PicketLink Reload Configuration of IDP and SP
**JIRA**: https://issues.jboss.org/browse/PLINK-356

**Prepared Two War Files**

*idp-sig.war*

*META-INF/jboss-deployment-structure.xml*

```xml
<jboss-deployment-structure>
  <deployment>
    <!-- Add picketlink module dependency -->
    <dependencies>
      <module name="org.picketlink" />
    </dependencies>
  </deployment>
</jboss-deployment-structure>
```

*WEB-INF/jboss-web.xml*

```xml
<jboss-web>
  <security-domain>idp</security-domain>
  <context-root>idp-sig</context-root>
  <valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
    <param>
      <param-name>timerInterval</param-name>
      <param-value>5000</param-value>
    </param>
    <param>
      <param-name>configFile</param-name>
      <param-value>/home/anil/keystore/picketlink-idp-sig.xml</param-value>
    </param>
  </valve>
</jboss-web>
```

Note that I have configured the config file to be under the /home/anil/keystore directory.

*/home/anil/keystore/picketlink-idp-sig.xml*
```xml
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true">
    <IdentityURL>${idp-sig.url::http://localhost:8080/idp-sig/}</IdentityURL>
    <Trust>
      <Domains>localhost,jboss.com,jboss.org,redhat.com,amazonaws.com</Domains>
    </Trust>
    <KeyProvider
      ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="/home/anil/keystore/jbid_test_keystore.jks" />
      <!-- <Auth Key="KeyStorePass" Value="store123" /> -->
      <Auth Key="KeyStorePass" Value="MASK-O1P+U1Domeec8lCaoIkTGg==" />
      <!-- <Auth Key="SigningKeyPass" Value="test123" /> -->
      <Auth Key="SigningKeyPass" Value="MASK-AJbh4WmHwy8=" />
      <Auth Key="SigningKeyAlias" Value="servercert" />
      <Auth Key="salt" Value="18273645" />
      <Auth Key="iterationCount" Value="11" />
      <ValidatingAlias Key="localhost" Value="servercert" />
      <ValidatingAlias Key="127.0.0.1" Value="servercert" />
    </KeyProvider>
  </PicketLinkIDP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler
      class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
    <Handler
      class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler
      class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler
      class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    <Handler
      class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
    <Handler
      class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
  </Handlers>
</PicketLink>
```

Note: I have configured the keystore to be at /home/anil/keystore/jbid_test_keystore.jks. This is outside the idp war.

**Keystore Creation in /home/anil/keystore**

```sh
keytool -genkey -alias servercert -keyalg RSA -keysize 1024 -dname "CN=jbossidentity.jboss.org,OU=RD,O=JBOSS,L=Chicago,S=Illinois,C=US" -keypass test123 -keystore jbid_test_keystore.jks -storepass store123 -validity 200000
```

(The above is in one line.)

This should give us idp-sig.war.
**Creation of a Service Provider sales-post-sig.war**

Use one of the PicketLink quickstarts.

Copy jbid_test_keystore.jks from the /home/anil/keystore/ directory to the sales-post-sig.war/WEB-INF/classes directory.

*META-INF/jboss-deployment-structure.xml*

```xml
<jboss-deployment-structure>
  <deployment>
    <!-- Add picketlink module dependency -->
    <dependencies>
      <module name="org.picketlink" />
    </dependencies>
  </deployment>
</jboss-deployment-structure>
```

*WEB-INF/jboss-web.xml*

```xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain>sp</security-domain>
  <context-root>sales-post-sig</context-root>
  <valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
  </valve>
</jboss-web>
```

*WEB-INF/picketlink.xml*

```xml
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
    ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="true">
    <IdentityURL>${idp.url::http://localhost:8080/idp-sig/}</IdentityURL>
    <ServiceURL>${sales-post.url::http://localhost:8080/sales-post-sig/}</ServiceURL>
    <KeyProvider
      ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="/jbid_test_keystore.jks" />
      <Auth Key="KeyStorePass" Value="store123" />
      <Auth Key="SigningKeyPass" Value="test123" />
      <Auth Key="SigningKeyAlias" Value="servercert" />
      <ValidatingAlias Key="localhost" Value="servercert" />
      <ValidatingAlias Key="127.0.0.1" Value="servercert" />
    </KeyProvider>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler
      class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler
      class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler
      class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    <Handler
      class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
    <Handler
      class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
  </Handlers>
</PicketLink>
```
Now that you have the things set up on EAP 6.2+, you can test as follows:

Open http://localhost:8080/sales-post-sig/

You will be redirected to idp-sig, where you can log in using tomcat/tomcat.

You should be able to see the sales-post-sig application now with a pie chart.

Close the browser.

Let us verify that the IDP configuration is actually reloaded.

Now open /home/anil/keystore/picketlink-idp-sig.xml (or wherever the external file is) and comment out the following sections:

```xml
<ValidatingAlias Key="localhost" Value="servercert" />
<ValidatingAlias Key="127.0.0.1" Value="servercert" />
```

The IDP now has no aliases for signature verification.

Wait for about 10-15 seconds.

Now open the browser and go to http://localhost:8080/sales-post-sig/

You can log in with tomcat/tomcat at idp-sig.

You will see an error that signature validation failed because the domain alias is missing.

This confirms that the configuration was dynamically loaded.

Now go to the picketlink-idp-sig.xml file again and uncomment the lines.

Close the browser.

Wait for 10-15 seconds.

When you try to access http://localhost:8080/sales-post-sig/, it works fine now.
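The two states exercised in this test (a signing IDP with its ValidatingAlias entries removed, and an SP whose key-store passwords sit in clear text) can be caught before deployment by reading the PicketLink config files. The following audit script is an added example, not part of this gist or of PicketLink; it uses only the element and attribute names shown in the configs above, and the two sample documents it builds are constructed from them.

```python
import xml.etree.ElementTree as ET

CFG_NS = "urn:picketlink:identity-federation:config:2.1"
NS = {"c": CFG_NS}

def audit_picketlink_config(xml_text):
    """Flag the signature pitfalls exercised above: no ValidatingAlias entries
    under a SupportsSignatures="true" role, and key-store passwords in clear text."""
    root = ET.fromstring(xml_text)
    role = root.find("c:PicketLinkIDP", NS)
    if role is None:
        role = root.find("c:PicketLinkSP", NS)
    if role is None:
        raise ValueError("no PicketLinkIDP or PicketLinkSP element found")
    auth = {a.get("Key"): a.get("Value") for a in role.iterfind("c:KeyProvider/c:Auth", NS)}
    aliases = {v.get("Key"): v.get("Value") for v in role.iterfind("c:KeyProvider/c:ValidatingAlias", NS)}
    findings = []
    if role.get("SupportsSignatures") == "true" and not aliases:
        # Exactly the state produced by commenting out both ValidatingAlias lines.
        findings.append("SupportsSignatures=true but no ValidatingAlias configured")
    for key in ("KeyStorePass", "SigningKeyPass"):
        value = auth.get(key)
        if value is None:
            findings.append(f"{key} not set")
        elif not value.startswith("MASK-"):
            findings.append(f"{key} stored in clear text")
    # In the IDP config above the MASK- values are accompanied by salt and iterationCount entries.
    if any((v or "").startswith("MASK-") for v in auth.values()) and not {"salt", "iterationCount"}.issubset(auth):
        findings.append("masked password without salt/iterationCount")
    return {"role": role.tag.rsplit("}", 1)[-1], "aliases": aliases, "findings": findings}

def _sample(role_tag, attrs, entries):
    """Build a small constructed PicketLink document for the samples below."""
    body = "".join(f'<{tag} Key="{k}" Value="{v}"/>' for tag, k, v in entries)
    return (f'<PicketLink xmlns="{CFG_NS}"><{role_tag} xmlns="{CFG_NS}" {attrs}>'
            f'<KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">'
            f"{body}</KeyProvider></{role_tag}></PicketLink>")

# Constructed from the SP picketlink.xml above: clear-text passwords, alias present.
SP_SAMPLE = _sample("PicketLinkSP", 'BindingType="POST" SupportsSignatures="true"', [
    ("Auth", "KeyStorePass", "store123"), ("Auth", "SigningKeyPass", "test123"),
    ("Auth", "SigningKeyAlias", "servercert"), ("ValidatingAlias", "localhost", "servercert")])
# Constructed from the IDP config above with both ValidatingAlias lines commented out.
IDP_NO_ALIAS_SAMPLE = _sample("PicketLinkIDP", 'SupportsSignatures="true"', [
    ("Auth", "KeyStorePass", "MASK-O1P+U1Domeec8lCaoIkTGg=="), ("Auth", "SigningKeyPass", "MASK-AJbh4WmHwy8="),
    ("Auth", "SigningKeyAlias", "servercert"), ("Auth", "salt", "18273645"), ("Auth", "iterationCount", "11")])

if __name__ == "__main__":
    for doc in (SP_SAMPLE, IDP_NO_ALIAS_SAMPLE):
        print(audit_picketlink_config(doc))
```

Point it at the real /home/anil/keystore/picketlink-idp-sig.xml and WEB-INF/picketlink.xml (read the file contents and pass them to `audit_picketlink_config`) to see which of the two conditions a given deployment is in.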