Difference between revisions of "Relying Party Enablement Servlet Implementation"
Revision as of 22:31, 22 January 2008
This is a servlet container implementation of the Relying Party Interface.

Details
- Language: Java
- Packaging: JAR

Plans
- The returned attributes are currently stored in the session. The plan is to store the information as part of a JAAS Subject.

Service
- Authentication filter for protected resources. Initializes the authentication protocol handler specified in web.xml.

API

Configuration
Configuring a web application to use the relying party enablement servlet requires three things: changes to the web deployment file (web.xml), configuration parameters for the authentication protocol handler named in the deployment file, and a login page to be displayed to the user of the application.
1. Additions to the web application deployment file (WebContent/WEB-INF/web.xml)

In the servlet implementation, authentication is performed through a servlet filter and logout is performed by a servlet. Information about the authentication filter and the logout servlet needs to be added to the application's deployment file. The following lines should be added to the web.xml file inside the <web-app> element:

<pre>
<web-app ......>
  <filter>
    <filter-name>AuthenticationFilter</filter-name>
    <filter-class>org.eclipse.higgins.rp.servlet.server.AuthNFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>AuthenticationFilter</filter-name>
    <url-pattern>/protected/*</url-pattern>
  </filter-mapping>
  <servlet>
    <description>Logout servlet for filter</description>
    <display-name>Logout</display-name>
    <servlet-name>Logout</servlet-name>
    <servlet-class>org.eclipse.higgins.rp.servlet.server.Logout</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Logout</servlet-name>
    <url-pattern>/Logout</url-pattern>
  </servlet-mapping>
  ...
</web-app>
</pre>

The value of url-pattern in the filter-mapping element names the resource(s) you want protected by the authentication filter. In the example above, every resource under the "protected" directory of the application's context root requires authentication through the filter; anything outside that pattern is served without it.

The following servlet context parameters define the token types supported, the authentication protocol handlers to configure, and the properties file each authentication protocol handler uses:

<pre>
<web-app ......>
  ...
  <context-param>
    <param-name>TokenTypes</param-name>
    <param-value>urn:oasis:names:tc:SAML:1.0:assertion</param-value>
  </context-param>
  <context-param>
    <param-name>RootCertUrl</param-name>
    <param-value>TestRoot.cer</param-value>
  </context-param>
  <context-param>
    <param-name>RequiredClaims</param-name>
    <param-value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier</param-value>
  </context-param>
  <context-param>
    <param-name>OptionalClaims</param-name>
    <param-value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress
                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode
                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country
                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone
                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth
                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender
                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/website
                 http://burtongroup.com/interop/2007/05/identity/cameratype
                 http://burtongroup.com/interop/2007/05/identity/group
                 http://burtongroup.com/interop/2007/05/identity/groupRole
                 http://sts.labs.live.com/2006/06/claims/nickname
                 http://www.bandit-project.org/identity/claims/groupmembership
                 http://www.ibmidentitydemo.com/claims/assurancelevel</param-value>
  </context-param>
  <context-param>
    <param-name>PrivacyUrl</param-name>
    <param-value>https://localhost/RelyingPartyDemoApp2/Privacy.txt</param-value>
  </context-param>
  <context-param>
    <param-name>AuthProtocolHandlers</param-name>
    <param-value>org.eclipse.higgins.rp.icard.ICardProtocolHandler</param-value>
  </context-param>
  <context-param>
    <param-name>urn:oasis:names:tc:SAML:1.0:assertionProperties</param-name>
    <param-value>/icard.properties</param-value>
  </context-param>
  ...
</web-app>
</pre>

The values for TokenTypes, RootCertUrl, RequiredClaims and OptionalClaims should be changed to the values that pertain to the relying party site and application being written. See Extensible authentication protocol RP Website Solution#Configuration for details about setting these values.
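As an added example (not code from the Higgins project), the following Python script parses a relying-party web.xml of the shape shown in the two fragments above and reports the configuration mistakes a reviewer would look for before deploying: no url-pattern mapped to the AuthNFilter class, a token type in TokenTypes with no matching properties-file parameter, a missing RootCertUrl, AuthProtocolHandlers or RequiredClaims, and a claim listed as both required and optional. The naming rule that the properties parameter is the token type suffixed with "Properties" is an assumption read off the sample configuration; the embedded web.xml is constructed for this example, trimmed to the elements the checks use, and deliberately lists one claim in both claim sets.

```python
import xml.etree.ElementTree as ET

AUTHN_FILTER = "org.eclipse.higgins.rp.servlet.server.AuthNFilter"

# Constructed sample web.xml (not the project's own), trimmed to what the checks
# need; "emailaddress" is deliberately listed under both claim parameters.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter>
    <filter-name>AuthenticationFilter</filter-name>
    <filter-class>org.eclipse.higgins.rp.servlet.server.AuthNFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>AuthenticationFilter</filter-name>
    <url-pattern>/protected/*</url-pattern>
  </filter-mapping>
  <context-param>
    <param-name>TokenTypes</param-name>
    <param-value>urn:oasis:names:tc:SAML:1.0:assertion</param-value>
  </context-param>
  <context-param>
    <param-name>RootCertUrl</param-name>
    <param-value>TestRoot.cer</param-value>
  </context-param>
  <context-param>
    <param-name>RequiredClaims</param-name>
    <param-value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</param-value>
  </context-param>
  <context-param>
    <param-name>OptionalClaims</param-name>
    <param-value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</param-value>
  </context-param>
  <context-param>
    <param-name>AuthProtocolHandlers</param-name>
    <param-value>org.eclipse.higgins.rp.icard.ICardProtocolHandler</param-value>
  </context-param>
  <context-param>
    <param-name>urn:oasis:names:tc:SAML:1.0:assertionProperties</param-name>
    <param-value>/icard.properties</param-value>
  </context-param>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so web.xml with or without xmlns parses alike."""
    return tag.rsplit("}", 1)[-1]


def parse_rp_config(xml_text):
    """Collect filters, filter mappings and context-params into plain dicts/lists."""
    cfg = {"filters": {}, "filter_mappings": [], "params": {}}
    for el in ET.fromstring(xml_text):
        kind = _local(el.tag)
        kids = {_local(c.tag): (c.text or "").strip() for c in el}
        if kind == "filter":
            cfg["filters"][kids["filter-name"]] = kids["filter-class"]
        elif kind == "filter-mapping":
            cfg["filter_mappings"].append((kids["filter-name"], kids["url-pattern"]))
        elif kind == "context-param":
            cfg["params"][kids["param-name"]] = kids["param-value"]
    return cfg


def claim_list(cfg, name):
    """Claim URIs are whitespace separated inside a single param-value."""
    return cfg["params"].get(name, "").split()


def protected_patterns(cfg):
    """Non-empty url-patterns mapped to the Higgins authentication filter class."""
    authn = {n for n, cls in cfg["filters"].items() if cls == AUTHN_FILTER}
    return [p for n, p in cfg["filter_mappings"] if n in authn and p]


def check_rp_config(cfg):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    if not protected_patterns(cfg):
        findings.append("no url-pattern is mapped to AuthNFilter, so no resource is protected")
    for token_type in cfg["params"].get("TokenTypes", "").split():
        # Assumption taken from the sample config: the handler properties file is
        # named by a context-param called <token type>Properties.
        if token_type + "Properties" not in cfg["params"]:
            findings.append(f"TokenTypes lists {token_type} but {token_type}Properties is missing")
    for name in ("RootCertUrl", "AuthProtocolHandlers", "RequiredClaims"):
        if not cfg["params"].get(name):
            findings.append(f"context-param {name} is missing or empty")
    both = set(claim_list(cfg, "RequiredClaims")) & set(claim_list(cfg, "OptionalClaims"))
    for claim in sorted(both):
        findings.append(f"claim {claim} is listed as both required and optional")
    return findings


if __name__ == "__main__":
    for line in check_rp_config(parse_rp_config(SAMPLE_WEB_XML)):
        print("FINDING:", line)
```

Run against the embedded sample it reports only the duplicated claim; point `parse_rp_config` at the contents of a real WebContent/WEB-INF/web.xml to check a deployment. The namespace stripping in `_local` matters because Servlet 2.5 and later descriptors declare a default xmlns, which would otherwise make every tag comparison fail silently and leave the checks reporting nothing.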