Commit 0eafe9f0 authored by Gradl, Tobias's avatar Gradl, Tobias
Browse files

726: Finalize v1.0 for release with Schema Registry

Task-Url: https://minfba.de.dariah.eu/mantisbt/view.php?id=726
parent 622d0710
......@@ -48,58 +48,83 @@ java -cp dariahsp-core-0.0.4-SNAPSHOT-jar-with-dependencies.jar eu.dariah.de.dar
## Implementing security
Spring security related configuration is packed in three context files:
* security-context-common.xml contains
* security-context-local.xml
* security-context-saml.xml
* *security-context-common.xml* contains all security related beans that are relevant for both local and SAML based authentication methods. The common context is included in the -local and -saml context files.
* *security-context-local.xml* defines beans only necessary in local authentication enviroments.
* *security-context-saml.xml* respectively only includes beans that are required for SAML processing.
With the environment flag `-Dsaml=true` the local context is no longer loaded and the saml context comes into play. When set to false or missing, the local context is loaded.
### Local user database
Without specifying the saml environment parameter, the sample application starts in local authentication mode.
To support local authentication, configure this library as in the *security-local-context.xml* template. To complete the setup for this method, applications might want to implement the *UserService* interface (base implementation *BaseUserService*) to provide access to persisted user information.
A sample dariahsp.yml configuration
```yaml
auth:
local:
users:
- username: 'admin'
#this hash represents the BCrypt encoded 'password'
passhash: '$2a$10$nbXRnAx5wKurTrbaUkT/MOLXKAJgpT8R71/jujzPwgXXrG.OqlBKW'
roles: ["ROLE_ADMINISTRATOR"]
saml:
keystore:
path: /path/to/keystore.jks
#Uncomment if keystore is not protected by password
#pass: 'somepass'
alias: minfba.de.dariah.eu
#leave aliaspass empty if no password has been set
aliaspass: 'aliaspass'
```
The implementation needs to be provided to the *LocalAuthenticationProvider*.
In cases that do not require user detail persistence, no implementation of the *UserDetails* should be provided to the *LocalAuthenticationProvider*.
### SAML
## Further info
### Java keystore
Based on a X.509 keypair and certificate chains, the required Java keystore can easily be consolidated with `openssl` and the `keytool` (comes with Java installation). The followings steps show the commands for the example of the keystore for dfa.de.dariah.eu and the appropriate input. Please modify accordingly:
**Convert pem/pem keypair to p12 for easier input:**
For the -name argument make sure to chose the later alias of the keypair in the keystore -- specified in the following step with the -alias argument.
```
$ openssl pkcs12 -export -name dfa.de.dariah.eu -in dfa-de-dariah-eu-signed.pem -inkey dfa-de-dariah-eu-privatekey.pem > dfa-de-dariah-eu.p12
```
**Import p12 keypair and create Java keystore**
```
$ keytool -importkeystore -alias dfa.de.dariah.eu -srckeystore dfa-de-dariah-eu.p12 -destkeystore dfa-de-dariah-eu.jks -srcstoretype pkcs12
```
**Import required trusted ca certificates (in our case the chain of our keypair and the trusted SAML metadata provider keychains)**
```
$ keytool -import -trustcacerts -alias gwdg_certificate_chain_g2 -file gwdg_certificate_chain_g2.pem -keystore dfa-de-dariah-eu.jks
$ keytool -import -trustcacerts -alias dfn-aai -file dfn-aai.pem -keystore dfa-de-dariah-eu.jks
$ keytool -import -trustcacerts -alias dfn-aai-g2 -file dfn-aai.g2.pem -keystore dfa-de-dariah-eu.jks
```
A more or less convenient option to view and edit Java keystore can be found in the [KeyStore Explorer](http://keystore-explorer.org/)
**Specify configuration parameters**
```
saml.keystore.path = /path/to/dfa-de-dariah-eu.jks
saml.keystore.pass = password # as entered in step 2 (keytool -importkeystore)
saml.keystore.alias = dfa.de.dariah.eu
saml.keystore.aliaspass = password # as entered in step 1 (openssl pkcs12 -export)
```
\ No newline at end of file
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment