-2.0.3.Final.jar"/>
  </resources>
  <dependencies>
    <module name="javax.api"/>
    <module name="javax.security.auth.message.api"/>
    <module name="javax.security.jacc.api"/>
    <module name="javax.transaction.api"/>
    <module name="javax.xml.bind.api"/>
    <module name="javax.xml.stream.api"/>
    <module name="javax.servlet.api"/>
    <module name="org.jboss.common-core"/>
    <module name="org.jboss.logging"/>
    <module name="org.jboss.as.web"/>
    <module name="org.jboss.security.xacml"/>
    <module name="org.picketbox"/>
    <module name="javax.xml.ws.api"/>
    <module name="org.apache.log4j"/>
    <!-- <module name="org.apache.santuario.xmlsec"/> --> <!-- Comment this line out -->
    <module name="sun.jdk"/> <!-- Add this new module dependency -->
  </dependencies>
</module>

  • have added the following lines to ${jboss.home.dir}/modules/sun/jdk/main/module.xml

<path name="javax/xml/crypto/dsig"/>
<path name="javax/xml/crypto"/>
<path name="javax/xml/crypto/dsig/dom"/>
<path name="javax/xml/crypto/dsig/keyinfo"/>
<path name="com/sun/org/apache/xml/internal/security/transforms/implementations"/>
<path name="org/jcp/xml/dsig/internal/dom"/>

  • have unpacked all web applications in ${jboss.home.dir}/standalone/deployments
  • have modified ${jboss.home.dir}/standalone/configuration/standalone.xml to include security-domain entries for the sample web applications above

<security-domain name="idp" cache-type="default">
  <authentication>
    <login-module code="UsersRoles" flag="required">
      <module-option name="usersProperties" value="users.properties"/>
      <module-option name="rolesProperties" value="roles.properties"/>
    </login-module>
  </authentication>
</security-domain>
<security-domain name="picketlink-sts" cache-type="default">
  <authentication>
    <login-module code="UsersRoles" flag="required">
      <module-option name="usersProperties" value="sts-users.properties"/>
      <module-option name="rolesProperties" value="sts-roles.properties"/>
    </login-module>
  </authentication>
</security-domain>
<security-domain name="sp" cache-type="default">
  <authentication>
    <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
  </authentication>
</security-domain>

Modify picketlink-sts.war

The picketlink-sts.war does not include the user and role property files needed for authentication. To make it work, either add them to the war file or change the recommended "picketlink-sts" security-domain entry so that it reads external property files instead.

Update the picketlink-sts.war file

  • Unpack the war file contents [jar xf picketlink-sts.war]
  • Create both sts-users.properties and sts-roles.properties under WEB-INF/classes. You can either copy the users and roles from idp.war (same location, WEB-INF/classes) or create them yourself. sts-users.properties needs a user=password entry, and sts-roles.properties must map that user to the role configured in WEB-INF/web.xml:

sts-users.properties

tomcat=tomcat

sts-roles.properties

tomcat=manager,sales,employee,STSClient

  • Update the war file with the modified WEB-INF [jar uf picketlink-sts.war WEB-INF]

Update standalone.xml

The other way is to point the authentication mechanism at external property files: modify the picketlink-sts security-domain section in standalone.xml as shown below, then create the same sts-users.properties and sts-roles.properties files from the section above in the directory ${jboss.home.dir}/standalone/configuration.

<security-domain name="picketlink-sts" cache-type="default">
  <authentication>
    <login-module code="UsersRoles" flag="required">
      <module-option name="usersProperties" value="${jboss.server.config.dir}/sts-users.properties"/>
      <module-option name="rolesProperties" value="${jboss.server.config.dir}/sts-roles.properties"/>
    </login-module>
  </authentication>
</security-domain>
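
Whichever of the two approaches above you use, the UsersRoles login module denies any user whose roles entry is missing or lacks the role that web.xml demands, and the only symptom is a failed STS call. The following Python check is an added example, not part of this article or of PicketLink; it reads constructed copies of sts-users.properties and sts-roles.properties and reports such gaps, assuming the required role is STSClient as in the sample above.

```python
# Constructed samples modelled on the files this article tells you to create.
STS_USERS = """# sts-users.properties (constructed)
tomcat=tomcat
auditor=s3cr3t-Aud!t
orphan:pw
"""
STS_ROLES = """# sts-roles.properties (constructed)
tomcat=manager,sales,employee,STSClient
auditor=employee
ghost=STSClient
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':' separators."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        entries[key.strip()] = value.strip()
    return entries


def check_sts_access(users_text, roles_text, required_role="STSClient"):
    """Return (allowed_users, findings) for the UsersRoles login module files.

    required_role is assumed to be the role the STS web.xml security constraint
    demands; take the real value from WEB-INF/web.xml of picketlink-sts.war.
    """
    users = parse_properties(users_text)
    roles = {u: [r.strip() for r in v.split(",") if r.strip()]
             for u, v in parse_properties(roles_text).items()}
    allowed, findings = [], []
    for user, password in users.items():
        if user not in roles:
            findings.append(f"{user}: no roles entry, every STS call is denied")
        elif required_role not in roles[user]:
            findings.append(f"{user}: lacks {required_role}, authenticates but is denied")
        else:
            allowed.append(user)
        if password == user:
            findings.append(f"{user}: password equals user name (sample credential)")
    for user in roles:
        if user not in users:
            findings.append(f"{user}: roles mapped but no user entry (dead mapping)")
    return sorted(allowed), findings
```

Run it against the real files before deploying; the tomcat=tomcat sample credential from this article is flagged so that it does not survive into a non-test installation.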

Check STS wsdl

To make sure everything is configured correctly, request the WSDL at http://localhost:8080/picketlink-sts/PicketLinkSTSService?wsdl

The server should ask for authentication before returning the WSDL. If the WSDL comes back without a challenge, the security constraint in web.xml or the security-domain binding is not being applied.

Run Client Application

To run the client application from PicketLink Security Token Service by Stefan Guilhen, modify the endpoint and the user/password:

   public void testSTS() throws Exception
   {
      // create a WSTrustClient instance for the local STS endpoint; the
      // credentials must match an entry in sts-users.properties.
      WSTrustClient client = new WSTrustClient("PicketLinkSTS", "PicketLinkSTSPort",
            "http://localhost:8080/picketlink-sts/PicketLinkSTSService",
            new SecurityInfo("tomcat", "tomcat"));
. . .

To switch to SAML 1.1, change the token type:

      // issue a SAML 1.1 assertion using the client API.
      Element assertion = null;
      try
      {
         assertion = client.issueToken(SAMLUtil.SAML11_TOKEN_TYPE);
      }
      catch (WSTrustException wse)
      {
         System.out.println("Unable to issue assertion: " + wse.getMessage());
         wse.printStackTrace();
         System.exit(1);
      }

If everything is working, you should get a SAML assertion like this one:

<?xml version="1.0" encoding="UTF-8"?><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="ID_eb76fdfc-8614-462f-933e-cb8d17cb5e4e" IssueInstant="2012-04-09T21:43:36.572Z" Issuer="PicketLinkSTS" MajorVersion="1" MinorVersion="1"><saml:Conditions NotBefore="2012-04-09T21:43:36.572Z" NotOnOrAfter="2012-04-09T23:43:36.572Z"/><saml:AuthenticationStatement AuthenticationInstant="2012-04-09T21:43:36.572Z" AuthenticationMethod="urn:picketlink:auth"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">tomcat</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI=""><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>HDnMXVoONxX3EtDGVhI3y5n88ho=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>Lw/KCB//ahqDl9YFvA54jAiHA4uyte2xzqU1B+5qJTzy/ADKULWnjSV6gG5BNF2BwqgRwYD0GW3K
W/mEeHefJ6IZD/rHxMChGDYM4v/1ST27RV/tGWXSMOeilK0pMFvO0yWrljQarJvCV1cYwZR+zbaQ
davemRmvg95GxbwaJl4=</dsig:SignatureValue><dsig:KeyInfo><dsig:KeyValue><dsig:RSAKeyValue><dsig:Modulus>suGIyhVTbFvDwZdx8Av62zmP+aGOlsBN8WUE3eEEcDtOIZgO78SImMQGwB2C0eIVMhiLRzVPqoW1
dCPAveTm653zHOmubaps1fY0lLJDSZbTbhjeYhoQmmaBro/tDpVw5lKJns2qVnMuRK19ju2dxpKw
lYGGtrP5VQv00dfNPbs=</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue></dsig:KeyInfo></dsig:Signature></saml:Assertion>
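
Before a relying party accepts an assertion like the one above, it should at least check the issuer, the validity window and the presence and algorithm of the signature. The Python inspector below is an added example, not part of this article or of PicketLink; it runs those structural checks on a constructed assertion shaped like the STS output (signature value elided) and does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample shaped like the STS response above; signature value elided.
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML1}" AssertionID="ID_constructed-0001"
  IssueInstant="2012-04-09T21:43:36.572Z" Issuer="PicketLinkSTS" MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2012-04-09T21:43:36.572Z" NotOnOrAfter="2012-04-09T23:43:36.572Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:picketlink:auth"
    AuthenticationInstant="2012-04-09T21:43:36.572Z">
    <saml:Subject><saml:NameIdentifier>tomcat</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <dsig:Signature xmlns:dsig="{DSIG}"><dsig:SignedInfo>
    <dsig:SignatureMethod Algorithm="{DSIG}rsa-sha1"/></dsig:SignedInfo>
    <dsig:SignatureValue>ELIDED</dsig:SignatureValue></dsig:Signature>
</saml:Assertion>"""


def parse_instant(text):
    """Parse the UTC timestamps the STS emits (millisecond precision, 'Z' suffix)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def inspect_assertion(xml_text, now, expected_issuer="PicketLinkSTS"):
    """Structural checks a relying party should make before trusting the token.
    Returns {'subject': ..., 'problems': [...]}. This does NOT verify the XML
    signature cryptographically (use an XML-DSig library for that); it only
    checks that a signature is present and which algorithm it declares."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{SAML1}}}Assertion":
        return {"subject": None, "problems": ["not a SAML 1.x assertion"]}
    if root.get("Issuer") != expected_issuer:
        problems.append(f"unexpected Issuer {root.get('Issuer')!r}")
    cond = root.find(f"{{{SAML1}}}Conditions")
    if cond is None:
        problems.append("no Conditions: assertion has no validity window")
    elif not parse_instant(cond.get("NotBefore")) <= now < parse_instant(cond.get("NotOnOrAfter")):
        problems.append("outside validity window (NotBefore/NotOnOrAfter)")
    sig = root.find(f"{{{DSIG}}}Signature")
    if sig is None:
        problems.append("assertion is unsigned")
    elif sig.find(f".//{{{DSIG}}}SignatureMethod").get("Algorithm") == f"{DSIG}rsa-sha1":
        problems.append("signature uses rsa-sha1; SHA-1 signatures are deprecated")
    name = root.find(f".//{{{SAML1}}}NameIdentifier")
    return {"subject": name.text if name is not None else None, "problems": problems}
```

The assertion above is signed with rsa-sha1, which this check flags; that is the algorithm this PicketLink version emits, so treat the finding as a caveat for the STS configuration rather than as a client-side error.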

Links