Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 7.1.1.CR1, 7.1.1.GA
Affects Version/s: None
Component/s: Security
Labels:
- downstream_dependency

Bugzilla References:
https://bugzilla.redhat.com/show_bug.cgi?id=1429570
Target Release:

7.1.z.GA
Git Pull Request:
https://github.com/jbossas/redhat-picketlink-bindings/pull/30

Sprint:
EAP 7.1.1

SFDC Cases Counter:
SFDC Cases Links:

Description

Description of problem:

It is not possible to configure the SAML2STSLoginModule by using module options instead of configFile:

<security-domain name="sts" cache-type="default">
<authentication>
<login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule"
flag="required" module="org.picketlink">
<module-option name="serviceName" value="PicketLinkSTS"/>
<module-option name="portName" value="PicketLinkSTSPort"/>
<module-option name="endpointAddress" value="http://localhost:8080/picketlink-sts/PicketLinkSTS"/>
<module-option name="username" value="admin"/>
<module-option name="password" value="admin"/>

The issue appears to be caused by the following check:

diff --git picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java
index bdadc40..deeef62 100644
— picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java
+++ picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java
@@ -346,10 +346,6 @@ public abstract class SAML2STSCommonLoginModule extends SAMLTokenFromHttpRequest
} else {
logger.trace("Local Validation is disabled. Verifying with STS");

// sts config file has to be present to call STS (using sts client)
if (this.stsConfigurationFile == null)
throw logger.authSTSConfigFileNotFound();
-
// send the assertion to the STS for validation.
STSClient client = this.getSTSClient();
try { @@ -555,4 +551,4 @@ public abstract class SAML2STSCommonLoginModule extends SAMLTokenFromHttpRequest protected abstract TimeCacheExpiry getCacheExpiry() throws Exception; -}
\ No newline at end of file
+}

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure JBoss EAP 6.4.12 as described here: https://docs.jboss.org/author/display/PLINK/Protecting+EJB+Endpoints
2. Configure the SAML2STSLoginModule the module-option approach shown above (not the 'configFile' approach)
3. Deploy an ejb that is protected by the "ejb-remoting-sts" security-domain
4. Hit the ejb

Actual results:

Authentication fails

Expected results:

Authentication is successful

Additional info:

Attachments

Issue Links

clones

PLINK-771 SAML2STSLoginModule cannot be configured with module options instead of configFile

Open

is cloned by

JBEAP-11579 [GSS](7.0.z) SAML2STSLoginModule cannot be configured with module options instead of configFile

Closed

is incorporated by

JBEAP-13896 [GSS](7.1.z) Upgrade picketlink from 2.5.5.SP8 to 2.5.5.SP9

Verified

Activity

People

Assignee:: Jiri Ondrusek

Reporter:: Jiri Ondrusek

Tester:: Radim Hatlapatka (Inactive)

QA Contact:: Radim Hatlapatka (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2017/11/28 2:54 AM

Updated:: 2018/04/17 4:21 AM

Resolved:: 2018/01/30 10:18 AM