>Hi,
>
>I'm hoping that one of you Tomcat experts out there may be able to give
>me a hint as to what to try next:
>
>I've got my IdP looking up attributes using ldap just fine (thanks to
>Jon Warbrick and Adrian Barker for their resolver.xml samples) and have
>moved on to getting Tomcat to do the authentication by LDAP.
>
>The authentication bit seems to be working: when I go to TestShib it
>redirects me to the sample login page. If I put in duff credentials it
>says so and keeps me at the username and password page, but if I put in
>the right credentials, instead of sending me jubilantly back to
>testshib.org for a glass of champagne, I get a Tomcat slap-on-the-wrist
>page:
>
>"HTTP Status 403 - Access to the requested resource has been denied
>
>type Status report
>
>message Access to the requested resource has been denied
>
>description Access to the specified resource (Access to the requested
>resource has been denied) has been forbidden.
>Apache Tomcat/5.5.23"
>
>The URL it's using is:
>
>https://mgraytemp3.its.dundee.ac.uk/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.testshib.org%2FShibboleth.sso%2FSAML%2FPOST&time=1182154866&target=cookie&providerId=https%3A%2F%2Fsp.testshib.org%2Fshibboleth%2Ftestshib%2Fsp
>
>No doubt I've made a boob with my Tomcat config (not really knowing what
>I'm doing). I followed the cookbook at:
>
>https://mams.melcoe.mq.edu.au/zope/mams/pubs/Installation/Tomcat%20Authentication%20for%20Shibboleth%20IdP
>
>I'm using Tomcat 5.5 and Apache 2.0.59, openssl 0.9.7m all on SUSE (SLED
>10).
>
>Cheers
>Andy
Here is the recipe that we used for Tomcat authentication. I can't take
any credit for it - it was just copied from other sources. Parts of it
are specific to the configuration here, but these should be obvious.
18. Change the login page to use tomcat
18.1. -
18.2. Change server.xml
cd /usr/local/tomcat/apache-tomcat-5.5.12/conf
cp /nfs/rcs/sysman/pp/shib-conf/server.xml.tomcat-auth /usr/local/tomcat/apache-tomcat-5.5.12/conf/server.xml
The details of the changes are:
Change the line:
request.tomcatAuthentication="true"
Configure a Tomcat 'realm' (= authentication database)
Use the JNDIRealm for ldap:
<!-- Define the top level container in our container hierarchy -->
<Engine name="Catalina" defaultHost="localhost">
  ...
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="99"
         connectionName="cn=.....,dc=ucl,dc=ac,dc=uk"
         connectionPassword="zzzzzzzz"
         connectionURL="ldap://uclusers-dc1.uclusers.ucl.ac.uk:389"
         alternateURL="ldap://uclusers-dc2.uclusers.ucl.ac.uk:389"
         userBase="ou=departments,dc=uclusers,dc=ucl,dc=ac,dc=uk"
         userSearch="(cn={0})"
         userSubtree="true"
  />
Note: to use a flat file, use the following:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"/>
Valve for logging?
No, skip the following:
#o Also copy the following block within the "Host" element:
#<Context path="/shibboleth-idp" docBase="shibboleth-idp"
#         debug="0" reloadable="true" crossContext="true">
#  <Logger className="org.apache.catalina.logger.FileLogger"
#          prefix="localhost_shibboleth_log." suffix=".txt"
#          timestamp="true"/>
#</Context>
18.3. Change web.xml for shibboleth-idp:
cd /usr/local/tomcat/apache-tomcat-5.5.12/webapps/shibboleth-idp/WEB-INF
Save in /nfs/rcs/sysman/pp/shib-conf:
cp /nfs/rcs/sysman/pp/shib-conf/web.xml /usr/local/tomcat/apache-tomcat-5.5.12/webapps/shibboleth-idp/WEB-INF/web.xml
Note: this file is overwritten if Shibboleth is upgraded
Add <security-constraint> as follows:
<security-constraint>
  <display-name>Restrict Access to Shibboleth SSO</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/IdP</url-pattern>
    <url-pattern>/SSO</url-pattern>
    <!-- If you list http methods, only those methods are protected -->
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
18.4. tomcat-users.xml
cd /usr/local/tomcat/apache-tomcat-5.5.12/conf
No change needed
18.5. Customise the web forms:
These are in the following directory:
cd /usr/local/tomcat/apache-tomcat-5.5.12/webapps/shibboleth-idp
login.jsp
login-error.jsp
Note: these files are overwritten when Shibboleth is upgraded.
The files are saved in /nfs/rcs/sysman/pp/shib-conf
cp /nfs/rcs/sysman/pp/shib-conf/login.jsp login.jsp
cp /nfs/rcs/sysman/pp/shib-conf/login-error.jsp login-error.jsp
To create the login jsp files, do the following:
The template login file is in
/nfs/fs-b/sysman/pp/shib-conf/shib-login.shtml
Copy the file to somewhere in the web tree, e.g. as ccaaarb:
cp /nfs/fs-b/sysman/pp/shib-conf/shib-login.shtml /nfs/rcs/www/webdocs/arbb-test
Use wget to fetch the resolved file to the shib-a/b machines:
cd /usr/local/tomcat/apache-tomcat-5.5.12/webapps/shibboleth-idp
wget http://www.ucl.ac.uk/arbb-test/shib-login.shtml
Edit shib-login.shtml to change any relative links for images to
absolute ones:
<img src="/images/spacer.gif"
to
<img src="http://www.ucl.ac.uk/images/spacer.gif"
cp shib-login.shtml login.jsp
cp shib-login.shtml login-error.jsp
Edit login-error.jsp: after the lines:
<form method=post action="j_security_check">
<table bgcolor="#CDDAEB">
add the line:
<tr><td colspan="2"><span class="text1">Incorrect userid or password. Please try again.</span>
Save these files in /nfs/fs-b/sysman/pp/shib-conf/
Also change the message in the files:
IdP.jsp
IdPError.jsp
cp IdP.jsp IdP-orig.jsp
cp IdPError.jsp IdPError-orig.jsp
cp /nfs/rcs/sysman/pp/shib-conf/IdP.jsp IdP.jsp
cp /nfs/rcs/sysman/pp/shib-conf/IdPError.jsp IdPError.jsp
The changes are:
In IdP.jsp, change:
Shibboleth Authentication Request Processed
to
Redirecting to requested site
and in IdPError.jsp, change:
Shibboleth Identity Provider Failure
to
Authentication Failure
Save these files in /nfs/fs-b/sysman/pp/shib-conf/
18.6. Change httpd.conf
Comment out the entire <Location /shibboleth-idp/SSO> block
cd /usr/local/apache/conf
cp /nfs/rcs/sysman/pp/shib-conf/httpd.conf.tomcat-auth httpd.conf
Restart Apache and Tomcat.
Adrian Barker, Information Systems
University College London, Gower Street, London WC1E 6BT
External phone: +44 20 7679 5140, Fax (+44) 20 7388 5406
Internal phone: x 25140
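Added example (written for this page; it is not code from either message in this thread). It parses the web.xml fragment from the recipe above, wrapped in a minimal <web-app> root I constructed, and checks it for two things a reviewer would look at before deploying it: the <http-method> list, which the fragment's own comment notes leaves every unlisted verb (HEAD, OPTIONS, TRACE) outside the constraint; and the bare <role-name>*</role-name>. The second check rests on my understanding of Tomcat 5.x, stated here as an assumption: RealmBase resolves "*" to the roles declared in <security-role>, and when none are declared while an <auth-constraint> is present, no authenticated user can satisfy it, which produces exactly the "HTTP Status 403" page described at the top of the thread. The harden_web_xml() function shows the corrected shape: drop the method list so the patterns are protected for all verbs, and declare <security-role><role-name>*</role-name></security-role>. Namespace handling is stripped rather than preserved, so the hardened output is for inspection, not for copying verbatim over a deployment descriptor.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a file from the original post: the <security-constraint>
# and <login-config> from the recipe, wrapped in a minimal Servlet 2.4 <web-app>.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <display-name>Restrict Access to Shibboleth SSO</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/IdP</url-pattern>
      <url-pattern>/SSO</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
"""

# Verbs a servlet container routes; a verb missing from an <http-method> list
# is simply not covered by that constraint.
HTTP_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")


def _parse(xml_text):
    """Parse web.xml and drop the J2EE namespace so tags match by local name."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if isinstance(el.tag, str) and el.tag.startswith("{"):
            el.tag = el.tag.split("}", 1)[1]
    return root


def _texts(parent, path):
    """Stripped text of every element matching an ElementPath under parent."""
    return [e.text.strip() for e in parent.iterfind(path) if e.text and e.text.strip()]


def audit_web_xml(xml_text):
    """Return findings (list of dicts) for the security constraints in web.xml."""
    root = _parse(xml_text)
    declared = set(_texts(root, "./security-role/role-name"))
    findings = []
    for sc in root.iterfind("./security-constraint"):
        patterns = _texts(sc, "./web-resource-collection/url-pattern")
        methods = {m.upper() for m in _texts(sc, "./web-resource-collection/http-method")}
        if methods:
            # Listing verbs narrows the constraint: report what is left unconstrained.
            uncovered = [m for m in HTTP_METHODS if m not in methods]
            findings.append({"check": "unlisted-methods", "patterns": patterns, "detail": uncovered})
        auth = sc.find("./auth-constraint")
        if auth is not None:
            roles = set(_texts(auth, "./role-name"))
            # Assumption (Tomcat 5.x): '*' expands to the declared <security-role>s;
            # with none declared the auth-constraint can never be satisfied -> 403.
            if "*" in roles and not declared:
                findings.append({"check": "star-role-undeclared", "patterns": patterns, "detail": []})
    return findings


def harden_web_xml(xml_text):
    """Remove <http-method> lists and declare a <security-role> for '*' if missing."""
    root = _parse(xml_text)
    for wrc in root.iterfind("./security-constraint/web-resource-collection"):
        for m in list(wrc.iterfind("./http-method")):
            wrc.remove(m)
    uses_star = "*" in _texts(root, "./security-constraint/auth-constraint/role-name")
    if uses_star and "*" not in _texts(root, "./security-role/role-name"):
        role = ET.SubElement(root, "security-role")
        ET.SubElement(role, "role-name").text = "*"
    # Namespaces were stripped in _parse, so this output is for review, not redeployment.
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit_web_xml(SAMPLE_WEB_XML):
        print(f["check"], f["patterns"], f["detail"])
    print("after hardening:", audit_web_xml(harden_web_xml(SAMPLE_WEB_XML)))
```

Run against the sample, the audit reports the three verbs left outside the constraint and the undeclared "*" role; after harden_web_xml() it reports nothing. Point the same functions at a real WEB-INF/web.xml (read the file into a string) to review a deployed descriptor.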