Senior Software Engineer at Appway AG
"Still developing, one day I'll be grown up" I'm a Software Engineer with a passion for technology and problem solving. If someone gives me a challenging problem I always want to see it resolved and preferably with an elegant solution. My specialisations are: Data/text mining; Data extraction and manipulation of PDF Documents; Data persistence (Relational Databases, Hibernate, NOSQL, XML-based, RSS); Lexing and parsing (interpreters and translators); Spidering and web scraping inc. Web2; Integration SOAP and REST in server side applications as both client and host; Security SSL, SPNego/Kerberos, Encryption and Digital Signatures; BPMN Web applications using 100% Java. Principal Programming Languages: Java, Python, JavaScript
Stats
| Reputation: | 7120 |
| Pageviews: | 335.8K |
| Articles: | 5 |
| Comments: | 10 |
Comments
Dec 28, 2017 · Brett Crawley
Hi Amar
I was using Tomcat 7 and JDK 8.
The keycloak adapter does have a slightly difference config, I haven't yet tried it myself but I will do over the next week and let you know how it works. Could you post how you tried to configure this.
Regards,
Brett
Dec 28, 2017 · Brett Crawley
Hi Amar
In step 7 did you check the box "do not require kerberos preauthentication"? This can sometimes cause the connection to be severed immediately because the endpoint requires preauthentication. If this is not the issue and your company policy allows it, you could use a packet sniffer on the server; you should be able to open the packet trace in Wireshark and filter for kerberos and ldap. There you will see the conversation with the LDAP server and you should see a clear indication of what the problem may be.
If it is not the pre-authentication, it could be an issue with the dns resolution and that your Service Principal doesn't have an SPN for the address that is being resolved. Sometimes reverse DNS gives you a different hostname to the one you are expecting. Try using nslookup with the ip to verify the name that comes back is the expected name.
You would see this in the packet trace as an sname not found kerberos error. If this is the case simply add the missing SPN to your Service Principal with the setspn command from step 4.
Regards,
Brett
Dec 27, 2017 · Brett Crawley
Hi Chetouane
Seems that picketlink is no longer being developed and the project has been merged with Keycloak. Seems like a pretty similar procedure to setup, you can see the online docs for it here: http://www.keycloak.org/docs/latest/securing_apps/index.html#saml-2
On the downloads page there is an adapter that supports Tomcat 8.
Regards,
Brett
Dec 03, 2017 · Brett Crawley
Hi Manjit
Below are the changes I made to the server.xml, web.xml and picketlink.xml
==========================================================================================================================================
web.xml
==========================================================================================================================================
In the web.xml file I had to remove the following section:
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/zaloguj</form-login-page>
<form-error-page>/zaloguj</form-error-page>
</form-login-config>
</login-config>
That was present in the WAR file you sent me.
I also added a /* to the end of the URL pattern <url-pattern>/konto-ctwiedza/*</url-pattern>
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
<display-name>www.ctwiedza.pl</display-name>
<welcome-file-list>
<welcome-file>witaj</welcome-file>
</welcome-file-list>
<security-role>
<role-name>uzytkownik</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>konto</web-resource-name>
<url-pattern>/modyfikacja-baz-danych</url-pattern>
<url-pattern>/konto-ctwiedza/*</url-pattern>
<url-pattern>/zmien-email</url-pattern>
<url-pattern>/odzyskaj-haslo</url-pattern>
<url-pattern>/tworzenie-bazy-danych</url-pattern>
<url-pattern>/zrob-test</url-pattern>
<url-pattern>/pre-modyfikacja-baz-danych</url-pattern>
<url-pattern>/pre-test-wiedzy</url-pattern>
<url-pattern>/test-wiedzy</url-pattern>
<url-pattern>/darmowy-programy-baz</url-pattern>
<url-pattern>/twoje-bazy-slowek</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>uzytkownik</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
</web-app>
==========================================================================================================================================
server.xml
==========================================================================================================================================
Here I commented out a couple of sections that weren't needed for testing. The change here that affected the working of the SAML auth was setting the context path referenced in the picketlink.xml file to path="/Web-Application-master".
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
<Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
<!--
<GlobalNamingResources>
<Resource auth="Container" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase" pathname="conf/tomcat-users.xml" type="org.apache.catalina.UserDatabase"/>
</GlobalNamingResources>
-->
<Service name="Catalina">
<Connector connectionTimeout="20000" port="8020" protocol="HTTP/1.1" redirectPort="8443"/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
maxThreads="150"
threadPriority="5"
scheme="https"
secure="true"
server="Login Application Server"
clientAuth="false"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
maxHttpHeaderSize="32768"
connectionTimeout="20000"
maxParameterCount="30000"
disableUploadTimeout="true"
keystoreFile="./conf/.keystore"
URIEncoding="UTF-8"/>
<Engine defaultHost="localhost" name="Catalina">
<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
<Context docBase="Web-Application-master.war" path="/Web-Application-master">
<Valve className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator"/>
</Context>
<!--<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t %r %s %b" prefix="localhost_access_log" suffix=".txt"/>-->
</Host>
</Engine>
</Service>
</Server>
==========================================================================================================================================
picketlink.xml
==========================================================================================================================================
Here it was necessary to change the ServiceURL so that the name matched that of the contextpath in the URL.
${Web-Application-master.url::https://192.168.0.107:8443/Web-Application-master/konto-ctwiedza/}
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" BindingType="POST">
<IdentityURL>${idp.url::https://dev-451813.oktapreview.com/home/bmcdev451813_bnasso_1/0oad2bpi5wP8DrPNO0h7/alnd2bqxyh1W3f2Dd0h7/}</IdentityURL>
<ServiceURL>${Web-Application-master.url::https://192.168.0.107:8443/Web-Application-master/konto-ctwiedza/}</ServiceURL>
<Trust>
<Domains>localhost,192.168.0.107</Domains>
</Trust>
</PicketLinkSP>
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
</Handlers>
</PicketLink>
==========================================================================================================================================
WAR File Structure
==========================================================================================================================================
This is how I structured the WAR file for testing the setup. I removed everything else and kept it as simple as possible.
|------/META-INF
| |-------MANIFEST.MF
|
|------/WEB-INF
| |-------picketlink.xml
| |-------web.xml
| |-------/classes
|
|------/konto-ctwiedza
| |-------test.txt
==========================================================================================================================================
Picketlink and JBoss Libs added to the tomcat libs folder
==========================================================================================================================================
These are the libraries I had to add to the tomcat libs folder, they are all available from Maven Central
jboss-logging-3.0.0.GA.jar
jboss-security-spi-3.0.0.Final.jar
picketlink-common-2.7.1.Final.jar
picketlink-config-2.7.1.Final.jar
picketlink-federation-2.7.1.Final.jar
picketlink-tomcat-common-2.7.1.Final.jar
picketlink-tomcat7-single-2.7.1.Final.jar
==========================================================================================================================================
Test carried out
==========================================================================================================================================
Accessing the following path "/Web-Application-master/konto-ctwiedza/test.txt" I saw in SAML Tracer an authn request go out to the IdentityURL.
Regards,
Brett
Dec 01, 2017 · Brett Crawley
Hi Manjit
Two things I noted from your picketlink.xml file:
1. myapp.url should probably be ROOT.url because your webapp has the path="/" attribute in the server.xml
2. the URL cannot be localhost because the IdP needs to be able to redirect back to your server, so it will need a URL that it can address.
<ServiceURL>${myapp.url::https://localhost:8443/Web-Application-master/konto-ctwiedza/}</ServiceURL>
Regards
Brett
Dec 01, 2017 · Brett Crawley
Hi Manjit
Sorry I don't have an example app, have you tried installing SAML tracer on Firefox to see what happens? What you should see happen is that your server sends a redirect to your browser containing a SAML authn request. If you open the SAML tracer before trying to authenticate you should see if this redirect comes back to the browser.
If it is not a security issue for you, you could share your picketlink.xml, server.xml and web.xml with me and I could take a look.
Best regards,
Brett
Nov 30, 2017 · Brett Crawley
Hi Ramesh
Sorry for the very late response, saw a notification this morning for one of the comments below and then spotted your comment. I guess you sorted it out but just in case, you should be able to find them in the Maven central repository. If they have Final in the name that's good too.
Regards
Brett
Nov 30, 2017 · Brett Crawley
Hi Manjit
There are a couple of possibilities:
Have you removed this section from your web.xml?
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login</form-login-page>
<form-error-page>/login?error=true</form-error-page>
</form-login-config>
</login-config>
The identity URL and the Service URL must include a trailing slash because this is mandatory.
In your server.xml, Valve must be written with an uppercase V.
The identity URL and the Service URL must also be over HTTPS.
The picketlink.xml file has to be in the WEB-INF folder with the web.xml
If you are still having problems let me know.
Best Regards,
Brett
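A small config checker for the checklist in this comment and the full web.xml/server.xml/picketlink.xml shown in the Dec 03 comment, added here as an example (not the author's or PicketLink's own code): it parses the three files with Python's ElementTree and reports the trailing-slash, HTTPS, localhost, <Valve> spelling, context-path and leftover <login-config> mistakes. The function names, the placeholder hosts and the sample configs are constructed for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PL = "{urn:picketlink:identity-federation:config:2.1}"
JEE = "{http://xmlns.jcp.org/xml/ns/javaee}"

# Constructed sample inputs modelled on the posted configs (placeholder hosts); they
# deliberately contain every mistake the checklist warns about, so each check fires.
PICKETLINK_XML = """<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<PicketLinkSP BindingType="POST">
<IdentityURL>${idp.url::https://idp.example.test/saml/}</IdentityURL>
<ServiceURL>${app.url::http://localhost:8443/Web-Application-master/konto-ctwiedza}</ServiceURL>
</PicketLinkSP></PicketLink>"""
SERVER_XML = """<Server><Service><Engine><Host>
<Context docBase="Web-Application-master.war" path="/Web-Application-master">
<valve className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator"/>
</Context></Host></Engine></Service></Server>"""
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
<login-config><auth-method>FORM</auth-method></login-config></web-app>"""

def resolve(value):
    """PicketLink's ${property::default} syntax: fall back to the default value."""
    v = value.strip()
    return v[2:-1].split("::", 1)[1] if v.startswith("${") and v.endswith("}") and "::" in v else v

def check_url(name, url, problems):
    """URL rules from the checklist: https, trailing slash, a host the IdP can redirect to."""
    p = urlparse(url)
    if p.scheme != "https":
        problems.append(f"{name} must use https")
    if not url.endswith("/"):
        problems.append(f"{name} must end with a trailing slash")
    if p.hostname in ("localhost", "127.0.0.1"):
        problems.append(f"{name} must not be localhost; the IdP redirects the browser back to it")
    return p

def check_picketlink_setup(picketlink_xml, server_xml, web_xml):
    """Return the list of misconfigurations found; an empty list means all checks pass."""
    problems = []
    sp = ET.fromstring(picketlink_xml)
    check_url("IdentityURL", resolve(sp.findtext(f".//{PL}IdentityURL", "")), problems)
    svc = check_url("ServiceURL", resolve(sp.findtext(f".//{PL}ServiceURL", "")), problems)
    ctx = ET.fromstring(server_xml).find(".//Context")
    # ElementTree tag matching is case-sensitive, so a lowercase <valve> is not found here
    if ctx is None or ctx.find("Valve") is None:
        problems.append("server.xml: Context needs <Valve> (uppercase V) with the SP authenticator")
    elif not svc.path.startswith(ctx.get("path", "").rstrip("/") + "/"):
        problems.append(f"ServiceURL path {svc.path} is outside context path {ctx.get('path')}")
    if ET.fromstring(web_xml).find(f"{JEE}login-config") is not None:
        problems.append("web.xml: remove <login-config>; the Valve, not FORM auth, handles login")
    return problems
```

Run `check_picketlink_setup(PICKETLINK_XML, SERVER_XML, WEB_XML)` to see the five findings for the deliberately broken sample; the same call against your own three files returns an empty list once they follow the checklist.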
Nov 30, 2017 · Brett Crawley
Sorry David I just saw your comment, I hope you managed to sort this out.
Dec 29, 2015 · Brett Crawley
Hi Terence
The content being parsed is the json section in the article. I was using YourKit Java profiler and measuring CPU time for each invocation of the parser and taking the average result. The test was carried out using a junit repeat rule to repeat the invocations, so the JVM was not restarted.
I was quite surprised by the results too. I was trying to be completely impartial because I have used both parsers on a number of occasions in the past and think they are both great. I will try a longer sample and see if this has an impact on the results.