Friday, 6 December 2019

SAML MELLON POC

Introduction

The PoC consists of a VM installed with Vagrant and a Git repository with the scripts and the configuration: Apache httpd, mod_auth_mellon and Tomcat with a small application.

Vagrant

The installation has been done with Vagrant on CentOS 7.

You can do it without Vagrant, but NAT port forwarding must be enabled for ports 8888 and 8180.

Port 80 is not recommended because Windows uses it internally.

Once the Vagrant box is up, go to Git and clone the repository.

Install begin

Execute ./installbegin.sh. This installs the basic software base and sets up heroes.org in the hosts file.

It also disables SELinux and reboots.

Install Mellon and Apache httpd

Execute ./installmellon.sh

It copies the heroes.org.conf Apache virtual host, creates the Mellon section and generates the SP XML metadata.

Listen 8888
<VirtualHost *:8888>
    ServerName heroes.org
    ServerAlias heroes.org
    DocumentRoot /var/www/heroes.org/public_html

    <Location />
        AuthType Mellon
        MellonEnable auth
        Require valid-user
        MellonEndpointPath /mellon/
        MellonSPMetadataFile /etc/httpd/saml2/http_heroes.org_8888.xml
        MellonSPPrivateKeyFile /etc/httpd/saml2/http_heroes.org_8888.key
        MellonSPCertFile /etc/httpd/saml2/http_heroes.org_8888.cert
        MellonIdPMetadataFile /etc/httpd/saml2/meta_idp.xml

        MellonUser "NAME_ID"
        MellonSetEnv "display_name" "displayName"
        MellonSamlResponseDump On
        ProxyPassInterpolateEnv On
        # Pass the authenticated NAME_ID to the backend as a request header
        RequestHeader set X-WEBAUTH-USER "%{MELLON_NAME_ID}e"
        #RequestHeader set X-WEBAUTH-DUMP "%{MELLON_SAML_RESPONSE}e"
    </Location>

    # Pass most connections to backend app, once it has been secured.
    ProxyPass / http://localhost:8080/mellon
    ProxyPassReverse / http://localhost:8080/mellon
</VirtualHost>

Install Keycloak

Execute ./installkeycloack; the web administration console is there.

Later you must create a realm called heroes and create a client by importing the SP XML configuration file created by Mellon, http_heroes.org_8888.xml.

You can log into http://heroes.org:8180/auth/ with user admin and password admin.

Once imported, go to the heroes client configuration; it is useful to disable encryption of the SAML assertion and to pass the username as the user ID:

  • Encrypt Assertions Off

  • Name ID Format username

The realm is exported as realm-export.json, although the import has not been tested.

Create a user and its password in the Users section.

Once the client and the user are done you must install the IdP metadata in Mellon.

SSH into the guest and execute:

# Fetch the IdP metadata from Keycloak; the file name must match MellonIdPMetadataFile
curl http://localhost:8180/auth/realms/heroes/protocol/saml/descriptor > meta_idp.xml

sudo cp meta_idp.xml /etc/httpd/saml2

Install Tomcat and the small endpoint application

Execute install_app_tomcat.sh; this goes to saml2/mellon and executes

mvn package

This installs mvn and Tomcat, builds the small application and deploys it locally in the guest.

TEST

execute

It will forward to the Keycloak IdP; enter user jordi and password jordi and you will see an output like this:

Hola Mundo (1)
host=localhost:8080
user-agent=Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language=es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding=gzip, deflate
referer=http://heroes.org:8180/
cookie=mellon-cookie=6e83894907480c27921539d940ba6f74
dnt=1
upgrade-insecure-requests=1
x-webauth-user=jordi (2)
(1) Servlet System.out
(2) User ID.

The user ID comes in the SAML assertion, in the Subject element of the XML. If you want a value like jordi, you must change the IdP client configuration.

Below is the default ID; to change it, go to Keycloak and change the Name ID format.

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">G-e535ce9b-5b55-4896-92a6-0e7777f9aa5c</saml:NameID>
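The NameID above is the value the servlet sees in X-WEBAUTH-USER. As an added example (not code from the PoC repository), the class below parses a constructed assertion fragment with the same Subject/NameID shape, using a hardened DocumentBuilderFactory (DTDs and external entities disabled, namespace-aware matching) and checking that exactly one Subject and one NameID are present, then reports whether the format is transient. The sample XML and the class name NameIdCheck are assumptions; the namespace and format URIs are the standard SAML 2.0 ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class NameIdCheck {

    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";

    // Constructed sample: in the PoC the real response would come from the
    // MELLON_SAML_RESPONSE dump. Only the Subject/NameID part is modelled here.
    static final String SAMPLE =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\">"
        + "<saml:Subject>"
        + "<saml:NameID Format=\"" + TRANSIENT + "\">"
        + "G-e535ce9b-5b55-4896-92a6-0e7777f9aa5c</saml:NameID>"
        + "</saml:Subject></saml:Assertion>";

    // XML parser configured so that untrusted XML cannot pull in DTDs or external entities.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // match on namespace, not on the "saml:" prefix
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the single NameID element; refuses documents with zero or several
    // Subject/NameID elements instead of silently taking the first one.
    static Element nameId(String xml) throws Exception {
        Document doc = hardenedBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList subjects = doc.getElementsByTagNameNS(SAML_NS, "Subject");
        if (subjects.getLength() != 1) {
            throw new IllegalStateException("expected exactly one Subject, got " + subjects.getLength());
        }
        NodeList ids = ((Element) subjects.item(0)).getElementsByTagNameNS(SAML_NS, "NameID");
        if (ids.getLength() != 1) {
            throw new IllegalStateException("expected exactly one NameID, got " + ids.getLength());
        }
        return (Element) ids.item(0);
    }

    public static void main(String[] args) throws Exception {
        Element id = nameId(SAMPLE);
        String format = id.getAttribute("Format");
        System.out.println("NameID value : " + id.getTextContent());
        System.out.println("NameID format: " + format);
        if (TRANSIENT.equals(format)) {
            // A transient NameID is a fresh opaque value per login, not a stable account key,
            // so it is not usable as the application's user id; change the Keycloak client's
            // Name ID format to username to get a value such as "jordi".
            System.out.println("transient NameID: not a stable user id");
        }
    }
}
```

The two exactly-one checks matter because the backend trusts whatever Mellon puts in X-WEBAUTH-USER; a parser that picks the first NameID it finds gives no way to notice an assertion with an unexpected structure.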

Troubleshooting

SELinux enable or disable

Edit /etc/selinux/config to enable or disable SELinux.

Apache

The logs are in /etc/httpd/logs.

Check status: $ httpd -d

Check config: $ httpd -t

Dump SAML assertion in header

Tomcat logs: $ journalctl -u tomcat

In heroes.org.conf enable the dump to a header by uncommenting:

RequestHeader set X-WEBAUTH-DUMP "%{MELLON_SAML_RESPONSE}e"

The dumped response is large, so increase the maximum header size in /etc/tomcat/server.xml:

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               maxHttpHeaderSize="65536"
               redirectPort="8443" />

Others

Install Spring sample

Follow

jordi@LAPTOP-ELFAQNCG MINGW64 /c/Program Files/Java/jdk1.8.0_181/bin
$ jrunscript.exe -e 'print (javax.crypto.Cipher.getMaxAllowedKeyLength("RC5") >= 256);'
true

SAML certificates workflow

  • Create a new key pair for signing and/or encryption together with the respective X.509 certificate

  • Configure your SP to support the new key pair

  • Add a new KeyDescriptor to your SAML metadata

  • Support decrypting SAML messages using your new key

  • Send your metadata (or just the X.509 certificate) to the IdP(s). They must:

      • Switch the encryption certificate to the new one

      • Trust your new signing certificate, without stopping trusting the old one

  • Wait for the IdP(s) to update their configurations

  • Do not start using the new key for signing your messages until the IdP(s) confirm they support your new certificate

  • Configure your SP to start using the new key for signing messages

  • The old keys may now be completely removed

  • The IdP(s) can now untrust your old signing certificate

Tuesday, 6 August 2019

Repository Spring

The use of JpaRepository or CrudRepository is very handy: developers can do basic operations with no SQL. However, it also hides the transaction management. By default every repository method runs in its own transaction. I have seen so many developers forget to use the @Transactional scope in their services. Hibernate and JPA force you to create a transaction, but with the use of frameworks it is deeply hidden and frequently omitted, skipped or simply unknown by mediocre developers.

Behaviour without Transaction management

The service produces different output depending on whether it runs inside a transactional scope.

    // One transaction spans the query and every save(): all updates commit together
    @Transactional
    public void getGetOlder(int age, int plus) {
        List<User> listUsers = repoUser.findByAgeGreaterThan(age);
        for (User user : listUsers) {
            user.setAge(user.getAge() + plus);
            repoUser.save(user);
        }
    }

This gives you a log with only one transaction: both updates are flushed in a single commit.

2019-08-06 11:42:19,731 DEBUG [main] o.h.e.t.i.TransactionImpl [TransactionImpl.java:101] committing
2019-08-06 11:42:19,731 DEBUG [main] o.h.e.i.AbstractFlushingEventListener [AbstractFlushingEventListener.java:141] Processing flush-time cascades
2019-08-06 11:42:19,731 DEBUG [main] o.h.e.i.AbstractFlushingEventListener [AbstractFlushingEventListener.java:193] Dirty checking collections
2019-08-06 11:42:19,733 DEBUG [main] o.h.e.i.AbstractFlushingEventListener [AbstractFlushingEventListener.java:115] Flushed: 0 insertions, 2 updates, 0 deletions to 2 objects
2019-08-06 11:42:19,733 DEBUG [main] o.h.e.i.AbstractFlushingEventListener [AbstractFlushingEventListener.java:122] Flushed: 0 (re)creations, 0 updates, 0 removals to 0 collections
2019-08-06 11:42:19,734 DEBUG [main] o.h.i.u.EntityPrinter [EntityPrinter.java:110] Listing entities:
2019-08-06 11:42:19,734 DEBUG [main] o.h.i.u.EntityPrinter [EntityPrinter.java:117] org.jordi.h2db.springboot.models.User{firstName=Joana, lastName=Fernandez, id=2, age=11}
2019-08-06 11:42:19,734 DEBUG [main] o.h.i.u.EntityPrinter [EntityPrinter.java:117] org.jordi.h2db.springboot.models.User{firstName=Rachel, lastName=Fernandez, id=1, age=11}
2019-08-06 11:42:19,735 DEBUG [main] o.h.SQL [SqlStatementLogger.java:94] update users set age=?, first_name=?, last_name=? where id=?
2019-08-06 11:42:19,739 DEBUG [main] o.h.SQL [SqlStatementLogger.java:94] update users set age=?, first_name=?, last_name=? where id=?
2019-08-06 11:42:19,759 DEBUG [Thread-3] o.h.i.SessionFactoryImpl [SessionFactoryImpl.java:792] HHH000031: Closing

Whereas if you omit the transaction you get the log below, where you can see two commits instead of one:

2019-08-06 12:00:19,763 DEBUG [main] o.h.e.t.i.TransactionImpl [TransactionImpl.java:101] committing
2019-08-06 12:00:19,764 DEBUG [main] o.h.e.i.AbstractFlushingEventListener [AbstractFlushingEventListener.java:141] Processing flush-time cascades
2019-08-06 12:00:19,765 DEBUG [main] o.h.e.i.AbstractFlushingEventListener [AbstractFlushingEventListener.java:193] Dirty checking collections
2019-08-06 12:00:19,766 DEBUG [main] o.h.e.i.AbstractFlushingEventListener [AbstractFlushingEventListener.java:115] Flushed: 0 insertions, 1 updates, 0 deletions to 1 objects
2019-08-06 12:00:19,767 DEBUG [main] o.h.e.i.AbstractFlushingEventListener [AbstractFlushingEventListener.java:122] Flushed: 0 (re)creations, 0 updates, 0 removals to 0 collections
2019-08-06 12:00:19,767 DEBUG [main] o.h.i.u.EntityPrinter [EntityPrinter.java:110] Listing entities:
2019-08-06 12:00:19,768 DEBUG [main] o.h.i.u.EntityPrinter [EntityPrinter.java:117] org.jordi.h2db.springboot.models.User{firstName=Rachel, lastName=Fernandez, id=1, age=11}
2019-08-06 12:00:19,769 DEBUG [main] o.h.SQL [SqlStatementLogger.java:94] update users set age=?, first_name=?, last_name=? where id=?
2019-08-06 12:00:19,774 DEBUG [main] o.h.e.t.i.TransactionImpl [TransactionImpl.java:56] On TransactionImpl creation, JpaCompliance#isJpaTransactionComplianceEnabled == false
2019-08-06 12:00:19,775 DEBUG [main] o.h.e.t.i.TransactionImpl [TransactionImpl.java:84] begin
2019-08-06 12:00:19,776 DEBUG [main] o.h.l.Loader [Loader.java:2269] Loading entity: [org.jordi.h2db.springboot.models.User#2]
2019-08-06 12:00:19,777 DEBUG [main] o.h.SQL [SqlStatementLogger.java:94] select user0_.id as id1_0_0_, user0_.age as age2_0_0_, user0_.first_name as first_na3_0_0_, user0_.last_name as last_nam4_0_0_ from users user0_ where user0_.id=?
2019-08-06 12:00:19,780 DEBUG [main] o.h.l.Loader [DelegatingBasicLogger.java:384] Result set row: 0
2019-08-06 12:00:19,781 DEBUG [main] o.h.l.Loader [Loader.java:1532] Result row: EntityKey[org.jordi.h2db.springboot.models.User#2]
2019-08-06 12:00:19,784 DEBUG [main] o.h.e.i.TwoPhaseLoad [TwoPhaseLoad.java:145] Resolving associations for [org.jordi.h2db.springboot.models.User#2]
2019-08-06 12:00:19,785 DEBUG [main] o.h.e.i.TwoPhaseLoad [TwoPhaseLoad.java:290] Done materializing entity [org.jordi.h2db.springboot.models.User#2]
2019-08-06 12:00:19,785 DEBUG [main] o.h.l.Loader [Loader.java:2298] Done entity load
2019-08-06 12:00:19,786 DEBUG [main] o.h.e.t.i.TransactionImpl [TransactionImpl.java:101] committing
2019-08-06 12:00:19,787 DEBUG [main] o.h.e.i.AbstractFlushingEventListener [AbstractFlushingEventListener.java:141] Processing flush-time cascades
2019-08-06 12:00:19,787 DEBUG [main] o.h.e.i.AbstractFlushingEventListener [AbstractFlushingEventListener.java:193] Dirty checking collections
2019-08-06 12:00:19,788 DEBUG [main] o.h.e.i.AbstractFlushingEventListener [AbstractFlushingEventListener.java:115] Flushed: 0 insertions, 1 updates, 0 deletions to 1 objects
2019-08-06 12:00:19,789 DEBUG [main] o.h.e.i.AbstractFlushingEventListener [AbstractFlushingEventListener.java:122] Flushed: 0 (re)creations, 0 updates, 0 removals to 0 collections
2019-08-06 12:00:19,789 DEBUG [main] o.h.i.u.EntityPrinter [EntityPrinter.java:110] Listing entities:
2019-08-06 12:00:19,790 DEBUG [main] o.h.i.u.EntityPrinter [EntityPrinter.java:117] org.jordi.h2db.springboot.models.User{firstName=Joana, lastName=Fernandez, id=2, age=11}
2019-08-06 12:00:19,790 DEBUG [main] o.h.SQL [SqlStatementLogger.java:94] update users set age=?, first_name=?, last_name=? where id=?
2019-08-06 12:00:19,810 DEBUG [Thread-3] o.h.i.SessionFactoryImpl [SessionFactoryImpl.java:792] HHH000031: Closing
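To make the difference concrete beyond the logs, here is an added Spring Data JPA example (not the post's own project code) that places the atomic and the non-atomic version of the loop side by side and adds a runtime guard. The User entity, UserRepository and AgeingService names are assumptions modelled on the `users` table and the findByAgeGreaterThan query visible in the post; TransactionSynchronizationManager is a real Spring API.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Table;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.transaction.support.TransactionSynchronizationManager;

// Assumed entity matching the `users` table in the post's log (id, age, first_name, last_name).
@Entity
@Table(name = "users")
class User {
    @Id private Long id;
    private String firstName;
    private String lastName;
    private int age;
    protected User() {}
    public Long getId() { return id; }
    public int getAge() { return age; }
    public void setAge(int age) { this.age = age; }
}

// Assumed repository; findByAgeGreaterThan is the derived query the post uses.
interface UserRepository extends JpaRepository<User, Long> {
    List<User> findByAgeGreaterThan(int age);
}

@Service
class AgeingService {
    private final UserRepository repoUser;

    AgeingService(UserRepository repoUser) { this.repoUser = repoUser; }

    // One transaction for the whole loop: if any save() throws, every update is rolled back.
    // Dirty checking at commit writes all rows together (the "2 updates" line in the first log).
    @Transactional
    public int getOlderAtomic(int age, int plus) {
        requireTransaction("getOlderAtomic");
        List<User> users = repoUser.findByAgeGreaterThan(age);
        for (User u : users) {
            u.setAge(u.getAge() + plus);
            repoUser.save(u); // joins the surrounding transaction, no commit here
        }
        return users.size();
    }

    // No service-level transaction: each repository call opens and commits its own one
    // (SimpleJpaRepository methods are @Transactional themselves). The entities come back
    // detached, so each save() merges them (the extra select in the second log) and commits
    // separately; a failure on the second user leaves the first one already committed.
    public int getOlderNonAtomic(int age, int plus) {
        List<User> users = repoUser.findByAgeGreaterThan(age);
        for (User u : users) {
            u.setAge(u.getAge() + plus);
            repoUser.save(u); // separate transaction and commit per iteration
        }
        return users.size();
    }

    // Fail fast if a method that must be atomic somehow runs without an active
    // transaction, e.g. when it is called through this rather than through the Spring
    // proxy (self-invocation bypasses @Transactional).
    private static void requireTransaction(String where) {
        if (!TransactionSynchronizationManager.isActualTransactionActive()) {
            throw new IllegalStateException(where + " must run inside a transaction");
        }
    }
}
```

Running getOlderAtomic reproduces the single "committing" entry of the first log and getOlderNonAtomic the two entries of the second; the guard turns a silently missing transaction into an exception at the first call instead of a partial update discovered later in the data.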

Sunday, 9 June 2019

VAGRANT W10


It took me a lot of time to get over the problem below: Raw-mode is unavailable courtesy of Hyper-V. (VERR_SUPDRV_NO_RAW_MODE_HYPER_V_ROOT).

To fix it, set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled to 0.

Saturday, 23 February 2019

CDI in JEE-Jakarta EE part I

Dependency injection, commonly abbreviated CDI, is the JEE framework for dependency injection, very similar to Spring. It was also known as IoC or inversion of control. The point is that dependencies are injected instead of created with new. Injected means that the container creates the object and passes the reference. That's all.

Specification

In the case of OpenLiberty it is based on the JBoss implementation, Weld: http://weld.cdi-spec.org/

Features

Installation

In CDI 1.0 a META-INF/beans.xml file was necessary, but not in later versions. This file can also be located in other places.

Scopes

CDI is based on the concept of a container, which is actually an in-memory key-value object database. This container or database is partitioned into scopes, so a bean can only see its neighbours in its own scope. The available scopes are:

  • @RequestScoped

  • @SessionScoped

  • @ApplicationScoped

  • @ConversationScoped. This is similar to the transactional scope in JPA.

Names

The @Named("myname") annotation gives a bean a name so it can be referenced from either JSP or JSF.

Creation

The sample below creates a bean of type String. How does it resolve conflicts?

    @Produces
    @Property("")
    String valueofProperty(InjectionPoint injectionPoint) {
        // read the value written at the injection point, e.g. @Property("db.url")
        Property property = injectionPoint.getAnnotated().getAnnotation(Property.class);
        return "clave mas " + property.value();
    }

Ambiguity

If CDI is actually a key-value store, how does it look up objects? By type. The ambiguity is solved with custom annotations, called qualifiers (@Qualifier).

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.enterprise.util.Nonbinding;
import javax.inject.Qualifier;

@Qualifier
@Target({ ElementType.FIELD, ElementType.METHOD, ElementType.TYPE, ElementType.PARAMETER })
@Retention(RetentionPolicy.RUNTIME)
public @interface Property {
    // @Nonbinding: the value is not part of the qualifier match, so one producer serves all keys
    @Nonbinding
    String value() default "";
}

Use

The most common way is @Inject, similar to @Autowired in Spring.
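The pieces above (qualifier, producer, @Inject) only make sense together, so here they are as one complete added example; it is not code from the post and the names PropertyProducer, BackendClient and the property keys are assumptions. Where the post's producer returned "clave mas " plus the key, this one resolves the key against JVM system properties (an assumed source) and fails at injection time if the key is missing, so a misconfigured deployment does not start with null settings.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Produces;
import javax.enterprise.inject.spi.InjectionPoint;
import javax.enterprise.util.Nonbinding;
import javax.inject.Inject;
import javax.inject.Qualifier;

// The qualifier from the post. @Nonbinding makes the container ignore value() when
// matching, so the single producer declared with @Property("") satisfies every
// @Property("...") injection point. Without it, @Property("a") and @Property("b") would be
// two distinct qualifiers and neither would match the producer: an unsatisfied dependency.
@Qualifier
@Target({ ElementType.FIELD, ElementType.METHOD, ElementType.TYPE, ElementType.PARAMETER })
@Retention(RetentionPolicy.RUNTIME)
@interface Property {
    @Nonbinding
    String value() default "";
}

@ApplicationScoped
class PropertyProducer {

    // Producer methods that take an InjectionPoint must stay @Dependent (the default),
    // because the value depends on which injection point asked for it.
    @Produces
    @Property("")
    String propertyValue(InjectionPoint ip) {
        Property p = ip.getAnnotated().getAnnotation(Property.class);
        String key = p.value();
        String value = System.getProperty(key); // assumed value source
        if (value == null) {
            // Fail at injection time rather than handing out null configuration.
            throw new IllegalStateException("missing property '" + key + "' required by "
                + ip.getMember().getDeclaringClass().getSimpleName());
        }
        return value;
    }
}

// Injection site: the container invokes propertyValue() once per field, passing that
// field as the InjectionPoint, which is how the producer learns the key it must resolve.
@ApplicationScoped
class BackendClient {

    @Inject
    @Property("backend.url")
    String backendUrl;

    @Inject
    @Property("backend.timeoutMillis")
    String timeout;

    String describe() {
        return "backend=" + backendUrl + " timeout=" + timeout + "ms";
    }
}
```

Deploy with -Dbackend.url=... -Dbackend.timeoutMillis=... and BackendClient.describe() reports both values; drop one of the properties and deployment fails with the producer's message naming the class that needed it.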