You can attach an LDAP directory for username/password validation, for retrieving claims data, or for both.
1. Username and password authentication
WSS4J supports username/password authentication against a JAAS-based backend since version 1.6.3.
The JDK provides a JAAS LoginModule for LDAP, which can be configured as shown in this sample JAAS configuration (jaas.config):
myldap {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider="ldap://ldap.mycompany.org:389/OU=Users,DC=mycompany,DC=org"
authIdentity="cn={USERNAME},OU=Users,DC=mycompany,DC=org"
useSSL=false
debug=true;
};
You can get more information about this LoginModule here.
In this example, all users are stored in the organizational unit Users within mycompany.org. You can choose the name of the configuration file, e.g. jaas.config. The filename must be passed as a JVM argument. I recommend setting JVM-related configuration for Tomcat in the setenv.sh/bat file located in the tomcat/bin directory. This script is called implicitly by catalina.bat/sh and might look like this on UNIX:
#!/bin/sh
JAVA_OPTS="-Djava.security.auth.login.config=/opt/tomcat/conf/jaas.config"
export JAVA_OPTS
Now, the LDAP LoginModule is configured. Next, we have to configure the JAASUsernameTokenValidator for the STS endpoint.
<bean
class="org.apache.ws.security.validate.JAASUsernameTokenValidator"
id="jaasUTValidator">
<property name="contextName" value="myldap"/>
</bean>
<jaxws:endpoint id="transportSTSUT"
endpointName="ns1:TransportUT_Port"
serviceName="ns1:SecurityTokenService"
xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
wsdlLocation="/WEB-INF/wsdl/ws-trust-1.4-service.wsdl"
address="/STSServiceTransportUT"
implementor="#transportSTSProviderBean">
<jaxws:properties>
<entry key="ws-security.ut.validator"
value-ref="jaasUTValidator"/>
</jaxws:properties>
</jaxws:endpoint>
The property contextName must match the context name defined in the JAAS configuration file, which is "myldap" in this example.
2. Claims management
When an STS client requests a claim, the ClaimsManager in the STS checks every registered ClaimsHandler that can provide the data for the requested claim. The CXF STS provides a claims handler implementation that lets you add claims which are stored as user attributes in an LDAP directory. You can configure which claim URI maps to which LDAP user attribute. The implementation uses the Spring LDAP module (LdapTemplate).
<util:list id="claimHandlerList">
<ref bean="ldapClaimsHandler" />
</util:list>
<bean id="contextSource"
class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="ldap://ldap.mycompany.org:389" />
<property name="userDn"
value="CN=techUser,OU=Users,DC=mycompany,DC=org" />
<property name="password" value="mypassword" />
</bean>
<bean id="ldapTemplate"
class="org.springframework.ldap.core.LdapTemplate">
<constructor-arg ref="contextSource" />
</bean>
<util:map id="claimsToLdapAttributeMapping">
<entry
key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
value="givenName" />
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
value="sn" />
<entry
key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
value="mail" />
<entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country"
value="c" />
</util:map>
<bean id="ldapClaimsHandler"
class="org.apache.cxf.sts.claims.LdapClaimsHandler">
<property name="ldapTemplate" ref="ldapTemplate" />
<property name="claimsLdapAttributeMapping"
ref="claimsToLdapAttributeMapping" />
<property name="userBaseDN"
value="OU=Users,DC=mycompany,DC=org" />
</bean>
The claim IDs are configured according to chapter 7.5 of the Identity Metasystem Interoperability specification. You can add as many entries to the map claimsToLdapAttributeMapping as you want, so any user attribute from your LDAP directory can be added to the issued SAML token.
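A TLS-protected variant of the two LDAP connections configured on this page, as an added example that is not part of the original post: with ldap:// on port 389 and useSSL=false, both the user's password (JAAS bind) and the techUser password (Spring bind) cross the network in cleartext. It assumes the directory also accepts LDAPS on port 636; the properties file path and the ldap.password key are hypothetical.

```xml
<!--
  JAAS side (jaas.config): hardened counterpart of the "myldap" entry.
  Assumption: the directory accepts LDAPS on port 636.

  myldap {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
      userProvider="ldaps://ldap.mycompany.org:636/OU=Users,DC=mycompany,DC=org"
      authIdentity="cn={USERNAME},OU=Users,DC=mycompany,DC=org"
      useSSL=true
      debug=false;
  };

  useSSL=true : the bind carrying the user's password runs over TLS
  debug=false : troubleshooting output switched off outside of testing
-->

<!--
  Spring side: the technical user's password is read from a properties
  file instead of being written into the bean definition.
  Requires xmlns:context and its schemaLocation on the root <beans> element.
  The file path and the key ldap.password are hypothetical; restrict read
  access on the file to the account that runs Tomcat.
-->
<context:property-placeholder
    location="file:/opt/tomcat/conf/sts-ldap.properties" />

<bean id="contextSource"
      class="org.springframework.ldap.core.support.LdapContextSource">
  <!-- ldaps:// so that the techUser bind and the claim lookups use TLS -->
  <property name="url" value="ldaps://ldap.mycompany.org:636" />
  <property name="userDn"
            value="CN=techUser,OU=Users,DC=mycompany,DC=org" />
  <property name="password" value="${ldap.password}" />
</bean>

<!-- ldapTemplate, claimsToLdapAttributeMapping and ldapClaimsHandler
     stay exactly as configured above. -->
```

The JVM running Tomcat must trust the directory server's certificate, for example through a truststore set with the javax.net.ssl.trustStore system property in JAVA_OPTS.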