  1. JBoss Enterprise Application Platform
  2. JBEAP-11579

[GSS](7.0.z) SAML2STSLoginModule cannot be configured with module options instead of configFile

    • Type: Bug
    • Resolution: Won't Do
    • Priority: Critical
    • 7.0.10.GA
    • 7.0.6.GA
    • None

      Description of problem:

      It is not possible to configure the SAML2STSLoginModule by using module options instead of configFile:

      <security-domain name="sts" cache-type="default">
        <authentication>
          <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule"
                        flag="required" module="org.picketlink">
            <!-- STS connection settings supplied as module options rather than via configFile -->
            <module-option name="serviceName" value="PicketLinkSTS"/>
            <module-option name="portName" value="PicketLinkSTSPort"/>
            <module-option name="endpointAddress" value="http://localhost:8080/picketlink-sts/PicketLinkSTS"/>
            <module-option name="username" value="admin"/>
            <module-option name="password" value="admin"/>
          </login-module>
        </authentication>
      </security-domain>

      The issue appears to be caused by the following check:

      diff --git picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java
      index bdadc40..deeef62 100644
      — picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java
      +++ picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java
      @@ -346,10 +346,6 @@ public abstract class SAML2STSCommonLoginModule extends SAMLTokenFromHttpRequest
      } else {
      logger.trace("Local Validation is disabled. Verifying with STS");

      • // sts config file has to be present to call STS (using sts client)
      • if (this.stsConfigurationFile == null)
      • throw logger.authSTSConfigFileNotFound();
        -
        // send the assertion to the STS for validation.
        STSClient client = this.getSTSClient();
        try { @@ -555,4 +551,4 @@ public abstract class SAML2STSCommonLoginModule extends SAMLTokenFromHttpRequest protected abstract TimeCacheExpiry getCacheExpiry() throws Exception; -}

        \ No newline at end of file
        +}
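
      Review bot: Removing the "this.stsConfigurationFile == null" guard in the first hunk leaves nothing in the visible lines that checks any STS configuration exists before "this.getSTSClient()" is called. Rather than dropping the check outright, relax it so that "logger.authSTSConfigFileNotFound()" (or a more accurately named error) is thrown only when neither a config file nor the module options needed to build the client are set, which keeps an early, explicit failure for a misconfigured security domain. Because this is the branch that sends the assertion to the STS when local validation is disabled, please also confirm that a client which cannot be built from module options makes the login fail rather than letting the assertion pass unvalidated.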

      Version-Release number of selected component (if applicable):

      How reproducible:

      Steps to Reproduce:
      1. Configure JBoss EAP 6.4.12 as described here: https://docs.jboss.org/author/display/PLINK/Protecting+EJB+Endpoints
      2. Configure the SAML2STSLoginModule using the module-option approach shown above (not the 'configFile' approach)
      3. Deploy an EJB that is protected by the "ejb-remoting-sts" security-domain
      4. Hit the EJB

      Actual results:

      Authentication fails

      Expected results:

      Authentication is successful

      Additional info:

              rhn-cservice-bbaranow Bartosz Baranowski
              jondruse@redhat.com Jiri Ondrusek