Integrating Spring Framework into CSSO¶
Some EDIT components like the Common Data Model(CDM) services, but also other projects meanwhile supporting CDM functionalities are implemented based on the Spring Framework":http://www.springsource.org/. As the CDM services are central points of the EDIT infrastructure, they must be capable of being integrable with the Community Single Sign-On (CSSO) security infrastructure as well. Therefore, this document will summarise means to integrate SAML based SSO security aspects into the "Spring Framework":http://www.springsource.org/ based on "Spring Security
Currently, there is only one way checked for integrating spring with CSSO
- Spring Security SAML module
Spring Security SAML module¶
The Spring Security SAML module is a quite new development first published in February 2009. There is no more than source code":http://jira.springframework.org/secure/attachment/15147/SpringSecurity+SAML.zip and a brief "documentation available, but the example application works well with the CSSO infrastructure based on OpenSSO. Using that module, we can support Spring based web applications or services.
Since, the installation of the example application is a bit tricky, the installation procedure on a Debian Etch system will be described in the following section.
Installation the Spring Security SAML module on Debian Etch¶
For the run of the library a Java EE 5 application server supporting Java Servlets 2.4 is required. In our scenario, we will use Tomcat6.
Next, download the Spring Security SAML module and extract it wherever you like (here /root/SpringSecuritySAML.
wget http://jira.springframework.org/secure/attachment/15147/SpringSecurity+SAML.zip mkdir SpringSecuritySAML unzip SpringSecurity+SAML.zip -d SpringSecuritySAML
Spring Security SAML makes use of the OpenSAML libraries. Therefore, some XML parsing libraries used by tomcat must be compatible with OpenSAML. For more details refer to https://spaces.internet2.edu/display/OpenSAML/OSTwoUsrManJavaInstall.
Compatibility can be achieved by adding the following jar-files to the Tomcat6 endorsed libraries (/opt/tomcat6/endorsed)
You can simply use the jar-files included with the Spring Security SAML module,or retrieve more current versions on the Web. If not present, create the /opt/tomcat6/endorsed directory first.
mkdir /opt/tomcat6/endorsed cp SpringSecuritySAML/saml2-webapp/target/spring-security-saml2-webapp/WEB-INF/lib/serializer-2.9.1.jar /opt/tomcat6/endorsed/ cp SpringSecuritySAML/saml2-webapp/target/spring-security-saml2-webapp/WEB-INF/lib/xalan-2.7.1.jar /opt/tomcat6/endorsed/ cp SpringSecuritySAML/saml2-webapp/target/spring-security-saml2-webapp/WEB-INF/lib/xercesImpl-2.9.1.jar /opt/tomcat6/endorsed/ cp SpringSecuritySAML/saml2-webapp/target/spring-security-saml2-webapp/WEB-INF/lib/xml-apis-2.9.1.jar /opt/tomcat6/endorsed/
The sample web application of Spring Security SAML uses JSTL 1.2 library. These libraries must be added to the Tomcat6 installation as well. The most recent version of the JSTL 1.2 library is included into [SUN Glassfish](https://glassfish.dev.java.net/. So, we need to download and unpack the latest release of Glassfish binaries) in order to get JSTL libraries. For more detailed information, please refer to http://www.mularien.com/blog/2008/02/19/tutorial-how-to-set-up-tomcat-6-to-work-with-jstl-12/.
wget http://java.net/download/javaee5/v2.1_branch/promoted/Linux/glassfish-installer-v2.1-b60e-linux.jar java -Xmx256m -jar glassfish-installer-v2.1-b60e-linux.jar cd glassfish chmod -R +x lib/ant/bin lib/ant/bin/ant -f setup.xml
Now, you can copy the glassfish/lib/javaee.jar to the Tomcat6 common libraries directory /opt/tomcat6/lib.
cp glassfish/lib/javaee.jar /opt/tomcat6/lib
Also, we'll need to copy glassfish/lib/appserver-jstl.jar to the directory of our web application (e.g. /opt/tomcat6/webapps/spring-security-saml2-webapp/WEB-INF/lib). Since, this is currently not deployed, remember this step for later, or copy it to SpringSecuritySAML/saml2-webapp/target/spring-security-saml2-webapp/WEB-INF/lib
cp glassfish/lib/appserver-jstl.jar SpringSecuritySAML/saml2-webapp/target/spring-security-saml2-webapp/WEB-INF/lib
After that, we describe the configuration of the webapplication, in order to get working with the EDIT-IdP running at https://idp.e-taxonomy.eu/opensso/.
There is only one configuration file of the sample web application located at saml2-webapp/src/main/resources/security/securityContext.xml.
First, you will require a private key and include it within a JKS keystore. I would recommend the IBM KeyMan":http://www.alphaworks.ibm.com/tech/keyman to manage your keystores, particularly if you already have a certificateand key for you server. You may also follow this "description Do not forget to give your key a name (alias) ! (e.g. spdemo2.e-taxonomy.eu).
Second, you have to configure the webapps security-context.xml with you private keystore. Therefore, you have to provide the beans keyStore*, *keyResolver and webSSOprofile with your keystore file (e.g. classpath:security/spdemo2.e-taxonomy.eu.jks*) and password (e.g. *secret_pw or the key alias within your key store (e.g. spdemo2.e-taxonomy.eu). The classpath::security thing reflect the WEB-INF/classes/security directory in your web application.
