JBoss.org Community Documentation

Chapter 9. The S-RAMP Browser (UI)

9.1. Overview
9.2. Configuration
9.2.1. Security (Authentication)
9.2.2. Security (Authorization)

The Overlord S-RAMP project comes with a user interface that allows end users (or more likely business admins) to browse all of the artifacts in the S-RAMP repository. This UI is capable of viewing and manipulating all S-RAMP artifacts in a very generic way, supporting all aspects of the S-RAMP specification (properties, classifiers, relationships, etc).

The browser is a web-based application built using GWT and Errai, and is compatible with all modern web browsers. Additionally, it is capable of scaling the interface down to a size that is useful on a smartphone.

The UI can be configured via an external properties file named sramp-ui.properties located in the application server's configuration directory. This configuration file can contain UI-specific settings such as the following:

# The location of the S-RAMP server's Atom API
s-ramp-ui.atom-api.endpoint
# Whether or not to validate the S-RAMP server endpoint when connecting to it
s-ramp-ui.atom-api.validating
# The authentication provider to use when connecting
s-ramp-ui.atom-api.authentication.provider
# BASIC auth username/password
s-ramp-ui.atom-api.authentication.basic.user
s-ramp-ui.atom-api.authentication.basic.password

Note that the BASIC auth password is stored in this file in clear text, so the file should be readable only by the account that runs the application server, and the configured endpoint should be an https URL, since BASIC credentials are merely base64-encoded on the wire.

Alternatively, the location of the configuration file can be supplied through a Java system property (for example by adding -Dsramp-ui.config.file.name=/path/to/sramp-ui.properties to JAVA_OPTS) with the following name:

sramp-ui.config.file.name
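The following script is an added example and is not part of the Overlord S-RAMP project. It writes an sramp-ui.properties file containing the keys listed above with owner-only permissions, checks the file before the server is started (all keys present, https endpoint, no group/other access), and builds the JAVA_OPTS fragment for the alternative system-property location. The host name, context path and credentials are placeholders, and the authentication provider class name is an assumption that must be taken from the release actually deployed.

```shell
#!/bin/sh
# Added example, not part of the Overlord S-RAMP project: create an
# sramp-ui.properties file with the keys documented above and check it
# before starting the server. Host, context path and credentials are
# placeholders; the provider class name is an assumption (check your release).

# Write the UI configuration into the given directory. The BASIC password is
# stored in clear text, so the file is created readable by its owner only.
write_sramp_ui_config() {
    cfg_dir="$1"
    cfg="$cfg_dir/sramp-ui.properties"
    mkdir -p "$cfg_dir"
    ( umask 077; cat > "$cfg" <<'EOF'
# Location of the S-RAMP server's Atom API (placeholder host/context)
s-ramp-ui.atom-api.endpoint=https://sramp.example.test:8443/s-ramp-server
# Validate the endpoint when connecting
s-ramp-ui.atom-api.validating=true
# Authentication provider (assumed class name; check your release)
s-ramp-ui.atom-api.authentication.provider=org.overlord.sramp.ui.server.api.BasicAuthenticationProvider
# BASIC auth credentials (placeholders)
s-ramp-ui.atom-api.authentication.basic.user=sramp-ui
s-ramp-ui.atom-api.authentication.basic.password=changeit
EOF
    )
    chmod 600 "$cfg"
}

# Check that every key the UI reads is present, that the endpoint uses TLS
# (BASIC credentials are only base64-encoded on the wire) and that the file
# is not readable by group or other. Returns 0 when all checks pass.
check_sramp_ui_config() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    for key in s-ramp-ui.atom-api.endpoint \
               s-ramp-ui.atom-api.validating \
               s-ramp-ui.atom-api.authentication.provider \
               s-ramp-ui.atom-api.authentication.basic.user \
               s-ramp-ui.atom-api.authentication.basic.password; do
        grep -q "^$key=" "$cfg" || { echo "missing key $key" >&2; return 1; }
    done
    grep -q '^s-ramp-ui.atom-api.endpoint=https://' "$cfg" \
        || { echo "endpoint is not https" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "permissions too open: $mode" >&2; return 1 ;;
    esac
}

# The alternative to the server's configuration directory: pass the file
# location as a system property, typically appended to JAVA_OPTS.
sramp_ui_java_opts() {
    printf '%s' "-Dsramp-ui.config.file.name=$1"
}

# Demonstration against a scratch directory; a real deployment would use
# the server's configuration directory instead.
demo_dir=$(mktemp -d)
write_sramp_ui_config "$demo_dir"
check_sramp_ui_config "$demo_dir/sramp-ui.properties" && echo "sramp-ui.properties OK"
echo "export JAVA_OPTS=\"\$JAVA_OPTS $(sramp_ui_java_opts "$demo_dir/sramp-ui.properties")\""
```

The check deliberately rejects a 0644 file: the same properties file that is convenient to hand-edit is also the one place the repository credentials of the UI live.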

The S-RAMP Browser is protected using standard web application security mechanisms (the security-constraint, login-config and security-role elements) configured in the web.xml.

When deployed to JBoss EAP 6.1, the UI uses SAML-based single sign-on (SSO) as the actual authentication mechanism. The SSO is provided by an Overlord SAML IDP web application, which is shared across all Overlord UI projects.

Overlord SSO is enabled in the S-RAMP Browser UI web application by configuring the web app to use a JBoss security domain named "overlord-sp" (i.e. an Overlord Service Provider). This security domain is configured in the JBoss standalone.xml config file like this:

<security-domain name="overlord-sp" cache-type="default">
  <authentication>
    <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule"
                  flag="required" />
  </authentication>
</security-domain>

As you can see, the security domain is configured to use SAML2: the login module does not check a password itself but accepts the principal and roles established by the PicketLink service-provider valve described next. Additionally, the S-RAMP Browser UI web application includes a file called jboss-web.xml which includes the following markup:

  <valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
  </valve>

These two components (the login module and the valve) work together with the IDP web application to provide web-based single sign-on. This functionality is provided by the PicketLink project, which also requires one final bit of configuration via a picketlink.xml file, also included in the WEB-INF folder of the web application:

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" ServerEnvironment="tomcat"
    BindingType="REDIRECT" RelayState="someURL">
    <IdentityURL>${overlord-idp.url::/overlord-idp/}</IdentityURL>
    <ServiceURL>${s-ramp-ui.url::/s-ramp-ui/}</ServiceURL>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
  </Handlers>
</PicketLink>

All of the above configuration enables SAML-based SSO for the Browser web app. The ${overlord-idp.url::/overlord-idp/} form is PicketLink's system-property expansion: the value of the system property overlord-idp.url if one is set, otherwise the default that follows the "::". The defaults are relative paths and therefore assume the IDP and the browser UI are served from the same host and port; when they are not, set overlord-idp.url and s-ramp-ui.url to the full https URLs. It's worth pointing out that the IDP web app is configured to use a JBoss security domain called "overlord-idp". Its configuration looks something like:

<security-domain name="overlord-idp" cache-type="default">
  <authentication>
    <login-module code="UsersRoles" flag="required">
      <module-option name="usersProperties" value="${jboss.server.config.dir}/overlord-idp-users.properties" />
      <module-option name="rolesProperties" value="${jboss.server.config.dir}/overlord-idp-roles.properties" />
    </login-module>
  </authentication>
</security-domain>

The default login module is the file-based UsersRoles module, so users are managed by editing the following two files. The users file holds one username=password line per user and the roles file one username=role1,role2 line. With the module options shown above the password column is stored in clear text; the module's hashAlgorithm and hashEncoding options switch it to comparing hashed values, and in either case both files should be readable only by the account running the server:

${jboss.server.config.dir}/overlord-idp-users.properties
${jboss.server.config.dir}/overlord-idp-roles.properties

Note that the configuration files are the same ones used by the S-RAMP repository security configuration.
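The following script is an added example and is not part of the Overlord S-RAMP project. It manages the two properties files behind the "overlord-idp" security domain in the UsersRoles format (username=password and username=role1,role2), keeps them owner-readable only, and stores a hex SHA-256 digest instead of the clear-text password. That digest form is what the UsersRoles login module compares against once the security domain above is extended with the module options hashAlgorithm=SHA-256 and hashEncoding=hex; with the domain exactly as shown on this page the module expects clear text, so the two must be changed together. Usernames, passwords and role names in the script are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Overlord S-RAMP project: manage the users
# behind the "overlord-idp" security domain. With the login module exactly as
# shown above, the password column is clear text. If the domain is extended with
#   <module-option name="hashAlgorithm" value="SHA-256"/>
#   <module-option name="hashEncoding" value="hex"/>
# the UsersRoles login module hashes the submitted password the same way
# before comparing, which is what hash_password() produces here.
# Usernames, passwords and role names below are placeholders.

umask 077   # every file this script creates is owner-only from the start

# Hex SHA-256 of a password (no trailing newline). sha256sum is GNU coreutils;
# shasum -a 256 is the equivalent on macOS/BSD.
hash_password() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# Remove a user from both files. grep -v exits 1 when nothing remains, which
# is not an error here.
remove_idp_user() {
    for f in "$1" "$2"; do
        [ -f "$f" ] || continue
        grep -v "^$3=" "$f" > "$f.tmp" || true
        mv "$f.tmp" "$f"
        chmod 600 "$f"
    done
}

# Add or replace a user: $1 users file, $2 roles file, $3 username,
# $4 password, $5 comma-separated roles. The files use the UsersRoles
# format: "user=password" and "user=role1,role2".
add_idp_user() {
    users="$1"; roles="$2"; name="$3"; pw="$4"; rolelist="$5"
    # a properties key may not be empty or contain '=' or a space
    case "$name" in
        ""|*=*|*" "*) echo "invalid username: '$name'" >&2; return 1 ;;
    esac
    remove_idp_user "$users" "$roles" "$name"
    printf '%s=%s\n' "$name" "$(hash_password "$pw")" >> "$users"
    printf '%s=%s\n' "$name" "$rolelist" >> "$roles"
    chmod 600 "$users" "$roles"
}

# Print the roles of a user (empty when the user is unknown).
idp_user_roles() {
    grep "^$2=" "$1" | cut -d= -f2- || true
}

# Offline check of a password against the stored hash; exit status 0 on match.
verify_idp_password() {
    stored=$(grep "^$2=" "$1" | cut -d= -f2- || true)
    [ -n "$stored" ] && [ "$stored" = "$(hash_password "$3")" ]
}

# Demonstration on scratch files; in a deployment the files are
# ${jboss.server.config.dir}/overlord-idp-users.properties and
# ${jboss.server.config.dir}/overlord-idp-roles.properties.
demo_dir=$(mktemp -d)
add_idp_user "$demo_dir/overlord-idp-users.properties" \
             "$demo_dir/overlord-idp-roles.properties" alice 'S3cret!' admin,user
echo "alice roles: $(idp_user_roles "$demo_dir/overlord-idp-roles.properties" alice)"
verify_idp_password "$demo_dir/overlord-idp-users.properties" alice 'S3cret!' \
    && echo "password check OK"
```

Because the page notes that these files are shared with the S-RAMP repository security configuration, switching them to hashed passwords changes the repository's login module requirements as well; both security domains must be given the same hashAlgorithm and hashEncoding options.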