Project

General

Profile

Integrating Spring Framework into CSSO

Some EDIT components like the Common Data Model(CDM) services, but also other projects meanwhile supporting CDM functionalities are implemented based on the Spring Framework":http://www.springsource.org/. As the CDM services are central points of the EDIT infrastructure, they must be capable of being integrable with the Community Single Sign-On (CSSO) security infrastructure as well. Therefore, this document will summarise means to integrate SAML based SSO security aspects into the "Spring Framework":http://www.springsource.org/ based on "Spring Security

Currently, there is only one way checked for integrating spring with CSSO

  • Spring Security SAML module

Spring Security SAML module

The Spring Security SAML module is a quite new development first published in February 2009. There is no more than source code":http://jira.springframework.org/secure/attachment/15147/SpringSecurity+SAML.zip and a brief "documentation available, but the example application works well with the CSSO infrastructure based on OpenSSO. Using that module, we can support Spring based web applications or services.

Since, the installation of the example application is a bit tricky, the installation procedure on a Debian Etch system will be described in the following section.

Installation the Spring Security SAML module on Debian Etch

For the run of the library a Java EE 5 application server supporting Java Servlets 2.4 is required. In our scenario, we will use Tomcat6.

Please follow the instructions for SUN JDK5 Installation on Debian Etch andTomcat6 Installation on Debian Etch.

Next, download the Spring Security SAML module and extract it wherever you like (here /root/SpringSecuritySAML.

wget http://jira.springframework.org/secure/attachment/15147/SpringSecurity+SAML.zip
mkdir SpringSecuritySAML
unzip SpringSecurity+SAML.zip -d SpringSecuritySAML

Spring Security SAML makes use of the OpenSAML libraries. Therefore, some XML parsing libraries used by tomcat must be compatible with OpenSAML. For more details refer to https://spaces.internet2.edu/display/OpenSAML/OSTwoUsrManJavaInstall.

Compatibility can be achieved by adding the following jar-files to the Tomcat6 endorsed libraries (/opt/tomcat6/endorsed)

  • serializer-2.9.1.jar

  • xalan-2.7.1.jar

  • xercesImpl-2.9.1.jar

  • xml-apis-2.9.1.jar

You can simply use the jar-files included with the Spring Security SAML module,or retrieve more current versions on the Web. If not present, create the /opt/tomcat6/endorsed directory first.

mkdir /opt/tomcat6/endorsed
cp SpringSecuritySAML/saml2-webapp/target/spring-security-saml2-webapp/WEB-INF/lib/serializer-2.9.1.jar /opt/tomcat6/endorsed/
cp SpringSecuritySAML/saml2-webapp/target/spring-security-saml2-webapp/WEB-INF/lib/xalan-2.7.1.jar /opt/tomcat6/endorsed/
cp SpringSecuritySAML/saml2-webapp/target/spring-security-saml2-webapp/WEB-INF/lib/xercesImpl-2.9.1.jar /opt/tomcat6/endorsed/
cp SpringSecuritySAML/saml2-webapp/target/spring-security-saml2-webapp/WEB-INF/lib/xml-apis-2.9.1.jar /opt/tomcat6/endorsed/

The sample web application of Spring Security SAML uses JSTL 1.2 library. These libraries must be added to the Tomcat6 installation as well. The most recent version of the JSTL 1.2 library is included into [SUN Glassfish](https://glassfish.dev.java.net/. So, we need to download and unpack the latest release of Glassfish binaries) in order to get JSTL libraries. For more detailed information, please refer to http://www.mularien.com/blog/2008/02/19/tutorial-how-to-set-up-tomcat-6-to-work-with-jstl-12/.

wget http://java.net/download/javaee5/v2.1_branch/promoted/Linux/glassfish-installer-v2.1-b60e-linux.jar
java -Xmx256m -jar glassfish-installer-v2.1-b60e-linux.jar
cd glassfish
chmod -R +x lib/ant/bin
lib/ant/bin/ant -f setup.xml 

Now, you can copy the glassfish/lib/javaee.jar to the Tomcat6 common libraries directory /opt/tomcat6/lib.

