
[higgins-dev] SAML2 IdP deployment

Hello,

I've been trying to deploy the saml2idp.server and saml2idp.test projects following the instructions on the higgins wiki:
- http://wiki.eclipse.org/SAML2_IdP_Overview_1.0
- http://wiki.eclipse.org/SAML2_IdP_Deployment_1.0
- http://wiki.eclipse.org/SAML2_IdP_Development_1.0

I think some improvements could be made to the documentation for the inexperienced user. Although the documentation is quite extensive, there is an essential part missing:
How does the system hosting the IdP have to be set up in order to be able to install/deploy the WAR files?!?
- Tomcat configuration (especially Java Security Permissions)
- Logging configuration

Up to now I've spent quite some time figuring out the missing parts of the installation process (still a work in progress).
My goal was to get the saml2idp.server up and running on a dedicated Ubuntu 9.10 Server system using Tomcat 6. I'll not go into details about the Ubuntu Server, Tomcat and OpenLDAP installation here. In order to get the saml2idp server and test projects to run correctly I had to fix a few things.

First of all I deployed the saml2idp.server and saml2idp.test WAR files (Stable B-1-1M7) from:
- http://www.eclipse.org/higgins/downloads_parser.php?loc=/downloads/saml2idp.server
- http://www.eclipse.org/higgins/downloads_parser.php?loc=/downloads/saml2idp.test

Taking a look at the tomcat logs showed a ClassNotFoundException for org.apache.commons.logging.LogFactory.

In order to reduce the problem domain I undeployed the saml2idp.server app. As it turns out the saml2idp.test app doesn't contain the commons-logging.jar. In fact there are no jars in the WEB-INF/lib folder except the higgins-util-saml_1.0.700.jar.

So I figured I would take a look at the project dependencies... Installing Eclipse, etc. on another machine and checking out the projects from Subversion manually was a hurdle on its own, since the docs of the required projects are outdated (http://wiki.eclipse.org/SAML2_IdP_Development_1.0#Check_out_sources_manually).

By examining the build files for the saml2idp.test projects I found that they are incomplete.

Index: build.xml
===================================================================
--- build.xml	(revision 23458)
+++ build.xml	(working copy)
@@ -278,6 +278,7 @@
             <fileset dir="${org.eclipse.higgins.dependencies.redistributable.location}">
                 <include name="commons-codec-1.3/commons-codec-1.3.jar"/>
                 <include name="commons-logging-1.0.4/commons-logging-1.0.4.jar"/>
+                <include name="log4j-1.2.13/log4j-1.2.13.jar"/>
                 <include name="xmlsec-1.4.0/xmlsec-1.4.0.jar"/>
                 <include name="xercesImpl/xercesImpl.jar"/>
                 <include name="xalan-2.6.0/xalan-2.6.0.jar"/>
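Review bot: the added include hard-codes the path `log4j-1.2.13/log4j-1.2.13.jar` under `${org.eclipse.higgins.dependencies.redistributable.location}`, and nothing in the hunk shows that this directory exists or which log4j version the dependencies project actually ships; an Ant `<fileset>` include that matches nothing does not fail the build, so a wrong path would leave the WAR silently without log4j again. Confirm the directory name against the checked-out dependencies tree, or use a pattern such as `log4j-*/log4j-*.jar` if the version is not pinned there.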

				 
Index: buildwar.xml
===================================================================
--- buildwar.xml	(revision 23458)
+++ buildwar.xml	(working copy)
@@ -16,6 +16,9 @@
     	<antcall target="-copy.dep.jars">
     		<param name="toDir" value="${build.dir}/warlibs"/>
     	</antcall>
+		<antcall target="copy.libs">
+    		<param name="toDir" value="${build.dir}/warlibs"/>
+    	</antcall>
     </target>
 
 
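Review bot: both `<antcall>`s copy into the same `${build.dir}/warlibs`, so any jar that `copy.libs` and `-copy.dep.jars` both produce (commons-logging appears in the build.xml fileset above) is overwritten by whichever call runs last, with no warning about version mismatches; the hunk also does not show the `copy.libs` target itself, so check that it really reads a `toDir` parameter rather than writing to a fixed location. Two smaller points: the leading-hyphen naming convention used by `-copy.dep.jars` for internal targets is not followed by `copy.libs`, and the added lines mix tab and space indentation with the surrounding ones.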
Rebuilding the WAR file for the saml2idp.test project now includes all the dependencies (jars). Redeploying the app and checking the logs again shows an AccessControlException "access denied (java.util.PropertyPermission jsr105Provider read)".

To resolve this problem temporarily I added the following to /etc/tomcat6/policy.d/50local.policy:

grant codeBase "file:${catalina.base}/webapps/saml2idp.server.test/-" {
    permission java.security.AllPermission;
};

grant codeBase "file:${catalina.base}/webapps/saml2idp.server/-" {
    permission java.security.AllPermission;
};

Restarting tomcat and the exceptions in the log are gone...

But there is one more thing to do, the saml2idp apps should be writing some log files! They have their log4j.properties files in the right place but they are not configured to log to a file. I modified them to look like the following:

log4j.rootLogger=INFO, A
log4j.logger.org.eclipse.higgins.saml2idp=ALL
log4j.appender.A=org.apache.log4j.DailyRollingFileAppender
log4j.appender.A.File=${catalina.home}/logs/saml2idp.log
log4j.appender.A.DatePattern='.'yyyy-MM-dd
log4j.appender.A.Append=true
log4j.appender.A.Threshold=ALL
log4j.appender.A.layout=org.apache.log4j.PatternLayout
log4j.appender.A.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m%n

But there was still no logfile created. After some googling it appeared that commons-logging needs a configuration file of its own, so I placed a file called commons-logging.properties in the same folder as the log4j.properties file that looks like this:

org.apache.commons.logging.Log=org.apache.commons.logging.impl.Log4JLogger
log4j.configuration=log4j.properties

Restarting tomcat and there we have the saml2idp.log file!

Assuming the saml2idp.server and test apps are configured according to the docs the test RP should be working now (and it was in my case).


What I would like to do now is figure out the required Java Security Permissions to get rid of the AllPermission since this thing should be secured!!!
Does anybody have a policy file for tomcat6 around?

I hope my remarks can help somebody get the saml2idp up and running with less trouble.

Regards,
Marcel

-- 
Hochschule Luzern
Technik & Architektur

Technikumstrasse 21, CH-6048 Horw
www.hslu.ch/technik-architektur

CC Distributed Secure Software Systems
Marcel Gasser
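The post ends with the open question of which permissions are actually needed so that the two AllPermission grants can be dropped. The usual way to answer that with a Tomcat security manager is iterative: grant nothing extra, read the AccessControlException messages out of catalina.out, add exactly those permissions to the codeBase grant, restart, and repeat until the log is clean. The script below is an added example written for this reply and is not part of the original post or of the Higgins project; it turns such log lines into a grant block in java.policy syntax. The only denial taken from the post is the PropertyPermission on jsr105Provider; the FilePermission and RuntimePermission lines in the constructed log excerpt are hypothetical, as is the codeBase path, which is simply the one from the post's policy fragment.

```python
import re
from collections import OrderedDict

# Constructed excerpt of a Tomcat catalina.out. Only the PropertyPermission
# line reproduces the denial quoted in the post; the other two denials are
# hypothetical and exist to show the actions-less and the path-valued cases.
SAMPLE_LOG = """\
SEVERE: Exception sending context initialized event to listener instance of class org.example.Listener
java.security.AccessControlException: access denied (java.util.PropertyPermission jsr105Provider read)
java.security.AccessControlException: access denied (java.io.FilePermission /var/lib/tomcat6/logs/saml2idp.log write)
java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
java.security.AccessControlException: access denied (java.util.PropertyPermission jsr105Provider read)
"""

# Matches the Java 6 message form "(class name actions)" as quoted in the post
# and the later quoted form '("class" "name" "actions")'. Target names that
# contain spaces (e.g. a FilePermission on a path with spaces) are not handled
# and would have to be added to the policy by hand.
DENIAL_RE = re.compile(
    r'access denied \('
    r'"?(?P<cls>[\w.$]+)"?\s+'              # permission class
    r'"?(?P<name>[^"\s)]+)"?'               # target name (no spaces)
    r'(?:\s+"?(?P<actions>[^"\s)]+)"?)?'    # optional actions, e.g. read,write
    r'\)'
)


def parse_denials(log_text):
    """Return an ordered, de-duplicated list of (class, name, actions) tuples.

    Order of first occurrence is kept so the resulting policy reads in the
    same order as the failures appeared; repeated denials collapse to one.
    """
    seen = OrderedDict()
    for m in DENIAL_RE.finditer(log_text):
        key = (m.group("cls"), m.group("name"), m.group("actions") or "")
        seen[key] = None
    return list(seen)


def render_grant(codebase, denials):
    """Render one 'grant codeBase' block in java.policy syntax."""
    lines = ['grant codeBase "%s" {' % codebase]
    for cls, name, actions in denials:
        if actions:
            lines.append('    permission %s "%s", "%s";' % (cls, name, actions))
        else:
            lines.append('    permission %s "%s";' % (cls, name))
    lines.append("};")
    return "\n".join(lines)


def build_policy(log_text, codebase):
    """Convenience wrapper: log text in, policy fragment out."""
    return render_grant(codebase, parse_denials(log_text))


if __name__ == "__main__":
    # Hypothetical codeBase, taken from the grant in the post above.
    print(build_policy(SAMPLE_LOG, "file:${catalina.base}/webapps/saml2idp.server/-"))
```

Two caveats when using this approach. A denial only appears in the log for a code path that was actually exercised, so exercise the full SAML flow (metadata, AuthnRequest, assertion signing, LDAP lookup) before calling the grant complete. And libraries sometimes catch the AccessControlException themselves and fall back silently; starting the JVM with `-Djava.security.debug=access,failure` (on Debian/Ubuntu via JAVA_OPTS in /etc/default/tomcat6) makes those failed checks visible on stderr as well.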


