Bug 1084597 - [GSS] (6.2.x) Backport PLINK-405
Summary: [GSS] (6.2.x) Backport PLINK-405
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: PicketLink
Version: 6.2.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: CR2
: EAP 6.2.3
Assignee: Peter Skopek
QA Contact: Josef Cacek
Nichola Moore
URL:
Whiteboard:
Depends On: 1084601
Blocks: eap62-cp03-blockers 1084584
Reported: 2014-04-04 19:22 UTC by Derek Horton
Modified: 2018-12-05 18:02 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
A new feature has been incorporated into the PicketLink component of this version of JBoss EAP 6. In this release the principal that gets sent to the AttributeManager has been made configurable. When using PicketLink with JBoss Negotiation, the principal that is sent to the AttributeManager is a hashed string and not the username. This can result in failed lookups if the mapping provider uses the principal to look up any attributes. The ability to configure the principal ameliorates this issue.
Clone Of: 1084595
Environment:
Last Closed: 2014-06-09 12:48:43 UTC
Type: Bug
Embargoed:




Links
System ID: Red Hat Issue Tracker PLINK-405
Private: 0
Priority: Major
Status: Resolved
Summary: Make the principal that gets sent to the AttributeManager configurable
Last Updated: 2015-11-25 09:18:27 UTC

Description Derek Horton 2014-04-04 19:22:29 UTC
+++ This bug was initially created as a clone of Bug #1084595 +++

Backport PLINK-405

Comment 1 Derek Horton 2014-04-07 19:57:06 UTC
Reproducer notes for hashed user principal PL issue:

idp.war/WEB-INF/picketlink.xml (set the AttributeManager):

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"
                 AttributeManager="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager"
                 StrictPostBinding="true">
    <!-- remaining IDP configuration unchanged -->
  </PicketLinkIDP>
</PicketLink>


idp.war/WEB-INF/jboss-web.xml:

  <valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
    <param>
      <param-name>passUserPrincipalToAttributeManager</param-name>
      <param-value>true</param-value>
    </param>
  </valve>


standalone.xml:

    <mapping>
      <mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute">
        <module-option name="java.naming.provider.url" value="ldaps://imatestldapserver.redhat.com"/>
        <module-option name="bindDN" value="uid=imauser,dc=test,dc=redhat,dc=com"/>
        <module-option name="bindCredential" value="imapassword"/>
        <module-option name="baseCtxDN" value="ou=users,dc=test,dc=redhat,dc=com"/>
        <module-option name="baseFilter" value="(uid={0})"/>
        <module-option name="attributeList" value="mail,cn,sn,UserType"/>
        <module-option name="searchTimeLimit" value="10000"/>
      </mapping-module>
    </mapping>
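
Added check (not part of the bug report or of PicketLink): it parses the two IDP descriptors above and reports when the AttributeManager or the valve parameter is missing, so the reproducer state (hashed principal reaching the mapping provider) can be told apart from the fixed one. The XML samples are constructed from the snippets in this comment.

```python
import xml.etree.ElementTree as ET

PL_NS = "urn:picketlink:identity-federation:config:2.1"
VALVE_CLASS = "org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve"
PARAM_NAME = "passUserPrincipalToAttributeManager"

# Constructed samples based on the descriptors quoted in Comment 1.
PICKETLINK_XML = f"""<PicketLink xmlns="{PL_NS}">
  <PicketLinkIDP AttributeManager="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager"
                 StrictPostBinding="true"/>
</PicketLink>"""
JBOSS_WEB_FIXED = f"""<jboss-web><valve>
  <class-name>{VALVE_CLASS}</class-name>
  <param><param-name>{PARAM_NAME}</param-name><param-value>true</param-value></param>
</valve></jboss-web>"""
# Same valve without the parameter: the IDP keeps sending the hashed principal.
JBOSS_WEB_DEFAULT = f"""<jboss-web><valve>
  <class-name>{VALVE_CLASS}</class-name>
</valve></jboss-web>"""

def idp_attribute_manager(picketlink_xml):
    """Return the AttributeManager class set on <PicketLinkIDP>, or None if absent."""
    idp = ET.fromstring(picketlink_xml).find(f"{{{PL_NS}}}PicketLinkIDP")
    return None if idp is None else idp.get("AttributeManager")

def passes_user_principal(jboss_web_xml):
    """True only if the IDP SSO valve sets passUserPrincipalToAttributeManager=true."""
    for valve in ET.fromstring(jboss_web_xml).iter("valve"):
        if valve.findtext("class-name", "").strip() != VALVE_CLASS:
            continue  # some other valve; not the one that feeds the AttributeManager
        for param in valve.findall("param"):
            if param.findtext("param-name", "").strip() == PARAM_NAME:
                return param.findtext("param-value", "").strip().lower() == "true"
    return False

def check_idp(picketlink_xml, jboss_web_xml):
    """Return findings; an empty list means the real user principal reaches the AttributeManager."""
    findings = []
    if idp_attribute_manager(picketlink_xml) is None:
        findings.append("PicketLinkIDP has no AttributeManager configured")
    if not passes_user_principal(jboss_web_xml):
        findings.append(f"IDPWebBrowserSSOValve does not set {PARAM_NAME}=true")
    return findings

if __name__ == "__main__":
    for label, xml in (("fixed", JBOSS_WEB_FIXED), ("default", JBOSS_WEB_DEFAULT)):
        print(label, check_idp(PICKETLINK_XML, xml) or ["ok"])
```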

Comment 2 baranowb 2014-04-11 06:45:46 UTC
Assigning to pskopek since he pleaded to PL issues for EAP6

Comment 3 Derek Horton 2014-04-16 18:13:41 UTC
Committed to the prod-eap6.2.3 branch

Comment 4 Josef Cacek 2014-05-07 13:35:44 UTC
Verified in 623CR2.

