Ravi Nori has uploaded a new change for review. Change subject: userportal, webadmin: Congigure to use idp to manage login ......................................................................
userportal, webadmin: Congigure to use idp to manage login

Add config to webadmin and user portal to manage login using idp

Change-Id: Ib31060ae25a1bc687b054a41dd7a339c8b9e5ef3
Bug-Url: https://bugzilla.redhat.com/1092744
Signed-off-by: Ravi Nori <rn...@redhat.com>
---
M frontend/webadmin/modules/userportal-gwtp/pom.xml
A frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/jboss-web.xml
A frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/picketlink-handlers.xml
A frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/picketlink-idfed.xml
M frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/web.xml
M frontend/webadmin/modules/webadmin/pom.xml
A frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/jboss-web.xml
A frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/picketlink-handlers.xml
A frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/picketlink-idfed.xml
M frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/web.xml
10 files changed, 99 insertions(+), 0 deletions(-)

git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/95/34195/1

diff --git a/frontend/webadmin/modules/userportal-gwtp/pom.xml b/frontend/webadmin/modules/userportal-gwtp/pom.xml
index 8dfef94..5856256 100644
--- a/frontend/webadmin/modules/userportal-gwtp/pom.xml
+++ b/frontend/webadmin/modules/userportal-gwtp/pom.xml
@@ -136,6 +136,11 @@
 <type>test-jar</type>
 <scope>test</scope>
 </dependency>
+ <dependency>
+ <groupId>${engine.core.groupId}</groupId>
+ <artifactId>idpfilters</artifactId>
+ <version>${engine.version}</version>
+ </dependency>
 </dependencies>
 <build>
 <outputDirectory>${project.build.directory}/${project.build.finalName}/WEB-INF/classes
diff --git a/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/jboss-web.xml b/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/jboss-web.xml
new file mode 100644
index 0000000..1b0201a
--- /dev/null
+++ b/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/jboss-web.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jboss-web>
+ <!-- You must have a security-domain configured in your JBoss EAP instance. The security-domain is necessary to provide user
+ authentication and roles mappings. In this case,we need a specific JAAS LoginModule that knows how to extract user's information from a SAML Assertion previously
+ issued by the Identity Provider. -->
+ <security-domain>sp</security-domain>
+
+ <!-- You must configure one of the PicketLink Authenticators to get enable SAML-based SSO. Identity Providers and Service Providers
+ have different authenticators. In this case we're configuring an Service Provider, so we authenticator above is required. -->
+ <valve>
+ <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
+ </valve>
+</jboss-web>
diff --git a/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/picketlink-handlers.xml b/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/picketlink-handlers.xml
new file mode 100644
index 0000000..233aa9f
--- /dev/null
+++ b/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/picketlink-handlers.xml
@@ -0,0 +1,8 @@
+<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
+ <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
+ <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
+ <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
+ <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler" >
+ <Option Key="ATTRIBUTE_ KEYS" Value="picketlink.roles"/>
+ </Handler>
+</Handlers>
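Review bot: `<security-domain>sp</security-domain>` binds the portal to a JAAS domain that nothing in this change defines; the diffstat lists only frontend modules, so the `sp` domain and the SAML-aware login module the comment says it requires must already exist in the EAP configuration or be provisioned by another change, and that dependency should be stated in the commit message or in the comment. The second comment also has wording errors that obscure its intent (`to get enable SAML-based SSO`, `an Service Provider`, and `so we authenticator above is required`, which points at nothing above it); suggested replacement: `<!-- A Service Provider needs the PicketLink ServiceProviderAuthenticator valve below; Identity Providers use a different authenticator. -->`. The same blob (1b0201a) is added for webadmin, so both copies need the same fix.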
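Review bot: `Key="ATTRIBUTE_ KEYS"` on the SAML2AttributeHandler option has a space inside the key name; the documented PicketLink option is `ATTRIBUTE_KEYS`, and the handler matches it literally, so as written the `picketlink.roles` attribute would not be read and role mapping would silently fall back to whatever RolesGenerationHandler produces. If the space is only an artifact of the mail rendering, please confirm against the committed file. Suggested line: `<Option Key="ATTRIBUTE_KEYS" Value="picketlink.roles"/>`. The webadmin copy is the same blob (233aa9f) and needs the same correction.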
diff --git a/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/picketlink-idfed.xml b/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/picketlink-idfed.xml
new file mode 100644
index 0000000..820937c
--- /dev/null
+++ b/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/picketlink-idfed.xml
@@ -0,0 +1,5 @@
+<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
+ ServerEnvironment="tomcat" BindingType="POST">
+ <IdentityURL>${idp.url::/ovirt-engine/idp/}</IdentityURL>
+ <ServiceURL>${userportal.url::/ovirt-engine/userportal/?locale=en_US}</ServiceURL>
+</PicketLinkSP>
diff --git a/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/web.xml b/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/web.xml
index b5c067d..dd3947a 100644
--- a/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/web.xml
+++ b/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/web.xml
@@ -30,6 +30,15 @@
 </filter-mapping>
 <filter>
+ <filter-name>EngineIDPLoginFilter</filter-name>
+ <filter-class>org.ovirt.engine.core.idp.filters.EngineIDPLoginFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>EngineIDPLoginFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
+ <filter>
 <filter-name>BasicAuthenticationFilter</filter-name>
 <filter-class>org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter</filter-class>
 <init-param>
@@ -157,8 +166,18 @@
 <user-data-constraint>
 <transport-guarantee>NONE</transport-guarantee>
 </user-data-constraint>
+ <auth-constraint>
+ <role-name>user</role-name>
+ </auth-constraint>
 </security-constraint>
+ <!-- Security roles referenced by this web application -->
+ <security-role>
+ <description>The role that is required to log in to the Manager Application</description>
+ <role-name>user</role-name>
+ </security-role>
+
+
 <session-config>
 <cookie-config>
 <http-only>true</http-only>
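Review bot: The `PicketLinkSP` element declares no `<Trust>`/`<Domains>` list, no `<KeyProvider>` and no `SupportsSignatures="true"`, so whether the SP verifies the signature on the SAML response posted back to `/ovirt-engine/userportal/` and restricts which issuer it accepts is left to PicketLink defaults; for the component that gates login those settings should be explicit, or a comment should say why the deployment does not need them. Separately, `<ServiceURL>` hard-codes `?locale=en_US`, so a user who began in another locale lands in the English UI after the IdP round-trip. The webadmin `picketlink-idfed.xml` has the same two issues with `${webadmin.url::/ovirt-engine/webadmin/?locale=en_US}`.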
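Review bot: In the second hunk the new `<auth-constraint>` makes the constrained resources require authentication, yet the constraint keeps `<transport-guarantee>NONE</transport-guarantee>`, so the container does not force the SAML POST or the resulting session cookie onto TLS; if TLS is terminated in front of the engine that is intentional and deserves a one-line comment, otherwise `CONFIDENTIAL` is the expected value. The `<security-constraint>` this belongs to starts above the hunk. The `<description>` copied into the user portal descriptor still says `Manager Application`; `<description>The role that is required to log in to the User Portal</description>` would match this module.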
diff --git a/frontend/webadmin/modules/webadmin/pom.xml b/frontend/webadmin/modules/webadmin/pom.xml
index 71c708c..2c71ab8 100644
--- a/frontend/webadmin/modules/webadmin/pom.xml
+++ b/frontend/webadmin/modules/webadmin/pom.xml
@@ -136,6 +136,11 @@
 <type>test-jar</type>
 <scope>test</scope>
 </dependency>
+ <dependency>
+ <groupId>${engine.core.groupId}</groupId>
+ <artifactId>idpfilters</artifactId>
+ <version>${engine.version}</version>
+ </dependency>
 </dependencies>
 <build>
 <outputDirectory>${project.build.directory}/${project.build.finalName}/WEB-INF/classes
diff --git a/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/jboss-web.xml b/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/jboss-web.xml
new file mode 100644
index 0000000..1b0201a
--- /dev/null
+++ b/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/jboss-web.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jboss-web>
+ <!-- You must have a security-domain configured in your JBoss EAP instance. The security-domain is necessary to provide user
+ authentication and roles mappings. In this case,we need a specific JAAS LoginModule that knows how to extract user's information from a SAML Assertion previously
+ issued by the Identity Provider. -->
+ <security-domain>sp</security-domain>
+
+ <!-- You must configure one of the PicketLink Authenticators to get enable SAML-based SSO. Identity Providers and Service Providers
+ have different authenticators. In this case we're configuring an Service Provider, so we authenticator above is required. -->
+ <valve>
+ <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
+ </valve>
+</jboss-web>
diff --git a/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/picketlink-handlers.xml b/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/picketlink-handlers.xml
new file mode 100644
index 0000000..233aa9f
--- /dev/null
+++ b/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/picketlink-handlers.xml
@@ -0,0 +1,8 @@
+<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
+ <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
+ <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
+ <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
+ <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler" >
+ <Option Key="ATTRIBUTE_ KEYS" Value="picketlink.roles"/>
+ </Handler>
+</Handlers>
diff --git a/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/picketlink-idfed.xml b/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/picketlink-idfed.xml
new file mode 100644
index 0000000..de22e5e
--- /dev/null
+++ b/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/picketlink-idfed.xml
@@ -0,0 +1,5 @@
+<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
+ ServerEnvironment="tomcat" BindingType="POST">
+ <IdentityURL>${idp.url::/ovirt-engine/idp/}</IdentityURL>
+ <ServiceURL>${webadmin.url::/ovirt-engine/webadmin/?locale=en_US}</ServiceURL>
+</PicketLinkSP>
diff --git a/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/web.xml b/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/web.xml
index 93836f9..d7162b3 100644
--- a/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/web.xml
+++ b/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/web.xml
@@ -21,6 +21,15 @@
 <param-value>..</param-value>
 </context-param>
 <filter>
+ <filter-name>EngineIDPLoginFilter</filter-name>
+ <filter-class>org.ovirt.engine.core.idp.filters.EngineIDPLoginFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>EngineIDPLoginFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
+ <filter>
 <filter-name>SessionValidationFilter</filter-name>
 <filter-class>org.ovirt.engine.core.aaa.filters.SessionValidationFilter</filter-class>
 </filter>
@@ -164,8 +173,17 @@
 <user-data-constraint>
 <transport-guarantee>NONE</transport-guarantee>
 </user-data-constraint>
+ <auth-constraint>
+ <role-name>user</role-name>
+ </auth-constraint>
 </security-constraint>
+ <!-- Security roles referenced by this web application -->
+ <security-role>
+ <description>The role that is required to log in to the Manager Application</description>
+ <role-name>admin</role-name>
+ </security-role>
+
 <session-config>
 <cookie-config>
 <http-only>true</http-only>
--
To view, visit http://gerrit.ovirt.org/34195
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib31060ae25a1bc687b054a41dd7a339c8b9e5ef3
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Ravi Nori <rn...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
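Review bot: In the second hunk the new `<auth-constraint>` requires `<role-name>user</role-name>`, while the `<security-role>` declared directly below it is `admin`, so the role the constraint references is never declared and the declared role is never referenced. Given the description (`The role that is required to log in to the Manager Application`) the constraint presumably should read `<role-name>admin</role-name>`; as written, any principal the `sp` domain maps to `user` satisfies the webadmin constraint at the container level, and the difference from the user portal is lost. The enclosing `<security-constraint>` starts above the hunk. The userportal descriptor uses `user` in both places, which looks like the template this was copied from.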