Enabling SAML-based SSO with Remote EJB through Picketlink

General Programming, 2018-01-03

Let's suppose that you have a remote Enterprise JavaBeans (EJB) application in which the EJB client is a service provider (SP) application in a Security Assertion Markup Language (SAML) architecture. You would like the remote EJB call to be authenticated with the same assertion that was used to authenticate to the SP.

Before proceeding with this tutorial, you should have a basic understanding of EJB and Picketlink.

I have developed a POC based on Picketlink. Below are the things I have done to achieve it.

  • Set Picketlink to sign the response and the assertion in the identity provider (IDP) application.

    Configure `SAML2SignatureGenerationHandler` in the picketlink.xml of the IDP application like the following:

  • Set Picketlink to store the SAML assertion in the HTTP session in the SP application.

    Configure `SAML2AuthenticationHandler` in the picketlink.xml of the SP application like the following:

  • Configure the SP security domain roughly as shown below, setting the flag `sufficient` both for the login module and for the IDP application. You can configure your own customized login module, or you can use any login module available in PicketBox.

  • In your servlet (the EJB client in the SP application) you need to fetch the signed assertion from the session and send it along with the EJB invocation, so that the EJB side can verify it, as shown below. Here I have used the ejb-remote application that is available in the quickstarts [1].
```java
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.jboss.as.quickstarts.ejb.remote.stateful.RemoteCounter;
// PicketLink 2.5.x; older 2.1.x releases ship this class as
// org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil
import org.picketlink.common.util.DocumentUtil;
import org.w3c.dom.Document;

// Getting the signed SAML assertion that SAML2AuthenticationHandler stored in the HTTP session
public String getSignedAssertion(HttpServletRequest httpRequest) throws Exception {
    HttpSession session = httpRequest.getSession();
    String cachedSignedAssertion = (String) session.getAttribute("org.picketlink.sp.assertion.signed");
    if (cachedSignedAssertion == null) {
        // Serialise the DOM assertion; its enveloped XML signature is preserved in the string
        Document assertion = (Document) session.getAttribute("org.picketlink.sp.assertion");
        String stringSignedAssertion = DocumentUtil.asString(assertion);
        System.out.println(stringSignedAssertion);
        return stringSignedAssertion;
    } else {
        System.out.println("...cached assertion...");
        return cachedSignedAssertion;
    }
}

// EJB invocation: the assertion travels in the "password" field of the remoting connection
public void getInitialContext(String assertion, String username) throws Exception {
    Properties props = new Properties();
    // SSL disabled and plaintext SASL allowed: the assertion crosses the wire unencrypted in this POC
    props.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
    props.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
    props.put("remote.connections", "default");
    props.put("remote.connection.default.port", "4447");
    props.put("remote.connection.default.host", "10.10.10.10");
    System.out.println("Connecting...");
    props.put("remote.connection.default.username", username);
    props.put("remote.connection.default.password", assertion);
    props.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
    props.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "false");
    Context context = new InitialContext(props);
    RemoteCounter aa = (RemoteCounter) context.lookup(
        "ejb:/jboss-ejb-remote-server-side//CounterBean!org.jboss.as.quickstarts.ejb.remote.stateful.RemoteCounter?stateful");
    System.out.println(aa.getCount());
    aa.increment();
    System.out.println(aa.getCount());
    System.out.println("EJB Executed... using SAML assertion");
}
```
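Because the assertion arrives on the EJB server as an opaque "password", the login module on that side has to validate it before granting anything. The following is an added example, not code from the post or from Picketlink/PicketBox: a verifier built on the JDK's javax.xml.crypto API that checks the IDP's enveloped XML signature, the `NotOnOrAfter` window and the subject name. The `idpKey` wiring from a trust store is assumed, as is the `xs:dateTime` format (UTC with `Z`) that `Instant.parse` accepts.

```java
import java.io.StringReader;
import java.security.PublicKey;
import java.time.Instant;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public final class SamlAssertionVerifier {
    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private final PublicKey idpKey;   // IDP signing key from the server trust store (hypothetical wiring)

    public SamlAssertionVerifier(PublicKey idpKey) { this.idpKey = idpKey; }

    // Accepts the assertion only if it is signed by the IDP key, still valid, and issued for expectedUser.
    public boolean verify(String assertionXml, String expectedUser) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                    // required for XML-DSig and the namespace checks
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(assertionXml)));
        Element root = doc.getDocumentElement();
        if (!SAML_NS.equals(root.getNamespaceURI()) || !"Assertion".equals(root.getLocalName())) return false;
        root.setIdAttribute("ID", true);                // lets the Reference URI "#<ID>" resolve

        NodeList sigs = root.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != root) return false; // one direct child
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(idpKey), sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false;           // core validation: digests and signature value
        for (Object o : sig.getSignedInfo().getReferences()) {   // the signature must cover this Assertion
            String uri = ((Reference) o).getURI();
            if (!uri.isEmpty() && !uri.equals("#" + root.getAttribute("ID"))) return false;
        }
        NodeList cond = root.getElementsByTagNameNS(SAML_NS, "Conditions");
        if (cond.getLength() != 1) return false;
        Element c = (Element) cond.item(0);             // reject assertions past their validity window
        if (!c.hasAttribute("NotOnOrAfter") || !Instant.now().isBefore(Instant.parse(c.getAttribute("NotOnOrAfter")))) return false;
        NodeList nameId = root.getElementsByTagNameNS(SAML_NS, "NameID");
        return nameId.getLength() >= 1 && expectedUser.equals(nameId.item(0).getTextContent().trim());
    }
}
```

The `username` the client puts in the connection properties should be compared with the assertion's `NameID`, as done here, so a valid assertion cannot be replayed under a different principal.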

You can get the Picketlink IDP and SP samples at [2] below:

  1. https://github.com/jboss-developer/jboss-eap-quickstarts/tree/6.4.x/ejb-remote
  2. https://github.com/jboss-developer/jboss-picketlink-quickstarts

That’s it for today!


Red Hat Developer Blog