Well, I deployed saml2idp in Tomcat 6 without all those problems (only the ones regarding dependencies, which are always a trouble).
Maybe the difference between my config and yours is that I have my Java runtime modified with JCE unlimited strength and that modifies also the global policies.

---
David Campos

On Tue, Mar 2, 2010 at 10:53, Gasser Marcel HSLU T&A <[email protected]> wrote:

> Hello,
>
> I've been trying to deploy the saml2idp.server and saml2idp.test projects
> following the instructions on the higgins wiki:
> - http://wiki.eclipse.org/SAML2_IdP_Overview_1.0
> - http://wiki.eclipse.org/SAML2_IdP_Deployment_1.0
> - http://wiki.eclipse.org/SAML2_IdP_Development_1.0
>
> I think there could be made some improvements to the documentation for the
> inexperienced user. Although the documentation is quite extensive, there is
> an essential part missing:
> How does the system hosting the IdP have to be setup in order to be able to
> install/deploy the WAR files?!?
> - Tomcat configuration (especially Java Security Permissions)
> - Logging configuration
>
> Up to now I've spent quite some time figuring out the missing parts of the
> installation process (still a work in progress).
> My goal was to get the saml2idp.server up and running on a dedicated Ubuntu
> 9.10 Server system using Tomcat 6. I'll not go into details about the Ubuntu
> Server, Tomcat and OpenLDAP installation here. In order to get the saml2idp
> server and test projects to run correctly I had to fix a few things.
>
> First of all I deployed the saml2idp.server and saml2idp.test WAR files
> (Stable B-1-1M7) from:
> - http://www.eclipse.org/higgins/downloads_parser.php?loc=/downloads/saml2idp.server
> - http://www.eclipse.org/higgins/downloads_parser.php?loc=/downloads/saml2idp.test
>
> Taking a look at the tomcat logs showed a ClassNotFoundException for
> org.apache.commons.logging.LogFactory.
>
> In order to reduce the problem domain I undeployed the saml2idp.server app.
> As it turns out the saml2idp.test app doesn't contain the
> commons-logging.jar.
> In fact there are no jars in the WEB-INF/lib folder
> except the higgins-util-saml_1.0.700.jar.
>
> So I figured I would take a look at the project dependencies... Installing
> Eclipse, etc. on another machine and checking out the projects from
> Subversion manually was a hurdle on its own since the docs of the required
> projects are outdated
> (http://wiki.eclipse.org/SAML2_IdP_Development_1.0#Check_out_sources_manually).
>
> By examining the build files for the saml2idp.test projects I found that
> they are incomplete.
>
> Index: build.xml > =================================================================== > --- build.xml (revision 23458) > +++ build.xml (working copy) > @@ -278,6 +278,7 @@ > <fileset > dir="${org.eclipse.higgins.dependencies.redistributable.location}"> > <include name="commons-codec-1.3/commons-codec-1.3.jar"/> > <include > name="commons-logging-1.0.4/commons-logging-1.0.4.jar"/> > + <include name="log4j-1.2.13/log4j-1.2.13.jar"/> > <include name="xmlsec-1.4.0/xmlsec-1.4.0.jar"/> > <include name="xercesImpl/xercesImpl.jar"/> > <include name="xalan-2.6.0/xalan-2.6.0.jar"/> > > > Index: buildwar.xml > =================================================================== > --- buildwar.xml (revision 23458) > +++ buildwar.xml (working copy) 
> @@ -16,6 +16,9 @@ > <antcall target="-copy.dep.jars"> > <param name="toDir" value="${build.dir}/warlibs"/> > </antcall> > + <antcall target="copy.libs"> > + <param name="toDir" value="${build.dir}/warlibs"/> > + </antcall> > </target>
>
>
> Rebuilding the WAR file for the saml2idp.test project, includes now all the
> dependencies (jars). Redeploying the app and checking the logs again show an
> AccessControlException "access denied (java.util.PropertyPermission
> jsr105Provider read)".
>
> To resolve this problem temporarily I added the following to
> /etc/tomcat6/policy.d/50local.policy:
>
> grant codeBase "file:${catalina.base}/webapps/saml2idp.server.test/-" {
>     permission java.security.AllPermission;
> };
>
> grant codeBase "file:${catalina.base}/webapps/saml2idp.server/-" {
>     permission java.security.AllPermission;
> };
>
> Restarting tomcat and the exceptions in the log are gone...
>
> But there is one more thing to do, the saml2idp apps should be writing some
> log files! They have their log4j.properties files in the right place but
> they are not configured to log to a file. I modified them to look like the
> following:
>
> log4j.rootLogger=INFO, A
> log4j.logger.org.eclipse.higgins.saml2idp=ALL
> log4j.appender.A=org.apache.log4j.DailyRollingFileAppender
> log4j.appender.A.File=${catalina.home}/logs/saml2idp.log
> log4j.appender.A.DatePattern='.'yyyy-MM-dd
> log4j.appender.A.Append=true
> log4j.appender.A.Threshold=ALL
> log4j.appender.A.layout=org.apache.log4j.PatternLayout
> log4j.appender.A.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m%n
>
> But there was still no logfile created.
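Review bot: In the build.xml hunk, the new `<include name="log4j-1.2.13/log4j-1.2.13.jar"/>` is only a pattern inside the `${org.eclipse.higgins.dependencies.redistributable.location}` fileset, and an Ant fileset include that matches no file is skipped without an error, so a dependencies checkout that lacks log4j-1.2.13 would build the WAR without the jar and without any warning. Suggest failing the build when the jar is missing, and adding a short comment saying why log4j is listed, since none of the neighbouring includes explains its role.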
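Review bot: In the buildwar.xml hunk, the added `copy.libs` call writes into the same `${build.dir}/warlibs` directory as the existing `-copy.dep.jars` call, and nothing visible here says which copy wins if both targets supply the same library in different versions. Suggest confirming that the two jar sets do not overlap (or merging them into one target) and documenting why the WAR build needs both. The new target also lacks the leading hyphen its sibling `-copy.dep.jars` uses, so the naming is inconsistent if `copy.libs` is meant to be internal.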
> After some google-ing it appeared
> that commons-logging needs a configuration file on its own, so I placed a
> file called commons-logging.properties in the same folder as the
> log4j.properties file that looks like this:
>
> org.apache.commons.logging.Log=org.apache.commons.logging.impl.Log4JLogger
> log4j.configuration=log4j.properties
>
> Restarting tomcat and there we have the saml2idp.log file!
>
> Assuming the saml2idp.server and test apps are configured according to the
> docs the test RP should be working now (and it was in my case).
>
>
> What I would like to do now is figure out the required Java Security
> Permissions to get rid of the AllPermission since this thing should be
> secured!!!
> Does anybody have a policy file for tomcat6 around?
>
> I hope my remarks can help somebody getting up and running the saml2idp
> with less trouble.
>
> Regards,
> Marcel
>
> -
> Hochschule Luzern
> Technik & Architektur
>
> Technikumstrasse 21, CH-6048 Horw
> www.hslu.ch/technik-architektur
>
> CC Distributed Secure Software Systems
> Marcel Gasser
>
> _______________________________________________
> higgins-dev mailing list
> [email protected]
> https://dev.eclipse.org/mailman/listinfo/higgins-dev
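Added example, not part of the thread or of the Higgins project: one way to work towards replacing the temporary `AllPermission` grants is to turn the `AccessControlException` lines from the Tomcat log into explicit `permission` entries. The helper names, the Java 7+ quoted message form and the second sample log line are assumptions made for this illustration; the codeBase and the `jsr105Provider` denial are taken from the post.

```python
import re

# Message shapes handled (the post shows the first, unquoted form):
#   access denied (java.util.PropertyPermission jsr105Provider read)
#   access denied ("java.util.PropertyPermission" "jsr105Provider" "read")  # Java 7+
DENIED = re.compile(r'access denied \(([^()]*)\)')

def parse_denial(line):
    """Return (class, name, actions) for an AccessControlException line, else None."""
    m = DENIED.search(line)
    if not m:
        return None
    body = m.group(1)
    fields = re.findall(r'"([^"]*)"', body) or body.split()
    if len(fields) < 2:
        return None
    if len(fields) == 2:  # permission types without actions
        return (fields[0], fields[1], "")
    # Unquoted names may contain spaces: treat the last token as the actions.
    return (fields[0], " ".join(fields[1:-1]), fields[-1])

def policy_line(cls, name, actions):
    """Format one entry in Java policy-file syntax."""
    name = name.replace("\\", "\\\\").replace('"', '\\"')
    tail = f', "{actions}"' if actions else ""
    return f'    permission {cls} "{name}"{tail};'

def build_grant(code_base, log_lines):
    """Render one grant block holding each distinct denied permission once."""
    perms = sorted({p for p in map(parse_denial, log_lines) if p})
    body = "\n".join(policy_line(*p) for p in perms)
    return f'grant codeBase "{code_base}" {{\n{body}\n}};'

# codeBase as used in the post; the log lines are constructed sample input.
CODE_BASE = "file:${catalina.base}/webapps/saml2idp.server/-"
SAMPLE_LOG = [
    "SEVERE: java.security.AccessControlException: access denied "
    "(java.util.PropertyPermission jsr105Provider read)",
    "Caused by: java.security.AccessControlException: access denied "
    "(java.util.PropertyPermission jsr105Provider read)",
    'java.security.AccessControlException: access denied '
    '("java.io.FilePermission" "/var/lib/tomcat6/logs/saml2idp.log" "write")',
    "INFO: Server startup in 1234 ms",
]

if __name__ == "__main__":
    print(build_grant(CODE_BASE, SAMPLE_LOG))
```

Each run only surfaces the denials the application reached before failing, so the cycle of restart, collect and add is repeated until the log is clean, and every generated line is reviewed before it goes into the policy file.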