cp glassfish/lib/javaee.jar /opt/tomcat6/lib

Also, we'll need to copy glassfish/lib/appserver-jstl.jar to the directory of our web application (e.g. /opt/tomcat6/webapps/spring-security-saml2-webapp/WEB-INF/lib). Since, this is currently not deployed, remember this step for later, or copy it to SpringSecuritySAML/saml2-webapp/target/spring-security-saml2-webapp/WEB-INF/lib

cp glassfish/lib/appserver-jstl.jar SpringSecuritySAML/saml2-webapp/target/spring-security-saml2-webapp/WEB-INF/lib

After that, we describe the configuration of the webapplication, in order to get working with the EDIT-IdP running at https://idp.e-taxonomy.eu/opensso/.

There is only one configuration file of the sample web application located at saml2-webapp/src/main/resources/security/securityContext.xml.

First, you will require a private key and include it within a JKS keystore. I would recommend the IBM KeyMan":http://www.alphaworks.ibm.com/tech/keyman to manage your keystores, particularly if you already have a certificateand key for you server. You may also follow this "description Do not forget to give your key a name (alias) ! (e.g. spdemo2.e-taxonomy.eu).

Second, you have to configure the webapps security-context.xml with you private keystore. Therefore, you have to provide the beans keyStore*, *keyResolver and webSSOprofile with your keystore file (e.g. classpath:security/spdemo2.e-taxonomy.eu.jks*) and password (e.g. *secret_pw or the key alias within your key store (e.g. spdemo2.e-taxonomy.eu). The classpath::security thing reflect the WEB-INF/classes/security directory in your web application.

    <!-- Key manager, set the JKS path and password to open the datastore -->
    <bean id="keyStore" class="org.springframework.security.saml.key.JKSKeyManager">
        <constructor-arg index="0" value="classpath:security/spdemo2.e-taxonomy.eu.jks" />
        <constructor-arg index="1" value="secret_pw" />
    </bean>

    <!-- Set keys which should be available to the system in the map, one of these keys must be also 
         specified in the webSSOProfile later -->
    <bean id="keyResolver" class="org.opensaml.xml.security.credential.KeyStoreCredentialResolver">
        <constructor-arg index="0">
            <bean factory-bean="keyStore" factory-method="getKeyStore" />
        </constructor-arg>
        <constructor-arg index="1">
            <map>
                <entry key="spdemo2.e-taxonomy.eu" value="secret_pw" />
            </map>
        </constructor-arg>
    </bean>

    <!-- Entry point to initialize authentication -->    
    <bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfile" depends-on="bootstrap">
        <constructor-arg index="0" ref="metadata" />
        <constructor-arg index="1" ref="keyResolver" />
        <!-- The name of key to use for encryption/signing purposes must be set here -->
        <constructor-arg index="2" value="spdemo2.e-taxonomy.eu" />
        <property name="protocolCache" ref="protocolCache" />
        <property name="parser" ref="parserPool" />
    </bean>

The next step concerns the metadata configuration. The EDIT-IdP provides a URL, where clients can get the metadata of the federation( https://idp.e-taxonomy.eu/opensso/saml2/jsp/exportmetadata.jsp?entityid=https://idp.e-taxonomy.eu:443/opensso). So, you do not need to grab and store the metadata using the bean class FilesystemMetadataProvider and must comment this bean. The bean class HTTPMetadataProvider will do anything you need, so just enter the metadata-URL of the EDIT-IdP into constructor arg 0. Since, we have only one EDIT-IdP currently, you should state its URL as defaultIDP (https://idp.e-taxonomy.eu:443/opensso).

