


Relying Party Enablement Servlet Implementation

Revision as of 12:38, 23 January 2008 by Pka.us.ibm.com (Talk | contribs) (Links)

This is a servlet container implementation of the Relying Party Interface.

Details

  • Language: Java
  • Packaging: JAR

Plans

  • The returned attributes are currently stored in the session. The plan is to store the information as part of a JAAS Subject.

Service

  • Authentication filter for protected resources. Initializes the authentication protocol handler specified in web.xml.

API

Configuration

Configuring a web application to use the relying party enablement servlet requires three things: changes to the web deployment file (web.xml), configuration parameters for the authentication protocol handler named in the deployment file, and a login page to be displayed to the user of the application.

1. Additions to the web application deployment file (WebContent/WEB-INF/web.xml)

In the servlet implementation, authentication is performed through a servlet filter and logout is performed by a servlet. Information about the authentication filter and the logout servlet needs to be added to the application's deployment file. The following lines should be added to the web.xml file inside the <web-app> element:

<web-app ......>
  <filter>
    <filter-name>AuthenticationFilter</filter-name>
    <filter-class>org.eclipse.higgins.rp.servlet.server.AuthNFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>AuthenticationFilter</filter-name>
    <url-pattern>/protected/*</url-pattern>
  </filter-mapping>
  <servlet>
    <description>Logout servlet for filter</description>
    <display-name>Logout</display-name>
    <servlet-name>Logout</servlet-name>
    <servlet-class>org.eclipse.higgins.rp.servlet.server.Logout</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Logout</servlet-name>
    <url-pattern>/Logout</url-pattern>
  </servlet-mapping>
...
</web-app>

The value of url-pattern in the filter-mapping element should name the resource(s) you want protected by the authentication filter. In the example above, all resources under the "protected" directory of the application's context root require authentication through the authentication filter.

The following servlet context parameters define the token types supported, the authentication protocol handlers to configure, and the properties file to use for each authentication protocol handler.

<web-app ......>
...
  <context-param>
    <param-name>TokenTypes</param-name>
    <param-value>urn:oasis:names:tc:SAML:1.0:assertion</param-value>
  </context-param>
  <context-param>
    <param-name>RootCertUrl</param-name>
    <param-value>TestRoot.cer</param-value>
  </context-param>
  <context-param>
    <param-name>RequiredClaims</param-name>
    <param-value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier</param-value>
  </context-param>
  <context-param>
    <param-name>OptionalClaims</param-name>
    <param-value>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone</param-value>
  </context-param>
  <context-param>
    <param-name>PrivacyUrl</param-name>
    <param-value>https://localhost/RelyingPartyDemoApp2/Privacy.txt</param-value>
  </context-param>
  <context-param>
    <param-name>AuthProtocolHandlers</param-name>
    <param-value>org.eclipse.higgins.rp.icard.ICardProtocolHandler</param-value>
  </context-param>
  <context-param>
    <param-name>urn:oasis:names:tc:SAML:1.0:assertionProperties</param-name>
    <param-value>/icard.properties</param-value>
  </context-param>
...
</web-app>

The values for TokenTypes, RootCertUrl, RequiredClaims, OptionalClaims, PrivacyUrl and AuthProtocolHandlers should be changed to the values that pertain to the relying party site and the application being written. The last parameter name is derived from the token type name concatenated with the string "Properties". The only token type currently supported is urn:oasis:names:tc:SAML:1.0:assertion, so the parameter name becomes urn:oasis:names:tc:SAML:1.0:assertionProperties. Its value is the name of a file that contains the configuration parameters for the authentication protocol handler that supports that token type. See Extensible authentication protocol RP Website Solution#Configuration for details about setting these values.

2. Create a properties file to configure each authentication protocol handler

The name of the properties file holding the configuration parameters for each authentication protocol handler is specified in the web.xml file. The Information Card authentication protocol handler has the following name/value pairs in its properties file:

icardLoginPage=../MultiLogin.jsp
icardErrorPage=NoXmlToken.jsp
keystorename=localhost.jks
keystorepw=changeit
keystoretype=JKS
keystorekeyalias=leaf
xmlsecconfig=resource/config.xml

The value of each keyword needs to be configured for the application. See Extensible authentication protocol RP Website Solution#Configuration for details about setting these values.


3. Create a login page

The name of the login page is specified in the properties file of each authentication protocol handler. There can be one login page for the whole application, or a separate login page for each configured authentication protocol handler; that is up to the application to decide. TBD - required code for login pages
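Steps 1 and 2 above impose consistency rules that are easy to break by hand (the filter must actually be mapped, and each token type in TokenTypes must have a matching "<token type>Properties" parameter naming a properties file that defines the handler's keys). The following is an added deployment check, not code from the Higgins project: it parses a constructed web.xml fragment and a constructed icard.properties text and reports violations of those rules. The key list is taken from the properties file shown above; splitting TokenTypes on whitespace for multiple token types is an assumption, since the page only shows one.

```python
import xml.etree.ElementTree as ET

# Constructed inputs (not the project's files). The web.xml lists a second token
# type with no "<token type>Properties" param, and the properties text omits xmlsecconfig.
WEB_XML = """<web-app>
  <filter-mapping><filter-name>AuthenticationFilter</filter-name>
    <url-pattern>/protected/*</url-pattern></filter-mapping>
  <context-param><param-name>TokenTypes</param-name>
    <param-value>urn:oasis:names:tc:SAML:1.0:assertion urn:example:other-token</param-value></context-param>
  <context-param><param-name>AuthProtocolHandlers</param-name>
    <param-value>org.eclipse.higgins.rp.icard.ICardProtocolHandler</param-value></context-param>
  <context-param><param-name>urn:oasis:names:tc:SAML:1.0:assertionProperties</param-name>
    <param-value>/icard.properties</param-value></context-param>
</web-app>"""
ICARD_PROPERTIES = """icardLoginPage=../MultiLogin.jsp
icardErrorPage=NoXmlToken.jsp
keystorename=localhost.jks
keystorepw=changeit
keystoretype=JKS
keystorekeyalias=leaf
"""

HANDLER_KEYS = ("icardLoginPage", "icardErrorPage", "keystorename", "keystorepw",
                "keystoretype", "keystorekeyalias", "xmlsecconfig")

def check_web_xml(xml_text):
    """Return a list of findings; an empty list means the deployment file is consistent."""
    root = ET.fromstring(xml_text)
    params = {(p.findtext("param-name") or "").strip(): (p.findtext("param-value") or "").strip()
              for p in root.iter("context-param")}
    findings = []
    # The filter must be mapped to a URL pattern, or nothing is actually protected.
    mappings = [m for m in root.iter("filter-mapping")
                if m.findtext("filter-name") == "AuthenticationFilter"]
    if not mappings or not mappings[0].findtext("url-pattern"):
        findings.append("AuthenticationFilter has no filter-mapping/url-pattern")
    if not params.get("AuthProtocolHandlers"):
        findings.append("AuthProtocolHandlers is not set")
    # Every token type needs a "<token type>Properties" parameter naming its properties file.
    for token in params.get("TokenTypes", "").split():
        if not params.get(token + "Properties"):
            findings.append("missing context-param " + token + "Properties")
    return findings

def check_handler_properties(text):
    """Return the expected handler keys that the properties text does not define."""
    present = {line.split("=", 1)[0].strip() for line in text.splitlines()
               if "=" in line and not line.lstrip().startswith("#")}
    return [k for k in HANDLER_KEYS if k not in present]
```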

Links
