-
Notifications
You must be signed in to change notification settings - Fork 0
/
DeployingZxidServlets.txt
147 lines (109 loc) · 5.38 KB
/
DeployingZxidServlets.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
Deploying the ZXID filter and ZXID servlet to provide SSO to your web application
#################################################################################
<<author: 20101020, v0.1, Stijn Lievens>>
> N.B. The approach described here is more modern than
> zxidsrvlet.java + zxidappdemo.java approach documented
> elsewhere.
We assume that you have a web application running inside a servlet container
like Tomcat for which you would like to provide SSO capability.
1. Required Files
The following files are needed:
ZxidServlet.class:: the actual ZXID servlet which calls out to the native library
ZxidSSOFilter.class:: a simple filter which just checks whether a session has already
been established or not. If this is not the case the the user is
redirected to the ZxidServlet which will establish the session.
libzxidnji.so:: the native library
zxidjava.jar:: Java glue (XXX describe here)
2. Directory Layout
Below, we show the relevant parts of the web application directory
structure. Application specific portions (i.e. your servlets and JSPs
are not shown.)
your-webapp
|
+-- WEB-INF
|
+-- web.xml -- The deployment descriptor of the application
+-- classes -- The classes by your web application
| |
| +-- org
| |
| +-- zxid
| |
| +-- ZxidServlet.class
| `-- ZxidSSOFilter.class
|
+-- lib -- The libraries used
|
+-- libzxidjni.so
`-- zxidjava.jar
3. The Deployment Descriptor (aka web.xml)
In the deployment descriptor (web.xml) you need to do this at the very least:
a. Configure the SSO servlet.
This is done as follows:
<servlet>
<servlet-name>sso</servlet-name>
<servlet-class>org.zxid.ZxidServlet</servlet-class>
<init-param>
<param-name>zxid-configuration</param-name>
<param-value>zxid-configuration-here</param-value>
</init-param>
</servlet>
Of course, you are free to change the servlet's name to whatever you want.
The zxid configuration should be in query string format, but the & symbols
should be encoded as '&' thus e.g.
<param-value>
URL=https://your.host.here:8443/your-webapp/sso&PATH=/var/zxid
</param-value>
The recommended minimum configuration items are
URL:: Absolutely necessary. This is used to form EntityID and SAML end-points. This
has to match your domain name, port number, and local path as configured
at the web server level.
NICE_NAME:: Highly recommended. This human readable string is often shown
in the user interface and you +do not+ want the default value.
ORG_NAME:: Recommended. Affects your certificate and metadata.
ORG_LOCALITY:: Recommended. Affects your certificate and metadata.
ORG_STATE:: Recommended. Affects your certificate and metadata.
ORG_COUNTRY:: Recommended. Affects your certificate and metadata.
Please note that you can also put the configuration options in configuration
file at path /var/zxid/zxid.conf (default path unless you set configuration
option PATH). For further information, please consult zxid-conf.pd or zxidconf.h.
b. Next you have to put in a mapping from a path to the actual servlet
so that it gets invoked when this path is requested. This is done
as follows:
<servlet-mapping>
<servlet-name>sso</servlet-name>
<url-pattern>/sso</url-pattern>
</servlet-mapping>
The servlet name must match the one you used above.
c. You also need to define the SSO filter. This is done as follows:
<filter>
<filter-name>sso-filter</filter-name>
<filter-class>org.zxid.ZxidSSOFilter</filter-class>
<init-param>
<param-name>sso-location</param-name>
<param-value>sso</param-value>
</init-param>
</filter>
Note that the default value for sso-location is actually sso so you
wouldn't need to specify it here. The name of this parameter must match
(bar the leading slash) the url-pattern you specified in the servlet-mapping
for the SSO servlet.
d. Finally, you need to enable the sso-filter (probably as the first filter)
for any part of your web application that shouldn't be accessible without
a valid session.
As an example suppose you want to protect the entire web application,
then you would write the following filter-mapping:
<filter-mapping>
<filter-name>sso-filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
4. Limitations
Note that the SSO filter only checks whether a session has been established.
As such the ZXID servlet is only invoked once (upon session creation). As such
this setup cannot be used to check whether the user is allowed access to the
requested resource. For this, an additional filter would be needed.
5. Warning
You will need to make sure that automatic session creation is turned off
in the unprotected part of your webapplication as not doing so would result
in the filter thinking that a session has indeed been established.
END