
Chapter 10. SAML-Based Security for OData


10.1. SAML-Based Security for OData

By default, the OData access to a Virtual Database (VDB) in Red Hat JBoss EAP uses the HTTP Basic authentication method.
However, you can also configure OData to utilize Single-Sign-On (SSO)-based security using SAML2. This is how you do so with PicketLink.

Prerequisites

  • An identity provider configured and working with the security domain of your choice, such as LDAP or Kerberos. (In this example it is an OData WAR file.)
  • You must have the certificate for authentication that is used by IDP to sign the SAML messages.
  • The PicketLink subsystem must be installed in your EAP instance.
  • The DNS names for the machines on which Red Hat JBoss EAP is installed.

    Note

    Do not try to use IP address or localhost except for in testing scenarios. Configure proper DNS names for both the IDP and the security provider servers and make sure both can access each other using the URLs you have configured.
  • The SSO POST-binding URL of your IDP, to which your security provider redirects authentication requests.
  1. Add an extension to the PicketLink subsystem:
     
    <extensions>
      <extension module="org.picketlink.as.extension" />
    </extensions>
  2. Configure the PicketLink subsystem:
     
    <subsystem xmlns="urn:jboss:domain:picketlink:1.0">
      <federation alias="odata">
        <saml token-timeout="4000" clock-skew="0"/>
        <key-store url="/{CERTIFICATE-FILE-NAME}" passwd="{PASSWD}" sign-key-alias="{CERTIFICATE-ALIAS}" sign-key-passwd="{PASSWD}"/>
        <identity-provider url="{SSO-IDP-POST-URL}" alias="idp.war" security-domain="idp" supportsSignatures="true" strict-post-binding="true">
          <trust>
            <trust-domain name="localhost" cert-alias="{CERTIFICATE-ALIAS}"/>
            <trust-domain name="127.0.0.1" cert-alias="{CERTIFICATE-ALIAS}"/>
            <trust-domain name="{IDP-DNS-NAME}" cert-alias="{CERTIFICATE-ALIAS}"/>
          </trust>
        </identity-provider>
        <service-providers>
          <service-provider alias="odata.war" security-domain="sp" url="http://{SP-DNS-NAME}:8080/odata/" post-binding="true" supportsSignatures="true"/>
        </service-providers>
      </federation>
    </subsystem>

    Note

    Normally, the certificate alias is the domain name, such as "idp.jboss.org".
  3. Configure the security domains to be used by the security provider:
     
    <subsystem xmlns="urn:jboss:domain:security:1.2">
        <security-domains>
            <security-domain name="sp" cache-type="default">
                <authentication>
                    <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
                    <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
                </authentication>
            </security-domain>
        </security-domains>
    </subsystem>
  4. Change the OData transport in the Teiid subsystem:
     
    <transport name="odata">
        <authentication security-domain="sp"/>
    </transport>
  5. Move the teiid-odata-xxxx.war file from dataVirtualization/vdb/teiid-odata-xxx.war to a temporary location.
  6. Edit the jboss-web.xml file:
     
    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-web>
        <context-root>odata</context-root>
    </jboss-web>
  7. Edit the web.xml file:
     
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
        <display-name>odata</display-name>
        <context-param>
            <param-name>javax.ws.rs.Application</param-name>
            <param-value>org.teiid.odata.TeiidODataApplication</param-value>
        </context-param>
        <context-param>
            <param-name>batch-size</param-name>
            <param-value>256</param-value>
        </context-param>
        <context-param>
            <param-name>skiptoken-cache-time</param-name>
            <param-value>300000</param-value>
        </context-param>
        <context-param>
            <param-name>local-transport-name</param-name>
            <param-value>odata</param-value>
        </context-param>
        <listener>
            <listener-class>org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap</listener-class>
        </listener>
        <servlet>
            <servlet-name>Resteasy</servlet-name>
            <servlet-class>org.teiid.odata.ODataServlet</servlet-class>
        </servlet>

        <servlet-mapping>
            <servlet-name>Resteasy</servlet-name>
            <url-pattern>/*</url-pattern>
        </servlet-mapping>

        <security-constraint>
            <display-name>require valid user</display-name>
            <web-resource-collection>
                <web-resource-name>Teiid Rest Application</web-resource-name>
                <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>*</role-name>
            </auth-constraint>
        </security-constraint>

        <login-config>
            <auth-method>FORM</auth-method>
            <realm-name>sp</realm-name>
            <form-login-config>
                <form-login-page>/jsp/login.jsp</form-login-page>
                <form-error-page>/jsp/loginerror.jsp</form-error-page>
            </form-login-config>
        </login-config>

        <security-role>
            <description>security role</description>
            <role-name>*</role-name>
        </security-role>

    </web-app>
  8. Add the certificate received from the IDP vendor to the WEB-INF/classes directory.

    Note

    This file must have the same name as the {CERTIFICATE-FILE-NAME} you used when you configured the PicketLink subsystem.
  9. Recreate the WAR file based on the modified contents of the other files by running this command: jar -cvf teiid-odata-xxxx.war /temp/*
  10. Copy the newly-created WAR file into the /modules/system/base/org/jboss/teiid/main/deployments directory.
  11. Start the Data Virtualization server and access the OData URL. You will be redirected to the SSO-based authentication.
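The steps above leave the same names spread across four artifacts: the PicketLink federation (step 2), the security subsystem (step 3), the Teiid OData transport (step 4), the WAR's web.xml (step 7) and the certificate placed in WEB-INF/classes (step 8). A mismatch between them is the usual reason the redirect in step 11 fails or, worse, falls back to an unintended login path. The script below is an added example, not Red Hat or PicketLink code: it parses constructed samples of those fragments and reports the inconsistencies the procedure's notes warn about (certificate file name, testing-only trust domains, signature support, and the security domain referenced by the service provider, the transport and the web.xml realm). The host names idp.example.com and sp.example.com, the file name idp-signing.crt and the passwords are hypothetical placeholders.

```python
"""Consistency check for the SAML/PicketLink OData configuration from the steps above.
Added example, not Red Hat or PicketLink code. The XML fragments and the WEB-INF/classes
listing are constructed samples modelled on the page's snippets; host names, the certificate
file name and the passwords are hypothetical placeholders."""
import xml.etree.ElementTree as ET

PL_NS = "{urn:jboss:domain:picketlink:1.0}"
SEC_NS = "{urn:jboss:domain:security:1.2}"
WEB_NS = "{http://java.sun.com/xml/ns/javaee}"
SAML2_LOGIN_MODULE = "org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule"
TESTING_ONLY_HOSTS = {"localhost", "127.0.0.1"}  # prerequisite note: use DNS names in production

# Constructed sample of the PicketLink subsystem (step 2) with placeholders filled in.
PICKETLINK_XML = """<subsystem xmlns="urn:jboss:domain:picketlink:1.0">
  <federation alias="odata">
    <saml token-timeout="4000" clock-skew="0"/>
    <key-store url="/idp-signing.crt" passwd="changeit" sign-key-alias="idp.example.com" sign-key-passwd="changeit"/>
    <identity-provider url="https://idp.example.com/idp/" alias="idp.war" security-domain="idp" supportsSignatures="true" strict-post-binding="true">
      <trust>
        <trust-domain name="localhost" cert-alias="idp.example.com"/>
        <trust-domain name="idp.example.com" cert-alias="idp.example.com"/>
      </trust>
    </identity-provider>
    <service-providers>
      <service-provider alias="odata.war" security-domain="sp" url="http://sp.example.com:8080/odata/" post-binding="true" supportsSignatures="true"/>
    </service-providers>
  </federation>
</subsystem>"""

# Constructed sample of the security subsystem (step 3).
SECURITY_XML = """<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="sp" cache-type="default">
      <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
        <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>"""

# Constructed samples of the OData transport (step 4) and the WAR's web.xml login-config (step 7).
TRANSPORT_XML = '<transport name="odata"><authentication security-domain="sp"/></transport>'
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config><auth-method>FORM</auth-method><realm-name>sp</realm-name></login-config>
</web-app>"""

# Constructed listing of WEB-INF/classes in the rebuilt WAR (step 8).
WAR_CLASSES = ["idp-signing.crt"]


def check_sso_config(picketlink_xml, security_xml, transport_xml, web_xml, war_classes):
    """Return a list of findings; an empty list means the fragments agree."""
    findings = []
    pl = ET.fromstring(picketlink_xml)
    sec = ET.fromstring(security_xml)
    tr = ET.fromstring(transport_xml)
    web = ET.fromstring(web_xml)

    # Step 8 note: the key-store file name must match a file in WEB-INF/classes.
    key_store = pl.find(f".//{PL_NS}key-store")
    cert_name = key_store.get("url", "").rsplit("/", 1)[-1]
    if cert_name not in war_classes:
        findings.append(f"certificate '{cert_name}' from key-store url not found in WEB-INF/classes")

    # Prerequisite note: trust domains should be DNS names, not localhost or IP addresses.
    for td in pl.iter(f"{PL_NS}trust-domain"):
        if td.get("name") in TESTING_ONLY_HOSTS:
            findings.append(f"trust-domain '{td.get('name')}' is for testing only; use a DNS name")

    # Both sides of the federation are configured for signed SAML messages.
    for tag in ("identity-provider", "service-provider"):
        el = pl.find(f".//{PL_NS}{tag}")
        if el is None or el.get("supportsSignatures") != "true":
            findings.append(f'{tag} is missing or does not set supportsSignatures="true"')

    # Steps 3, 4 and 7: the SP security domain must exist with SAML2LoginModule,
    # and the Teiid transport and the web.xml realm must name that same domain.
    sp = pl.find(f".//{PL_NS}service-provider")
    sp_domain = sp.get("security-domain") if sp is not None else None
    domains = {d.get("name"): d for d in sec.iter(f"{SEC_NS}security-domain")}
    domain = domains.get(sp_domain)
    if domain is None:
        findings.append(f"security domain '{sp_domain}' is not defined in the security subsystem")
    elif SAML2_LOGIN_MODULE not in {lm.get("code") for lm in domain.iter(f"{SEC_NS}login-module")}:
        findings.append(f"security domain '{sp_domain}' does not use SAML2LoginModule")
    tr_domain = tr.find("authentication").get("security-domain")
    if tr_domain != sp_domain:
        findings.append(f"odata transport uses security domain '{tr_domain}', service provider uses '{sp_domain}'")
    realm = web.findtext(f".//{WEB_NS}realm-name")
    if realm != sp_domain:
        findings.append(f"web.xml realm-name '{realm}' does not match security domain '{sp_domain}'")
    return findings


if __name__ == "__main__":
    for finding in check_sso_config(PICKETLINK_XML, SECURITY_XML, TRANSPORT_XML, WEB_XML, WAR_CLASSES):
        print("WARNING:", finding)
```

Run against the sample as written, the only finding is the `localhost` trust domain, which mirrors the page's own snippet and is acceptable only while testing. Point the functions at the real standalone.xml fragments and a directory listing of the rebuilt WAR's WEB-INF/classes to use it on a deployment.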
© 2025 Red Hat