SAML2STSLoginModule

FQN

org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule

Author:

Stefan Guilhen

Objective

This LoginModule authenticates clients by validating their SAML assertions with an external security token service (such as PicketLinkSTS). If the supplied assertion contains roles, these roles are extracted and included in the Group returned by the getRoleSets method.

The LoginModule can also be used to retrieve a SAML assertion token from an HTTP request header and validate it.

Module Options

This module defines the following module options:

  • configFile - this property identifies the properties file that will be used to establish communication with the external security token service. 

  • cache.invalidation: set it to true if you require invalidation of the JBoss Auth Cache when the SAML Principal expires.

  • jboss.security.security_domain - the security domain in which the Principal will be expired when cache.invalidation is used.

  • roleKey: the attribute name whose values are taken as Roles from the SAML assertion. This can be a comma-separated list of attribute names, such as (Role,Membership).

  • localValidation: set it to true to validate the assertion's signature and expiry locally.

  • localValidationSecurityDomain: the security domain that provides the trust store information (via the JaasSecurityDomain).

  • tokenEncodingType: encoding type of SAML token delivered via http request's header.
    Possible values are:

    • base64 - content encoded as base64. If the encoding may vary between base64 and gzip, use base64; the LoginModule will detect gzipped data.

    • gzip - gzipped content encoded as base64

    • none - content not encoded in any way

  • samlTokenHttpHeader - name of the HTTP request header to fetch the SAML token from. For example: "Authorize"

  • samlTokenHttpHeaderRegEx - Java regular expression used to extract the SAML token from the "samlTokenHttpHeader" value. Example: use .*"(.*)".* to parse the SAML token from header content such as SAML_assertion="HHDHS=", and at the same time set samlTokenHttpHeaderRegExGroup to 1.

  • samlTokenHttpHeaderRegExGroup - group number to be used when parsing out the value of the HTTP request header specified by "samlTokenHttpHeader" using "samlTokenHttpHeaderRegEx". The header value is parsed as follows:

import java.util.regex.Matcher;
import java.util.regex.Pattern;

// DOTALL lets '.' also match line breaks inside the header value
Pattern pattern = Pattern.compile(samlTokenHttpHeaderRegEx, Pattern.DOTALL);
Matcher m = pattern.matcher(content);   // content is the raw header value
if (m.matches()) {                      // the whole header value must match the expression
    String token = m.group(samlTokenHttpHeaderRegExGroup);
}
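As an added example (not PicketLink's own code), the following Java class walks a header value through the two steps these options describe: extraction with samlTokenHttpHeaderRegEx and samlTokenHttpHeaderRegExGroup, then decoding according to tokenEncodingType, including the gzip-under-base64 case. The class name, the sample assertion and the magic-byte check used to detect gzipped data are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;
// Hypothetical stand-in for the header handling done before the assertion is validated.
public class HeaderTokenExtractor {
    // Step 1: pull the raw token out of the header value (samlTokenHttpHeaderRegEx / ...RegExGroup).
    static String extract(String headerValue, String regex, int group) {
        Matcher m = Pattern.compile(regex, Pattern.DOTALL).matcher(headerValue);
        if (!m.matches()) {
            throw new IllegalArgumentException("header does not match samlTokenHttpHeaderRegEx");
        }
        return m.group(group);
    }
    // Step 2: undo tokenEncodingType; under "base64" a gzipped payload is recognised by its magic bytes 0x1f 0x8b (assumed detection method).
    static String decode(String raw, String tokenEncodingType) throws IOException {
        switch (tokenEncodingType) {
            case "none":
                return raw;
            case "gzip":
                return gunzip(Base64.getDecoder().decode(raw));
            case "base64":
                byte[] bytes = Base64.getDecoder().decode(raw);
                boolean gzipped = bytes.length > 2 && (bytes[0] & 0xff) == 0x1f && (bytes[1] & 0xff) == 0x8b;
                return gzipped ? gunzip(bytes) : new String(bytes, StandardCharsets.UTF_8);
            default:
                throw new IllegalArgumentException("unknown tokenEncodingType: " + tokenEncodingType);
        }
    }
    private static String gunzip(byte[] data) throws IOException {
        try (GZIPInputStream in = new GZIPInputStream(new ByteArrayInputStream(data))) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8); // Java 9+
        }
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample assertion, gzipped and base64-encoded as a tokenEncodingType=gzip header carries it.
        String assertion = "<saml:Assertion ID=\"sample\"/>";
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(buf)) { gz.write(assertion.getBytes(StandardCharsets.UTF_8)); }
        String header = "SAML_assertion=\"" + Base64.getEncoder().encodeToString(buf.toByteArray()) + "\"";
        String raw = extract(header, ".*\"(.*)\".*", 1);
        System.out.println("gzip   round-trips: " + decode(raw, "gzip").equals(assertion));
        System.out.println("base64 round-trips: " + decode(raw, "base64").equals(assertion));
    }
}
```

Both lines print true: the second shows that a gzipped payload is still recovered when the module is configured with tokenEncodingType=base64.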

Any properties specified besides the above are assumed to configure how the STSClient connects to the STS. For example, the JBossWS StubExt.PROPERTY_SOCKET_FACTORY can be specified to select the socket factory that must be used to connect to the STS. All such properties are set in the request context of the Dispatch instance used by the STSClient to send requests to the STS.

An example of a configFile can be seen below:

serviceName=PicketLinkSTS
portName=PicketLinkSTSPort
endpointAddress=http://localhost:8080/picketlink-sts/PicketLinkSTS
username=JBoss
password=JBoss

The first three properties specify the STS service name, port name, and endpoint URL. The last two properties specify the username and password that the application server uses to authenticate to the STS and have the SAML assertions validated.
 

NOTE: Subclasses can use the getSTSClient() method to customize the STSClient instance that makes calls to the STS.

Examples

Example Configuration 1:

   <application-policy xmlns="urn:jboss:security-beans:1.0" name="cache-test">
      <authentication>
         <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="configFile">sts-config.properties</module-option>
            <module-option name="cache.invalidation">true</module-option>
            <module-option name="localValidation">true</module-option>
            <module-option name="localValidationSecurityDomain">MASSL</module-option>
         </login-module>
      </authentication>
   </application-policy>

Example Configuration 2 using http header and local validation:

   <application-policy xmlns="urn:jboss:security-beans:1.0" name="service">
      <authentication>
         <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="cache.invalidation">true</module-option>
            <module-option name="localValidation">true</module-option>
            <module-option name="localValidationSecurityDomain">java:jaas/localValidationDomain</module-option>
            <module-option name="tokenEncodingType">gzip</module-option>
            <module-option name="samlTokenHttpHeader">Auth</module-option>
            <module-option name="samlTokenHttpHeaderRegEx">.*"(.*)".*</module-option>
            <module-option name="samlTokenHttpHeaderRegExGroup">1</module-option>
         </login-module>
         <login-module code="org.picketlink.trust.jbossws.jaas.SAMLRoleLoginModule" flag="required"/>
      </authentication>
   </application-policy>

For local validation, here is an example jboss-beans.xml file that configures the JAAS Security Domain (JBoss AS6 or EAP5):

<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">
   <!-- localValidationDomain bean -->
   <bean name="LocalValidationBean" class="org.jboss.security.plugins.JaasSecurityDomain">
      <constructor>
         <parameter>localValidationDomain</parameter>
      </constructor>
      <property name="keyStoreURL">file://${jboss.server.home.dir}/conf/stspub.jks</property>
      <property name="keyStorePass">keypass</property>
      <property name="keyStoreAlias">sts</property>
      <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>
   </bean>
</deployment>

For JBoss AS7 or JBoss EAP6, add the following security domain to your configuration file:

<security-domain name="localValidationDomain">
      <jsse
         keystore-password="keypass"
         keystore-type="JKS"
         keystore-url="file:///${jboss.server.config.dir}/stspub.jks"
         server-alias="sts"/>
</security-domain>

and reference this security domain as: <module-option name="localValidationSecurityDomain">localValidationDomain</module-option>.

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-11 12:18:23 UTC, last content change 2013-03-29 12:36:34 UTC.