Re: fediz jaas config

[Matthew Broadhead]

actually i will probably move to ldap as i was already halfway to 
migrating to apache ds. but thought it might be a good step to first get 
a jaas loginmodule working first.  however i messed around with the 
claims stuff and it is not trivial so it is probably easier to migrate 
to ldap instead.

On 25/09/2017 18:11, Colm O hEigeartaigh wrote:
The ClaimsManager is defined in the default STS configuration here:
https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/fediz-sts.xml#L106

Where the default ClaimsHandlers read in some claims from a file:

https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/data/userClaims.xml

For LDAP, we have a LDAPClaimsHandler in CXF, the Fediz configuration for
that is here:

https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/webapp/WEB-INF/endpoints/ldap.xml

If you only require the role claims for your login scenario, I think you
can get away with writing a custom ClaimsHandler implementation, and get
the roles from the authenticated principal.

Colm.

On Mon, Sep 25, 2017 at 4:56 PM, Matthew Broadhead <
matthew.broadh...@nbmlaw.co.uk> wrote:

hi,

i already have a working jaas.config setup with a custom LoginModule
MyLoginModule {
uk.me.kissy.jaas.MyLoginModule required debug=false dbPort="3306"
dbName="directory" dbUsername="directoryUser" dbPassword="<password>";
};

MyLoginModule is based off this tutorial http://docs.oracle.com/javase/
7/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html and
is basically one step up from a DataSourceRealm using 2 tables:
1. user
- username
- password
2. userrole
- username
- rolename

in fediz-1.4.2/services/sts/src/main/webapp/WEB-INF/endpoints i create a
file jaas.xml and created an endpoint
<beans ...>
<jaxws:endpoint id="transportSTS1" implementor="#transportSTSProviderBean"
         address="/REALMA/STSServiceTransportUT"
wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/";
         serviceName="ns1:SecurityTokenService"
endpointName="ns1:TransportUT_Port">
         <jaxws:properties>
             <entry key="ws-security.ut.validator">
                 <bean class="org.apache.wss4j.dom.va
lidate.JAASUsernameTokenValidator">
                     <property name="contextName" value="MyLoginModule" />
                 </bean>
             </entry>
         </jaxws:properties>
     </jaxws:endpoint>
</beans>

now the stacktrace says it needs a claimHandlerList and claimsManager.
could someone point me to an example of how to do that?