Current File(s): conf/authn/password-authn-config.xml, conf/authn/jaas-authn-config.xml (V4.0), conf/authn/authn.properties (V4.1+), conf/authn/jaas.config

Format: Native Spring, Properties, JAAS

Overview

The JAAS (Java Authentication and Authorization Service) is a desktop authentication mechanism in Java that has been commonly misappropriated as a server-side technology. A variety of "login module" plugins exist for different password-based technologies. Support is provided for using JAAS as a CredentialValidator for the password authentication login flow.

...

General Configuration

V4.0

Configuring JAAS as a back-end in the simplest fashion relies on beans defined via an import in authn/password-authn-config.xml:

Import in authn/password-authn-config.xml
<import resource="jaas-authn-config.xml" />

A few beans are defined in this file to globally configure this back-end by setting some JAAS-related options. With V4, these beans are chiefly used for backward compatibility, and as default settings that can be overridden on specific instances of beans inheriting from shibboleth.JAASValidator defined in authn/password-authn-config.xml in the shibboleth.authn.Password.Validators bean.

In the simple case of JAAS used alone:

Defining use of JAAS in password-authn-config.xml
<util:list id="shibboleth.authn.Password.Validators">
    <!-- Default bean uses the settings defined in jaas-authn-config.xml -->
    <ref bean="shibboleth.JAASValidator" />
</util:list>

V4.1+

Configuring JAAS as a back-end relies on beans internally that are configured using authn/authn.properties. Generally the defaults are sufficient to rely on a single JAAS configuration named "ShibUserPassAuth".

Older releases included an authn/jaas-authn-config.xml file; this remains supported but is no longer required or provided.

Adding additional beans may be needed in very advanced cases where a higher degree of control is required, and you are welcome to place them within authn/password-authn-config.xml.

In the simple case of JAAS used alone:

Defining use of JAAS in password-authn-config.xml
<util:list id="shibboleth.authn.Password.Validators">
    <!-- Default bean uses the settings defined in authn/authn.properties -->
    <ref bean="shibboleth.JAASValidator" />
</util:list>

If desired, it's possible to directly configure the various settings within the validator bean instead of or in addition to relying on the defaults. Refer to the JAASCredentialValidator javadoc for a complete summary.

...

Using separate configurations allows errors to be isolated per-module instead of masked by generic JAAS exceptions, but again, this is now a feature natively supported by the IdP independently of JAAS.

Advanced JAAS Usage

More advanced options exist to:

  • supply the JAAS configuration name(s) dynamically using a function

  • associate particular JAAS configuration(s) with a set of custom Principal objects to attach to the authentication result

For the former, a Function bean named shibboleth.authn.JAAS.LoginConfigStrategy is reserved. This allows the set of JAAS configurations to be supplied at runtime. The signature of this function is fairly complex:

...

Signature of shibboleth.authn.JAAS.LoginConfigStrategy Function
Function<ProfileRequestContext, Collection<Pair<String,Subject>>>

The result of the function is a collection of JAAS configuration names together with an optional collection of custom Principal objects (wrapped in a Java Subject) to inject into the Subject produced by the login flow. This allows the result to be tailored based on which JAAS configuration actually succeeds, a common need when combining methods.

If the information the function would return is static, a bean named shibboleth.authn.JAAS.LoginConfigurations can be defined.

V4.0

When using either a static or dynamic approach involving custom Principals, the overall login flow generally should advertise all of the possible Principal types in its supportedPrincipals bean property (in general-authn.xml) and the automatic injection of all those Principals is turned off by defining a bean like so:

<util:constant id="shibboleth.authn.Password.addDefaultPrincipals" static-field="java.lang.Boolean.FALSE" />

V4.1+

When using either a static or dynamic approach involving custom Principals, the overall login flow generally should advertise all of the possible Principal types in its idp.authn.Password.supportedPrincipals property and the automatic injection of all those Principals is turned off via the idp.authn.Password.addDefaultPrincipals property.
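A worked implementation of the strategy function whose signature is given above, together with the custom-Principal mapping that the V4.0 and V4.1+ notes refer to, as an added example that is not code from the Shibboleth project or from this page. It assumes the IdP 4.x API types named in the imports (ProfileRequestContext, RelyingPartyContext, Pair, AuthnContextClassRefPrincipal); the class and package names, the second JAAS configuration name "ExampleMFA" and the relying-party ID are constructed sample values, and keying the decision on the relying party ID is one illustrative policy, not something the page prescribes.

```java
// Added example (not code from the Shibboleth project or from this page): a dynamic
// JAAS login-configuration strategy suitable for registering as the
// shibboleth.authn.JAAS.LoginConfigStrategy bean. Class/package names, the
// "ExampleMFA" configuration name and the relying-party ID are constructed sample
// values; the IdP 4.x classes in the imports are real.
package org.example.authn;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.function.Function;

import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;

import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
import net.shibboleth.utilities.java.support.collection.Pair;

import org.opensaml.profile.context.ProfileRequestContext;

/**
 * Supplies the JAAS configuration names to try for the current request, each paired
 * with the custom Principals the IdP should attach if that configuration succeeds.
 */
public class ExampleLoginConfigStrategy
        implements Function<ProfileRequestContext, Collection<Pair<String, Subject>>> {

    /** Relying party for which an additional JAAS configuration is offered (sample value). */
    private static final String PRIVILEGED_RP = "https://sp.example.org/shibboleth";

    /** Standard SAML 2.0 authentication context classes used in the mapping. */
    private static final String PPT =
            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";
    private static final String TOKEN =
            "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken";

    @Override
    @Nonnull public Collection<Pair<String, Subject>> apply(@Nullable final ProfileRequestContext prc) {
        final Collection<Pair<String, Subject>> result = new ArrayList<>();

        // Each configuration is paired with exactly one context-class Principal, so the
        // Principal attached to the result reflects the module that actually verified
        // the user rather than the strongest module merely listed.
        if (PRIVILEGED_RP.equals(relyingPartyId(prc))) {
            // Sample second configuration name in jaas.config (e.g. a token-backed login module).
            result.add(new Pair<>("ExampleMFA", subjectWith(new AuthnContextClassRefPrincipal(TOKEN))));
        }
        // Default password configuration, offered for every relying party.
        result.add(new Pair<>("ShibUserPassAuth", subjectWith(new AuthnContextClassRefPrincipal(PPT))));
        return result;
    }

    /** Reads the relying party ID from the request context, or null if it is not yet known. */
    @Nullable private static String relyingPartyId(@Nullable final ProfileRequestContext prc) {
        if (prc == null) {
            return null;
        }
        final RelyingPartyContext rpCtx = prc.getSubcontext(RelyingPartyContext.class);
        return rpCtx != null ? rpCtx.getRelyingPartyId() : null;
    }

    /** Wraps the given Principals in a Subject, the form the validator expects in the Pair. */
    @Nonnull private static Subject subjectWith(@Nonnull final Principal... principals) {
        final Subject subject = new Subject();
        for (final Principal p : principals) {
            subject.getPrincipals().add(p);
        }
        return subject;
    }
}
```

To use it, register the class in authn/password-authn-config.xml as `<bean id="shibboleth.authn.JAAS.LoginConfigStrategy" class="org.example.authn.ExampleLoginConfigStrategy" />`, advertise both AuthnContextClassRefPrincipal values in the flow's supportedPrincipals setting, and turn addDefaultPrincipals off as described above so that only the Principal paired with the succeeding configuration is attached. Because that pairing is what ties the authentication context reported to the relying party to the module that checked the credential, each configuration name should be paired only with a Principal its login module genuinely justifies.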

Reference

Beans (V4.0)

The beans defined in authn/jaas-authn-config.xml follow. These are defaults that can be overridden per-validator in whole or in part.

| Bean ID | Type | Default | Description |
|---|---|---|---|
| JAASConfig | String | %{idp.home}/conf/authn/jaas.config | Defines a Spring Resource containing the JAAS config. Normally this just points to a file in the filesystem |
| shibboleth.authn.JAAS.JAASConfigURI | java.net.URI | JAASConfig.URI | Defines the URI object containing the JAAS configuration |
| shibboleth.authn.JAAS.LoginConfigNames | Collection<String> | ["ShibUserPassAuth"] | Simple list of JAAS application configuration names to use |
| shibboleth.authn.JAAS.LoginConfigurations | Collection<Pair<String,Collection<Principal>>> | | Static list of JAAS application configuration names along with mappings to custom Principal objects |
| shibboleth.authn.JAAS.LoginConfigStrategy | Function<Collection<Pair<String,Subject>>> | | For advanced use, you can inject a function to supply at runtime the information that the previous bean would supply statically |

Beans (V4.1+)

The following are placeholders that may be defined in authn/password-authn-config.xml for advanced control over JAAS configuration use. These are alternatives to the typical cases addressed by simple properties.

| Bean ID | Type | Description |
|---|---|---|
| shibboleth.authn.JAAS.LoginConfigurations | Collection<Pair<String,Collection<Principal>>> | Static list of JAAS application configuration names along with mappings to custom Principal objects |
| shibboleth.authn.JAAS.LoginConfigStrategy | Function<Collection<Pair<String,Subject>>> | For advanced use, you can inject a function to supply at runtime the information that the previous bean would supply statically |

Properties (V4.1+)

The following properties are usable in authn/authn.properties to control simple JAAS use:

| Name | Default | Description |
|---|---|---|
| idp.authn.JAAS.loginConfigNames | ShibUserPassAuth | Comma-delimited set of JAAS application configuration names to use |
| idp.authn.JAAS.loginConfig | %{idp.home}/conf/authn/jaas.config | Location of JAAS configuration file |