Chapter 10. SAML-Based Security for OData
10.1. SAML-Based Security for OData
By default, OData access to a Virtual Database (VDB) in Red Hat JBoss EAP uses HTTP Basic authentication.
You can instead configure OData to use SAML2-based Single Sign-On (SSO). This section shows how to do so with PicketLink, with the OData WAR acting as the SAML service provider (SP).
Prerequisites
- An identity provider (IDP) configured and working with the security domain of your choice, such as LDAP or Kerberos. (In this example the IDP is deployed as a WAR file on the same server and is referenced as idp.war in the PicketLink configuration.)
- The certificate that the IDP uses to sign SAML messages; the SP needs it to verify those signatures.
- The PicketLink subsystem must be installed in your EAP instance.
- The DNS names for the machines on which Red Hat JBoss EAP is installed.
Note
Do not use IP addresses or localhost except in testing scenarios. Configure proper DNS names for both the IDP and the service provider servers and make sure each can reach the other at the URLs you configure.
- The SSO POST-binding URL of your IDP, to which the service provider redirects the browser for authentication.
Procedure
- Add the PicketLink extension. Note the closing tag; the flattened original showed a second opening tag, which is not well-formed and prevents the configuration from loading:
```xml
<extensions>
    <extension module="org.picketlink.as.extension"/>
</extensions>
```
- Configure the PicketLink subsystem, replacing the {...} placeholders with your own values:
```xml
<subsystem xmlns="urn:jboss:domain:picketlink:1.0">
    <federation alias="odata">
        <saml token-timeout="4000" clock-skew="0"/>
        <key-store url="/{CERTIFICATE-FILE-NAME}" passwd="{PASSWD}"
                   sign-key-alias="{CERTIFICATE-ALIAS}" sign-key-passwd="{PASSWD}"/>
        <identity-provider url="{SSO-IDP-POST-URL}" alias="idp.war" security-domain="idp"
                           supportsSignatures="true" strict-post-binding="true">
            <trust>
                <trust-domain name="localhost" cert-alias="{CERTIFICATE-ALIAS}"/>
                <trust-domain name="127.0.0.1" cert-alias="{CERTIFICATE-ALIAS}"/>
                <trust-domain name="{IDP-DNS-NAME}" cert-alias="{CERTIFICATE-ALIAS}"/>
            </trust>
        </identity-provider>
        <service-providers>
            <service-provider alias="odata.war" security-domain="sp"
                              url="http://{SP-DNS-NAME}:8080/odata/"
                              post-binding="true" supportsSignatures="true"/>
        </service-providers>
    </federation>
</subsystem>
```
Note
Normally the certificate alias is the domain name, such as "idp.jboss.org". Each trust-domain entry names a host whose SAML messages are accepted when they verify against the certificate stored under cert-alias; in line with the Note above, the localhost and 127.0.0.1 entries are for testing only and should be removed from a production configuration. Keep supportsSignatures="true" on both the IDP and the SP so that outgoing messages are signed and signatures on incoming messages are checked, and use an https URL for the service provider in production so that the SAML Response is not posted over plain HTTP.
- Configure the security domain used by the service provider:
```xml
<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        <security-domain name="sp" cache-type="default">
            <authentication>
                <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
                <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>
```
- Change the OData transport in the Teiid subsystem to use that security domain:
```xml
<transport name="odata">
    <authentication security-domain="sp"/>
</transport>
```
- Move the teiid-odata-xxxx.war file from dataVirtualization/vdb/teiid-odata-xxx.war to a temporary location, such as /temp, and unpack it there (for example with jar -xvf) so that its contents can be edited.
- Edit the jboss-web.xml file:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <context-root>odata</context-root>
</jboss-web>
```
- Edit the web.xml file:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
    <display-name>odata</display-name>
    <context-param>
        <param-name>javax.ws.rs.Application</param-name>
        <param-value>org.teiid.odata.TeiidODataApplication</param-value>
    </context-param>
    <context-param>
        <param-name>batch-size</param-name>
        <param-value>256</param-value>
    </context-param>
    <context-param>
        <param-name>skiptoken-cache-time</param-name>
        <param-value>300000</param-value>
    </context-param>
    <context-param>
        <param-name>local-transport-name</param-name>
        <param-value>odata</param-value>
    </context-param>
    <listener>
        <listener-class>org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap</listener-class>
    </listener>
    <servlet>
        <servlet-name>Resteasy</servlet-name>
        <servlet-class>org.teiid.odata.ODataServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>Resteasy</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    <security-constraint>
        <display-name>require valid user</display-name>
        <web-resource-collection>
            <web-resource-name>Teiid Rest Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>sp</realm-name>
        <form-login-config>
            <form-login-page>/jsp/login.jsp</form-login-page>
            <form-error-page>/jsp/loginerror.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>security role</description>
        <role-name>*</role-name>
    </security-role>
</web-app>
```
The `*` role in the auth-constraint admits every user the IDP authenticates. If only some of the IDP's users should reach OData, name a specific role there instead.
- Add the certificate received from the IDP vendor to the WEB-INF/classes directory.
Note
The file name must be the same as the {CERTIFICATE-FILE-NAME} you used when configuring the PicketLink subsystem.
- Recreate the WAR file from the modified contents. Use -C so that the entries are stored relative to the temporary directory; the form jar -cvf teiid-odata-xxxx.war /temp/* stores them under a temp/ path prefix instead of at the archive root, and the resulting WAR does not deploy:
```shell
jar -cvf teiid-odata-xxxx.war -C /temp .
```
- Copy the newly created WAR file into the /modules/system/base/org/jboss/teiid/main/deployments directory.
- Start the Data Virtualization server and access the OData URL. You are redirected to the SSO-based authentication.
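To make concrete what the federation settings above control once the browser posts the IDP's answer back to the OData SP, here is an added example of the checks a SAML2 service provider performs on an HTTP-POST Response before trusting its assertion: Destination against the SP URL (strict POST binding), InResponseTo against the AuthnRequest the SP issued, the issuer host against the trust-domain list, the NotBefore/NotOnOrAfter window widened by the configured clock skew, and the AudienceRestriction. This is illustration code written for this page, not PicketLink's implementation; the host names, the request ID, the fixed "current time" and the sample Response are constructed, and the way a trust-domain name is matched against the Issuer is an assumption. XML-Signature verification against the IDP certificate (what supportsSignatures="true" enables) needs an XML-DSig library and is deliberately left out, so this code on its own must not be used to accept assertions.

```python
"""Service-provider checks on a SAML 2.0 HTTP-POST Response (added example, not PicketLink code)."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed deployment values standing in for the {SP-DNS-NAME} / {IDP-DNS-NAME} placeholders.
SP_URL = "http://sp.example.org:8080/odata/"
TRUST_DOMAINS = {"idp.example.org"}      # production list: no localhost, no 127.0.0.1
CLOCK_SKEW = timedelta(milliseconds=0)   # mirrors clock-skew="0" in the subsystem
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed "current time"


def saml_time(value):
    """Parse the UTC xs:dateTime form SAML uses ('Z' suffix, optional fraction) into an aware datetime."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_response(saml_response_b64, expected_request_id, now=SAMPLE_NOW):
    """Return the reasons to reject the Response; an empty list means every check passed.

    XML-DSig verification against the IDP certificate is assumed to have been
    done before this is called; it is not implemented here.
    """
    problems = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        return ["not a samlp:Response"]

    # Destination must be exactly this SP's consumer URL (strict POST binding).
    if root.get("Destination") != SP_URL:
        problems.append(f"Destination {root.get('Destination')!r} is not {SP_URL!r}")
    # Only answers to an AuthnRequest this SP issued are accepted (no unsolicited or replayed responses).
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")

    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        problems.append("no Assertion")
        return problems
    # Issuer host must be one of the configured trust domains (matching rule is an assumption).
    issuer = (assertion.findtext(f"{{{SAML}}}Issuer") or "").strip()
    if (urlparse(issuer).hostname or issuer) not in TRUST_DOMAINS:
        problems.append(f"issuer {issuer!r} is not a trusted domain")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None:
        problems.append("no Conditions")
        return problems
    # Validity window, widened by the allowed clock skew on each side.
    if now + CLOCK_SKEW < saml_time(cond.get("NotBefore")):
        problems.append("assertion not yet valid")
    if now - CLOCK_SKEW >= saml_time(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")
    # The assertion must name this SP as its audience.
    audiences = [a.text.strip() for a in cond.iter(f"{{{SAML}}}Audience")]
    if SP_URL not in audiences:
        problems.append(f"audience {audiences} does not include {SP_URL!r}")
    return problems


def build_response(issuer, audience, destination, not_before, not_on_or_after,
                   in_response_to="_req1", status=SUCCESS):
    """Constructed, unsigned sample Response used to exercise the checks (not real IDP output)."""
    xml = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
    IssueInstant="{not_before}" Destination="{destination}" InResponseTo="{in_response_to}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    good = build_response("https://idp.example.org/idp/", SP_URL, SP_URL,
                          "2024-01-01T11:59:00Z", "2024-01-01T12:05:00Z")
    print(validate_response(good, "_req1"))   # []
    forged = build_response("https://attacker.example.net/", SP_URL, SP_URL,
                            "2024-01-01T11:59:00Z", "2024-01-01T12:05:00Z")
    print(validate_response(forged, "_req1"))  # issuer is not a trusted domain
```

Each rejected case maps back to a setting in the subsystem: an untrusted issuer is what the trust-domain list guards against (and why localhost and 127.0.0.1 must not stay in it), an expired assertion is what token-timeout and clock-skew bound, and a wrong Destination or Audience is what the exact service-provider url protects.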