org.picketlink.identity.federation.bindings.tomcat.PicketLinkAuthenticator
An authenticator that delegates actual authentication to a realm, and in turn to a security manager, by presenting a "conventional" identity. The security manager must accept the conventional identity and generate the real identity for the authenticated principal.
Your web.xml will define some security constraints. But it will define a <login-config> that is different from the servlet specifcation mandated BASIC, CLIENT-CERT, FORM or DIGEST methods. We suggest the use of SECURITY_DOMAIN as the method.
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted Access - Get Only</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>STSClient</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<role-name>STSClient</role-name>
</security-role>
<login-config>
<auth-method>SECURITY_DOMAIN</auth-method>
<realm-name>SECURITY_DOMAIN</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
Important
Note that we defined two pages in the <form-login-config> : login.html and error.html . Both pages must exists inside your deployment.
Change your WEB-INF/jboss-web.xml to configure the PicketLinkAuthenticator as a valve:
<jboss-web> <security-domain>authenticator</security-domain> <context-root>authenticator</context-root> <valve> <class-name>org.picketlink.identity.federation.bindings.tomcat.PicketLinkAuthenticator </class-name> </valve> </jboss-web>
We also defined a <security-domain> configuration with the name of the security domain that you configured in your standalone.xml:
<security-domain name="authenticator" cache-type="default">
<authentication>
<login-module code="org.picketlink.test.trust.loginmodules.TestRequestUserLoginModule" flag="required">
<module-option name="usersProperties" value="users.properties"/>
<module-option name="rolesProperties" value="roles.properties"/>
</login-module>
</authentication>
</security-domain>
Tip
To use PicketLink you need to define it as a module dependency using the META-INF/jboss-deployment-structure.xml.
Your web.xml will define some security constraints. But it will define a <login-config> that is different from the servlet specifcation mandated BASIC, CLIENT-CERT, FORM or DIGEST methods. We suggest the use of SECURITY-DOMAIN as the method.
Create a context.xml in your WEB-INF directory of your web-archive.
<Context> <Valve className="org.picketlink.identity.federation.bindings.tomcat.PicketLinkAuthenticator" /> </Context>
Your web.xml may look as follows:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<description>Sales Application</description>
<security-constraint>
<display-name>Restricted</display-name>
<web-resource-collection>
<web-resource-name>Restricted Access</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Sales</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<role-name>Sales</role-name>
</security-role>
<login-config>
<auth-method>SECURITY-DOMAIN</auth-method>
</login-config>
</web-app>
Warning
NOTE: The use of SECURITY-DOMAIN as the auth-method.
The war should be packaged as a regular web archive.
If you have a large number of web applications and it is not practical to include context.xml in all the war files, then you can configure the "authenticators" attribute in the war-deployers-jboss-beans.xml file in /server/default/deployers/jbossweb.deployer/META-INF of your JBoss AS instance.
<property name="authenticators">
<map class="java.util.Properties" keyClass="java.lang.String" valueClass="java.lang.String">
<entry>
<key>BASIC</key>
<value>org.apache.catalina.authenticator.BasicAuthenticator</value>
</entry>
<entry>
<key>CLIENT-CERT</key>
<value>org.apache.catalina.authenticator.SSLAuthenticator</value>
</entry>
<entry>
<key>DIGEST</key>
<value>org.apache.catalina.authenticator.DigestAuthenticator</value>
</entry>
<entry>
<key>FORM</key>
<value>org.apache.catalina.authenticator.FormAuthenticator</value>
</entry>
<entry>
<key>NONE</key>
<value>org.apache.catalina.authenticator.NonLoginAuthenticator</value>
</entry>
<key>SECURITY-DOMAIN</key>
<value>org.picketlink.identity.federation.bindings.tomcat.PicketLinkAuthenticator</value>
</entry>
</map>
</property>
-
Go to the deploy directory.
-
cp -R jmx-console.war test.war
-
In deploy/test.war/WEB-INF/web.xml, change the auth-method element to SECURITY-DOMAIN.
-
<login-config> <auth-method>SECURITY-DOMAIN</auth-method> <realm-name>JBoss JMX Console</realm-name> </login-config> -
Also uncomment the security constraints in web.xml. It should look as follows.
-
<!-- A security constraint that restricts access to the HTML JMX console to users with the role JBossAdmin. Edit the roles to what you want and uncomment the WEB-INF/jboss-web.xml/security-domain element to enable secured access to the HTML JMX console. --> <security-constraint> <web-resource-collection> <web-resource-name>HtmlAdaptor</web-resource-name> <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application </description> <url-pattern>/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>JBossAdmin</role-name> </auth-constraint> </security-constraint> -
In the /server/default/conf/jboss-log4j.xml , add trace category for org.jboss.security.
-
Start JBoss AS.
-
Go to the following url: http://localhost:8080/test/
-
You should see a HTTP 403 message.
-
If you look inside the log, log/server.log, you will see the following exception trace:
-
2011-04-20 11:02:01,714 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.jmx-console] (http-127.0.0.1-8080-1) Login failure javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:252) at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:152) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) at javax.security.auth.login.LoginContext.login(LoginContext.java:579) at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552) at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486) at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365) at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160) at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384) at org.picketlink.identity.federation.bindings.tomcat.PicketLinkAuthenticator.authenticate(PicketLinkAuthenticator.java:104) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92) at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126) at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) at java.lang.Thread.run(Thread.java:662)As you can see from the stack trace, PicketLinkAuthenticator method has been kicked in.