Bug 1084601 - [GSS] (6.3.0) Backport PLINK-405
Summary: [GSS] (6.3.0) Backport PLINK-405
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: PicketLink
Version: 6.2.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ER2
Target Release: EAP 6.3.0
Assignee: Anil Saldhana
QA Contact: Josef Cacek
Docs Contact: Nichola Moore
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 1084593 1084597 1091177 1095230
 
Reported: 2014-04-04 19:26 UTC by Derek Horton
Modified: 2014-08-12 02:08 UTC (History)

Doc Text:
A new feature has been incorporated into the PicketLink component of this version of JBoss EAP 6. In this release the principal that gets sent to the AttributeManager has been made configurable.

When using PicketLink with JBoss Negotiation, the principal sent to the AttributeManager is a hashed string rather than the username. This can result in failed lookups if the mapping provider uses the principal to look up attributes.

The ability to configure which principal is passed (the passUserPrincipalToAttributeManager parameter on the IDPWebBrowserSSOValve) resolves this issue.
Clone Of: 1084596
Clones: 1085534
Last Closed: 2014-06-28 15:44:35 UTC




External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
JBoss Issue Tracker | PLINK-405 | Major | Resolved | Make the principal that gets sent to the AttributeManager configurable | 2015-11-25 09:18 UTC

Description Derek Horton 2014-04-04 19:26:06 UTC
Backport PLINK-405

Comment 1 Derek Horton 2014-04-04 19:27:50 UTC
Functionality can be enabled as shown here:

  <valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
    <param>
      <param-name>passUserPrincipalToAttributeManager</param-name>
      <param-value>true</param-value>
    </param>
  </valve>

Comment 2 Derek Horton 2014-04-07 19:55:48 UTC
Reproducer notes for hashed user principal PL issue:

idp.war/WEB-INF/picketlink.xml (set the AttributeManager):

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"
                 AttributeManager="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager"
                 StrictPostBinding="true">
    <!-- rest of the IDP configuration unchanged -->
  </PicketLinkIDP>
</PicketLink>


idp.war/WEB-INF/jboss-web.xml:

  <valve>
     <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
     <param>
       <param-name>passUserPrincipalToAttributeManager</param-name>
       <param-value>true</param-value>
     </param>
   </valve>


standalone.xml (mapping section of the IdP security domain):

    <mapping>
      <!-- reproducer values; the LDAP URL, bind DN and bind credential are placeholders -->
      <mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute">
        <module-option name="java.naming.provider.url" value="ldaps://imatestldapserver.redhat.com"/>
        <module-option name="bindDN" value="uid=imauser,dc=test,dc=redhat,dc=com"/>
        <module-option name="bindCredential" value="imapassword"/>
        <module-option name="baseCtxDN" value="ou=users,dc=test,dc=redhat,dc=com"/>
        <module-option name="baseFilter" value="(uid={0})"/>
        <module-option name="attributeList" value="mail,cn,sn,UserType"/>
        <module-option name="searchTimeLimit" value="10000"/>
      </mapping-module>
    </mapping>
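The Doc Text and the reproducer above describe a deployment in two files that must agree: picketlink.xml names an AttributeManager that resolves attributes by username, and jboss-web.xml must then enable passUserPrincipalToAttributeManager on the IDPWebBrowserSSOValve, or the LDAP filter (uid={0}) is evaluated against the Negotiation principal instead. The following is an added example, not code from this bug report or from PicketLink: an offline check that reads both files and reports when the valve parameter is missing or not "true". The XML samples and the function names (check_idp_config, valve_param, attribute_manager) are constructed for this example.

```python
"""Added example for this bug (not code from the report or from PicketLink):
an offline check that an IdP deployment which resolves attributes by username
also enables the PLINK-405 switch on the IDPWebBrowserSSOValve.  The XML
samples and the function names below are constructed for this example."""
import xml.etree.ElementTree as ET
from typing import List, Optional

VALVE_CLASS = ("org.picketlink.identity.federation.bindings.tomcat.idp."
               "IDPWebBrowserSSOValve")
PARAM = "passUserPrincipalToAttributeManager"

# Constructed sample: picketlink.xml pointing at the JBoss attribute manager,
# which hands the principal to the security domain's mapping providers.
PICKETLINK_XML = """\
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP AttributeManager="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager"
                 StrictPostBinding="true"/>
</PicketLink>"""

# Constructed sample: jboss-web.xml without the new parameter ...
JBOSS_WEB_BEFORE = """\
<jboss-web>
  <security-domain>idp</security-domain>
  <valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
  </valve>
</jboss-web>"""

# ... and with it set to true, as shown in Comment 1.
JBOSS_WEB_AFTER = """\
<jboss-web>
  <security-domain>idp</security-domain>
  <valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
    <param>
      <param-name>passUserPrincipalToAttributeManager</param-name>
      <param-value>true</param-value>
    </param>
  </valve>
</jboss-web>"""


def _local(tag: str) -> str:
    """Strip an XML namespace so lookups work whether or not the file declares one."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el: ET.Element, name: str) -> Optional[str]:
    """Trimmed text of the first direct child named `name`, or None."""
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def attribute_manager(picketlink_xml: str) -> Optional[str]:
    """AttributeManager class configured on <PicketLinkIDP>, if any."""
    root = ET.fromstring(picketlink_xml)
    for el in root.iter():
        if _local(el.tag) == "PicketLinkIDP":
            return el.get("AttributeManager")
    return None


def valve_param(jboss_web_xml: str, param_name: str) -> Optional[str]:
    """Value of <param> param_name on the IDPWebBrowserSSOValve, or None if absent."""
    root = ET.fromstring(jboss_web_xml)
    for el in root.iter():
        if _local(el.tag) != "valve" or _child_text(el, "class-name") != VALVE_CLASS:
            continue
        for param in el:
            if _local(param.tag) == "param" and _child_text(param, "param-name") == param_name:
                return _child_text(param, "param-value")
    return None


def check_idp_config(picketlink_xml: str, jboss_web_xml: str) -> List[str]:
    """Return findings; an empty list means the two files agree as in Comment 2."""
    manager = attribute_manager(picketlink_xml)
    if manager is None:
        return ["no AttributeManager configured on PicketLinkIDP"]
    value = valve_param(jboss_web_xml, PARAM)
    if value is None:
        return [f"{PARAM} is not set on the IDP valve; {manager} receives the request "
                "principal, which under JBoss Negotiation is a hashed string rather "
                "than the username"]
    if value.lower() != "true":
        return [f"{PARAM} is set to {value!r}, not 'true'"]
    return []


if __name__ == "__main__":
    for label, cfg in (("before", JBOSS_WEB_BEFORE), ("after", JBOSS_WEB_AFTER)):
        print(label, check_idp_config(PICKETLINK_XML, cfg) or ["ok"])
```

Run it against a real deployment by reading idp.war/WEB-INF/picketlink.xml and idp.war/WEB-INF/jboss-web.xml into the two arguments; the element lookups ignore namespaces, so a jboss-web.xml that declares one is handled the same way as the unnamespaced sample.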

Comment 3 Josef Cacek 2014-05-05 08:28:51 UTC
Verified in 6.3.0.ER2

