Versions Compared

Old Version 5

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version 6

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

JAAS has its own configuration format (see here). By default, the configuration used is called "ShibUserPassAuth". This can be changed using the shibboleth.authn.JAAS.LoginConfigNames, or turned into a list of more than one configuration, with each one tried in series until a success. This is equivalent to the JAAS keyword "sufficient". Using separate configurations allows errors to be isolated per-module instead of masked by generic JAAS exceptions.

Advanced JAAS Usage

As of V3.3, an advanced option exists, a Function bean called shibboleth.authn.JAAS.LoginConfigStrategy. This allows the set of JAAS configurations to be supplied at runtime. The signature of this function is fairly complex:

Code Block
languagejava
titleSignature of shibboleth.authn.JAAS.LoginConfigStrategy Function
Function<ProfileRequestContext, Collection<Pair<String,Collection<Principal>>>>

The result of the function is a collection of JAAS configuration names together with an optional collection of custom Principals to inject into the resulting Subject. This allows the result to be tailored based on which JAAS configuration actually succeeds, a common need when combining methods. Typically the function's job will be to test the acceptability of the various JAAS options against the incoming request to decide which ones should be tried.

When using this approach, the surrounding flow generally should carry all of the possible Principal types in its supportedPrincipals property and the automatic injection of all those Principals turned off by defining a bean like so:

Code Block
<util:constant id="shibboleth.authn.Password.addDefaultPrincipals" static-field="java.lang.Boolean.FALSE" />

Reference

Beans

The beans defined in authn/jaas-authn-config.xml follow:

Bean ID
Type
Default
Function
JAASConfigString%{idp.home}/conf/authn/jaas.configDefines a Spring Resource containing the JAAS config. Normally this just points to a file in the filesystem
shibboleth.authn.JAAS.JAASConfigURIjava.net.URIJAASConfig.URIDefines the URI object containing the JAAS configuration
shibboleth.authn.JAAS.LoginConfigNamesLoginConfigNames       java,util.List<String>[ "ShibUserPassAuth" ]List of JAAS application configuration names to use
shibboleth.authn.JAAS.LoginConfigStrategy3.3Function For advanced use, you can inject a function to supply at runtime the collection of JAAS application configuration names to use, together with a mapping to any custom Principals to add into the result.

V2 Compatibility

JAAS configuration is independent of the IdP and is therefore identical with the use of JAAS in the V2 UsernamePassword handler. By default this configuration is placed in authn/jaas.config and the legacy-matching "ShibUserPassAuth" login configuration name is used (though this can be changed).

...