Current File(s): conf/authn/password-authn-config.xml, conf/authn/jaas-authn-config.xml (V4.0), conf/authn/authn.properties (V4.1+), conf/authn/jaas.config
Format: Native Spring, Properties, JAAS
...
The JAAS (Java Authentication and Authorization Service) is a desktop authentication mechanism in Java that has been commonly misappropriated as a server-side technology. A variety of "login module" plugins exist for different password-based technologies. Support is provided for using JAAS as a CredentialValidator for the password authentication login flow.
In V3, JAAS was the primary mechanism for supporting chains of back-end systems in combination with each other. V4 now supports this directly, though in some cases JAAS may still be simpler to configure and certainly remains supported.
A particular advantage of the V4 alternative approach is that the native Kerberos feature is more secure than the Java-supplied JAAS alternative, so deployments combining the JAAS Kerberos module with other back-ends should seriously consider migrating away from that approach.
General Configuration
...
Most uses of JAAS are historical at this point since the IdP now natively supports mechanisms to chain validators in ways that go beyond what JAAS can do. In particular, Kerberos authentication is best handled using the custom support we provide rather than the JAAS module for it, as the module lacks service ticket validation support and so is less secure.
Configuring JAAS as a back-end
...
relies
...
Import in authn/password-authn-config.xml

```xml
<import resource="jaas-authn-config.xml" />
```
...
on
...
beans
...
In the simple case of JAAS used alone:

Defining use of JAAS in password-authn-config.xml

```xml
<util:list id="shibboleth.authn.Password.Validators">
    <!-- Default bean uses the settings defined in jaas-authn-config.xml -->
    <ref bean="shibboleth.JAASValidator" />
</util:list>
```
...
V4.1+
...
internally that are configured using authn/authn.properties. Generally the defaults are sufficient to rely on a single JAAS configuration named "ShibUserPassAuth".
Older releases included an authn/jaas-authn-config.xml file; this remains supported but is no longer required or provided.
Adding additional beans may be needed in very advanced cases where a higher degree of control is required, and you are welcome to place them within authn/password-authn-config.xml.
In the simple case of JAAS used alone:

Defining use of JAAS in password-authn-config.xml

```xml
<util:list id="shibboleth.authn.Password.Validators">
    <!-- Default bean uses the settings defined in authn/authn.properties -->
    <ref bean="shibboleth.JAASValidator" />
</util:list>
```
If desired, it's possible to directly configure the various settings within the validator bean instead of or in addition to relying on the defaults. Refer to the JAASCredentialValidator javadoc for a complete summary.
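As an added example (not from the page or from the IdP distribution), the following authn/password-authn-config.xml excerpt keeps the default shibboleth.JAASValidator and adds a second JAAS validator instance whose settings are configured directly on the bean rather than taken from the defaults. The id and loginConfigNames property names are assumed from the JAASCredentialValidator javadoc, and the JAAS application name LegacyUserPassAuth is a constructed placeholder that would need a matching entry in jaas.config.

```xml
<!-- Added example, not part of the original page. Assumes the setter names
     "id" and "loginConfigNames" on JAASCredentialValidator, and a constructed
     JAAS application configuration named "LegacyUserPassAuth". -->
<util:list id="shibboleth.authn.Password.Validators">

    <!-- First validator: relies entirely on the defaults, i.e. the single
         "ShibUserPassAuth" configuration in jaas.config. -->
    <ref bean="shibboleth.JAASValidator" />

    <!-- Second validator: same parent bean, but with its own settings that
         override the defaults for this instance only. The explicit id shows
         up in the IdP logs, which makes it possible to tell which back-end
         actually accepted or rejected a credential when several are chained. -->
    <bean parent="shibboleth.JAASValidator"
          p:id="legacy-jaas"
          p:loginConfigNames="LegacyUserPassAuth" />

</util:list>
```

The IdP consults the validators in list order, so put the back-end that should be authoritative first; a validator that is listed only for migration purposes is easier to remove later when it carries its own id and its own JAAS configuration name instead of sharing the defaults.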
JAAS Configuration
Simple JAAS Usage
...
If the information the function would return is static, a bean named shibboleth.authn.JAAS.LoginConfigurations can be defined.
...
V4.0
When using either a static or dynamic approach involving custom Principals, the overall login flow generally should advertise all of the possible Principal types in its supportedPrincipals bean property (in general-authn.xml) and the automatic injection of all those Principals is turned off by defining a bean like so:
...
.
...
...
When using either a static or dynamic approach involving custom Principals, the overall login flow generally should advertise all of the possible Principal types in its idp.authn.Password.supportedPrincipals property and the automatic injection of all those Principals is turned off via the idp.authn.Password.addDefaultPrincipals property.
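The static approach described above, as an added example that is not part of the original page or of the IdP distribution: a shibboleth.authn.JAAS.LoginConfigurations bean placed in authn/password-authn-config.xml that maps each JAAS application configuration name to the custom Principals attached on success. The shibboleth.Pair and shibboleth.SAML2AuthnContextClassRef parent beans are assumed to be available in the IdP's Spring context, and the second configuration name, ShibUserPassAuthMFA, is a constructed placeholder.

```xml
<!-- Added example, not part of the original page. Assumes the parent beans
     "shibboleth.Pair" and "shibboleth.SAML2AuthnContextClassRef"; the
     configuration name "ShibUserPassAuthMFA" is a constructed placeholder
     that would need its own entry in jaas.config. -->
<util:list id="shibboleth.authn.JAAS.LoginConfigurations">

    <!-- Each Pair maps a JAAS application configuration name (first) to the
         list of custom Principals (second) that a success through that
         configuration will carry. -->
    <bean parent="shibboleth.Pair" p:first="ShibUserPassAuth">
        <property name="second">
            <list>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                      c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
            </list>
        </property>
    </bean>

    <!-- Only map a stronger context class to a configuration whose login
         module actually enforces that strength; the mapping is a label, not
         a check, and relying parties will trust what it asserts. -->
    <bean parent="shibboleth.Pair" p:first="ShibUserPassAuthMFA">
        <property name="second">
            <list>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                      c:classRef="https://refeds.org/profile/mfa" />
            </list>
        </property>
    </bean>

</util:list>
```

With this bean in place, idp.authn.Password.supportedPrincipals in authn/authn.properties must list both context classes so the flow advertises them, and idp.authn.Password.addDefaultPrincipals must be turned off; otherwise every result would receive the full set of advertised Principals regardless of which JAAS configuration succeeded, which defeats the purpose of the mapping.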
Reference
The beans defined in authn/jaas-authn-config.xml follow. These are defaults that can be overridden per-validator in whole or in part.

Bean ID / Type | Default | Description
---|---|---
JAASConfig | %{idp.home}/conf/authn/jaas.config | Defines a Spring Resource containing the JAAS config. Normally this just points to a file in the filesystem.
shibboleth.authn.JAAS.JAASConfigURI | JAASConfig.URI | Defines the URI object containing the JAAS configuration
shibboleth.authn.JAAS.LoginConfigNames | ["ShibUserPassAuth"] | Simple list of JAAS application configuration names to use
shibboleth.authn.JAAS.LoginConfigurations | | Static list of JAAS application configuration names along with mappings to custom Principal objects
shibboleth.authn.JAAS.LoginConfigStrategy | | For advanced use, you can inject a function to supply at runtime the information that the previous bean would supply statically
The following are placeholders that may be defined in authn/password-authn-config.xml for advanced control over JAAS configuration use. These are alternatives to the typical cases addressed by simple properties.

The following properties are usable in authn/authn.properties to control simple JAAS use:
...