Bug 1429570

Summary: [GSS] (6.4.z) SAML2STSLoginModule cannot be configured with module options instead of configFile
Product: JBoss Enterprise Application Platform 6
Component: PicketLink
Version: 6.4.12
Reporter: dhorton
Assignee: Jiri Ondrusek <jondruse>
QA Contact: Jiri Truhlar <jtruhlar>
CC: anmiller, bdawidow, bmaxwell, dosoudil, jbilek, jondruse, psilva, pskopek, rnetuka, rstancel
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: CR1
Target Release: EAP 6.4.19
Type: Bug
Last Closed: 2018-04-16 11:03:56 UTC
Bug Blocks: 1498153, 1509801

Description dhorton 2017-03-06 15:51:15 UTC
Description of problem:

It is not possible to configure the SAML2STSLoginModule by using module options instead of configFile:

    <security-domain name="sts" cache-type="default">
        <authentication>
            <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule"
                          flag="required" module="org.picketlink">
                <module-option name="serviceName" value="PicketLinkSTS"/>
                <module-option name="portName" value="PicketLinkSTSPort"/>
                <module-option name="endpointAddress" value="http://localhost:8080/picketlink-sts/PicketLinkSTS"/>
                <module-option name="username" value="admin"/>
                <module-option name="password" value="admin"/>
            </login-module>
        </authentication>
    </security-domain>


The issue appears to be caused by the following check:

diff --git picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java
index bdadc40..deeef62 100644
--- picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java
+++ picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java
@@ -346,10 +346,6 @@ public abstract class SAML2STSCommonLoginModule extends SAMLTokenFromHttpRequest
         } else {
             logger.trace("Local Validation is disabled. Verifying with STS");
 
-            // sts config file has to be present to call STS (using sts client)
-            if (this.stsConfigurationFile == null)
-                throw logger.authSTSConfigFileNotFound();
-
             // send the assertion to the STS for validation.
             STSClient client = this.getSTSClient();
             try {
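Review bot: removing the null check on stsConfigurationFile at the top of the remote-validation branch is only safe if getSTSClient() on the following lines can build a client from the module options (serviceName, portName, endpointAddress, username, password) when no configFile is set; that code path is not in the hunk, so confirm it exists and that having neither a configFile nor a complete option set still produces a clear configuration error (what authSTSConfigFileNotFound used to provide) rather than a NullPointerException or an STS call with an empty endpoint that simply fails authentication. A unit test covering the options-only path would pin this down.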
@@ -555,4 +551,4 @@ public abstract class SAML2STSCommonLoginModule extends SAMLTokenFromHttpRequest
 
     protected abstract TimeCacheExpiry getCacheExpiry() throws Exception;
 
-}
\ No newline at end of file
+}
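Review bot: this hunk only adds the missing newline at end of file after the closing brace; there is no functional change, though a whitespace-only fix like this is easier to review when kept out of the hunk that changes behaviour.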


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.  Configure JBoss EAP 6.4.12 as described here:  https://docs.jboss.org/author/display/PLINK/Protecting+EJB+Endpoints
2.  Configure the SAML2STSLoginModule using the module-option approach shown above (not the 'configFile' approach)
3.  Deploy an ejb that is protected by the "ejb-remoting-sts" security-domain
4.  Hit the ejb

Actual results:

Authentication fails


Expected results:

Authentication is successful

Additional info:
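The following is an added illustration, not PicketLink's own code, of the option-resolution logic a login module like SAML2STSLoginModule needs once the hard "configFile must be present" check is dropped: accept either a configFile or a complete set of module options, and fail fast with a message naming what is missing rather than letting an incomplete STS client configuration surface as a bare authentication failure. The class name StsClientOptions and its methods are assumptions for this example; the option names are the ones from the security-domain snippet in the report.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Hypothetical helper (not PicketLink's API) that decides how an STS client
// should be configured from a login module's options map.
public final class StsClientOptions {

    // Option that points at an external STS client configuration file.
    static final String CONFIG_FILE = "configFile";

    // Options that together replace the configuration file (from the bug report).
    static final String[] REQUIRED_INLINE = {
        "serviceName", "portName", "endpointAddress", "username", "password"
    };

    public final String configFile;               // non-null when a file is used
    public final Map<String, String> inline;      // non-empty when options are used

    private StsClientOptions(String configFile, Map<String, String> inline) {
        this.configFile = configFile;
        this.inline = Collections.unmodifiableMap(inline);
    }

    public boolean usesConfigFile() {
        return configFile != null;
    }

    // Resolve the STS client configuration. A configFile wins when present;
    // otherwise every inline option must be set, and the error lists the gaps.
    public static StsClientOptions resolve(Map<String, ?> options) {
        Object file = options.get(CONFIG_FILE);
        if (file != null && !file.toString().trim().isEmpty()) {
            return new StsClientOptions(file.toString().trim(), new HashMap<>());
        }

        Map<String, String> inline = new HashMap<>();
        List<String> missing = new ArrayList<>();
        for (String key : REQUIRED_INLINE) {
            Object value = options.get(key);
            if (value == null || value.toString().trim().isEmpty()) {
                missing.add(key);
            } else {
                inline.put(key, value.toString().trim());
            }
        }
        if (!missing.isEmpty()) {
            // Name the missing keys only; never echo option values (the map holds a password).
            throw new IllegalArgumentException(
                "STS client configuration incomplete: no '" + CONFIG_FILE
                + "' and missing module options " + missing);
        }
        return new StsClientOptions(null, inline);
    }

    public static void main(String[] args) {
        // Constructed sample matching the module-option approach from the report.
        Map<String, Object> opts = new HashMap<>();
        opts.put("serviceName", "PicketLinkSTS");
        opts.put("portName", "PicketLinkSTSPort");
        opts.put("endpointAddress", "http://localhost:8080/picketlink-sts/PicketLinkSTS");
        opts.put("username", "admin");
        opts.put("password", "admin");
        StsClientOptions fromOptions = resolve(opts);
        System.out.println("uses config file: " + fromOptions.usesConfigFile()
            + ", inline keys: " + fromOptions.inline.keySet());

        // Constructed failure case: neither a configFile nor a full set of options.
        Map<String, Object> broken = new HashMap<>();
        broken.put("endpointAddress", "http://localhost:8080/picketlink-sts/PicketLinkSTS");
        try {
            resolve(broken);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of resolving the configuration in one place is that the "options only" and "configFile" paths are validated identically before any STS call is made, so a misconfigured login module is reported as a configuration error at startup or first use instead of as an unexplained authentication failure like the one in the reproduction steps.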

Comment 5 Radim Hatlapatka 2018-01-15 16:44:30 UTC
Thank you for the fix, verified with EAP 6.4.19.CP.CR2