<!-- Key manager, set the JKS path and password to open the datastore --> <bean id="keyStore" class="org.springframework.security.saml.key.JKSKeyManager"> <constructor-arg index="0" value="classpath:security/spdemo2.e-taxonomy.eu.jks" /> <constructor-arg index="1" value="secret_pw" /> </bean> <!-- Set keys which should be available to the system in the map, one of these keys must be also specified in the webSSOProfile later --> <bean id="keyResolver" class="org.opensaml.xml.security.credential.KeyStoreCredentialResolver"> <constructor-arg index="0"> <bean factory-bean="keyStore" factory-method="getKeyStore" /> </constructor-arg> <constructor-arg index="1"> <map> <entry key="spdemo2.e-taxonomy.eu" value="secret_pw" /> </map> </constructor-arg> </bean> <!-- Entry point to initialize authentication --> <bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfile" depends-on="bootstrap"> <constructor-arg index="0" ref="metadata" /> <constructor-arg index="1" ref="keyResolver" /> <!-- The name of key to use for encryption/signing purposes must be set here --> <constructor-arg index="2" value="spdemo2.e-taxonomy.eu" /> <property name="protocolCache" ref="protocolCache" /> <property name="parser" ref="parserPool" /> </bean>
The next step concerns the metadata configuration. The EDIT-IdP provides a URL, where clients can get the metadata of the federation( https://idp.e-taxonomy.eu/opensso/saml2/jsp/exportmetadata.jsp?entityid=https://idp.e-taxonomy.eu:443/opensso). So, you do not need to grab and store the metadata using the bean class FilesystemMetadataProvider and must comment this bean. The bean class HTTPMetadataProvider will do anything you need, so just enter the metadata-URL of the EDIT-IdP into constructor arg 0. Since, we have only one EDIT-IdP currently, you should state its URL as defaultIDP (https://idp.e-taxonomy.eu:443/opensso).
<!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here --> <!-- Do no forget to call iniitalize method on providers --> <bean id="metadata" class="org.springframework.security.saml.metadata.MetadataManager" depends-on="bootstrap"> <constructor-arg index="0"> <list> <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider" init-method="initialize"> <!-- URL containing the metadata --> <constructor-arg index="0"> <value type="java.lang.String">https://idp.e-taxonomy.eu/opensso/saml2/jsp/exportmetadata.jsp?entityid=https://idp.e-taxonomy.eu:443/opensso</value> </constructor-arg> <!-- Timeout for metadata loading in ms --> <constructor-arg index="1"> <value type="int">5000</value> </constructor-arg> <property name="parserPool" ref="parserPool"/> </bean> </list> </constructor-arg> <!-- OPTIONAL property: can tell the system which IDP should be used for authenticating user by default. --> <property name="defaultIDP" value="https://idp.e-taxonomy.eu:443/opensso"/> </bean>
After this, you must provide the EDIT CA certificates to your Java installation. These are needed due to the SSL-verification of the connection. The EDIT WP 5.7 Certificate Authority provides a ready to use attachment:EDIT-WP5.7-Truststore.jks". You can provide these certificates by simply overwriting the default jre/lib/security/cacerts file of you java installation with the attachment:"EDIT-WP5.7-Truststore.jks". Or, you can use the Java keytool application or "IBM KeyMan to modify or create your own Java truststore. The EDIT WP 5.7 Certificate Authority published all issued certificates on its page.
Next, you should contact the EDIT-IdP manager (me), that you want get part of the EDIT federation, and submit your certificate to him. He will have to add you to the federation on the IdP, or manage a test account for your application.
Step into the directory where you unpacked SpringSecuritySAML, run Maven and cp the resulting war file to Tomcat's web application directory.
cd SpringSecuritySAML mvn package cp saml2-webapp/target/spring-security-saml2-webapp.war /opt/tomcat6/webapps/
Start tomcat, and check the Tomcat6 log files (/opt/tomcat6/logs) if the sample application deploys well.
Before being capable to test the SSO functionality, you need to make the application SSL-capable. I am not an expert in Tomcat6, so I recommend using Apache2 to do this. Therefore, install Apache and enable the following modules.
apt-get install apache2 a2enmod ssl a2enmod proxy a2enmod proxy_http a2enmod proxy_ajp
Create a file /etc/apache2/sites-available/spdemo2.e-taxonomy.eu and adopt it to your needs. Have a particular look at anything which contains spdemo2.e-taxonomy.eu. This will probably need to be adopted.
Listen 443 # # Please replace 'spdemo2.e-taxonomy.eu' with your host name ! # <VirtualHost spdemo2.e-taxonomy.eu:443> ServerName spdemo2.e-taxonomy.eu SSLEngine on SSLCertificateFile /etc/ssl/certs/spdemo2.e-taxonomy.eu-cert.pem SSLCertificateKeyFile /etc/ssl/private/spdemo2.e-taxonomy.eu-key.pem <Location /spring-security-saml2-webapp> Allow from all ProxyPass ajp://localhost:8009/spring-security-saml2-webapp ProxyPassReverse ajp://localhost:8009/spring-security-saml2-webapp ProxyPassReverseCookiePath ajp://localhost:8009/spring-security-saml2-webapp /spring-security-saml2-webapp ProxyPassReverseCookieDomain ajp://localhost:8009/spring-security-saml2-webapp spdemo2.e-taxonomy.eu </Location> </VirtualHost>
Check your Tomcat /opt/tomcat6/conf/server.xml configuration file. It should contain the following lines configuring the AJP connector used by the Apache proxy module.
<!-- Define an AJP 1.3 Connector on port 8009 --> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> enableLookups="false" redirectPort="8443" protocol="AJP/1.3" request.tomcatAuthentication="false" address="127.0.0.1" />
If everything is fine, restart tomcat and apache, and try to access the sample web application (e.g. https://spdemo2.e-taxonomy.eu/spring-security-saml2-webapp)
/etc/init.d/tomcat6 restart /etc/init.d/apache2 restart
You should be redirected to the EDIT-IdP and login there (Of course, you'll need to be registered there). After succesfully being logged in, you should see a page with your EDIT-IdP attributes.