
JBWSTokenIssuingLoginModule

Fully Qualified Name

org.picketlink.trust.jbossws.jaas.JBWSTokenIssuingLoginModule

Objective

A variant of the PicketLink STSIssuingLoginModule that allows you to:

  1. Inject BinaryTokenHandler, SAML2Handler, or both as client-side handlers on the WS call to the STS.

  2. Inject the JaasSecurityDomainServerSocketFactory as a request property on the BindingProvider under the key "org.jboss.ws.socketFactory". This is useful for mutually authenticated SSL with the STS, wherein the trust store is defined by a JaasSecurityDomain instance.

Configuration

Options include:

  • configFile: a properties file that gives the login module details about the STS. Optional if you specify the values directly as module options.

  • handlerChain: comma-separated list of handlers to set for handling the outgoing message to the STS.
    Values: binary (to inject BinaryTokenHandler), saml2 (to inject SAML2Handler), map (to inject MapBasedTokenHandler), or the class name of your own handler with a default constructor.

  • cache.invalidation: set it to "true" if you want the JBoss authentication cache to invalidate entries based on SAML token expiry. By default, this value is false.

  • inject.callerprincipal: set it to "true" if the login module should add a group principal called "CallerPrincipal" to the subject. This is useful in JBoss AS for programmatic security in web/EJB components.

  • groupPrincipalName: by default, JBoss AS security uses "Roles" as the group principal name in the subject. You can give a different value.

  • endpointAddress: endpoint URL of the STS.

  • serviceName: service name of the STS.

  • portName: port name of the STS.

  • username: username of the account on the STS.

  • password: password of the account on the STS.

  • wsaIssuer: if you need to customize the WS-Addressing Issuer address in the WS-Trust call to the STS.

  • wspAppliesTo: if you need to customize the WS-Policy AppliesTo in the WS-Trust call to the STS.

  • securityDomainForFactory: if you have a JaasSecurityDomain MBean service in JBoss AS that provides the truststore.

  • map.token.key: key used to find the binary token in the JAAS sharedState map. Defaults to "ClientID".

  • soapBinding: allows you to change the SOAP binding for the SAML request.

  • requestType: allows you to override the SAML request type when sending the request to the STS. Default: "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"
    Other possible value: "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate".

Note: the configFile option is optional. If you provide it, the file should look like the one below.

Configuration file, for example sts-client.properties:

serviceName=PicketLinkSTS
portName=PicketLinkSTSPort
endpointAddress=http://localhost:8080/picketlink-sts/PicketLinkSTS
username=admin
password=admin
wsaIssuer=http://localhost:8080/someissuer
wspAppliesTo=http://localhost:8080/testws

Notes:

  • The password can be masked according to http://community.jboss.org/wiki/PicketLinkConfigurationMaskpassword, which gives something like password=MASK-dsfdsfdslkfh

  • wsaIssuer can optionally be added if you want a value for the WS-Addressing Issuer in the WS-Trust call to the STS.

  • wspAppliesTo can optionally be added if you want a value for the WS-Policy AppliesTo in the WS-Trust call to the STS.

  • serviceName, portName and endpointAddress are mandatory.

  • The username and password keys are not needed if you are using mutually authenticated SSL (MASSL) with the STS.

SSL DomainSocketFactory in use on the client side

Often the login module has to communicate with the STS over mutually authenticated SSL. In this case you need to specify the truststore. JBoss AS provides the JaasSecurityDomain MBean for specifying a truststore. For this reason there is a special JaasSecurityDomainServerSocketFactory that can be used for making the JBossWS calls. Specify the "securityDomainForFactory" module option with the security domain name (as configured in the JaasSecurityDomain MBean service).
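The following is an added example, not configuration from the original page or the PicketLink project, showing how the socket factory described above is wired up end to end: a JaasSecurityDomain MBean supplies the client keystore and the truststore used to verify the STS certificate, and the login module references that domain through securityDomainForFactory instead of sending a username and password. The MBean attribute names (KeyStoreURL, KeyStorePass, TrustStoreURL, TrustStorePass) follow the JBoss AS JaasSecurityDomain service; the domain name sts-client-ssl, the keystore and truststore file names, their passwords and the endpoint URL are assumed values.

```xml
<!-- jboss-service.xml (or a *-service.xml deployment): the JaasSecurityDomain
     that holds the client certificate and the truststore used to verify the STS.
     Domain name, file names and passwords are assumed values. -->
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="jboss.security:service=JaasSecurityDomain,domain=sts-client-ssl">
  <constructor>
    <arg type="java.lang.String" value="sts-client-ssl"/>
  </constructor>
  <!-- client identity presented to the STS during the SSL handshake -->
  <attribute name="KeyStoreURL">resource:sts-client.keystore</attribute>
  <attribute name="KeyStorePass">changeit</attribute>
  <!-- CA or server certificates trusted for the STS endpoint -->
  <attribute name="TrustStoreURL">resource:sts-client.truststore</attribute>
  <attribute name="TrustStorePass">changeit</attribute>
</mbean>

<!-- login-config.xml: the login module reaches the STS over HTTPS using the
     JaasSecurityDomainServerSocketFactory bound to the domain defined above. -->
<application-policy name="saml-issue-token-massl">
  <authentication>
    <login-module code="org.picketlink.trust.jbossws.jaas.JBWSTokenIssuingLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="endpointAddress">https://sts.example.org:8443/picketlink-sts/PicketLinkSTS</module-option>
      <module-option name="serviceName">PicketLinkSTS</module-option>
      <module-option name="portName">PicketLinkSTSPort</module-option>
      <!-- the security domain name given to the JaasSecurityDomain MBean, not its JMX ObjectName -->
      <module-option name="securityDomainForFactory">sts-client-ssl</module-option>
      <module-option name="inject.callerprincipal">true</module-option>
      <!-- no username/password options: the client certificate authenticates this caller to the STS -->
    </login-module>
  </authentication>
</application-policy>
```

Because the STS is contacted over an https endpoint with a dedicated truststore, a certificate that is not present in sts-client.truststore fails the handshake rather than being accepted, so keep that truststore limited to the CA that issued the STS certificate.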

Example configurations

Either specify the module options directly, or use a properties file for the STS-related properties.

Configuration specified directly

<application-policy name="saml-issue-token">
  <authentication>
    <login-module code="org.picketlink.trust.jbossws.jaas.JBWSTokenIssuingLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="endpointAddress">http://somests</module-option>
      <module-option name="serviceName">PicketLinkSTS</module-option>
      <module-option name="portName">PicketLinkPort</module-option>
      <module-option name="username">admin</module-option>
      <module-option name="password">admin</module-option>
      <module-option name="inject.callerprincipal">true</module-option>
      <module-option name="groupPrincipalName">Membership</module-option>
    </login-module>
  </authentication>
</application-policy>

Configuration with the configFile option

<application-policy name="saml-issue-token">
  <authentication>
    <login-module code="org.picketlink.trust.jbossws.jaas.JBWSTokenIssuingLoginModule" flag="required">
      <module-option name="configFile">/sts-client.properties</module-option>
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="cache.invalidation">true</module-option>
      <module-option name="inject.callerprincipal">true</module-option>
      <module-option name="groupPrincipalName">Membership</module-option>
    </login-module>
  </authentication>
</application-policy>

Dealing with Roles

If the STS sends roles via Attribute Statements in the SAML assertion, then you have to use the SAMLRoleLoginModule.

<application-policy name="saml">
  <authentication>
    <login-module code="org.picketlink.trust.jbossws.jaas.JBWSTokenIssuingLoginModule" flag="required">
      <module-option name="endpointAddress">SOME_URL</module-option>
      <module-option name="serviceName">SecurityTokenService</module-option>
      <module-option name="portName">RequestSecurityToken</module-option>
      <module-option name="inject.callerprincipal">true</module-option>
      <module-option name="handlerChain">binary</module-option>
    </login-module>
    <login-module code="org.picketlink.trust.jbossws.jaas.SAMLRoleLoginModule" flag="required"/>
  </authentication>
</application-policy>

If the STS does not send roles, then you have to configure a different JAAS login module to pick up the roles for the username, such as the UsernamePasswordLoginModule.

<application-policy xmlns="urn:jboss:security-beans:1.0" name="binary">
  <authentication>
    <login-module code="org.picketlink.trust.jbossws.jaas.JBWSTokenIssuingLoginModule" flag="required">
      <module-option name="endpointAddress">http://localhost:8080/picketlink-sts/PicketLinkSTS</module-option>
      <module-option name="serviceName">PicketLinkSTS</module-option>
      <module-option name="portName">PicketLinkSTSPort</module-option>
      <module-option name="inject.callerprincipal">true</module-option>
      <module-option name="handlerChain">binary</module-option>
      <module-option name="username">admin</module-option>
      <module-option name="password">MASK-0BbleBL2LZk=</module-option>
      <module-option name="salt">18273645</module-option>
      <module-option name="iterationCount">56</module-option>
      <module-option name="useOptionsCredentials">true</module-option>
      <module-option name="overrideDispatch">true</module-option>
      <module-option name="wspAppliesTo">http://services.testcorp.org/provider1</module-option>
      <module-option name="wsaIssuer">http://something</module-option>
      <module-option name="password-stacking">useFirstPass</module-option>
    </login-module>

    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">sts-users.properties</module-option>
      <module-option name="rolesProperties">sts-roles.properties</module-option>
      <module-option name="password-stacking">useFirstPass</module-option>
    </login-module>
  </authentication>
</application-policy>

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-11 12:18:23 UTC, last content change 2012-09-19 19:44:46 UTC.