TODO
- Build the app
  - Build an app equivalent to the sample from scratch
  - Try federating authentication with Google
- SP
  - Check SAML2LoginModule
  - Check the handler code
  - Check the element schema: is a Form authentication declaration required or not?
  - Check the configuration file
- IdP
  - Check the signed sample
  - Run it on Tomcat
DONE
- Check the logs
1.1. Request to /sales/ - 1
The fixed prefix of each log line is omitted.
REQUEST URI =/sales/ authType=null characterEncoding=null contentLength=-1 contentType=null contextPath=/sales cookie=JSESSIONID=CBDAFB23F28D90849E23CB3DD676DB0F header=host=localhost:8080 header=user-agent=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; ja-jp) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1 header=accept=application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 header=accept-language=ja-jp header=accept-encoding=gzip, deflate header=cookie=JSESSIONID=CBDAFB23F28D90849E23CB3DD676DB0F header=connection=keep-alive locale=ja_JP method=GET pathInfo=null protocol=HTTP/1.1 queryString=null remoteAddr=127.0.0.1 remoteHost=127.0.0.1 remoteUser=null requestedSessionId=CBDAFB23F28D90849E23CB3DD676DB0F scheme=http serverName=localhost serverPort=8080 servletPath=/index.jsp isSecure=false
1.2. Request to /sales/ - 2
TRACE [org.jboss.security.plugins.JaasSecurityManager] (http-0.0.0.0-8080-1) Constructing
DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.sp] (http-0.0.0.0-8080-1) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@7556d1e2
DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.sp] (http-0.0.0.0-8080-1) CachePolicy set to: org.jboss.util.TimedCachePolicy@24c560f1
DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (http-0.0.0.0-8080-1) setCachePolicy, c=org.jboss.util.TimedCachePolicy@24c560f1
1.3. Request to /sales/ - 3
TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
TRACE [org.picketlink.identity.federation.web.process.ServiceProviderBaseProcessor] (http-0.0.0.0-8080-1) Handlers are:[org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler@1477696b, org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler@2ba9fa4c]
TRACE [org.picketlink.identity.federation.web.process.ServiceProviderBaseProcessor] (http-0.0.0.0-8080-1) Handlers are : [org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler@1477696b, org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler@2ba9fa4c]
TRACE [org.picketlink.identity.federation.web.process.ServiceProviderBaseProcessor] (http-0.0.0.0-8080-1) Finished Processing handler:org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler
TRACE [org.picketlink.identity.federation.web.process.ServiceProviderBaseProcessor] (http-0.0.0.0-8080-1) Finished Processing handler:org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler
TRACE [org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator] (http-0.0.0.0-8080-1) SAML Document=<ns3:AuthnRequest xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" AssertionConsumerServiceURL="http://localhost:8080/sales/" ID="ID_24c6a996-5696-4556-b872-e7c875cb07f1" IssueInstant="2011-05-25T00:09:13.123+09:00" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><Issuer>http://localhost:8080/sales/</Issuer></ns3:AuthnRequest>
TRACE [org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator] (http-0.0.0.0-8080-1) URL used for sending:http://localhost:8080/idp/?SAMLRequest=fdFdS8MwFAbgv1LipbQ5Tb9DO5juwoHi2Kq3kmVxK3TJzEmtP9%2Fo5gTB3YQkPCcv56TWmPDp4HZ6qd4GhS742Pcaub9uyGA1NwI7fxR7hdxJvpo%2B3HMWAT9Y44w0PTkWXMYCUVnXGU3Oz7OG7Jw7cErHcYzGJDJ2SxkAUKioRxvstle%2FPP2HxxTSL6609Hr6k3NrNA57ZVfKvndSPS3vz%2FW9kaLfGXS8hBIoil4hJcF81pD57IWlMhdVlYdZ7pc0y%2FJwXRYsVIUsi0yuoXiNPUYc1FyjE9o1hEEch5CFLGsBOFQ8TqKYJdd%2BB0CCxWlSN53edHp7eVLrI0J%2B17aLcPG4aknwrCz6nnxQBGRSf4fbyaV2anpCNf37v5NP
2.1. Response from /sales/
authType=null contentLength=-1 contentType=null cookie=JSESSIONID=0804A3AF261E8E9E5355B4801A2EC5F8; domain=null; path=/sales header=Pragma=no-cache header=Cache-Control=no-cache, no-store header=Expires=Thu, 01 Jan 1970 09:00:00 JST header=Set-Cookie=JSESSIONID=0804A3AF261E8E9E5355B4801A2EC5F8; Path=/sales header=Location=http://localhost:8080/idp/?SAMLRequest=fdFdS8MwFAbgv1LipbQ5Tb9DO5juwoHi2Kq3kmVxK3TJzEmtP9%2Fo5gTB3YQkPCcv56TWmPDp4HZ6qd4GhS742Pcaub9uyGA1NwI7fxR7hdxJvpo%2B3HMWAT9Y44w0PTkWXMYCUVnXGU3Oz7OG7Jw7cErHcYzGJDJ2SxkAUKioRxvstle%2FPP2HxxTSL6609Hr6k3NrNA57ZVfKvndSPS3vz%2FW9kaLfGXS8hBIoil4hJcF81pD57IWlMhdVlYdZ7pc0y%2FJwXRYsVIUsi0yuoXiNPUYc1FyjE9o1hEEch5CFLGsBOFQ8TqKYJdd%2BB0CCxWlSN53edHp7eVLrI0J%2B17aLcPG4aknwrCz6nnxQBGRSf4fbyaV2anpCNf37v5NP message=null remoteUser=null status=302
2.2. SAML Request
<?xml version="1.0"?>
<ns3:AuthnRequest xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" AssertionConsumerServiceURL="http://localhost:8080/sales/" ID="ID_24c6a996-5696-4556-b872-e7c875cb07f1" IssueInstant="2011-05-25T00:09:13.123+09:00" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <Issuer>http://localhost:8080/sales/</Issuer>
</ns3:AuthnRequest>
3.1. Redirect to /idp/ - 1
2011-05-25 00:09:13,446 DEBUG [org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve] (http-0.0.0.0-8080-1) SP Sent::Method = GET SAMLRequest=fdFdS8MwFAbgv1LipbQ5Tb9DO5juwoHi2Kq3kmVxK3TJzEmtP9/o5gTB3YQkPCcv56TWmPDp4HZ6qd4GhS742Pcaub9uyGA1NwI7fxR7hdxJvpo+3HMWAT9Y44w0PTkWXMYCUVnXGU3Oz7OG7Jw7cErHcYzGJDJ2SxkAUKioRxvstle/PP2HxxTSL6609Hr6k3NrNA57ZVfKvndSPS3vz/W9kaLfGXS8hBIoil4hJcF81pD57IWlMhdVlYdZ7pc0y/JwXRYsVIUsi0yuoXiNPUYc1FyjE9o1hEEch5CFLGsBOFQ8TqKYJdd+B0CCxWlSN53edHp7eVLrI0J+17aLcPG4aknwrCz6nnxQBGRSf4fbyaV2anpCNf37v5NP SAMLResponse=null true
3.2. Redirect to /idp/ - 2
[org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] (http-0.0.0.0-8080-1) Storing the SAMLRequest/SAMLResponse and RelayState in session
[org.jboss.security.integration.JNDIBasedSecurityManagement] (http-0.0.0.0-8080-1) Creating SDC for domain=jboss-web-policy
[org.jboss.security.plugins.JaasSecurityManager] (http-0.0.0.0-8080-1) Constructing
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.jboss-web-policy] (http-0.0.0.0-8080-1) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@7556d1e2
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.jboss-web-policy] (http-0.0.0.0-8080-1) CachePolicy set to: org.jboss.util.TimedCachePolicy@37fa3ed9
[org.jboss.security.integration.JNDIBasedSecurityManagement] (http-0.0.0.0-8080-1) setCachePolicy, c=org.jboss.util.TimedCachePolicy@37fa3ed9
[org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
[org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] (http-0.0.0.0-8080-1) Referer in finally block=null:user principal=null
[org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:null
[org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:null
[org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:{}
4.1. Submit of the /idp/ login form - 1
2011-05-25 00:09:23,083 DEBUG [org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve] (http-0.0.0.0-8080-1) SP Sent::Method = POST SAMLRequest=null SAMLResponse=null true
4.2. Submit of the /idp/ login form - 2: user and roles are set
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.jboss-web-policy] (http-0.0.0.0-8080-1) Begin isValid, principal:tomcat, cache info: null
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.jboss-web-policy] (http-0.0.0.0-8080-1) defaultLogin, principal=tomcat
[org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8080-1) Begin getAppConfigurationEntry(jboss-web-policy), size=12
[org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8080-1) End getAppConfigurationEntry(jboss-web-policy), authInfo=AppConfigurationEntry[]: [0] LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule ControlFlag: LoginModuleControlFlag: required Options:
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) initialize
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Security domain: other
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) findResource: null
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Properties file=vfsfile:/opt/as/jboss-5.1.0.GA/server/default/deploy/idp.war/WEB-INF/classes/users.properties, defaults=null
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Loaded properties, users=[tomcat]
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) findResource: null
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Properties file=vfsfile:/opt/as/jboss-5.1.0.GA/server/default/deploy/idp.war/WEB-INF/classes/roles.properties, defaults=null
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Loaded properties, users=[tomcat]
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) login
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) User 'tomcat' authenticated, loginOk=true
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) commit, loginOk=true
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Checking user: tomcat, roles string: manager,sales,employee
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Adding to Roles: manager,sales,employee
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.jboss-web-policy] (http-0.0.0.0-8080-1) defaultLogin, lc=javax.security.auth.login.LoginContext@2f2be3d9, subject=Subject(1786500032).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager))
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.jboss-web-policy] (http-0.0.0.0-8080-1) updateCache, inputSubject=Subject(1786500032).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager)), cacheSubject=Subject(1561168454).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager))
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.jboss-web-policy] (http-0.0.0.0-8080-1) Inserted cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@23f12964[Subject(1561168454).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager)),credential.class=java.lang.String@620880001,expirationTime=1306251553453]
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.jboss-web-policy] (http-0.0.0.0-8080-1) End isValid, true
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.jboss-web-policy] (http-0.0.0.0-8080-1) getPrincipal, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@23f12964[Subject(1561168454).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager)),credential.class=java.lang.String@620880001,expirationTime=1306251553453]
[org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] (http-0.0.0.0-8080-1) Referer in finally block=http://localhost:8080/idp/?SAMLRequest=fdFdS8MwFAbgv1LipbQ5Tb9DO5juwoHi2Kq3kmVxK3TJzEmtP9%2Fo5gTB3YQkPCcv56TWmPDp4HZ6qd4GhS742Pcaub9uyGA1NwI7fxR7hdxJvpo%2B3HMWAT9Y44w0PTkWXMYCUVnXGU3Oz7OG7Jw7cErHcYzGJDJ2SxkAUKioRxvstle%2FPP2HxxTSL6609Hr6k3NrNA57ZVfKvndSPS3vz%2FW9kaLfGXS8hBIoil4hJcF81pD57IWlMhdVlYdZ7pc0y%2FJwXRYsVIUsi0yuoXiNPUYc1FyjE9o1hEEch5CFLGsBOFQ8TqKYJdd%2BB0CCxWlSN53edHp7eVLrI0J%2B17aLcPG4aknwrCz6nnxQBGRSf4fbyaV2anpCNf37v5NP:user principal=null
5.1. Redirect to /idp/ - 1
2011-05-25 00:09:23,104 DEBUG [org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve] (http-0.0.0.0-8080-1) SP Sent::Method = GET SAMLRequest=fdFdS8MwFAbgv1LipbQ5Tb9DO5juwoHi2Kq3kmVxK3TJzEmtP9/o5gTB3YQkPCcv56TWmPDp4HZ6qd4GhS742Pcaub9uyGA1NwI7fxR7hdxJvpo+3HMWAT9Y44w0PTkWXMYCUVnXGU3Oz7OG7Jw7cErHcYzGJDJ2SxkAUKioRxvstle/PP2HxxTSL6609Hr6k3NrNA57ZVfKvndSPS3vz/W9kaLfGXS8hBIoil4hJcF81pD57IWlMhdVlYdZ7pc0y/JwXRYsVIUsi0yuoXiNPUYc1FyjE9o1hEEch5CFLGsBOFQ8TqKYJdd+B0CCxWlSN53edHp7eVLrI0J+17aLcPG4aknwrCz6nnxQBGRSf4fbyaV2anpCNf37v5NP SAMLResponse=null true
5.2. Redirect to /idp/ - 2: SAML Response is created
[org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] (http-0.0.0.0-8080-1) Storing the SAMLRequest/SAMLResponse and RelayState in session
[org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
[org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
[org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
[org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] (http-0.0.0.0-8080-1) Referer in finally block=null:user principal=GenericPrincipal[tomcat(employee,manager,sales,)]
[org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] (http-0.0.0.0-8080-1) Retrieved saml messages and relay state from sessionsaml Request message=fdFdS8MwFAbgv1LipbQ5Tb9DO5juwoHi2Kq3kmVxK3TJzEmtP9/o5gTB3YQkPCcv56TWmPDp4HZ6qd4GhS742Pcaub9uyGA1NwI7fxR7hdxJvpo+3HMWAT9Y44w0PTkWXMYCUVnXGU3Oz7OG7Jw7cErHcYzGJDJ2SxkAUKioRxvstle/PP2HxxTSL6609Hr6k3NrNA57ZVfKvndSPS3vz/W9kaLfGXS8hBIoil4hJcF81pD57IWlMhdVlYdZ7pc0y/JwXRYsVIUsi0yuoXiNPUYc1FyjE9o1hEEch5CFLGsBOFQ8TqKYJdd+B0CCxWlSN53edHp7eVLrI0J+17aLcPG4aknwrCz6nnxQBGRSf4fbyaV2anpCNf37v5NP::SAMLResponseMessage=null:relay state=nullSignature=null::sigAlg=null
[org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] (http-0.0.0.0-8080-1) Handlers are=[org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler@204db0e4, org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler@4c98594d, org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler@260ef584, org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler@2018c0a1]
[org.picketlink.identity.federation.web.util.IDPWebRequestUtil] (http-0.0.0.0-8080-1) Domains that IDP trusts=localhost,jboss.com,jboss.org and issuer domain=localhost
[org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler] (http-0.0.0.0-8080-1) Domains that IDP trusts=localhost,jboss.com,jboss.org and issuer domain=localhost
[org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler] (http-0.0.0.0-8080-1) AssertionConsumerURL=http://localhost:8080/sales/::assertion validity=300000
[org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler] (http-0.0.0.0-8080-1) Response=<?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns3:Response Destination="http://localhost:8080/sales/" IssueInstant="2011-05-25T00:09:23.117+09:00" Version="2.0" InResponseTo="ID_24c6a996-5696-4556-b872-e7c875cb07f1" ID="ID_4573ac56-abf5-40a3-85d0-01500328f844" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer>http://localhost:8080/idp/</Issuer><ns3:Status><ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></ns3:Status><Assertion IssueInstant="2011-05-25T00:09:23.117+09:00" ID="ID_99a02bcc-1a82-4b6c-8040-d3fa418cad90" Version="2.0"><Issuer>http://localhost:8080/idp/</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">tomcat</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="ID_24c6a996-5696-4556-b872-e7c875cb07f1" Recipient="http://localhost:8080/sales/" NotOnOrAfter="2011-05-25T00:09:23.117+09:00" NotBefore="2011-05-25T00:09:23.117+09:00"/></SubjectConfirmation></Subject><Conditions NotOnOrAfter="2011-05-25T00:14:23.117+09:00" NotBefore="2011-05-25T00:09:23.117+09:00"/><AttributeStatement><Attribute FriendlyName="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role"><AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">employee</AttributeValue></Attribute><Attribute FriendlyName="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role"><AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">manager</AttributeValue></Attribute><Attribute FriendlyName="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role"><AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">sales</AttributeValue></Attribute></AttributeStatement></Assertion></ns3:Response>
[org.picketlink.identity.federation.web.util.IDPWebRequestUtil] (http-0.0.0.0-8080-1) IDP:Destination=http://localhost:8080/sales/
[org.picketlink.identity.federation.web.util.IDPWebRequestUtil] (http-0.0.0.0-8080-1) Redirecting to=http://localhost:8080/sales/?SAMLResponse=7ZVba9swFMe%2FStAehyL5ltjCMWQNhUAv0JSytyHLx4mGLRlJIe23n%2Bw2aTrSdIyxl%2B0lKIefzuV%2FzpFzZSN2B7bTysLosW2UZd40Q1ujmOZW%2Br%2B8BcucYKv59RULx5R1RjstdIOeL5yHubVgnNQKHdyHM7RxrmOE7Ha78S4aa7MmIaWU0Ix4qLJy%2FekVj9%2FBA0LjHgclPL0A66TifaQD32jBm422jqU0pcTyBixBo%2BVihpaLb3EyjbhIJpiXdYJjyiOcJhXFNEgojcK0TuPYw2ovz70eroWxmPAsm%2BBk4n%2FixDso02mIYSrSaSJKOq0Df83aLSyVdVy5GQppEGCa4DC5p5TRjIXROAimn%2F2JUjR6AGOHvL1gqMiHu6Y4XYSsOpKTFyTv27dy3G3t8flCVzB64M0WzvfGDjRbbYUAaxEpcnLscL5v3V6xLOM0LIXAAU9DHJcTgVMaU1xFNY%2BDVPAqo3%2Bt9NW2%2FA7CFfmNr2u5GF1q03J3vuDeIitcDyjr%2BtjWgXKocLoV3OXk2dnB%2B4VWtezhXoVrcBtdnY8gWlYCN2DQSR8L7vjvjtSNdl%2FApw4fiurJW3Vr5rUD8yF8B0J2EvpenV2bfjpOVPRqLXJvr2RvtH8o2SB%2BC%2Fsc5s4ZWW4d9FMKrc%2F7yDa6NL6Sqnnq2zhDRjfgA%2Fx0%2FpVB4d5jb92PSuk5gY4iDdv18kQ92ndfqK%2FXVyuxgZajAys%2FhrEctkf4hD3P3FPnC3i0fl%2BNVGtUQNs1%2BgkgJ2%2FzKY4M%2F54qLVd8Dea%2FKMeiDMt7XhJyaqXI4fF%2F%2BSjsn6ziBw%3D%3D
[org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:null
[org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:null
[org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:{}
5.3. Redirect to /idp/ - 3: SAML Response
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:Response xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:8080/sales/" IssueInstant="2011-05-25T00:09:23.117+09:00" Version="2.0" InResponseTo="ID_24c6a996-5696-4556-b872-e7c875cb07f1" ID="ID_4573ac56-abf5-40a3-85d0-01500328f844">
  <Issuer>http://localhost:8080/idp/</Issuer>
  <ns3:Status>
    <ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </ns3:Status>
  <Assertion IssueInstant="2011-05-25T00:09:23.117+09:00" ID="ID_99a02bcc-1a82-4b6c-8040-d3fa418cad90" Version="2.0">
    <Issuer>http://localhost:8080/idp/</Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">tomcat</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="ID_24c6a996-5696-4556-b872-e7c875cb07f1" Recipient="http://localhost:8080/sales/" NotOnOrAfter="2011-05-25T00:09:23.117+09:00" NotBefore="2011-05-25T00:09:23.117+09:00"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotOnOrAfter="2011-05-25T00:14:23.117+09:00" NotBefore="2011-05-25T00:09:23.117+09:00"/>
    <AttributeStatement>
      <Attribute FriendlyName="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role">
        <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">employee</AttributeValue>
      </Attribute>
      <Attribute FriendlyName="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role">
        <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manager</AttributeValue>
      </Attribute>
      <Attribute FriendlyName="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role">
        <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">sales</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</ns3:Response>
6.1. Redirect to /sales/ - 1
REQUEST URI =/sales/ authType=null characterEncoding=null contentLength=-1 contentType=null contextPath=/sales cookie=JSESSIONID=0804A3AF261E8E9E5355B4801A2EC5F8 header=host=localhost:8080 header=origin=http://localhost:8080 header=accept-encoding=gzip, deflate header=accept-language=ja-jp header=user-agent=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; ja-jp) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1 header=accept=application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 header=referer=http://localhost:8080/idp/?SAMLRequest=fdFdS8MwFAbgv1LipbQ5Tb9DO5juwoHi2Kq3kmVxK3TJzEmtP9%2Fo5gTB3YQkPCcv56TWmPDp4HZ6qd4GhS742Pcaub9uyGA1NwI7fxR7hdxJvpo%2B3HMWAT9Y44w0PTkWXMYCUVnXGU3Oz7OG7Jw7cErHcYzGJDJ2SxkAUKioRxvstle%2FPP2HxxTSL6609Hr6k3NrNA57ZVfKvndSPS3vz%2FW9kaLfGXS8hBIoil4hJcF81pD57IWlMhdVlYdZ7pc0y%2FJwXRYsVIUsi0yuoXiNPUYc1FyjE9o1hEEch5CFLGsBOFQ8TqKYJdd%2BB0CCxWlSN53edHp7eVLrI0J%2B17aLcPG4aknwrCz6nnxQBGRSf4fbyaV2anpCNf37v5NP header=cookie=JSESSIONID=0804A3AF261E8E9E5355B4801A2EC5F8 header=connection=keep-alive locale=ja_JP method=GET parameter=SAMLResponse=… pathInfo=null protocol=HTTP/1.1 queryString=SAMLResponse=7ZVba9swFMe%2FStAehyL5ltjCMWQNhUAv0JSytyHLx4mGLRlJIe23n%2Bw2aTrSdIyxl%2B0lKIefzuV%2FzpFzZSN2B7bTysLosW2UZd40Q1ujmOZW%2Br%2B8BcucYKv59RULx5R1RjstdIOeL5yHubVgnNQKHdyHM7RxrmOE7Ha78S4aa7MmIaWU0Ix4qLJy%2FekVj9%2FBA0LjHgclPL0A66TifaQD32jBm422jqU0pcTyBixBo%2BVihpaLb3EyjbhIJpiXdYJjyiOcJhXFNEgojcK0TuPYw2ovz70eroWxmPAsm%2BBk4n%2FixDso02mIYSrSaSJKOq0Df83aLSyVdVy5GQppEGCa4DC5p5TRjIXROAimn%2F2JUjR6AGOHvL1gqMiHu6Y4XYSsOpKTFyTv27dy3G3t8flCVzB64M0WzvfGDjRbbYUAaxEpcnLscL5v3V6xLOM0LIXAAU9DHJcTgVMaU1xFNY%2BDVPAqo3%2Bt9NW2%2FA7CFfmNr2u5GF1q03J3vuDeIitcDyjr%2BtjWgXKocLoV3OXk2dnB%2B4VWtezhXoVrcBtdnY8gWlYCN2DQSR8L7vjvjtSNdl%2FApw4fiurJW3Vr5rUD8yF8B0J2EvpenV2bfjpOVPRqLXJvr2RvtH8o2SB%2BC%2Fsc5s4ZWW4d9FMKrc%2F7yDa6NL6Sqnnq2zhDRjfgA%2Fx0%2FpVB4d5jb92PSuk5gY4iDdv18kQ92ndfqK%2FXVyuxgZajAys%2FhrEctkf4hD3P3FPnC3i0fl%2BNVGtUQNs1%2BgkgJ2%2FzKY4M%2F54qLVd8Dea%2FKMeiDMt7XhJyaqXI4fF%2F%2BSjsn6ziBw%3D%3D remoteAddr=127.0.0.1 remoteHost=127.0.0.1 remoteUser=null requestedSessionId=0804A3AF261E8E9E5355B4801A2EC5F8 scheme=http serverName=localhost serverPort=8080 servletPath=/index.jsp isSecure=false
6.2. Redirect to /sales/ - 2
[org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
[org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil] (http-0.0.0.0-8080-1) Now=2011-05-25T00:09:23.270+09:00 ::notBefore=2011-05-25T00:09:23.117+09:00::notOnOrAfter=2011-05-25T00:14:23.117+09:00
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.sp] (http-0.0.0.0-8080-1) Begin isValid, principal:tomcat, cache info: null
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.sp] (http-0.0.0.0-8080-1) defaultLogin, principal=tomcat
[org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8080-1) Begin getAppConfigurationEntry(sp), size=12
[org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8080-1) End getAppConfigurationEntry(sp), authInfo=AppConfigurationEntry[]: [0] LoginModule Class: org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule ControlFlag: LoginModuleControlFlag: required Options:
[org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule] (http-0.0.0.0-8080-1) initialize
[org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule] (http-0.0.0.0-8080-1) Security domain: sp
[org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule] (http-0.0.0.0-8080-1) login
[org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule] (http-0.0.0.0-8080-1) User 'tomcat' authenticated, loginOk=true
[org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule] (http-0.0.0.0-8080-1) commit, loginOk=true
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.sp] (http-0.0.0.0-8080-1) defaultLogin, lc=javax.security.auth.login.LoginContext@1e5dfa5e, subject=Subject(736116965).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager))
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.sp] (http-0.0.0.0-8080-1) updateCache, inputSubject=Subject(736116965).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager)), cacheSubject=Subject(264540388).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager))
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.sp] (http-0.0.0.0-8080-1) Inserted cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@320470d2[Subject(264540388).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager)),credential.class=java.lang.String@620880001,expirationTime=1306251553095]
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.sp] (http-0.0.0.0-8080-1) End isValid, true
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.sp] (http-0.0.0.0-8080-1) getPrincipal, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@320470d2[Subject(264540388).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager)),credential.class=java.lang.String@620880001,expirationTime=1306251553095]
[org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
[org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
6.3. Redirect to /sales/ - 3
authType=FORM contentLength=-1 contentType=text/html;charset=ISO-8859-1 header=Pragma=No-cache header=Cache-Control=no-cache header=Expires=Thu, 01 Jan 1970 09:00:00 JST header=X-Powered-By=Servlet 2.5; JBoss-5.0/JBossWeb-2.1 message=null remoteUser=tomcat status=200
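The logs above show three things worth checking by hand rather than trusting the "loginOk=true" line in 6.2: the SAMLRequest in 1.3/2.1 is the AuthnRequest from 2.2 encoded with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding); the Response in 5.3 carries no ds:Signature at all (the TODO's "signed sample" is still open), was returned by GET in the query string (6.1) although the AuthnRequest asked for the HTTP-POST binding, and has a bearer SubjectConfirmationData whose NotOnOrAfter equals its NotBefore (00:09:23.117), while the SP's AssertionUtil line in 6.2 shows it validated at Now=00:09:23.270 against the Conditions window only. The following is an added example, not code from the page or from PicketLink: it re-implements the redirect-binding encoding for the AuthnRequest from 2.2 and runs the checks a strict SP applies to the Response from 5.3 (InResponseTo, Destination/Recipient against the ACS URL, both validity windows, presence of a signature). The check names, the skew_seconds allowance and the choice of which checks are mandatory are this example's own; the two SAML messages and the timestamps are copied from the log.

```python
import base64, urllib.parse, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS_URL = "http://localhost:8080/sales/"
REQUEST_ID = "ID_24c6a996-5696-4556-b872-e7c875cb07f1"
# "Now=" from the AssertionUtil line in 6.2, i.e. when the SP validated the assertion.
RECEIVED_AT = datetime.fromisoformat("2011-05-25T00:09:23.270+09:00")
# AuthnRequest from 2.2 (unused ns2/ns4 declarations dropped).
AUTHN_REQUEST = ('<ns3:AuthnRequest xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" '
                 'xmlns="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="%s" '
                 'ID="%s" IssueInstant="2011-05-25T00:09:13.123+09:00" '
                 'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">'
                 '<Issuer>%s</Issuer></ns3:AuthnRequest>') % (ACS_URL, REQUEST_ID, ACS_URL)
# Response from 5.3, copied from the log (whitespace between elements added).
CAPTURED_RESPONSE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:Response Destination="http://localhost:8080/sales/" IssueInstant="2011-05-25T00:09:23.117+09:00" Version="2.0" InResponseTo="ID_24c6a996-5696-4556-b872-e7c875cb07f1" ID="ID_4573ac56-abf5-40a3-85d0-01500328f844" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer>http://localhost:8080/idp/</Issuer>
<ns3:Status><ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></ns3:Status>
<Assertion IssueInstant="2011-05-25T00:09:23.117+09:00" ID="ID_99a02bcc-1a82-4b6c-8040-d3fa418cad90" Version="2.0">
<Issuer>http://localhost:8080/idp/</Issuer>
<Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">tomcat</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="ID_24c6a996-5696-4556-b872-e7c875cb07f1" Recipient="http://localhost:8080/sales/" NotOnOrAfter="2011-05-25T00:09:23.117+09:00" NotBefore="2011-05-25T00:09:23.117+09:00"/></SubjectConfirmation></Subject>
<Conditions NotOnOrAfter="2011-05-25T00:14:23.117+09:00" NotBefore="2011-05-25T00:09:23.117+09:00"/>
<AttributeStatement>
<Attribute FriendlyName="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role"><AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">employee</AttributeValue></Attribute>
<Attribute FriendlyName="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role"><AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">manager</AttributeValue></Attribute>
<Attribute FriendlyName="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role"><AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">sales</AttributeValue></Attribute>
</AttributeStatement></Assertion></ns3:Response>"""

def encode_redirect(xml_text):
    """HTTP-Redirect binding as the SP used it in 1.3: raw DEFLATE, base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")

def decode_redirect(param):
    """Inverse of encode_redirect; feed it the SAMLRequest= value from the redirect URL."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(raw, -15).decode("utf-8")

def _in_window(elem, now, skew):
    """True if now lies in [NotBefore, NotOnOrAfter) of elem, widened by the skew allowance."""
    nb, noa = elem.get("NotBefore"), elem.get("NotOnOrAfter")
    if nb is not None and now + skew < datetime.fromisoformat(nb):
        return False
    if noa is not None and now - skew >= datetime.fromisoformat(noa):
        return False
    return True

def check_response(resp_xml, expected_request_id, acs_url, received_at, skew_seconds=0.0):
    """Checks a strict SP applies to a bearer assertion; returns every result, not just a verdict."""
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(resp_xml.encode("utf-8"))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)  # the captured Response carries exactly one
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    return {
        "status_success": status is not None and status.get("Value") == SUCCESS,
        # InResponseTo must echo the ID we issued, on the Response and on the bearer confirmation
        "in_response_to_ok": root.get("InResponseTo") == expected_request_id
                             and scd.get("InResponseTo") == expected_request_id,
        "destination_ok": root.get("Destination") == acs_url,
        "recipient_ok": scd.get("Recipient") == acs_url,
        "conditions_ok": _in_window(assertion.find("saml:Conditions", NS), received_at, skew),
        "bearer_window_ok": _in_window(scd, received_at, skew),
        # no ds:Signature anywhere means anyone who knows the ACS URL could have produced this
        "signed": root.find(".//ds:Signature", NS) is not None,
        "subject": assertion.find("saml:Subject/saml:NameID", NS).text.strip(),
        "roles": [v.text.strip() for v in assertion.findall(
            "saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", NS)],
    }

REQUIRED = ("status_success", "in_response_to_ok", "destination_ok", "recipient_ok",
            "conditions_ok", "bearer_window_ok", "signed")

def rejection_reasons(findings):
    """Names of the mandatory checks that failed; an empty list means the SP may accept."""
    return [k for k in REQUIRED if not findings[k]]

if __name__ == "__main__":
    param = encode_redirect(AUTHN_REQUEST)
    print("SAMLRequest=" + param[:48] + "...")
    print(decode_redirect(param))
    f = check_response(CAPTURED_RESPONSE, REQUEST_ID, ACS_URL, RECEIVED_AT)
    print(f["subject"], f["roles"], "rejected for:", rejection_reasons(f))
    print("with 60s skew:", rejection_reasons(
        check_response(CAPTURED_RESPONSE, REQUEST_ID, ACS_URL, RECEIVED_AT, skew_seconds=60)))
```

With the timestamps from the log and no skew allowance the captured Response is rejected for the zero-length bearer window and the missing signature; allowing 60 seconds of skew leaves only the missing signature. decode_redirect also takes the SAMLRequest= value from the URL in 1.3 or the already URL-decoded form the IdP logs in 3.1, since unquote is a no-op on the latter.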