
Difference between revisions of "Relying Party Enablement Servlet Implementation"

(Configuration)
(Configuration)
Line 19: Line 19:
  
 
In the servlet implementation, authentication is performed through a servlet filter and logout is performed by a servlet. Information about the authentication filter and the logout servlet needs to be added to the application's deployment file. The following lines should be added to the web.xml file inside the <web-app> element:
 
In the servlet implementation, authentication is performed through a servlet filter and logout is performed by a servlet. Information about the authentication filter and the logout servlet needs to be added to the application's deployment file. The following lines should be added to the web.xml file inside the <web-app> element:
<pre>
+
<code><pre>
 
<web-app ......>
 
<web-app ......>
 
   <filter>
 
   <filter>
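Review bot: replacing the opening <pre> with <code><pre> nests a block-level pre element inside an inline code element, which is not valid HTML and gains nothing, because MediaWiki's <pre> already renders its content as preformatted monospace text; keep the single <pre> and drop the <code> wrapper together with the matching </code> added at the end of the listing.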
Line 42: Line 42:
 
...
 
...
 
</web-app>
 
</web-app>
</pre>
+
</pre></code>
 
The value of the <bold>url-pattern</bold> in the filter-mapping element should be the name of the resource(s) you want protected by the authentication filter. In the example above all resources in the "protected" directory of the application's context root will require authentication using the authentication filter.  
 
The value of the <bold>url-pattern</bold> in the filter-mapping element should be the name of the resource(s) you want protected by the authentication filter. In the example above all resources in the "protected" directory of the application's context root will require authentication using the authentication filter.  
  
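Review bot: the two unchanged context lines after the closing </pre></code> still mark up url-pattern and filter-mapping with <bold>, which is not an HTML element, so the words will not render as bold; change them to '''url-pattern''' and '''filter-mapping''', as the Line 80 hunk does for the parameter names.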
Line 80: Line 80:
 
</web-app>
 
</web-app>
 
</pre>
 
</pre>
The values for <bold>TokenTypes</bold>, <bold>RootCertUrl</bold>, <bold>RequiredClaims</bold>, <bold>OptionalClaims</bold> should be changed to reflect the values that pertain to relying party site and application being written. See [[Extensible authentication protocol RP Website Solution#Configuration]] for details about setting these values.
+
The values for '''TokenTypes''', '''RootCertUrl''', '''RequiredClaims''', '''OptionalClaims''', '''PrivacyUrl''' and '''AuthProtocolHandlers''' should be changed to reflect the values that pertain to relying party site and application being written. The last parameter name is derived from the name of the token type concatenated with the string "Properties". The only token type currently supported is urn:oasis:names:tc:SAML:1.0:assertion so the parameter name becomes urn:oasis:names:tc:SAML:1.0:assertionProperties. The value is the name of a file that contains configuration parameters for the authentication protocol handler that supports that token type. See [[Extensible authentication protocol RP Website Solution#Configuration]] for details about setting these values.
  
 
== Links ==
 
== Links ==
 
* [http://eclipse.org/higgins Higgins Home]
 
* [http://eclipse.org/higgins Higgins Home]
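Review bot: in the added sentence, "pertain to relying party site and application" is missing an article and should read "the relying party site and application". The same sentence would also be clearer if it named which listing values are demo placeholders, in particular the TestRoot.cer RootCertUrl and the localhost PrivacyUrl shown in the revision text, since a relying party that keeps trusting a test root certificate will accept any token chained to it.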

Revision as of 22:46, 22 January 2008

This is a servlet container implementation of the Relying Party Interface.

Details

  • Language: Java
  • Packaging: JAR

Plans

  • The returned attributes are currently stored in the session. The plan is to store the information as part of a JAAS Subject.

Service

  • Authentication filter for protected resources. Initializes the authentication protocol handler specified in web.xml.

API

Configuration

Configuring a web application to use the relying party enablement servlet requires three things: changes to the web deployment file (web.xml), configuration parameters for the authentication protocol handler named in that deployment file, and a login page to be displayed to the user of the application.

1. Additions to the web application deployment file (WebContent/WEB-INF/web.xml)

In the servlet implementation, authentication is performed through a servlet filter and logout is performed by a servlet. Information about the authentication filter and the logout servlet needs to be added to the application's deployment file. The following lines should be added to the web.xml file inside the <web-app> element:

<web-app ......>
  <filter>
    <filter-name>AuthenticationFilter</filter-name>
    <filter-class>org.eclipse.higgins.rp.servlet.server.AuthNFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>AuthenticationFilter</filter-name>
    <url-pattern>/protected/*</url-pattern>
  </filter-mapping>
  <servlet>
    <description>Logout servlet for filter</description>
    <display-name>Logout</display-name>
    <servlet-name>Logout</servlet-name>
    <servlet-class>org.eclipse.higgins.rp.servlet.server.Logout</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Logout</servlet-name>
    <url-pattern>/Logout</url-pattern>
  </servlet-mapping>
...
</web-app>

The value of url-pattern in the filter-mapping element should name the resource(s) you want protected by the authentication filter. In the example above, all resources in the "protected" directory of the application's context root require authentication through the filter; requests for resources outside that pattern are not passed through the filter at all.

The following servlet context parameters define the types of tokens supported, the authentication protocol handlers to configure, and the properties file to use for each authentication protocol handler.

<web-app ......>
...
  <context-param>
    <param-name>TokenTypes</param-name>
    <param-value>urn:oasis:names:tc:SAML:1.0:assertion</param-value>
  </context-param>
  <context-param>
    <param-name>RootCertUrl</param-name>
    <param-value>TestRoot.cer</param-value>
  </context-param>
  <context-param>
    <param-name>RequiredClaims</param-name>
    <param-value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier</param-value>
  </context-param>
  <context-param>
    <param-name>OptionalClaims</param-name>
    <param-value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender http://schemas.xmlsoap.org/ws/2005/05/identity/claims/website http://burtongroup.com/interop/2007/05/identity/cameratype http://burtongroup.com/interop/2007/05/identity/group http://burtongroup.com/interop/2007/05/identity/groupRole http://sts.labs.live.com/2006/06/claims/nickname http://www.bandit-project.org/identity/claims/groupmembership http://www.ibmidentitydemo.com/claims/assurancelevel</param-value>
  </context-param>
  <context-param>
    <param-name>PrivacyUrl</param-name>
    <param-value>https://localhost/RelyingPartyDemoApp2/Privacy.txt</param-value>
  </context-param>
  <context-param>
    <param-name>AuthProtocolHandlers</param-name>
    <param-value>org.eclipse.higgins.rp.icard.ICardProtocolHandler</param-value>
  </context-param>
  <context-param>
    <param-name>urn:oasis:names:tc:SAML:1.0:assertionProperties</param-name>
    <param-value>/icard.properties</param-value>
  </context-param>
...
</web-app>

The values for TokenTypes, RootCertUrl, RequiredClaims, OptionalClaims, PrivacyUrl and AuthProtocolHandlers should be changed to reflect the values that pertain to the relying party site and application being written. The last parameter name is derived from the name of the token type concatenated with the string "Properties". The only token type currently supported is urn:oasis:names:tc:SAML:1.0:assertion, so the parameter name becomes urn:oasis:names:tc:SAML:1.0:assertionProperties. Its value is the name of a file that contains configuration parameters for the authentication protocol handler that supports that token type. See Extensible authentication protocol RP Website Solution#Configuration for details about setting these values.
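As an added example (not Higgins project code), the following Python checker reads a constructed web.xml fragment and applies the rules from this section: it derives each token type's properties-file parameter name by appending "Properties", flags a claim listed under both RequiredClaims and OptionalClaims, confirms the AuthNFilter has a filter-mapping, and reports whether a given request path falls under that mapping's url-pattern. It assumes the deployment descriptor carries no default XML namespace and that several token types would be space-separated like the claim lists.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (assumed to carry no default namespace); surname is
# deliberately listed as both required and optional so that check() reports it.
SAMPLE_WEB_XML = """<web-app>
  <filter><filter-name>AuthenticationFilter</filter-name><filter-class>org.eclipse.higgins.rp.servlet.server.AuthNFilter</filter-class></filter>
  <filter-mapping><filter-name>AuthenticationFilter</filter-name><url-pattern>/protected/*</url-pattern></filter-mapping>
  <context-param><param-name>TokenTypes</param-name><param-value>urn:oasis:names:tc:SAML:1.0:assertion</param-value></context-param>
  <context-param><param-name>RequiredClaims</param-name>
    <param-value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</param-value></context-param>
  <context-param><param-name>OptionalClaims</param-name>
    <param-value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</param-value></context-param>
  <context-param><param-name>urn:oasis:names:tc:SAML:1.0:assertionProperties</param-name><param-value>/icard.properties</param-value></context-param>
</web-app>"""

def context_params(root):
    return {cp.findtext("param-name").strip(): cp.findtext("param-value").strip()
            for cp in root.iter("context-param")}

def protected_patterns(root):
    # url-patterns of every filter-mapping that refers to the AuthNFilter class.
    names = {f.findtext("filter-name").strip() for f in root.iter("filter")
             if f.findtext("filter-class", "").strip() == "org.eclipse.higgins.rp.servlet.server.AuthNFilter"}
    return [m.findtext("url-pattern").strip() for m in root.iter("filter-mapping")
            if m.findtext("filter-name").strip() in names]

def matches(pattern, path):
    # Servlet-spec style url-pattern matching: '/dir/*' path prefix or exact path.
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern

def is_protected(web_xml, path):
    # True when a request for `path` is routed through the authentication filter.
    return any(matches(p, path) for p in protected_patterns(ET.fromstring(web_xml)))

def check(web_xml):
    root = ET.fromstring(web_xml)
    params = context_params(root)
    problems = []
    # Assumes several token types would be space-separated, like the claim lists.
    for token in params.get("TokenTypes", "").split():
        if token + "Properties" not in params:  # parameter-name rule from the page
            problems.append("no properties-file parameter for token type " + token)
    both = set(params.get("RequiredClaims", "").split()) & set(params.get("OptionalClaims", "").split())
    problems += ["claim is both required and optional: " + c for c in sorted(both)]
    if not protected_patterns(root):
        problems.append("AuthNFilter is mapped to no url-pattern, so nothing is protected")
    return problems
```

check() returns an empty list when the descriptor passes every rule; run it against your own web.xml after the sample to see which values still need attention.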

Links

  • Higgins Home: http://eclipse.org/higgins
