IBM Websphere Plugin
Apache CXF Fediz ships a plugin to secure an IBM Websphere 7/8 Application Server using WS-Federation.
This page describes how to enable Federation for an IBM Websphere Application Server (WAS) instance hosting Relying Party (RP) applications. This configuration is not for a Websphere instance hosting the Fediz IDP and IDP STS WARs, but for an instance hosting applications that use SAML assertions for authentication. Once this configuration is done, the Websphere RP instance validates the incoming SignInResponse created by the IDP server before it establishes the user's security context.
Before doing this configuration, make sure you have deployed the Fediz IDP and STS on a separate Servlet Container instance as discussed here, and that you can view the STS WSDL at the URL given on that page. That page also provides some tips for running multiple Tomcat instances on one machine.
...
A Trust Association Interceptor (TAI) is a pluggable security component that is installed and configured at the IBM WebSphere Application Server Cell level. Once it is defined in the WAS Security configuration, every managed server in the Cell has the component installed and activated.
A TAI implements the WAS specific interface com.ibm.wsspi.security.tai.TrustAssociationInterceptor. The WAS specific API for customizing the security layer is explained in detail in the IBM WebSphere documentation.
The Fediz plugin for Websphere provides a TAI implementation that delegates the validation of the SignInResponse and the extraction of the claims to the Fediz Core.
...
You have to build the Fediz plugin yourself because it depends on IBM Websphere libraries that you must supply from your own installation.
- Check out the sources: either use the Websphere plugin sources packaged within the downloadable distribution archive, or check out the Fediz sources (see here).
- Add the library runtime.jar of IBM Rational Application Developer to your local Maven repository:
  mvn install:install-file -Dfile=<path-to-file> -DgroupId=com.ibm.ws -DartifactId=runtime -Dversion=7 -Dpackaging=jar
- Run the Maven build with the Websphere profile:
  mvn clean install -Pwebsphere
  The Maven profile websphere (named was in earlier versions) enables building the module plugins/websphere, which the default build skips.
- You'll find the required libraries in plugins/websphere/target/...zip-with-dependencies.zip
...
- Open the Administrative Console with Administrator privileges and navigate to Security / Global security
- Ensure Application security is enabled
- Navigate to Security / Global security / Web and SIP security and select Trust association
- Check the Enable trust association check box
- Select Interceptors
- Click on New and specify the Interceptor class name as org.apache.cxf.fediz.was.tai.FedizInterceptor
- Add the following custom properties to the interceptor:

Property | Value
---|---
config.file.location | Path to the fediz-config.xml file
role.group.mapper | Fully qualified class name of the Role to Group Mapper
groups.mapping.file | Path to the Role to Group mapping file
groups.mapping.refresh.timeout | Refresh time (in seconds) after which the Group mapping file is reloaded
The file defined in groups.mapping.file must have the following structure:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<mapping>
<samlToJ2EE>
<claim>User</claim>
<groups>
<j2eeGroup>Authenticated</j2eeGroup>
<j2eeGroup>Users</j2eeGroup>
</groups>
</samlToJ2EE>
<samlToJ2EE>
<claim>Manager</claim>
<groups>
<j2eeGroup>Manager</j2eeGroup>
<j2eeGroup>Authenticated</j2eeGroup>
</groups>
</samlToJ2EE>
<samlToJ2EE>
<claim>Admin</claim>
<groups>
<j2eeGroup>Admin</j2eeGroup>
<j2eeGroup>Authenticated</j2eeGroup>
</groups>
</samlToJ2EE>
</mapping>
```
A role value defined in the claim element is mapped to the list of Websphere JEE groups defined in its j2eeGroup elements; a role that has no claim entry grants no groups. Finally, these Websphere groups must be mapped to JEE roles in the application's security role to user/group mapping (in the Administrative Console at deployment time or in the application's binding file). This indirection is required within Websphere: the TAI asserts groups for the authenticated user, and the application sees roles only through that group mapping.
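To make the mapping semantics concrete, here is an added Python example (not code from Fediz or its Websphere plugin) that parses a groups.mapping.file document with the structure above and resolves the role values from an assertion to the J2EE groups Websphere will see. The sample document is constructed inline from the page's example; the RefreshingMapping class is a hypothetical illustration of what groups.mapping.refresh.timeout controls, not the plugin's own implementation.

```python
"""Resolve SAML role claims to Websphere J2EE groups from a groups.mapping.file
document.  Added example: a re-implementation of the mapping semantics
described on this page, not code from the Fediz Websphere plugin."""
import time
import xml.etree.ElementTree as ET

# Constructed sample document, copied from the structure shown above.
SAMPLE_MAPPING = """<?xml version="1.0" encoding="UTF-8"?>
<mapping>
  <samlToJ2EE>
    <claim>User</claim>
    <groups><j2eeGroup>Authenticated</j2eeGroup><j2eeGroup>Users</j2eeGroup></groups>
  </samlToJ2EE>
  <samlToJ2EE>
    <claim>Manager</claim>
    <groups><j2eeGroup>Manager</j2eeGroup><j2eeGroup>Authenticated</j2eeGroup></groups>
  </samlToJ2EE>
  <samlToJ2EE>
    <claim>Admin</claim>
    <groups><j2eeGroup>Admin</j2eeGroup><j2eeGroup>Authenticated</j2eeGroup></groups>
  </samlToJ2EE>
</mapping>
"""


def parse_mapping(xml_text):
    """Return {claim value: [j2eeGroup, ...]} for a mapping document.

    Structural problems raise ValueError so that a broken or tampered file
    fails closed instead of silently mapping roles to nothing."""
    root = ET.fromstring(xml_text)
    if root.tag != "mapping":
        raise ValueError("root element must be <mapping>, got <%s>" % root.tag)
    table = {}
    for entry in root.findall("samlToJ2EE"):
        claim = (entry.findtext("claim") or "").strip()
        if not claim:
            raise ValueError("<samlToJ2EE> entry without a <claim> value")
        if claim in table:
            raise ValueError("duplicate <claim> %r" % claim)
        groups = [g.text.strip() for g in entry.findall("groups/j2eeGroup")
                  if g.text and g.text.strip()]
        if not groups:
            raise ValueError("claim %r maps to no <j2eeGroup>" % claim)
        table[claim] = groups
    return table


def groups_for_roles(table, roles):
    """Map the role values carried in a validated assertion to J2EE groups.

    A role without a <claim> entry contributes nothing; the result is
    de-duplicated in first-seen order, so a group such as 'Authenticated'
    that several claims share appears once."""
    groups = []
    for role in roles:
        for group in table.get(role, ()):
            if group not in groups:
                groups.append(group)
    return groups


class RefreshingMapping:
    """Hypothetical illustration of groups.mapping.refresh.timeout: the
    document is re-read at most once per refresh_timeout seconds.  The loader
    and clock are injectable so the behaviour can be exercised without a file."""

    def __init__(self, loader, refresh_timeout, clock=time.monotonic):
        self._loader = loader
        self._timeout = refresh_timeout
        self._clock = clock
        self._table = None
        self._loaded_at = None

    def table(self):
        now = self._clock()
        if self._table is None or now - self._loaded_at >= self._timeout:
            # A ValueError from a bad file propagates to the caller; because
            # the assignment never happens, the previous table is kept.
            self._table = parse_mapping(self._loader())
            self._loaded_at = now
        return self._table


if __name__ == "__main__":
    mapping = parse_mapping(SAMPLE_MAPPING)
    for roles in (["User"], ["User", "Admin"], ["Guest"]):
        print(roles, "->", groups_for_roles(mapping, roles))
```

Feed groups_for_roles only the role values taken from an assertion that the Fediz Core has already validated; the mapping file decides group membership, so treat it with the same file permissions as fediz-config.xml.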
Fediz configuration
The Fediz related configuration is done in a Servlet Container independent configuration file which is described here.
...