    <!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here -->
    <!-- Do no forget to call iniitalize method on providers -->
    <bean id="metadata" class="org.springframework.security.saml.metadata.MetadataManager" depends-on="bootstrap">
        <constructor-arg index="0">
            <list>
                <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider" init-method="initialize">
                    <!-- URL containing the metadata -->
                    <constructor-arg index="0">
                        <value type="java.lang.String">https://idp.e-taxonomy.eu/opensso/saml2/jsp/exportmetadata.jsp?entityid=https://idp.e-taxonomy.eu:443/opensso</value>
                    </constructor-arg>
                    <!-- Timeout for metadata loading in ms -->
                    <constructor-arg index="1">
                        <value type="int">5000</value>
                    </constructor-arg>
                    <property name="parserPool" ref="parserPool"/>
                </bean>
            </list>
        </constructor-arg>
        <!-- OPTIONAL property: can tell the system which IDP should be used for authenticating user by default. -->
        <property name="defaultIDP" value="https://idp.e-taxonomy.eu:443/opensso"/>
    </bean>

After this, you must provide the EDIT CA certificates to your Java installation. These are needed due to the SSL-verification of the connection. The EDIT WP 5.7 Certificate Authority provides a ready to use attachment:EDIT-WP5.7-Truststore.jks". You can provide these certificates by simply overwriting the default jre/lib/security/cacerts file of you java installation with the attachment:"EDIT-WP5.7-Truststore.jks". Or, you can use the Java keytool application or "IBM KeyMan to modify or create your own Java truststore. The EDIT WP 5.7 Certificate Authority published all issued certificates on its page.

Next, you should contact the EDIT-IdP manager (me), that you want get part of the EDIT federation, and submit your certificate to him. He will have to add you to the federation on the IdP, or manage a test account for your application.

Now, we can proceed compiling and deploying the sample web application. This step requires Apache Maven So, please refer to Apache Maven 2 Installation on Debian Etch.

Step into the directory where you unpacked SpringSecuritySAML, run Maven and cp the resulting war file to Tomcat's web application directory.

cd SpringSecuritySAML
mvn package
cp saml2-webapp/target/spring-security-saml2-webapp.war /opt/tomcat6/webapps/

Start tomcat, and check the Tomcat6 log files (/opt/tomcat6/logs) if the sample application deploys well.

Before being capable to test the SSO functionality, you need to make the application SSL-capable. I am not an expert in Tomcat6, so I recommend using Apache2 to do this. Therefore, install Apache and enable the following modules.

apt-get install apache2
a2enmod ssl
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_ajp

Create a file /etc/apache2/sites-available/spdemo2.e-taxonomy.eu and adopt it to your needs. Have a particular look at anything which contains spdemo2.e-taxonomy.eu. This will probably need to be adopted.

Listen 443

#
# Please replace 'spdemo2.e-taxonomy.eu' with your host name !
#
<VirtualHost spdemo2.e-taxonomy.eu:443>
  ServerName              spdemo2.e-taxonomy.eu
  SSLEngine               on
  SSLCertificateFile      /etc/ssl/certs/spdemo2.e-taxonomy.eu-cert.pem
  SSLCertificateKeyFile   /etc/ssl/private/spdemo2.e-taxonomy.eu-key.pem

  <Location /spring-security-saml2-webapp>
        Allow from all
        ProxyPass ajp://localhost:8009/spring-security-saml2-webapp
        ProxyPassReverse ajp://localhost:8009/spring-security-saml2-webapp
        ProxyPassReverseCookiePath  ajp://localhost:8009/spring-security-saml2-webapp /spring-security-saml2-webapp
        ProxyPassReverseCookieDomain  ajp://localhost:8009/spring-security-saml2-webapp spdemo2.e-taxonomy.eu
  </Location>

</VirtualHost>

Check your Tomcat /opt/tomcat6/conf/server.xml configuration file. It should contain the following lines configuring the AJP connector used by the Apache proxy module.

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
                enableLookups="false" redirectPort="8443" protocol="AJP/1.3"
                request.tomcatAuthentication="false" address="127.0.0.1" />

Uff.

If everything is fine, restart tomcat and apache, and try to access the sample web application (e.g. https://spdemo2.e-taxonomy.eu/spring-security-saml2-webapp)

/etc/init.d/tomcat6 restart
/etc/init.d/apache2 restart

You should be redirected to the EDIT-IdP and login there (Of course, you'll need to be registered there). After succesfully being logged in, you should see a page with your EDIT-IdP attributes.

Add picture from clipboard (Maximum size: 40 MB)