
WAS Configuration

Before the WAS is ready to work, you have to perform the following steps:

  1. General configuration (asConfig.xml)
  2. User repository configuration

General Configuration

The WAS is configured by the entries of the WEB-INF/classes/as/asConfig.xml file of the web application.

Below you see the asConfig.xml file as delivered.

<?xml version="1.0" encoding="UTF-8"?>
<AuthenticationServiceConfig xmlns="http://www.52north.org/authenticationservice" xmlns:auth="http://www.52north.org/authentication" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.52north.org/authenticationservice http://incubator.52north.org/maven/schemas/asConfig/1.0/asConfig.xsd">
    <auth:AuthenticationMethodList>
        <auth:AuthenticationMethod class="org.n52.security.extensions.service.common.loginmodule.SessionLoginModule" id="SessionModule">
            <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:session</auth:URI>
            <auth:ParameterList>
                <auth:Parameter name="session.timeout">6000</auth:Parameter>
            </auth:ParameterList>
        </auth:AuthenticationMethod>
        <auth:AuthenticationMethod class="org.n52.security.extensions.service.common.loginmodule.FileLoginModule" id="DefaultFileModule">
            <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:password</auth:URI>
            <auth:ParameterList>
                <auth:Parameter name="users.file.path"/>
                <auth:Parameter name="users.cache">false</auth:Parameter>
                <auth:Parameter name="credential.isBase64Encoded">true</auth:Parameter>
            </auth:ParameterList>
        </auth:AuthenticationMethod>
    </auth:AuthenticationMethodList>
    <SAML>
        <Certificate>
            <Store type="JKS">
                <Location/>
                <Password/>
                <Alias/>
            </Store>
        </Certificate>
        <PrivateKey>
            <Store type="JKS">
                <Location/>
                <Password/>
                <Alias/>
            </Store>
            <Password/>
        </PrivateKey>
        <TicketTimeout>1800</TicketTimeout>
        <IssuerName>52NorthDefault</IssuerName>
    </SAML>
    <Binding>
        <ParameterList>
            <Parameter name="was.url">${config.was.url.base}/${config.was.url.context}/${config.was.url.servletname}</Parameter>
        </ParameterList>
    </Binding>
</AuthenticationServiceConfig>

The configuration is divided into the sections AuthenticationMethodList, SAML, and Binding.

AuthenticationMethodList

This element contains the description of the authentication methods supported by this WAS instance. Every AuthenticationMethod element represents a combination of a LoginModule implementation, which has access to some kind of user repository, and an authentication method identifier that specifies the authentication method (password, signature, ...) used by the LoginModule. Every entry in the AuthenticationMethodList is converted into an entry of the SupportedAuthenticationMethodList of the WAS capabilities as soon as the WAS is started.

Node           Description
class          Specifies a subclass of javax.security.auth.LoginModule that performs the authentication.
id             Unique identifier (for internal use).
URI            URN of the authentication method to be used.
ParameterList  List of parameters passed to the LoginModule implementation; the values depend on the actual LoginModule implementation.

A WAS instance should always provide the method designated by urn:opengeospatial:authNMethod:OWS:1.0:session, which allows clients to use a session identifier instead of transmitting their credentials repeatedly. So you should never need to remove the corresponding AuthenticationMethod element. To allow users to actually log in and retrieve a SAML ticket, a WAS must support at least one other authentication method. Besides session authentication, the WAS specification defines URNs for two further authentication methods:

  • urn:opengeospatial:authNMethod:OWS:1.0:password
  • urn:opengeospatial:authNMethod:OWS:1.0:wauthns

SAML

This element defines the information needed to create a SAML ticket for authenticated subjects.

Node           Description
Certificate    Information about the certificate for the private key defined below. The certificate is inserted into the SAML ticket.
PrivateKey     Private key that is used to sign the SAML ticket.
TicketTimeout  Time in seconds a ticket will be valid after it was created.
IssuerName     The name of the issuer that will be inserted in the SAML ticket.

Store

As part of the Certificate and PrivateKey elements, the Store element contains all information necessary to access the keys. At the moment only Java(TM) keystores (see the Java documentation about KeyStores) are supported as store for private and public (certificate) keys. In the near future we will also support ### files to store the keys.

Node      Description                                                                 Default value
type      Type of the store; only JKS is supported at the moment.
Location  URL of the keystore file.                                                   file:///WAS_INSTALL_DIR/WEB-INF/classes/conf/as/.keystore
Password  Password -- if necessary -- to access the store.                            52nwas
Alias     Alias -- if necessary -- to identify the public/private key in the store.   was

Using the sample keystore

The WAS web application is delivered with a sample keystore containing a private key to sign issued SAML tickets and a corresponding certificate; both are used by default. This sample keystore has to be replaced by your own keystore or private key and certificate. Otherwise issued tickets can be manipulated by any other party, because the sample private key is available to anybody who obtains the distribution, just as it is to you. To create your own private key / certificate pair you can use the keytool command that is installed with the JDK:

keytool -genkey -alias tomcat -keypass changeit -storepass changeit -validity 3600 -dname "CN=www.52north.org, OU=52n security community, O=52n, L=Muenster, ST=NRW, C=de" -keystore .keystore -keyalg RSA

Before executing the command, replace every 52°North specific entry with one that matches your organization. This creates a keystore file .keystore in the current directory.

Password

This element contains the password -- if needed -- to access the key. The default value is 52nwas.

Binding

The Binding element contains, by means of a ParameterList, information that is passed to the WAS servlet. The parameter named was.url is needed for the capabilities document the WAS provides. As clients may rely on the URL information inside the capabilities, it is necessary to enter the URL of the WAS as seen by clients.
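The three sections above share one failure mode: an element left empty silently falls back to a default, and for the SAML keystore that default is the publicly shipped sample key. The following linter is an added example (not 52°North code) that parses an asConfig.xml with the namespaces and element names shown in the delivered file and reports the sample-keystore fallbacks, a missing session or login method, and an unresolved was.url placeholder; the check messages, the trimmed sample config and the hardened values are constructed for this example.

```python
"""Lint a WAS asConfig.xml for the pitfalls described above. Added example, not
52°North code: element names and namespaces come from the delivered file shown
on this page; the checks, messages and sample values are my own."""
import xml.etree.ElementTree as ET

NS = {"as": "http://www.52north.org/authenticationservice",
      "auth": "http://www.52north.org/authentication"}
SESSION_URN = "urn:opengeospatial:authNMethod:OWS:1.0:session"
# An empty Store entry falls back to the sample keystore, whose key everyone has.
SAMPLE_STORE = {"Location": "", "Password": "52nwas", "Alias": "was"}
# Constructed, trimmed copy of the delivered asConfig.xml (class attributes omitted).
DELIVERED = """<AuthenticationServiceConfig xmlns="http://www.52north.org/authenticationservice"
 xmlns:auth="http://www.52north.org/authentication">
 <auth:AuthenticationMethodList><auth:AuthenticationMethod id="SessionModule">
  <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:session</auth:URI></auth:AuthenticationMethod>
  <auth:AuthenticationMethod id="DefaultFileModule">
  <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:password</auth:URI></auth:AuthenticationMethod>
 </auth:AuthenticationMethodList>
 <SAML><Certificate><Store type="JKS"><Location/><Password/><Alias/></Store></Certificate>
  <PrivateKey><Store type="JKS"><Location/><Password/><Alias/></Store><Password/></PrivateKey>
  <TicketTimeout>1800</TicketTimeout><IssuerName>52NorthDefault</IssuerName></SAML>
 <Binding><ParameterList><Parameter name="was.url">${config.was.url.base}/was</Parameter>
 </ParameterList></Binding></AuthenticationServiceConfig>"""


def _text(node, path):
    # Trimmed text of the first element matching path, '' if absent or empty.
    return (node.findtext(path, default="", namespaces=NS) or "").strip()


def check_as_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    methods = root.findall("auth:AuthenticationMethodList/auth:AuthenticationMethod", NS)
    uris = [_text(m, "auth:URI") for m in methods]
    if SESSION_URN not in uris:
        findings.append("AuthenticationMethodList: session method missing")
    if not [u for u in uris if u and u != SESSION_URN]:
        findings.append("AuthenticationMethodList: only session, nobody can log in")
    for holder in ("Certificate", "PrivateKey"):
        store = root.find("as:SAML/as:%s/as:Store" % holder, NS)
        for tag, sample in SAMPLE_STORE.items():
            if store is None or _text(store, "as:" + tag) in ("", sample):
                findings.append("SAML/%s/Store/%s: sample keystore value" % (holder, tag))
    if _text(root, "as:SAML/as:PrivateKey/as:Password") in ("", "52nwas"):
        findings.append("SAML/PrivateKey/Password: sample key password")
    params = root.findall("as:Binding/as:ParameterList/as:Parameter", NS)
    was_url = next(((p.text or "").strip() for p in params if p.get("name") == "was.url"), "")
    if not was_url or "${" in was_url:
        findings.append("Binding/was.url: missing or unresolved placeholder")
    return findings
```

Run `check_as_config` against the deployed WEB-INF/classes/as/asConfig.xml after installation; the delivered file yields eight findings, and a correctly replaced keystore, key password and was.url yield none.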

User repository configuration

The user repository is the data source the LoginModules use when the credentials provided by the user are checked (i.e. authenticated). The actual configuration of the user repository depends on the LoginModule implementation. Check the list of all available LoginModules provided by 52°North.