Thread: OpenID for Web Apps?

Replies: 26 - Last Post: Oct 17, 2008 12:27 PM by: monzillo
rsoika

Posts: 62
OpenID for Web Apps?
Posted: Jul 11, 2008 2:41 AM
 

Hi,

Does anybody know if there is an authentication provider available which allows using OpenIDs in Glassfish easily? I want to authenticate users in a web application hosted on Glassfish on the internet.

I found out that wso2.org supplies a Java library to be built into a web app.

http://wso2.org/project/solutions/identity/1.5/docs/index_docs.html

and also sxip.com:
http://code.sxip.com/openid4java/

Does anyone have experience with these libraries, or are there better solutions available?

Thanks for help
Ralph

monzillo

Posts: 181
Re: OpenID for Web Apps?
Posted: Jul 15, 2008 7:57 AM   in response to: rsoika

We have developed a prototype OpenID 1.1 authentication module that integrates into Glassfish using the technique defined in:

http://blogs.sun.com/enterprisetechtips/entry/adding_authentication_mechanisms_to_the

We will be making the OpenID auth module available under the OpenSSO project, where it will be available for community contribution.

The auth module has minimal external dependencies, will be applicable to existing applications without reassembly or recompilation, and should be installable in any JSR 196 compatible Servlet container.

Ron

Integration of the auth module in Glassfish allows the Glassfish application server to be a consumer of OpenIDs.

rsoika

Posts: 62
Re: OpenID for Web Apps?
Posted: Jul 16, 2008 1:06 PM   in response to: monzillo
 

Hi,

thanks for your responses! This sounds good.
We will try this out and also post our results later here.

Thanks
Ralph

rsoika

Posts: 62
Re: OpenID for Web Apps?
Posted: Oct 8, 2008 2:58 PM   in response to: monzillo
 

Hi Ron,

I have checked out the sources of the "OpenID Extension for OpenSSO"
https://opensso.dev.java.net/public/extensions/openid/

I assume that this is the module you are talking about?
I have successfully built the war and deployed it into my Glassfish server.
So now I can see a nice picture when I call the /service servlet.

But after all I did not understand what to do with this module.
So I have two questions:

1.) Is the "OpenID Extension for OpenSSO" the auth module you are talking about?
2.) Is there an example of how I have to configure this module in my Glassfish server so my existing EAR application will use an OpenID provider to authenticate a user?

At the moment I am absolutely stranded and feel far, far away from my goal of authenticating users with an OpenID.

thanks for any additional help
ralph

monzillo

Posts: 181
Re: OpenID for Web Apps?
Posted: Oct 9, 2008 6:52 AM   in response to: rsoika
 

Hi Ralph,


>
> 1.) Is the "OpenID Extension for OpenSSO" the auth
> module you are talking about?

No, I was referring to the SAM which is under development at

https://opensso.dev.java.net/source/browse/opensso/extensions/jsr196/source/com/sun/security/sam/

The SAM was functional when it was developed more than a year ago, but it is currently being simplified and improved (especially its identity page parsing) to match the various OpenID providers which have since come online.

The SAM is relatively easy to configure. After the sources have been built and packaged in a jar, the jar is installed on Glassfish and bound to one or more apps as described for the sample SAM in the following tech tip.

http://blogs.sun.com/enterprisetechtips/entry/adding_authentication_mechanisms_to_the

Ron

rsoika

Posts: 62
Re: OpenID for Web Apps?
Posted: Oct 9, 2008 7:31 AM   in response to: monzillo
 

hi Ron,

Thanks for the clarification. These sources are much newer and match the ServerAuthModule you explained in your blog.
I will try to build this and follow your tech tip now...

ralph

monzillo

Posts: 181
Re: OpenID for Web Apps?
Posted: Oct 9, 2008 8:06 AM   in response to: rsoika
 

Ralph,

That sounds good. I have also asked the folks who are actively working on the SAM to watch this thread.

Ron

rsoika

Posts: 62
Re: OpenID for Web Apps?
Posted: Oct 9, 2008 2:41 PM   in response to: monzillo
 

Hi Ron,

Now I have made one step forward :-)
I compiled the OpenSSO jsr196 module and deployed the jar successfully on my Glassfish server.
I followed your configuration tips:
http://blogs.sun.com/enterprisetechtips/entry/adding_authentication_mechanisms_to_the

So I added the 'com.sun.security.sam.openid.OpenIDServerAuthModule' class as my Message Security HttpServlet and named it 'OpenID'.

Next I added the httpservlet-security-provider attribute to my sun-web.xml.
Now my sun-web.xml looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<sun-web-app error-url="" httpservlet-security-provider="OpenID">
<context-root>/sywapp</context-root>
<security-role-mapping>
<role-name>org.imixs.ACCESSLEVEL.MANAGERACCESS</role-name>
<principal-name>org.imixs.ACCESSLEVEL.MANAGERACCESS</principal-name>
</security-role-mapping>
<class-loader delegate="true" />
<jsp-config>
<property name="keepgenerated" value="true">
<description>Keep a copy of the generated servlet class java
code.</description>
</property>
</jsp-config>
</sun-web-app>

OK - now when I open my application I see an input field where I can type in my OpenID account URL. This is great :-)
I tried to log in with my "MyOpenID.com" account name, which is like "http://myaccountname.myopenid.com"

But after I submit the form I receive an Error 500 and get a SAXParseException :-(

This exception happens in 'parseOpenIDPage' of class com.sun.security.sam.openid.OpenIDServerAuthModule.
I changed the code and debugged it to find out what the site "myopenid.com" answers. And yes, the response page from myopenid.com is a simple HTML page which tells me something like:

"..This is an OpenID Identity page. This user has chosen not to display any information on this page..."

nothing else. I understand that the XML parser is not sold on this HTML code.

So I fear I have to ask my next stupid question: the URL which I give to the OpenIDServerAuthModule seems not to be my "MyOpenID account name", e.g. "http://myaccount.openid.com"?

What I expected was that I get redirected to a login page on myOpenID.com. But this did not happen.
Can you help me on this point? I feel I am very near to hitting my target.

Ralph

raghuveerp

Posts: 3
Re: OpenID for Web Apps?
Posted: Oct 9, 2008 8:19 PM   in response to: rsoika
 

Hello Ralph,

Even I hit the same problem, and while debugging found that 'parseOpenIDPage' is the method at which we get the SAXParser exception. I talked to Kumar, who is helping me on this, and he came up with a solution of testing this code locally by storing the returned page.

Just to test this code, we used the returned HTML page from the OpenID provider and used it locally instead of hitting the OpenID provider's server. Kumar tested this by changing the DTD declaration in line no 1 of this page to <http:// and tried again. It went one step ahead but it hits some other exception later.

Later he suggested that instead of working with the XML parser, we should replace it with an HTML parser, as it seems that the written stream is in HTML format instead of XML format for most of the OpenID providers. Kumar and I are working on this and will get back to you as soon as possible.

- Raghuveer.

rsoika

Posts: 62
Re: OpenID for Web Apps?
Posted: Oct 10, 2008 11:40 AM   in response to: raghuveerp
 

Hi,

Yes, I made some tests and I agree with you that the response of the OpenID providers is not XHTML (e.g. myopenid.com).
So I wrote a simple HTML parser method to get out the expected values.
But this also did not work :-(
I recognize that you expect two <link> tags

rel=openid.server
rel=openid.delegate

but myopenid.com did not provide the second one. It provides

rel="openid.server" href="http://www.myopenid.com/server"
rel="openid2.provider" href="http://www.myopenid.com/server"

Could this be the problem?
After changing the OpenIDServerAuthModule class to use my simple htmlParser method, the login process now ends with the following last message:


[#|2008-10-10T20:26:20.031+0200|INFO|sun-appserver9.1|com.sun.security.sam.ServletAuthModule|_ThreadID=14;_ThreadName=httpSSLWorkerThread-8080-0;|keyjavax.security.jacc.PolicyContext value org.imixs.shareyourwork.ear-0.9.2/org.imixs.shareyourwork.sywapp-0.6.0_war|#]

[#|2008-10-10T20:26:20.033+0200|INFO|sun-appserver9.1|com.sun.security.sam.ServletAuthModule|_ThreadID=14;_ThreadName=httpSSLWorkerThread-8080-0;|jmac.debug_is_set_to false|#]

[#|2008-10-10T20:26:20.541+0200|WARNING|sun-appserver9.1|com.sun.security.sam.ServletAuthModule|_ThreadID=14;_ThreadName=httpSSLWorkerThread-8080-0;http://www.myopenid.com/server;_RequestID=82c45d07-1c3a-4b09-8db8-d004ed3f3f1e;|openid.associate_failed_to_idp|#]


There is now a RequestID :-) and I can also see on my myopenid site that there was a request. But it did not complete :-(

Should I send you my changes? It's not a spectacular method I added....

Ralph

monzillo

Posts: 181
Re: OpenID for Web Apps?
Posted: Oct 10, 2008 12:32 PM   in response to: rsoika
 

Hi Ralph,

Of the two values, only the openid.server value needs to be found. The other is used for delegation, which is not supported by the SAM (at this time).

If you want to post your proposed changes, that would be great. Based on the log msg, there appears to have been a problem in setting up the association to the idp, which occurs in AssociationManager.getAssociationHandle.

If you want to try to debug this further, you might be able to get a bit more debugging info by initializing the provider with the "debug" and "debug.stages=association" options. You can configure these options via the admin console (as part of the message provider config).

Ron
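An added example of the identity-page discovery step the last two posts discuss. It is not code from the OpenSSO SAM or from this thread; the class and method names are mine, and the identity page is a constructed one in the style of the myopenid.com page quoted above (plain HTML rather than XHTML, openid.server and openid2.provider present, no openid.delegate). It scans <link> tags with a lenient regex instead of an XML parser, treats openid.server as required, treats openid.delegate as optional (falling back to the claimed identifier), and refuses a server endpoint that is not an http(s) URL, since the endpoint comes from a page the consumer did not author.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: lenient OpenID identity-page discovery for plain (non-XHTML) HTML.
public class OpenIdDiscovery {

    // Each <link ...> element, case-insensitive; no XML well-formedness required.
    private static final Pattern LINK =
        Pattern.compile("<link\\b([^>]*)>", Pattern.CASE_INSENSITIVE);
    // name="v", name='v' or name=v inside the tag body.
    private static final Pattern ATTR = Pattern.compile(
        "([\\w.:-]+)\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s\"'>]+))");

    /** Returns rel -> href for every link whose rel token starts with "openid". */
    static Map<String, String> discover(String html) {
        Map<String, String> found = new LinkedHashMap<>();
        Matcher links = LINK.matcher(html);
        while (links.find()) {
            String inner = links.group(1).trim();
            if (inner.endsWith("/")) inner = inner.substring(0, inner.length() - 1); // <link ... />
            Map<String, String> attrs = new LinkedHashMap<>();
            Matcher a = ATTR.matcher(inner);
            while (a.find()) {
                String value = a.group(2) != null ? a.group(2)
                             : a.group(3) != null ? a.group(3) : a.group(4);
                attrs.put(a.group(1).toLowerCase(Locale.ROOT), value);
            }
            String rel = attrs.get("rel");
            String href = attrs.get("href");
            if (rel == null || href == null) continue;
            // rel may carry several whitespace-separated tokens; first occurrence wins.
            for (String token : rel.trim().toLowerCase(Locale.ROOT).split("\\s+")) {
                if (token.startsWith("openid")) found.putIfAbsent(token, href.trim());
            }
        }
        return found;
    }

    /** openid.server is required, and only http(s) endpoints are accepted. */
    static String serverEndpoint(Map<String, String> rels) {
        String endpoint = rels.get("openid.server");
        if (endpoint == null) {
            throw new IllegalStateException("identity page has no openid.server link");
        }
        String lower = endpoint.toLowerCase(Locale.ROOT);
        if (!lower.startsWith("http://") && !lower.startsWith("https://")) {
            throw new IllegalStateException("refusing non-http endpoint: " + endpoint);
        }
        return endpoint;
    }

    /** openid.delegate is optional; without it the claimed identifier is used as-is. */
    static String delegateOrClaimed(Map<String, String> rels, String claimedId) {
        return rels.getOrDefault("openid.delegate", claimedId);
    }

    public static void main(String[] args) {
        // Constructed page modelled on the myopenid.com identity page quoted in the thread.
        String page = "<html><head>\n"
            + "<LINK rel=\"openid.server\" href=\"http://www.myopenid.com/server\">\n"
            + "<link rel='openid2.provider' href='http://www.myopenid.com/server'>\n"
            + "<title>OpenID identity page</title></head>\n"
            + "<body><p>This user has chosen not to display any information on this page."
            + "</body></html>";
        Map<String, String> rels = discover(page);
        System.out.println("server:   " + serverEndpoint(rels));
        System.out.println("delegate: " + delegateOrClaimed(rels, "http://example.invalid/alice"));
        System.out.println("all:      " + rels);
    }
}
```

The scan deliberately covers the whole document rather than only <head>, and a production consumer would additionally cap the size of the fetched page and the number of redirects followed before handing the bytes to this routine.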

rsoika

Posts: 62
Re: OpenID for Web Apps?
Posted: Oct 10, 2008 1:35 PM   in response to: monzillo
 

hi,

This is the method I added to replace the XML parser call in parseOpenIDPage.
So I changed

SAXParser parser = factory.newSAXParser();
parser.parse(doc, new ParserHandler(queries));

with

parseHTMLPage(doc, queries);

I removed the incomplete source code and attached the source file to this thread.


Message was edited by: rsoika

raghuveerp

Posts: 3
Re: OpenID for Web Apps?
Posted: Oct 12, 2008 4:08 AM   in response to: rsoika
 

Can you please tell me what you are trying to do here at

String sTag = "", iStartPos + 1);
if (iEndPos > -1) {
String sSingleTag = sHTML.substring(iStartPos, iEndPos);
iStartPos = iEndPos + 1;

What are iStartPos & iEndPos? Have you defined them earlier?

Also, what is

String sTag = "", iStartPos + 1); ?

rsoika

Posts: 62
Re: OpenID for Web Apps?
Posted: Oct 12, 2008 1:33 PM   in response to: raghuveerp
 

Sorry for that bad posting. I will send you the sources by email now....

rsoika

Posts: 62
Re: OpenID for Web Apps?
Posted: Oct 12, 2008 1:39 PM   in response to: rsoika
 

This is the complete source file of the OpenIDServerAuthModule with my changes.

monzillo

Posts: 181
Re: OpenID for Web Apps?
Posted: Oct 14, 2008 12:50 PM   in response to: rsoika
 

Hi Ralph,

I updated the SAM src in the OpenSSO repository such that the Base64Helper is self-contained, and I improved the token processing code of the AssociationManager to deal with OpenID "extensions" (presumably for info card, or perhaps for 2.0) that were added some time after the POC was developed.

The problem with the identity page parsing still exists, but I thought I'd leave that to Raghu, you and Kumar to determine what the best strategy is for parsing the identity page. Maybe the "GET" of the page can establish the expected return content type.

In any event, with the checked-in changes, I was able to successfully configure the SAM and use it to process the auth-constraints of a sample web application. To do this, I had to work around the identity page parsing problem, for which you have provided a solution (in OpenIDServerAuthModule)...

So I think you should be able to take the 2 pieces I just checked in and use them in combination with your SAM (which can parse the identity page).

Thanks, and please continue to let us know the status of your work on this. Kumar and I are discussing the procedure for enabling other committers, so please bear with us until we sort that out.

Ron

ps: please be aware that this SAM is still in an experimental state, and should most certainly NOT be presumed to be safe for anything except proof-of-concept.

Message was edited by: monzillo

rsoika

Posts: 62
Re: OpenID for Web Apps?
Posted: Oct 15, 2008 10:09 AM   in response to: monzillo
 

Hi Ron,

Thanks for your response.
I have good news - it seems to work now in my case too!
In the last days I built different SAMs with other libraries and so I learned to understand the SAM better.
I hope that my test scenario is not kidding me at the moment. But the AssociationManager seems to work perfectly now.
Next I will continue work on the OpenIDServerAuthModule class. I now understand your code better and I think I found a way to improve the respondWithLoginForm method a little bit. I want to add the following: if the configuration supports a loginform_url, the method does not respond with a default form but with a user-defined form/page. This allows me to implement an OpenID login form in my application (which is a RichFaces web app with a lot of design squiggles).
I tested this in another SampleSAM and I am confident that I am able to include this additional feature. For this I need to make some changes in the validateRequest method.

So in the next days I will work on that and I will post my code with comments after this.

For the moment I am optimistic again to hit my goals.... - thanks again.
Best regards
ralph

rsoika

Posts: 62
Re: OpenID for Web Apps?
Posted: Oct 15, 2008 10:21 AM   in response to: rsoika
 

Another thing I forgot to post:
I have changed the method initSavedRequest in the SavedHttpServletRequest.
To me it seems that the following is incorrect - ?

parameters = new Hashtable();
Enumeration pNames = request.getParameterNames();
while (pNames.hasMoreElements()) {
String name = (String) aNames.nextElement();
parameters.put(name, request.getParameterValues(name));
}

This throws an exception in my tests. I changed "aNames" to "pNames" in the while block.

rsoika

Posts: 62
Re: OpenID for Web Apps?
Posted: Oct 16, 2008 11:38 PM   in response to: monzillo
 

Hi Ron, Raghu and Kumar,

What do you think about a move to the kenai project site? http://kenai.com/

I think this could be a good place for us to exchange our ideas and current development around JSR196 / OpenID. We can use a separate issue tracker and discussion forum. And maybe it would be possible that I am allowed to check in my changes into a separate branch?
This would be much easier for me than at the moment, where I use an Imixs Subversion repository.
I would also be disposed to write some wikis, as I think a lot of people are interested in this concept of binding a Glassfish application to an OpenID provider. But such a project must not be bound to OpenID authentication.

What do you think about this? We from Imixs are also driving an open source project and we are interested in sharing knowledge and work.

ralph

monzillo

Posts: 181
Re: OpenID for Web Apps?
Posted: Oct 17, 2008 12:27 PM   in response to: rsoika
 

Hi Ralph,

We would very much welcome your contributions to the project where it currently is. There is an issue tracker facility in place, and I have asked that a separate category be created for 196-extensions. The OpenSSO project wiki is at http://wiki.opensso.org, and we will create a sub-page for 196-extensions, and could provide you with developer access. Also, the entire OpenSSO project is in the process of migrating from CVS to Mercurial or perhaps Subversion; the ultimate choice will be based on the wishes of the community.

To become a contributor, one has to sign the Contributor Agreement at:
https://opensso.dev.java.net/public/about/governance/sca.html.

Once the above is in place, we would follow approximately the following commit procedure:

1. make sure there is a corresponding issue in the issue tracker
2. get a code review by an authorized project member
3. put the diffs in the issue
4. commit

we would keep in sync via email of course,

Ron

PS: fwiw, if the project were to move to another repository, Kumar and I would not be able to contribute to it without first getting approval via our internal Open Source Contributor process, which is not a trivial process.

rsoika

Posts: 62
Re: OpenID for Web Apps?
Posted: Oct 10, 2008 1:43 PM   in response to: monzillo
 

Hi Ron,

I added the debug values and receive the following information:

[#|2008-10-10T22:39:39.688+0200|INFO|sun-appserver9.1|com.sun.security.sam.ServletAuthModule|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;|keydebug.stages value association|#]

[#|2008-10-10T22:39:39.688+0200|INFO|sun-appserver9.1|com.sun.security.sam.ServletAuthModule|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;|keyjavax.security.jacc.PolicyContext value org.imixs.shareyourwork.ear-0.9.2/org.imixs.shareyourwork.sywapp-0.6.0_war|#]

[#|2008-10-10T22:39:39.689+0200|INFO|sun-appserver9.1|com.sun.security.sam.ServletAuthModule|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;|keydebug value true|#]

[#|2008-10-10T22:39:39.689+0200|INFO|sun-appserver9.1|com.sun.security.sam.ServletAuthModule|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;|jmac.debug_is_set_to true|#]

[#|2008-10-10T22:39:39.689+0200|INFO|sun-appserver9.1|com.sun.security.sam.ServletAuthModule|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;
Request: http://localhost:8080/sywapp/openid_login
UserPrincipal: null
AuthType: null
Headers:
host localhost:8080
user-agent Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.0.3) Gecko/2008092510 Ubuntu/8.04 (hardy) Firefox/3.0.3
accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
accept-encoding gzip,deflate
accept-charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
keep-alive 300
connection keep-alive
referer http://localhost:8080/sywapp/
cookie JSESSIONID=87c151e1e49516ef16beddbe5fe0; JSESSIONID=87a116a5be16804e6f1aa405ccbd; form:tree-hi=form:tree:configuration:security:messageSecurity:comsunappservtypemessage-security-confignameHttpServletconfigserver-configcategoryconfig
;|jmac.servlet_request|#]

[#|2008-10-10T22:39:40.216+0200|WARNING|sun-appserver9.1|com.sun.security.sam.ServletAuthModule|_ThreadID=15;_ThreadName=httpSSLWorkerThread-8080-0;http://www.myopenid.com/server;_RequestID=d074751d-6ad1-4463-8d26-c30af1c38a42;|openid.associate_failed_to_idp|#]

rsoika

Posts: 62
Re: OpenID for Web Apps?
Posted: Oct 10, 2008 2:14 PM   in response to: rsoika
 

OK, the problem seems to occur in the Base64Helper.
...
java.lang.ArrayIndexOutOfBoundsException: -3
at org.apache.tomcat.util.buf.Base64.encode(Base64.java:159)

I will try to debug this further...

rsoika

Posts: 62
Re: OpenID for Web Apps?
Posted: Oct 10, 2008 2:45 PM   in response to: rsoika
 

hi Ron,

Yes, I succeeded now! :-)
After I added a Base64 class which I have used for years, everything seems to work now! :-)
I get redirected to the "myOpenID.com" site and can confirm the authentication process.

I can't post the code of my class because of the source code encoding in this editor....?
If you like I can send you this by email?
The class will also break the org.apache.tomcat.util.buf.Base64 dependency?

Ralph

Message was edited by: rsoika

rsoika

Posts: 62
Re: OpenID for Web Apps?
Posted: Oct 11, 2008 4:45 AM   in response to: rsoika
 

Hi Ron,

After a long period of debugging I have come to the conclusion that it does not work :-(
I found out that in the method verifyToken(Map token) of the AssociationManager the comparison of the two signatures fails every time.
All the data I received from my OpenID server looks really good. But I did not understand the method call:

Mac mac = Mac.getInstance("HmacSHA1");
mac.init(a.getMacKey());
String signature = new String(Base64Helper.encode(mac.doFinal(bytes)));

The resulting signature is not equal to the string in my token map

String msgSignature = (String) token.get("openid.sig");

I am not able to understand the method, so I cannot help myself any further.
For example, my token object looks like this:

openid.signed=assoc_handle,identity,mode,op_endpoint,response_nonce,return_to,signed, openid.sig=7ezVn1jnG3eJKbOwN/W/OKmbyGU=,
openid.identity=http://rsoika.myopenid.com/,
openid.mode=id_res,
openid.assoc_handle={HMAC-SHA1}{48f0840d}{6l8sWw==},
openid.return_to=http://localhost:8080/sywapp/}

and the token_contents StringBuffer from which you generate the signature looks like this

assoc_handle:{HMAC-SHA1}{48f0840d}{6l8sWw==}
identity:http://rsoika.myopenid.com/
mode:id_res
op_endpoint:null
response_nonce:null
return_to:http://localhost:8080/sywapp/
signed:assoc_handle,identity,mode,op_endpoint,response_nonce,return_to,signed

Can you help me here to find out what the problem could be?

Thanks
ralph
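An added example, not code from the OpenSSO AssociationManager or from this thread, of the check that verifyToken performs: rebuild the signed string from the fields named in openid.signed (each as "field:value" followed by a newline, in the listed order), compute HMAC-SHA1 with the association MAC key, base64 it and compare with openid.sig. It also covers the Base64 point raised earlier in the thread by using the JDK's java.util.Base64 (Java 8 and later; an assumption about the reader's JDK) in place of Base64Helper or the Tomcat Base64 class. The MAC key, identity URL and association handle are constructed placeholders. One design choice is worth spelling out: the token_contents quoted above carries the literal text "null" for op_endpoint and response_nonce, which were listed in openid.signed but not present in the token; this example fails closed in that situation instead of signing over "null", and uses a constant-time comparison for the final check.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example: OpenID 1.1/2.0 id_res signature check with the association MAC key.
public class OpenIdSignatureCheck {

    /**
     * Rebuilds the signed string: for every field named in openid.signed, in that order,
     * "field:value\n". A listed field that is missing from the response is an error;
     * the string "null" is never serialised in its place.
     */
    static String signedContents(Map<String, String> token) {
        String signed = token.get("openid.signed");
        if (signed == null) throw new IllegalArgumentException("openid.signed is missing");
        StringBuilder contents = new StringBuilder();
        for (String field : signed.split(",")) {
            field = field.trim();
            String value = token.get("openid." + field);
            if (value == null) {
                throw new IllegalArgumentException(
                    "field listed in openid.signed but absent from response: " + field);
            }
            contents.append(field).append(':').append(value).append('\n');
        }
        return contents.toString();
    }

    /** HMAC-SHA1 over the signed contents, base64 encoded (the shape of openid.sig). */
    static String sign(byte[] macKey, String contents) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(macKey, "HmacSHA1"));
        byte[] digest = mac.doFinal(contents.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    /** True only if openid.sig matches the recomputed value; comparison is constant-time. */
    static boolean verify(Map<String, String> token, byte[] macKey) throws Exception {
        String presented = token.get("openid.sig");
        if (presented == null) return false;
        String expected = sign(macKey, signedContents(token));
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed MAC key; in the real flow it is the decoded mac_key from the association.
        byte[] macKey = "constructed-mac-key-for-demo".getBytes(StandardCharsets.UTF_8);

        // Constructed id_res response in the shape of the token quoted in the thread.
        Map<String, String> token = new LinkedHashMap<>();
        token.put("openid.mode", "id_res");
        token.put("openid.identity", "http://example.invalid/alice");     // placeholder
        token.put("openid.assoc_handle", "{HMAC-SHA1}{constructed}{AAAA}"); // placeholder
        token.put("openid.return_to", "http://localhost:8080/sywapp/");
        token.put("openid.signed", "assoc_handle,identity,mode,return_to,signed");
        token.put("openid.sig", sign(macKey, signedContents(token)));  // what the OP would send
        System.out.println("genuine response verifies: " + verify(token, macKey));   // true

        // Tampered identity: the recomputed digest no longer matches openid.sig.
        Map<String, String> tampered = new LinkedHashMap<>(token);
        tampered.put("openid.identity", "http://example.invalid/mallory");
        System.out.println("tampered response verifies: " + verify(tampered, macKey)); // false

        // openid.signed names op_endpoint and response_nonce, but they were never sent.
        Map<String, String> incomplete = new LinkedHashMap<>(token);
        incomplete.put("openid.signed",
            "assoc_handle,identity,mode,op_endpoint,response_nonce,return_to,signed");
        try {
            verify(incomplete, macKey);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

When comparing against a real provider response, the bytes that go into the Mac must be exactly the ones the provider signed; a stray character (a "null", a missing trailing newline, a different field order) changes every bit of the digest, so logging the rebuilt contents next to the provider's openid.signed list is the quickest way to localise a mismatch.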

prabathsiriward...

Posts: 1
Re: OpenID for Web Apps?
Posted: Jul 16, 2008 2:53 AM   in response to: rsoika

Hi Ralph

WSO2 OpenID Provider, out of the box runs on WSAS [1].

WSAS can be deployed on Apache Tomcat Server, JBoss AS or Apache Geronimo AS.

We have not tested it with GlassFish - I'll do it and come back to you on how to do it.

BTW, the guide [2] will be helpful as well.

You can also subscribe to the WSO2 Identity Solution from [3] and post any of your questions there as well.

Thanks & regards.

- Prabath

[1]: http://wso2.org/projects/wsas/java
[2]: http://wso2.org/project/wsas/java/2.3/docs/installation_guide.html
[3]: http://wso2.org/mail

monzillo

Posts: 181
Re: OpenID for Web Apps?
Posted: Jul 18, 2008 7:17 AM   in response to: prabathsiriward...
 

Prabath,

Are you familiar with JSR 196?

Have you considered encapsulating your OpenID consumer code in a JSR 196 Server Auth Module (i.e., SAM)?

When a SAM is integrated in the Glassfish servlet container, it is applied by the container's constraint processing machinery on behalf of applications for which it is configured, and without requiring recompilation or redeployment of the applications.

At present the 196 SPI is supported by Glassfish, and there is work going on to provide support for the SPI in other containers including JBOSS, Tomcat, and Geronimo. The SPI is expected to be a required component of EE 6.

Ron



