Bug 1429570 - [GSS] (6.4.z) SAML2STSLoginModule cannot be configured with module options instead of configFile
Summary: [GSS] (6.4.z) SAML2STSLoginModule cannot be configured with module options in...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: PicketLink
Version: 6.4.12
Hardware: Unspecified
OS: Unspecified
Target Milestone: CR1
: EAP 6.4.19
Assignee: Jiri Ondrusek
QA Contact: Jiri Truhlar
URL:
Whiteboard:
Depends On:
Blocks: eap6419-payload 1509801
Reported: 2017-03-06 15:51 UTC by dhorton
Modified: 2021-03-11 15:01 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-16 11:03:56 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBEAP-11579 0 Critical Pull Request Sent [GSS](7.0.z) SAML2STSLoginModule cannot be configured with module options instead of configFile 2018-09-28 05:37:41 UTC
Red Hat Issue Tracker JBEAP-11583 0 Critical Resolved [GSS](7.2.0) SAML2STSLoginModule cannot be configured with module options instead of configFile 2018-09-28 05:37:41 UTC
Red Hat Issue Tracker JBEAP-13855 0 Critical Verified [GSS](7.1.z) SAML2STSLoginModule cannot be configured with module options instead of configFile 2018-09-28 05:37:41 UTC
Red Hat Issue Tracker PLINK-771 0 Major Open SAML2STSLoginModule cannot be configured with module options instead of configFile 2018-09-28 05:37:41 UTC

Description dhorton 2017-03-06 15:51:15 UTC
Description of problem:

It is not possible to configure the SAML2STSLoginModule by using module options instead of configFile:

<security-domain name="sts" cache-type="default">
    <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule"
                      flag="required" module="org.picketlink">
            <module-option name="serviceName" value="PicketLinkSTS"/>
            <module-option name="portName" value="PicketLinkSTSPort"/>
            <module-option name="endpointAddress" value="http://localhost:8080/picketlink-sts/PicketLinkSTS"/>
            <module-option name="username" value="admin"/>
            <module-option name="password" value="admin"/>
        </login-module>
    </authentication>
</security-domain>


The issue appears to be caused by the following check:

diff --git picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java
index bdadc40..deeef62 100644
--- picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java
+++ picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java
@@ -346,10 +346,6 @@ public abstract class SAML2STSCommonLoginModule extends SAMLTokenFromHttpRequest
         } else {
             logger.trace("Local Validation is disabled. Verifying with STS");
 
-            // sts config file has to be present to call STS (using sts client)
-            if (this.stsConfigurationFile == null)
-                throw logger.authSTSConfigFileNotFound();
-
             // send the assertion to the STS for validation.
             STSClient client = this.getSTSClient();
             try {
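Review bot: dropping the `stsConfigurationFile == null` guard moves the responsibility for handling a missing configFile into `getSTSClient()`; confirm that it builds the STS client from the module options shown in the report (serviceName, portName, endpointAddress, username, password) when `stsConfigurationFile` is null, and that an incomplete option set still fails with a clear error at login time rather than a NullPointerException inside the STS client. If `authSTSConfigFileNotFound()` has no remaining callers after this change, it should be removed or repurposed for the "neither configFile nor options" case.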
@@ -555,4 +551,4 @@ public abstract class SAML2STSCommonLoginModule extends SAMLTokenFromHttpRequest
 
     protected abstract TimeCacheExpiry getCacheExpiry() throws Exception;
 
-}
\ No newline at end of file
+}
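Review bot: this hunk only adds the missing newline at end of file; harmless, but whitespace-only changes are easier to review when kept out of a functional fix.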


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.  Configure JBoss EAP 6.4.12 as described here:  https://docs.jboss.org/author/display/PLINK/Protecting+EJB+Endpoints
2.  Configure the SAML2STSLoginModule using the module-option approach shown above (not the 'configFile' approach)
3.  Deploy an ejb that is protected by the "ejb-remoting-sts" security-domain
4.  Hit the ejb

Actual results:

Authentication fails


Expected results:

Authentication is successful

Additional info:

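The removed guard in the diff above failed whenever configFile was absent, even though every value the STS client needs was available as a module option. The following is an added example (hypothetical code, not PicketLink's own) of an option resolver that accepts either configFile or the five module options from the report, and fails early with a message naming the missing option when neither form is complete:

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;

// Hypothetical helper, not part of org.picketlink; option names are the ones
// used in the security-domain from the bug report.
public class StsOptionResolver {

    /** Options that must all be present when no configFile is given. */
    static final List<String> REQUIRED_WITHOUT_CONFIG_FILE =
            Arrays.asList("serviceName", "portName", "endpointAddress", "username", "password");

    /** Minimal settings holder (assumed shape; not PicketLink's STSClientConfig). */
    static final class StsSettings {
        final String configFile;       // non-null when the configFile approach is used
        final Map<String, ?> options;  // raw JAAS module options otherwise
        StsSettings(String configFile, Map<String, ?> options) {
            this.configFile = configFile;
            this.options = options;
        }
    }

    /**
     * Resolves STS settings from JAAS module options.
     * Precedence: a non-blank configFile wins; otherwise every option in
     * REQUIRED_WITHOUT_CONFIG_FILE must be present and non-blank.
     */
    static StsSettings resolve(Map<String, ?> moduleOptions) {
        Object configFile = moduleOptions.get("configFile");
        if (configFile != null && !configFile.toString().trim().isEmpty()) {
            return new StsSettings(configFile.toString(), moduleOptions);
        }
        for (String name : REQUIRED_WITHOUT_CONFIG_FILE) {
            Object value = moduleOptions.get(name);
            if (value == null || value.toString().trim().isEmpty()) {
                // Fail at initialisation with the offending option named, instead of
                // letting a null propagate into the STS client call path.
                throw new IllegalArgumentException(
                        "STS login module: neither 'configFile' nor module option '" + name + "' is set");
            }
        }
        return new StsSettings(null, moduleOptions);
    }
}
```

A JAAS login module would call `resolve(options)` from `initialize(...)`, so a misconfigured security-domain is reported when the module is loaded rather than on the first authentication attempt.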
Comment 5 Radim Hatlapatka 2018-01-15 16:44:30 UTC
Thank you for the fix, verified with EAP 6.4.19.CP.CR2

