Re: IDP3/4 -> read (&write) custom session cookie for authentication

Käfer Thomas thomas.kaefer at fh-campuswien.ac.at
Thu Jul 2 12:19:29 UTC 2020


Hi Scott,

>> And with this the injection should work without annotations, correct?
> Yes.
I tried that now; sadly, that resulted in an error message instead of authentication:


org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.authn.Function.ResultLookupStrategy' defined in file [/opt/shibboleth-idp/system/flows/authn/../../../conf/authn/function-authn-config.xml]: Initialization of bean failed; nested exception is java.lang.reflect.MalformedParameterizedTypeException


> The V4 extension point for password handling is a CredentialValidator that just does the validation step and doesn't have anything to do with JAAS. Beyond that, I can't really help you, not on list.

The documentation I could find for the CredentialValidator sadly is not enough for me to put together an implementation to replace JAAS for our IDP4 instance:

https://wiki.shibboleth.net/confluence/display/IDP4/PasswordAuthnConfiguration

> New to V4 is a refactored design that includes a dedicated plugin API for developing custom "back-ends", the CredentialValidator interface (http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.authn.CredentialValidator) and some associated base classes for assisting in developing new ones. The flow now also supports chaining of CredentialValidator plugins in arbitrary sequences instead of requiring the use of JAAS login modules for that feature.

So for now I guess we'll stick with injection by annotations and JAAS with the static access to HttpServletRequestResponseContext.getResponse(). They work for now, even if unsupported.

Kind regards
Thomas Käfer
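A sketch of the CredentialValidator route discussed above, added here as an example; it is neither the poster's code nor part of the Shibboleth project. The reason @Autowired stays null inside a JAAS LoginModule is that the JAAS framework instantiates the module itself, outside the Spring container, whereas a CredentialValidator is an ordinary Spring bean, so setter injection works. Assumptions: IdP 4.0, the base class AbstractUsernamePasswordCredentialValidator and the doValidate/ErrorHandler signatures as I recall them from the IdP 4.0 API (check against the Javadoc linked in the thread before building), a legacy cookie named LEGACY_AUTH, and a hypothetical LegacyAuthClient bean that performs the actual password check against the legacy service.

```java
package at.ac.fhcampuswien.campusauth;

import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;

import org.opensaml.profile.context.ProfileRequestContext;

import net.shibboleth.idp.authn.AbstractUsernamePasswordCredentialValidator;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.CredentialValidator.ErrorHandler;
import net.shibboleth.idp.authn.CredentialValidator.WarningHandler;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.UsernamePasswordContext;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.utilities.java.support.net.CookieManager;

/**
 * Password back-end for the IdP 4 Password flow that replaces the JAAS LoginModule
 * (added example, not project code; base-class signatures assumed from the IdP 4.0 API).
 *
 * Wiring in conf/authn/password-authn-config.xml, which already declares the
 * p: and util: namespaces. Setter injection works here because the validator
 * is a Spring bean, unlike a JAAS LoginModule that JAAS instantiates itself:
 *
 *   <bean id="campusauth.LegacyValidator"
 *         class="at.ac.fhcampuswien.campusauth.LegacyCredentialValidator"
 *         p:cookieManager-ref="shibboleth.CookieManager"
 *         p:legacyClient-ref="campusauth.LegacyAuthClient" />
 *
 *   <util:list id="shibboleth.authn.Password.Validators">
 *       <ref bean="campusauth.LegacyValidator" />
 *   </util:list>
 */
public class LegacyCredentialValidator extends AbstractUsernamePasswordCredentialValidator {

    /** Name of the legacy SSO cookie (assumed name for this example). */
    public static final String LEGACY_COOKIE = "LEGACY_AUTH";

    private CookieManager cookieManager;
    private LegacyAuthClient legacyClient;

    /** Injected as shibboleth.CookieManager. */
    public void setCookieManager(@Nonnull final CookieManager manager) {
        cookieManager = manager;
    }

    /** Hypothetical client for the legacy authentication service. */
    public void setLegacyClient(@Nonnull final LegacyAuthClient client) {
        legacyClient = client;
    }

    @Override
    @Nullable
    protected Subject doValidate(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext,
            @Nonnull final UsernamePasswordContext usernamePasswordContext,
            @Nullable final WarningHandler warningHandler,
            @Nullable final ErrorHandler errorHandler) throws Exception {

        final String username = usernamePasswordContext.getUsername();
        final String password = usernamePasswordContext.getPassword();

        // Hypothetical call: the legacy service checks the password and issues a
        // session token for this client, or returns null. Never log the password.
        final String token = legacyClient.login(username, password);
        if (token == null) {
            if (errorHandler != null) {
                // Maps to the flow's InvalidPassword event so the login form re-renders.
                errorHandler.handleError(profileRequestContext, authenticationContext,
                        "InvalidPassword", AuthnEventIds.INVALID_CREDENTIALS);
            }
            return null;
        }

        // Set the legacy cookie through the IdP's CookieManager rather than
        // HttpServletRequestResponseContext.getResponse().addCookie(...), so it
        // inherits the IdP's configured path, domain, Secure and HttpOnly attributes.
        cookieManager.addCookie(LEGACY_COOKIE, token);

        // The IdP builds its own session from the returned Subject.
        final Subject subject = new Subject();
        subject.getPrincipals().add(new UsernamePrincipal(username));
        return subject;
    }

    /** Hypothetical contract of the legacy login call (e.g. over the IdP's HttpClient beans). */
    public interface LegacyAuthClient {
        /** @return a token for the new legacy session, or null if the credentials are rejected. */
        @Nullable String login(@Nonnull String username, @Nonnull String password);
    }
}
```

One caveat worth checking before deploying: the legacy cookie is written in the same response that completes IdP authentication, so if the legacy service binds the token to the client address and User-Agent it must record the values the IdP saw (behind a reverse proxy, getRemoteAddr() is the proxy's address unless the container is configured to trust forwarded headers), or the cookie will fail the transfer check on its first use.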
________________________________
From: Käfer Thomas <thomas.kaefer at fh-campuswien.ac.at>
Sent: Tuesday, 30 June 2020 16:20
To: Shib Users <users at shibboleth.net>
Subject: Re: IDP3/4 -> read (&write) custom session cookie for authentication

Hi there Scott,

> XML configuration is in the Spring documentation. Your function bean has to be declared somewhere, you just inject objects as required when declaring it.

I've configured Shibboleth to use my "AuthFunction" bean in the config file
/opt/shibboleth-idp/conf/authn/function-authn-config.xml
with this line:
<bean id="shibboleth.authn.Function.ResultLookupStrategy" class="at.ac.fhcampuswien.campusauth.AuthFunction" />

From what I could find on a quick Google search, it should suffice to replace the above line with this block:
<bean id="shibboleth.authn.Function.ResultLookupStrategy" class="at.ac.fhcampuswien.campusauth.AuthFunction">
    <property name="cm" ref="shibboleth.CookieManager" />
    <property name="rp" ref="shibboleth.HttpServletRequest" />
</bean>

And with this the injection should work without annotations, correct?

And about my other open issue: Injection doesn't seem to work with JAAS. So what could I use to provide my custom password-authentication code instead of JAAS that does support injecting shibboleth objects?

Kind regards,
Thomas Käfer
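For reference, here is what a fully XML-wired version of the function could look like, added as an example (not the poster's code and not from the Shibboleth project). It assumes IdP 4.0 with the predefined beans shibboleth.CookieManager and shibboleth.HttpServletRequest (the ThreadLocalHttpServletRequestProxy named earlier in the thread), a legacy cookie called LEGACY_AUTH, and a hypothetical LegacyAuthClient bean that asks the legacy service to validate the cookie. Two details matter for the wiring: Spring resolves `<property name="x">` to a setter `setX(...)`, so the property names must match the setters rather than the field names; and OpenSAML 4, which IdP 4 ships, has a non-generic ProfileRequestContext. A MalformedParameterizedTypeException is what the JVM raises when a compiled generic signature names a type with a different number of type parameters than the loaded class declares, so a class compiled against OpenSAML 3's ProfileRequestContext<I, O> and run on IdP 4 is one possible cause of that error.

```java
package at.ac.fhcampuswien.campusauth;

import java.util.function.Function;

import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;

import org.opensaml.profile.context.ProfileRequestContext;

import net.shibboleth.utilities.java.support.net.CookieManager;

/**
 * ResultLookupStrategy for the IdP 4 "Function" login flow (added example, not project code).
 *
 * Returns the username bound to a valid legacy session cookie, or null when the
 * browser has no usable cookie, in which case this flow produces no result.
 *
 * Setter injection declared in conf/authn/function-authn-config.xml:
 *
 *   <bean id="shibboleth.authn.Function.ResultLookupStrategy"
 *         class="at.ac.fhcampuswien.campusauth.LegacyCookieAuthFunction">
 *       <property name="cookieManager"      ref="shibboleth.CookieManager" />
 *       <property name="httpServletRequest" ref="shibboleth.HttpServletRequest" />
 *       <property name="legacyClient"       ref="campusauth.LegacyAuthClient" />
 *   </bean>
 *
 * ProfileRequestContext is not generic in OpenSAML 4 (IdP 4); on IdP 3 it is.
 */
public class LegacyCookieAuthFunction implements Function<ProfileRequestContext, Object> {

    /** Name of the legacy SSO cookie (assumed name for this example). */
    public static final String LEGACY_COOKIE = "LEGACY_AUTH";

    private CookieManager cookieManager;
    private HttpServletRequest httpServletRequest;
    private LegacyAuthClient legacyClient;

    /** Injected as shibboleth.CookieManager. */
    public void setCookieManager(@Nonnull final CookieManager manager) {
        cookieManager = manager;
    }

    /** Injected as shibboleth.HttpServletRequest: a thread-local proxy to the live request. */
    public void setHttpServletRequest(@Nonnull final HttpServletRequest request) {
        httpServletRequest = request;
    }

    /** Hypothetical client for the legacy authentication service. */
    public void setLegacyClient(@Nonnull final LegacyAuthClient client) {
        legacyClient = client;
    }

    @Override
    @Nullable
    public Object apply(@Nullable final ProfileRequestContext prc) {
        // The CookieManager reads from the request bound to the current thread.
        final String cookie = cookieManager.getCookieValue(LEGACY_COOKIE, null);
        if (cookie == null || cookie.isEmpty()) {
            return null;    // no legacy session: no result from this flow
        }

        // Client properties the legacy service compares with those recorded when the
        // cookie was issued. Behind a reverse proxy getRemoteAddr() is the proxy's
        // address unless the container is configured to trust forwarded headers.
        final String remoteAddr = httpServletRequest.getRemoteAddr();
        final String userAgent = httpServletRequest.getHeader("User-Agent");

        // The legacy service, not this function, decides whether the cookie is genuine;
        // a non-null return value is treated by the IdP as an authenticated username.
        return legacyClient.validateCookie(cookie, remoteAddr, userAgent);
    }

    /** Hypothetical contract of the legacy service call (e.g. over the IdP's HttpClient beans). */
    public interface LegacyAuthClient {
        /** @return the username the cookie belongs to, or null if it is rejected. */
        @Nullable String validateCookie(@Nonnull String cookie, @Nullable String remoteAddr,
                @Nullable String userAgent);
    }
}
```

Because whatever this function returns becomes an authenticated principal, the cookie must never be trusted on its own: the check belongs in the legacy service (or in a MAC verification with a key the IdP holds), and the function should only relay its verdict.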

________________________________
From: Käfer Thomas <thomas.kaefer at fh-campuswien.ac.at>
Sent: Monday, 29 June 2020 09:09
To: Shib Users <users at shibboleth.net>
Subject: Re: IDP3/4 -> read (&write) custom session cookie for authentication

Hello Scott!

> https://wiki.shibboleth.net/confluence/display/IDP4/PredefinedBeans
> Under "Other Beans"

Sorry, I didn't see that message before writing my last mail.

So the injectable bean I need is this one:
net.shibboleth.utilities.java.support.net.ThreadLocalHttpServletRequestProxy


The other thing, about not using annotations for wiring but doing that in XML files somewhere:
Can you give me some pointers on how/where to do that in the supported way?

Thank you!
Kind regards,
Thomas Käfer

________________________________
From: Käfer Thomas <thomas.kaefer at fh-campuswien.ac.at>
Sent: Monday, 29 June 2020 09:01
To: Shib Users <users at shibboleth.net>
Subject: Re: IDP3/4 -> read (&write) custom session cookie for authentication

Hi there Scott!

Thank you for your continued support even though my organisation is not a member of the Consortium. You have been of great help to me already! 🙂

> There I found the HttpServletRequestResponseContext which I was able to use ..
>> Use the bean we provide to access that class. It's essentially the same but you're depending on things we may change.

How do I find that bean? I looked around in the packages net.shibboleth.utilities.java.support.* but I couldn't find anything that provides access to these properties of the Request or the Request instance itself:

String remoteAddress = HttpServletRequestResponseContext.getRequest().getRemoteAddr();
String userAgent = HttpServletRequestResponseContext.getRequest().getHeader("User-Agent");


And another problem: It seems injection doesn't work in JAAS to gain access to the CookieManager. This remains null in my
class implementing the javax.security.auth.spi.LoginModule interface:
@Autowired
@Qualifier("shibboleth.CookieManager")
CookieManager cm;

And I see no mention of it in the logfiles.

So for now I used this to set our legacy (non-shibboleth) auth cookie after successful username+password authentication (which works 🙂):
HttpServletRequestResponseContext.getResponse().addCookie(cookie);

Could I maybe use a CredentialValidator (or something else) instead of JAAS which does support injection?
https://wiki.shibboleth.net/confluence/display/IDP4/PasswordAuthnConfiguration

Thanks a lot!
Kind regards,
Thomas Käfer

________________________________
From: Käfer Thomas <thomas.kaefer at fh-campuswien.ac.at>
Sent: Thursday, 25 June 2020 18:57
To: Shib Users <users at shibboleth.net>
Subject: Re: IDP3/4 -> read (&write) custom session cookie for authentication

Hello Scott!

I found a solution for this one myself, by looking around in the package of that CookieManager you gave me (net.shibboleth.utilities.java.support.net)

There I found the HttpServletRequestResponseContext which I was able to use like this:
HttpServletRequestResponseContext.getRequest().getRemoteAddr();
HttpServletRequestResponseContext.getRequest().getHeader("User-Agent");

Now I can successfully authenticate users who have this legacy auth cookie set on our domain.

My next task is to set this cookie for users who don't have it yet but can supply a valid username + password combination.
The place where I verify those at the moment is a JAAS implementation, but there I don't have access to "HttpServletRequestResponseContext" (or do I?).

Is there a way to ask Shibboleth to get the user to enter a username+password pair for verification out of such an AuthFunction?

Thank you a lot!
Kind regards
Thomas Käfer
________________________________
From: Käfer Thomas <thomas.kaefer at fh-campuswien.ac.at>
Sent: Thursday, 25 June 2020 18:20
To: Shib Users <users at shibboleth.net>
Subject: Re: IDP3/4 -> read (&write) custom session cookie for authentication

Hello Scott!

> I added a mention of the proper way to handle cookies into the documentation, and that does not rely on doing it by hand.

Thank you! That helped me a lot!

So I now got this:
@Autowired
@Qualifier("shibboleth.CookieManager")
CookieManager cm;

which allowed me to read the cookie, but I also need the User-Agent and the remote address (to allow the legacy auth service to verify that the cookie hasn't been transferred).
I could have gotten that from the HttpServletRequest, but I can't get it from this CookieManager.

Can you give me some pointers how to get that too?

Thank you heaps!
Kind regards
Thomas Käfer

________________________________
From: Käfer Thomas <thomas.kaefer at fh-campuswien.ac.at>
Sent: Thursday, 25 June 2020 14:30
To: Shib Users <users at shibboleth.net>
Subject: Re: IDP3/4 -> read (&write) custom session cookie for authentication

Dear Scott,

sorry for the long pause.

I've now written a class like this:

import java.util.function.Function;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.saml2.core.AuthnRequest;

public class AuthFunction implements Function<ProfileRequestContext<AuthnRequest, String>, Object> {
    @Override
    public Object apply(ProfileRequestContext<AuthnRequest, String> arg0) {...}
}

And made my Shibboleth IDP4 use it by having this line in the config file:
<bean id="shibboleth.authn.Function.ResultLookupStrategy" class="at.ac.fhcampuswien.campusauth.AuthFunction" />
in the file /opt/shibboleth-idp/conf/authn/function-authn-config.xml

And the line
idp.authn.flows= Function
in the file /opt/shibboleth-idp/conf/idp.properties

By returning a hard coded username in that "apply" method, I managed to get successful authentication.

The problem I have not yet solved is accessing the HttpRequest for getting, and the HttpResponse for setting, my custom authentication cookie (for single sign-on compatibility with some legacy applications that don't use Shibboleth for authentication).

You said in a previous mail that I need to use injection for that. I tried:
@Autowired
org.opensaml.messaging.context.httpclient.HttpClientRequestContext h;

Which gives me this exception:
org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.opensaml.messaging.context.httpclient.HttpClientRequestContext' available

I also tried
@Autowired
javax.servlet.http.HttpServletRequest h;

Which gives the similar exception:
org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'javax.servlet.http.HttpServletRequest' available

Could you please give some more details on how to inject the HttpRequest so I can access the cookie I need?

Thank you
kind regards
Thomas Käfer

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Tuesday, 28 April 2020 16:49
To: Shib Users <users at shibboleth.net>
Subject: Re: IDP3/4 -> read (&write) custom session cookie for authentication

On 4/28/20, 9:21 AM, "users on behalf of Käfer Thomas" <users-bounces at shibboleth.net on behalf of thomas.kaefer at fh-campuswien.ac.at> wrote:

> Do you maybe have a pre-existing example of any (similar) login flow usage that I could infer how to do this from (I'd
> prefer Java to Javascript-let)..

That's just too broad a question for me to answer; all there is is the source code and the documentation on writing a custom login flow [1] combined with the little bit of higher-level documentation. But a function to do this is far different than a real flow. There's nothing you're intended to rely on in the IdP for the most part other than some low-level objects like the servlet API; it's just supposed to do its work and return the result.

The rest is a matter of Java and Spring and whatever you're actually trying to build it to do. If you're doing REST, then you should use the HttpClient work we have, and we have documentation on wiring that up.

> Also even if I understand the concept of bean injection, I sadly have no idea of how to do this in the Shibboleth context,
> and again I couldn't find any examples using Google.

Shibboleth has nothing to do with that part, this is a Spring-based implementation, it's the Spring documentation you have to read to understand how to relate objects together. We supply or standardize the objects, it's Spring configuration that puts them together. We have documentation on that and pointers to the parts of the Spring documentation that are required reading.

-- Scott

[1] https://wiki.shibboleth.net/confluence/display/IDP4/Authentication


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
