Commit 0eafe9f0 authored by Gradl, Tobias

726: Finalize v1.0 for release with Schema Registry

Task-Url: https://minfba.de.dariah.eu/mantisbt/view.php?id=726
parent 622d0710
...@@ -48,58 +48,83 @@ java -cp dariahsp-core-0.0.4-SNAPSHOT-jar-with-dependencies.jar eu.dariah.de.dar ...@@ -48,58 +48,83 @@ java -cp dariahsp-core-0.0.4-SNAPSHOT-jar-with-dependencies.jar eu.dariah.de.dar
## Implementing security ## Implementing security
Spring security related configuration is packed in three context files: Spring security related configuration is packed in three context files:
* security-context-common.xml contains * *security-context-common.xml* contains all security related beans that are relevant for both local and SAML based authentication methods. The common context is included in the -local and -saml context files.
* security-context-local.xml * *security-context-local.xml* defines beans only necessary in local authentication enviroments.
* security-context-saml.xml * *security-context-saml.xml* respectively only includes beans that are required for SAML processing.
With the environment flag `-Dsaml=true` the local context is no longer loaded and the saml context comes into play. When set to false or missing, the local context is loaded.
### Local user database ### Local user database
Without specifying the saml environment parameter, the sample application starts in local authentication mode. Without specifying the saml environment parameter, the sample application starts in local authentication mode.
To support local authentication, configure this library as in the *security-local-context.xml* template. To complete the setup for this method, applications might want to implement the *UserService* interface (base implementation *BaseUserService*) to provide access to persisted user information. A sample dariahsp.yml configuration
```yaml
auth:
local:
users:
- username: 'admin'
#this hash represents the BCrypt encoded 'password'
passhash: '$2a$10$nbXRnAx5wKurTrbaUkT/MOLXKAJgpT8R71/jujzPwgXXrG.OqlBKW'
roles: ["ROLE_ADMINISTRATOR"]
saml:
keystore:
path: /path/to/keystore.jks
#Uncomment if keystore is not protected by password
#pass: 'somepass'
alias: minfba.de.dariah.eu
#leave aliaspass empty if no password has been set
aliaspass: 'aliaspass'
```
The implementation needs to be provided to the *LocalAuthenticationProvider*.
In cases that do not require user detail persistence, no implementation of the *UserDetails* should be provided to the *LocalAuthenticationProvider*.
### SAML
## Further info
### Java keystore
Based on a X.509 keypair and certificate chains, the required Java keystore can easily be consolidated with `openssl` and the `keytool` (comes with Java installation). The followings steps show the commands for the example of the keystore for dfa.de.dariah.eu and the appropriate input. Please modify accordingly:
**Convert pem/pem keypair to p12 for easier input:**
For the -name argument make sure to chose the later alias of the keypair in the keystore -- specified in the following step with the -alias argument.
```
$ openssl pkcs12 -export -name dfa.de.dariah.eu -in dfa-de-dariah-eu-signed.pem -inkey dfa-de-dariah-eu-privatekey.pem > dfa-de-dariah-eu.p12
```
**Import p12 keypair and create Java keystore**
```
$ keytool -importkeystore -alias dfa.de.dariah.eu -srckeystore dfa-de-dariah-eu.p12 -destkeystore dfa-de-dariah-eu.jks -srcstoretype pkcs12
```
**Import required trusted ca certificates (in our case the chain of our keypair and the trusted SAML metadata provider keychains)**
```
$ keytool -import -trustcacerts -alias gwdg_certificate_chain_g2 -file gwdg_certificate_chain_g2.pem -keystore dfa-de-dariah-eu.jks
$ keytool -import -trustcacerts -alias dfn-aai -file dfn-aai.pem -keystore dfa-de-dariah-eu.jks
$ keytool -import -trustcacerts -alias dfn-aai-g2 -file dfn-aai.g2.pem -keystore dfa-de-dariah-eu.jks
```
A more or less convenient option to view and edit Java keystore can be found in the [KeyStore Explorer](http://keystore-explorer.org/)
**Specify configuration parameters**
```
saml.keystore.path = /path/to/dfa-de-dariah-eu.jks
saml.keystore.pass = password # as entered in step 2 (keytool -importkeystore)
saml.keystore.alias = dfa.de.dariah.eu
saml.keystore.aliaspass = password # as entered in step 1 (openssl pkcs12 -export)
```
\ No newline at end of file
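Review bot: the comment above the `pass:` key in the sample dariahsp.yml is inverted: `#Uncomment if keystore is not protected by password` sits over `#pass: 'somepass'`, but the key has to be uncommented when the keystore *is* password-protected, so a reader following the comment literally ends up with no keystore password configured; reword it to "Uncomment if the keystore is protected by a password". In the same sample, the `admin` entry carries `passhash: '$2a$10$nbXRnAx5wKurTrbaUkT/MOLXKAJgpT8R71/jujzPwgXXrG.OqlBKW'`, which the comment itself identifies as the BCrypt encoding of the literal string `password`, together with `roles: ["ROLE_ADMINISTRATOR"]`; since this README is the template deployers copy, mark the entry explicitly as a placeholder that must be replaced before the application is exposed, otherwise a copied template yields an administrator account whose password is printed in the documentation. Smaller points in the same hunk: the local-authentication paragraph refers to a *security-local-context.xml* template while the list above names the file *security-context-local.xml*; the new `### SAML` heading has no body before `## Further info`; the last paragraph says "no implementation of the *UserDetails* should be provided to the *LocalAuthenticationProvider*" where the preceding sentences talk about implementing the *UserService* interface, so the class name looks wrong; and "enviroments" should read "environments".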