
WAS Configuration

The WAS is ready to work out of the box. Configuration is only needed in situations such as the following:

  • You don't want to use the provided default public/private keys to sign SAML Assertions
  • You want to enable/disable certain login modules
  • You want to tweak some default ticket values like expiration time, issuer name or URL
  • You want to define another user account than guest/guest as the anonymous user's account

General Configuration

The WAS is configured by the entries of the WEB-INF/classes/security-config.xml file of the web application.

Below you see the security-config.xml file as delivered.

<?xml version="1.0" encoding="utf-8"?>
<SecurityConfig xmlns="http://www.52north.org/security/config/1.1">
    <PrivatePublicKeys>
        <Provider id="jksProvider"
                  factoryClass="org.n52.security.common.crypto.KeystoreKeyPairProviderBeanFactory"
                  factoryMethod="create">
            <Property name="keystoreType" value="JKS"/>
            <Property name="fileName" value=".keystore"/>
            <Property name="password" value="52nwas"/>
        </Provider>
        <PPKPair id="defaultKeyPair" alias="was" passwd="52nwas" providerRef="jksProvider"/>
    </PrivatePublicKeys>
    <Services>
        <Service id="WAS" class="org.n52.security.service.was.AuthenticationServiceImpl">
            <Property name="signingKeyPair" idRef="defaultKeyPair"/>
            <Property name="sessionService">
                <Object class="org.n52.security.service.session.DefaultSessionService">
                    <Property name="sessionTimeOut" value="3600"/>
                    <Property name="issuerName" value="www.52North.org"/>
                    <Property name="issuerURL" value="www.52North.org"/>
                </Object>
            </Property>
            <Property name="capabilitiesFileName" value="WASv1_1Capabilities.xml"/>
            <Property name="anonymousUserName" value="guest"/>
            <Property name="anonymousPassword" value="guest"/>
            <Property name="SAMLIssuerName" value="www.52North.org"/>
            <Property name="SAMLAssertionTimeOut" value="3600"/>
            <Property name="SAMLRoleAttributeName" value="urn:n52:authentication:subject:principal:role"/>
            <AuthenticationMethods>
                <!-- Comment this in if you'd like to see the session URN in the capabilities,
                     but this is not necessary because the GetSession and CloseSession methods are
                     part of the service interface.
                <AuthenticationMethod class="org.n52.security.authentication.SessionAuthenticationMethod"/>-->
                <!-- Says that username/password combinations are accepted.
                     You have to define a login module which is able to validate this.
                -->
                <AuthenticationMethod class="org.n52.security.authentication.PasswordAuthenticationMethod"/>
                <!-- Says that SAML responses (tickets issued by this service) are accepted.
                     You have to define a login module which is able to validate this.
                     <AuthenticationMethod class="org.n52.security.authentication.SAMLResponseAuthenticationMethod"/>
                -->
            </AuthenticationMethods>
            <LoginModules>
            <!-- Use this one for testing purposes. The SingleUserLoginModule can process authentication requests
                using the "PasswordAuthenticationMethod". The one and only valid username/password combination is specified below.
                <LoginModule class="org.n52.security.authentication.loginmodule.SingleUserLoginModule"
                             controlFlag="SUFFICIENT">
                    <Property name="allowedUsername" value="test"/>
                    <Property name="allowedPassword" value="testpw"/>
                    <Property name="pwdEncAlg" value="plain"/>
                    <Property name="userRoles" value="Alice"/>
                </LoginModule>
            -->
                <LoginModule class="org.n52.security.authentication.loginmodule.FileLoginModule"
                             controlFlag="SUFFICIENT">
                </LoginModule>
            </LoginModules>
        </Service>
    </Services>
</SecurityConfig>

Keystore Specification: <PrivatePublicKeys>

The WAS uses a public/private key pair to sign each issued SAML Assertion. Keys are retrieved through an instance implementing org.n52.security.common.crypto.KeyPairProvider. The Provider element specifies such an instance, which is either created directly, if the implementing type is given in a class attribute, or returned by the factory class given in the factoryClass attribute via the factory method named in the factoryMethod attribute.

Known implementations (see their JavaDoc pages for parameter details):

The PPKPair element assigns one public/private key pair to a unique id that can be referenced elsewhere in this configuration document, e.g. to specify which key signs the SAML Assertions issued by the WAS. The alias attribute is the key's name inside the keystore configured by the Provider referenced through the providerRef attribute. The passwd attribute holds the password that may be needed to access the private key.

WAS Configuration: <Service>

The <Service> section defines the central parameters for a WAS.

signingKeyPair
Specifies the key pair to be used for signing (must be defined in the PrivatePublicKeys section)
sessionService
Specifies the session service implementation. Its sessionTimeOut property defines the lifetime of sessions with this WAS, in seconds.
capabilitiesFileName
Name of the WAS capabilities file; it must be located on the classpath
anonymousUserName
Username to be used when the WAS is asked for the anonymous user's ticket
anonymousPassword
Password to be used when the WAS is asked for the anonymous user's ticket
SAMLIssuerName
Issuer name to be used in a SAML Assertion
SAMLAssertionTimeOut
Time in seconds a SAML ticket is supposed to be valid
SAMLRoleAttributeName
Specifies the ID of the AttributeAssertion used to declare the role information
AuthenticationMethods
Declares the implementation classes of the supported authentication methods. Classes must implement org.n52.security.authentication.AuthenticationMethod.
LoginModules
Defines the JAAS-compliant login modules that are available for authentication. A LoginModule element may contain a set of Property elements whose values are passed to the LoginModule's initialize() method as a Map of properties. The controlFlag attribute is equivalent to the JAAS control flag property as described here.

For a list of login modules provided by 52°North and their properties, please go here.
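The delivered file above ships with a known keystore password, a default key pair and a guest/guest anonymous account, all of which the situations listed at the top of this page say a deployer may want to change. The following script is an added example, not 52°North code: it parses a security-config.xml in the format documented here and reports such settings, using a constructed sample trimmed from the delivered file; the lifetime threshold is an assumption, not a WAS requirement.

```python
# Added example (not 52°North code): audit a WAS security-config.xml for
# settings the page says a deployer may want to change. Thresholds are assumptions.
import xml.etree.ElementTree as ET

NS = {"sc": "http://www.52north.org/security/config/1.1"}
DEFAULT_PASSWORDS = {"52nwas"}          # keystore/key password in the delivered file
DEFAULT_ANONYMOUS = ("guest", "guest")  # anonymous account in the delivered file
MAX_LIFETIME_SECONDS = 3600             # assumed upper bound, not a WAS requirement

# Constructed sample, trimmed from the delivered file shown on this page.
SAMPLE_CONFIG = """<SecurityConfig xmlns="http://www.52north.org/security/config/1.1">
 <PrivatePublicKeys><Provider id="jksProvider" factoryMethod="create"
  factoryClass="org.n52.security.common.crypto.KeystoreKeyPairProviderBeanFactory">
  <Property name="password" value="52nwas"/></Provider>
 <PPKPair id="defaultKeyPair" alias="was" passwd="52nwas" providerRef="jksProvider"/>
 </PrivatePublicKeys>
 <Services><Service id="WAS" class="org.n52.security.service.was.AuthenticationServiceImpl">
 <Property name="sessionService"><Object class="org.n52.security.service.session.DefaultSessionService">
  <Property name="sessionTimeOut" value="3600"/></Object></Property>
 <Property name="anonymousUserName" value="guest"/><Property name="anonymousPassword" value="guest"/>
 <Property name="SAMLAssertionTimeOut" value="3600"/>
 <LoginModules><LoginModule class="org.n52.security.authentication.loginmodule.FileLoginModule"
  controlFlag="SUFFICIENT"/></LoginModules>
</Service></Services></SecurityConfig>"""

def _props(elem):
    # Map Property name -> value for the direct Property children of elem.
    return {p.get("name"): p.get("value") for p in elem.findall("sc:Property", NS)}

def audit_security_config(xml_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    for prov in root.findall(".//sc:PrivatePublicKeys/sc:Provider", NS):
        if _props(prov).get("password") in DEFAULT_PASSWORDS:
            findings.append(f"Provider '{prov.get('id')}' uses the default keystore password")
    for pair in root.findall(".//sc:PrivatePublicKeys/sc:PPKPair", NS):
        if pair.get("passwd") in DEFAULT_PASSWORDS:
            findings.append(f"PPKPair '{pair.get('id')}' uses the default key password")
    for svc in root.findall(".//sc:Services/sc:Service", NS):
        props = _props(svc)
        if (props.get("anonymousUserName"), props.get("anonymousPassword")) == DEFAULT_ANONYMOUS:
            findings.append("anonymous account is still guest/guest")
        if int(props.get("SAMLAssertionTimeOut", "0")) > MAX_LIFETIME_SECONDS:
            findings.append("SAMLAssertionTimeOut exceeds the assumed maximum")
        sess = svc.find("sc:Property[@name='sessionService']/sc:Object", NS)  # nested object
        if sess is not None and int(_props(sess).get("sessionTimeOut", "0")) > MAX_LIFETIME_SECONDS:
            findings.append("sessionTimeOut exceeds the assumed maximum")
        for lm in svc.findall("sc:LoginModules/sc:LoginModule", NS):
            if lm.get("class", "").endswith("SingleUserLoginModule"):  # test-only module
                findings.append("test-only SingleUserLoginModule is enabled")
                if _props(lm).get("pwdEncAlg") == "plain":
                    findings.append("SingleUserLoginModule password is stored in plain text")
    return findings
```

Run it against the real WEB-INF/classes/security-config.xml by passing the file contents to audit_security_config(); modules that are commented out in the file, like the delivered SingleUserLoginModule block, are not parsed and therefore not reported.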