WAS Configuration
The WAS is ready to work out of the box. Configuration is only needed e.g. in the following situations:
- You don't want to use the provided default public/private keys to sign SAML Assertions
- You want to enable/disable certain login modules
- You want to tweak some default ticket values like expiration time, issuer name or URL
- You want to define another user account than guest/guest as the anonymous user's account
General Configuration
The WAS is configured by the entries of the WEB-INF/classes/security-config.xml file of the web application.
Below you see the secrity-config.xml file as delivered.
<?xml version="1.0" encoding="utf-8"?>
<SecurityConfig xmlns="http://www.52north.org/security/config/1.1">
<PrivatePublicKeys>
<Provider id="jksProvider"
factoryClass="org.n52.security.common.crypto.KeystoreKeyPairProviderBeanFactory"
factoryMethod="create">
<Property name="keystoreType" value="JKS"/>
<Property name="fileName" value=".keystore"/>
<Property name="password" value="52nwas"/>
</Provider>
<PPKPair id="defaultKeyPair" alias="was" passwd="52nwas" providerRef="jksProvider"/>
</PrivatePublicKeys>
<Services>
<Service id="WAS" class="org.n52.security.service.was.AuthenticationServiceImpl">
<Property name="signingKeyPair" idRef="defaultKeyPair"/>
<Property name="sessionService">
<Object class="org.n52.security.service.session.DefaultSessionService">
<Property name="sessionTimeOut" value="3600"/>
<Property name="issuerName" value="www.52North.org"/>
<Property name="issuerURL" value="www.52North.org"/>
</Object>
</Property>
<Property name="capabilitiesFileName" value="WASv1_1Capabilities.xml"/>
<Property name="anonymousUserName" value="guest"/>
<Property name="anonymousPassword" value="guest"/>
<Property name="SAMLIssuerName" value="www.52North.org"/>
<Property name="SAMLAssertionTimeOut" value="3600"/>
<Property name="SAMLRoleAttributeName" value="urn:n52:authentication:subject:principal:role"/>
<AuthenticationMethods>
<!-- Comment this in if you'd like to see the session URN in the capabilities,
but this is not necessary because the GetSession and CloseSession methods are
part of the service interface.
<AuthenticationMethod class="org.n52.security.authentication.SessionAuthenticationMethod"/>-->
<!-- Says that username/password combinations are accepted
You have to define a login module wich are able to validate this.
-->
<AuthenticationMethod class="org.n52.security.authentication.PasswordAuthenticationMethod"/>
<!-- Says that saml responses (tickets issued by this service) are accepted.
You have to define a login module wich are able to validate this.
<AuthenticationMethod class="org.n52.security.authentication.SAMLResponseAuthenticationMethod"/>
-->
</AuthenticationMethods>
<LoginModules>
<!-- Use this one for testing purposes. The SingleUserLoginModule can process authentication requests
using the "PasswordAuthenticationMethod". The one and only valid username/password combination is specified below.
<LoginModule class="org.n52.security.authentication.loginmodule.SingleUserLoginModule"
controlFlag="SUFFICIENT">
<Property name="allowedUsername" value="test"/>
<Property name="allowedPassword" value="testpw"/>
<Property name="pwdEncAlg" value="plain"/>
<Property name="userRoles" value="Alice"/>
</LoginModule>
-->
<LoginModule class="org.n52.security.authentication.loginmodule.FileLoginModule"
controlFlag="SUFFICIENT">
</LoginModule>
</LoginModules>
</Service>
</Services>
</SecurityConfig>
Keystore Specification: <PrivatePublicKeys>
The WAS uses public/private keys to sign an issued SAML Assertion. Keys are retrieved using an instance implementing org.n52.security.common.crypto.KeyPairProvider. The Provider elements specifies an instance of org.n52.security.common.crypto.KeyPairProvider that is either created directly if the implemeting type is specified within a class attribute or returned by the factory class specified within a factoryClass and its respctive factory method specified within a factoryMethod attribute.
Known implementations (see their JavaDoc pages for parameter details):
- org.n52.security.common.crypto.KeystoreKeyPairProviderBeanFactory (see link to JavaDoc of class)
The PPKKeyPair element is used to assign one public/private key pair to a unique id that can be referenced inside this configuration document, e.g. to specify which key should be used to sign the SAML Assertion issued by the WAS. The alias attribute specifies the key's name inside the keystore configured here and referenced by the providerRef attribute. The password element specifies the passwort that might be necessary to access the private key.
WAS Configuration: <Service>
The <Service> section defines the central parameters for a WAS.
- signingKeyPair
- Specifies the key pair to be used (must be defined in the PrivatePublicKeys section)
- SessionService
- Specifies the session interface. The sessionTimeout property defines the duration of sessions with this WAS in seconds.
- capabilitiesFileName
- Name of the WAS capabilities file; must be located in the classpath
- anonymousUserName
- Name of the username to be used if the WAS is requested for the anonyous user's ticket
- anonymousPassword
- Name of the password to be used if the WAS is requested for the anonyous user's ticket
- SAMLIssuerName
- Issuer name to be used in a SAML Assertion
- SAMLAssertionTimeOut
- Time in seconds a SAML ticket is supposed to be valid
- SAMLRoleAttributeName
- Specifies the ID of the AttributeAssertion used to declare the rolel information
- AuthenticationMethods
- Declare imlpementation classes of the supported authentication methods. Classes must implement org.n52.security.authentication.AuthenticationMethod.
- LoginModules
- Define the JAAS compliant login modules that are available for authentication. A LoginModule element may contain a set of Property elements whose values are passed to the LoginModules initialize() method as a Map of properties. The controlFlag attribute is equivalent to the JAAS' control flag property as described here.
For a list of login modules provided by 52North and their properties, please please go here.
