Current File(s): conf/authn/jaas-authn-config.xml, conf/authn/jaas.config

Format: Native Spring, JAAS

Legacy V2 File(s): conf/handler.xml, conf/login.config

Format: Native Spring

Overview

The JAAS (Java Authentication and Authorization Service) is a desktop authentication mechanism in Java that has been commonly misappropriated as a server-side technology. A variety of "login module" plugins exist for different password-based technologies. Support is provided for using JAAS as a back-end for the password authentication login flow.

General Configuration

Configuring JAAS as a back-end requires that the right import is active in conf/authn/password-authn-config.xml:

Import in authn/password-authn-config.xml:
<import resource="jaas-authn-config.xml" />

The other imports must be commented out or removed.

A few beans are defined in authn/jaas-authn-config.xml to configure this back-end by identifying the JAAS configuration file and JAAS application name(s) to use.

JAAS Configuration

JAAS has its own configuration format (see here). By default, the configuration used is called "ShibUserPassAuth". This can be changed using the shibboleth.authn.JAAS.LoginConfigNames bean, or turned into a list of more than one configuration, with each one tried in series until one succeeds. This is equivalent to the JAAS keyword "sufficient". Using separate configurations allows errors to be isolated per-module instead of masked by generic JAAS exceptions.
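
The series behaviour described above, as an added example that is not taken from the Shibboleth documentation: two separate JAAS configurations listed in shibboleth.authn.JAAS.LoginConfigNames, with the single-configuration "sufficient" layout beside them for comparison. The configuration names LdapAuth and KerberosAuth, the LDAP host and the base DN are assumptions, and the `util` namespace is assumed to be declared in the file.

```xml
<!-- conf/authn/jaas-authn-config.xml
     Try two JAAS configurations in series until one succeeds.
     LdapAuth and KerberosAuth are hypothetical names; each must match
     an entry of the same name in the JAAS configuration file. -->
<util:list id="shibboleth.authn.JAAS.LoginConfigNames">
    <value>LdapAuth</value>
    <value>KerberosAuth</value>
</util:list>

<!-- Matching conf/authn/jaas.config (JAAS syntax, shown inside this comment).
     Each configuration holds one "required" module, so a failure is reported
     for that module alone. Host and base DN are placeholders.

LdapAuth {
    org.ldaptive.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap.example.org:636"
        baseDn="ou=people,dc=example,dc=org"
        userFilter="(uid={user})";
};

KerberosAuth {
    com.sun.security.auth.module.Krb5LoginModule required;
};

     The layout the page calls equivalent: one configuration under the
     default name, with both modules marked "sufficient". Failures from
     either module surface through the same generic JAAS exception.

ShibUserPassAuth {
    org.ldaptive.jaas.LdapLoginModule sufficient
        ldapUrl="ldaps://ldap.example.org:636"
        baseDn="ou=people,dc=example,dc=org"
        userFilter="(uid={user})";
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};
-->
```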

Reference

Beans

The beans defined in authn/jaas-authn-config.xml follow:

| Bean ID | Type | Default | Function |
|---|---|---|---|
| JAASConfig | String | %{idp.home}/conf/authn/jaas.config | Defines a Spring Resource containing the JAAS config. Normally this just points to a file in the filesystem |
| shibboleth.authn.JAAS.JAASConfigURI | java.net.URI | JAASConfig.URI | Defines the URI object containing the JAAS configuration |
| shibboleth.authn.JAAS.LoginConfigNames | java.util.List<String> | [ "ShibUserPassAuth" ] | List of JAAS application configuration names to use |

V2 Compatibility

JAAS configuration is independent of the IdP and is therefore identical with the use of JAAS in the V2 UsernamePassword handler. By default this configuration is placed in authn/jaas.config and the legacy-matching "ShibUserPassAuth" login configuration name is used (though this can be changed).

Unlike V2, the JAAS configuration is not placed into a global system property that would apply to the container as a whole; it is private to the IdP application.

Notes

TBD