
Use JAAS Python

biancini edited this page Jul 13, 2012 · 2 revisions

Usage of JAAS and Python modules

Goal of the configuration

The goal of this page is to describe how to use the Java and Python APIs to authenticate users via Shibboleth.

The JAAS and Python modules work by contacting the Shibboleth HTTP Basic authentication mechanism. The configuration of this authentication mechanism is described on the following page of this wiki:

[Configuration to authenticate via HTTP Basic Authentication]

Installation of a protected resource listing session attributes

The JAAS and Python modules work by trying to access a protected resource on Apache (protected in the sense that it sits behind Shibboleth HTTP Basic authentication) that lists all session attributes.

This resource is provided in the form of a very simple PHP page to be put on Apache behind Shibboleth authentication with, for example, the following configuration:

# Directory created as a test to show Shibboleth authentication parameters
Alias /secure "/var/www/html/secure"

<Directory "/var/www/html/secure">
   SSLRequireSSL
   ShibRequireSessionWith PAMLogin
   AuthType shibboleth
   ShibRequireSession On
   ShibUseHeaders On
   require valid-user
   require none
</Directory>

This PHP page can be modified by specifying:

  • in the $headers array, all the fields that must be retrieved from the PHP $_SERVER array and put in the user's Shibboleth session
  • an implementation of the function eval_authenticateduser() that returns a value different from true for users to whom login must be denied.

JAAS module

The JAAS module is available in the folder jaas_module. After compilation it is possible to create a jar, which must be added to the classpath of the running application.

After that, to configure the JAAS parameters, the following file must be created (as in the example provided in the jaas_module folder):

/*
  This is the JAAS configuration file used to authenticate users with Shibboleth.

  A JAAS configuration file is a grouping of LoginModules defined in the following manner:
  <LoginModuleClass> <Flag> <ModuleOptions>;

  LoginModuleClass - fully qualified class name of the LoginModule class
  Flag             - indicates the requirement level for the module;
                     allowed values: required, requisite, sufficient, optional
  ModuleOptions    - a space delimited list of name="value" options

  For complete documentation on the format of this file see:
  http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html

  For LoginModules available within the Sun JVM see:
  http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/tutorials/LoginConfigFile.html
*/


Shibboleth {
  it.infn.mib.shibboleth.jaas.JAASShibbolethLoginModule required
                url="https://servername.com/pam.php"
                sslcheck="false"
                sess_username="username"
                truststore=""
                truststore_password=""
                debug="false";
};

The parameters that can be specified to this authentication module are:

  • url = specifies the URL of a protected resource showing a list of session values (described above)
  • sslcheck = specifies whether the SSL certificate presented by the HTTPS server must be checked against a real certificate authority (CA)
  • sess_username = the field in the Shibboleth session that contains the value to be used as username (usually the uid or mail field can be used)
  • truststore = the truststore to be used to verify the HTTPS server's SSL certificate
  • truststore_password = the password used to access the truststore used to verify the HTTPS server's SSL certificate
  • debug = specifies whether debug information must be produced or not

Code example

To login with Shibboleth using this JAAS module, the following code is sufficient:

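import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// "Shibboleth" is the entry name in the JAAS configuration file above;
// MyCallbackHandler is the application's CallbackHandler implementation.
try {
    LoginContext lc = new LoginContext("Shibboleth", new MyCallbackHandler());
    lc.login();
    System.out.println("User logged in successfully.");
} catch (LoginException e) {
    System.err.println("Error logging in user.");
    e.printStackTrace();
}

An example of this code is provided in the class it.infn.mib.shibboleth.jaas.test.LoginMain. This example class also uses the login information obtained from Shibboleth to invoke a web service that is hosted on the SP behind the same Shibboleth authentication requirement.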

Python module

The Python module is available in the folder python_module and is implemented in the shibauth Python package.

To configure the Python parameters, the following file must be created (as in the example provided in the python_module folder):

[HTTP params]
url=https://servername.com/pam.php
sslcheck=false
sess_username=username
debug=false

The parameters that can be specified to this authentication module are:

  • url = specifies the URL of a protected resource showing a list of session values (described above)
  • sslcheck = specifies whether the SSL certificate presented by the HTTPS server must be checked against a real certificate authority (CA)
  • sess_username = the field in the Shibboleth session that contains the value to be used as username (usually the uid or mail field can be used)
  • debug = specifies whether debug information must be produced or not
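
How the url and sslcheck parameters above translate into the HTTPS request that carries the user's password, as an added Python 3 example. It is not the shibauth source: the function names, the cafile argument and the exact behaviour given to sslcheck=false are assumptions.

```python
import base64
import configparser
import ssl
import urllib.request

# Constructed sample in the format shown above, with certificate checking on.
SAMPLE_CONFIG = """\
[HTTP params]
url=https://servername.com/pam.php
sslcheck=true
sess_username=username
debug=false
"""

def load_params(text):
    """Parse [HTTP params]; refuse a URL that would send the password in clear."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in a URL stays literal
    cp.read_string(text)
    sec = cp["HTTP params"]
    params = {
        "url": sec["url"],
        "sslcheck": sec.getboolean("sslcheck", fallback=True),
        "sess_username": sec["sess_username"],
        "debug": sec.getboolean("debug", fallback=False),
    }
    if not params["url"].lower().startswith("https://"):
        raise ValueError("url must be https: Basic auth only base64-encodes the password")
    return params

def tls_context(params, cafile=None):
    """Assumed meaning of sslcheck: true verifies chain and hostname, false nothing."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile=None -> system CA store
    if not params["sslcheck"]:
        ctx.check_hostname = False       # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
    return ctx

def basic_request(params, username, password):
    """Build (without sending) the request for the protected resource."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8"))
    req = urllib.request.Request(params["url"])
    req.add_header("Authorization", "Basic " + token.decode("ascii"))
    return req

def fetch_session_page(params, username, password, cafile=None):
    """Network call: returns the page listing the session attributes."""
    req = basic_request(params, username, password)
    with urllib.request.urlopen(req, context=tls_context(params, cafile), timeout=10) as r:
        return r.read().decode("utf-8", "replace")
```

With sslcheck=false the Basic credentials go to whichever server answers on that connection, so the setting is suited only to test setups. The cafile argument plays the role that the truststore option has in the JAAS module.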

Code example

To login with Shibboleth using this Python module, the following code is sufficient:

import getpass

import shibauth

if __name__ == "__main__":
    # raw_input() is Python 2; on Python 3 use input() instead.
    username = raw_input('Enter your username: ')
    # getpass reads the password without echoing it to the terminal.
    password = getpass.getpass('Enter your password: ')

    try:
        # login() returns the logged-in user and the session.
        loggeduser, session = shibauth.login(username, password)
        print("User logged in successfully.")
    except Exception as e:
        print("Error logging in user: %s" % e)

An example of this code is provided in the file login.py. This example script also uses the login information obtained from Shibboleth to invoke a web service that is hosted on the SP behind the same Shibboleth authentication requirement.
