Federation.Workshop_ShibbolizeApplication r1.7 - 18 Feb 2008 - 23:28 - BrucLiong

Workshop Shibbolizing An Application

In this guide, we will write a Java Server Page (JSP) application that will be protected by Shibboleth. The JSP is a simple "reflector" that echoes back the attributes sent over by the Shibboleth IdP. This demonstrates how a real application can be shibbolized in the same way: the attributes it obtains via Shibboleth can then be used by the application for its AuthZ decisions.

Prerequisites

  • You have installed an IdP following the instructions here.
  • You have installed a Shibboleth Service Provider following the instructions here. This is the machine where we will deploy our JSP application.
  • Java 1.5.x with JAVA_HOME environment set up to point to this location.
  • Tomcat 5, Apache 2 and mod_jk are installed and configured.

Set environment

  •  export TOMCAT_HOME=/usr/local/tomcat
  • Edit $TOMCAT_HOME/conf/server.xml file. Make sure that the following block is there:
        <Connector port="8009" address="127.0.0.1" request.tomcatAuthentication="false"
            enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
  • Mount "jsp-examples" through mod_jk: edit the SSL vhost at /etc/apache2/sites-available/003* and put the following line just before the closing </VirtualHost>:
    JkMount /jsp-examples* shibboleth
    
  • Stop and restart Tomcat 5 and Apache 2 by executing the scripts:
    •  /etc/init.d/tomcat5.5 stop
    •  /etc/init.d/tomcat5.5 start
    •  /etc/init.d/apache2 restart
  • Test that the Tomcat connector is working by pointing your browser to "https://MY_DNS/jsp-examples". You should see the test page.

Deploy Demo JSP application

  • Download the attached demo.jsp.txt file, rename it to "demo.jsp" and place it in the /usr/share/tomcat5.5-webapps/jsp-examples directory:
    •  mv demo.jsp.txt /usr/share/tomcat5.5-webapps/jsp-examples/demo.jsp
  • The relevant part of the code in the JSP page, where it retrieves the values from the HTTP request headers, is:
       String surname = request.getHeader("Shib-Person-surname");
       String affiliation = request.getHeader("Shib-EP-UnscopedAffiliation");
       String nickname = request.getHeader("Shib-EP-Nickname");
    
       if(surname != null && surname.trim().length() == 0) surname = null;
       if(affiliation != null && affiliation.trim().length() == 0) affiliation = null;
       if(nickname != null && nickname.trim().length() == 0) nickname = null;
    
  • The JSP application reflects attributes and values passed via Shibboleth, and has three service levels:
    • Bronze service requires release of “eduPersonAffiliation” attribute only.
    • Silver service requires release of “eduPersonAffiliation” and “eduPersonNickname” attributes.
    • Gold service requires release of “eduPersonAffiliation”, “eduPersonNickname” and “sn” attributes.
  • To understand how the values are set in the header, please consult the Resolver, ARP, AAP guides.
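The header-to-attribute step above and the Bronze/Silver/Gold decision, pulled out of the JSP into a plain class so the logic can be compiled and tried outside the servlet container. This is an added example, not the workshop's demo.jsp: the header names are the ones the page uses, the blank-to-null normalisation is the same as in the JSP, and the class name, the Level enum and the sample header values are assumptions made for the example. It is written against Java 1.5, matching the prerequisites.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not the workshop's demo.jsp): reads the attributes that the
 * Shibboleth SP passes to Tomcat as HTTP request headers and decides which of
 * the three service levels the user qualifies for.
 */
public class ShibServiceLevel {

    /** Header names as set by the Shibboleth SP in this workshop. */
    public static final String H_SURNAME     = "Shib-Person-surname";          // sn
    public static final String H_AFFILIATION = "Shib-EP-UnscopedAffiliation";  // eduPersonAffiliation
    public static final String H_NICKNAME    = "Shib-EP-Nickname";             // eduPersonNickname

    /** Service levels; NONE means the affiliation attribute was not released. */
    public enum Level { NONE, BRONZE, SILVER, GOLD }

    /** Same normalisation as demo.jsp: a missing or blank header becomes null. */
    static String clean(String value) {
        if (value == null) return null;
        String trimmed = value.trim();
        return trimmed.length() == 0 ? null : trimmed;
    }

    /**
     * Bronze needs eduPersonAffiliation only, Silver adds eduPersonNickname,
     * Gold adds sn. Each level requires the attributes of the levels below it.
     * The map plays the role of request.getHeader(...) in the JSP.
     */
    public static Level levelFor(Map<String, String> headers) {
        String affiliation = clean(headers.get(H_AFFILIATION));
        String nickname    = clean(headers.get(H_NICKNAME));
        String surname     = clean(headers.get(H_SURNAME));

        if (affiliation == null) return Level.NONE;
        if (nickname == null)    return Level.BRONZE;
        if (surname == null)     return Level.SILVER;
        return Level.GOLD;
    }

    public static void main(String[] args) {
        // Constructed sample headers, standing in for what the SP sends over AJP.
        Map<String, String> h = new HashMap<String, String>();
        h.put(H_AFFILIATION, "member");
        System.out.println("affiliation only:      " + levelFor(h));
        h.put(H_NICKNAME, "   ");   // blank value counts as not released
        System.out.println("blank nickname:        " + levelFor(h));
        h.put(H_NICKNAME, "bruce");
        System.out.println("affiliation+nickname:  " + levelFor(h));
        h.put(H_SURNAME, "Liong");
        System.out.println("all three attributes:  " + levelFor(h));
    }
}
```

Inside the JSP, `headers.get(name)` becomes `request.getHeader(name)`. The application can only trust these headers because Apache sets them after Shibboleth has established a session and the AJP connector above is bound to 127.0.0.1, so Tomcat never accepts the headers straight from a browser; keep that binding and the Location block from the next section in place whenever the JSP is deployed.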

Protect the JSP Application with Shibboleth

  • Edit the SSL virtual host file, "/etc/apache2/sites-available/003*". Just before the closing VirtualHost element, add the following block:

<Location /jsp-examples/demo.jsp>
    AuthType shibboleth
    ShibRequireSession On
    require valid-user
</Location>

  • Test your newly protected application by opening a browser on your local computer and pointing it to the URL "https://MY_DNS/jsp-examples/demo.jsp". When redirected to the WAYF, select your IdP and log in with your credentials; you should then see the reflector page showing the attributes sent from the IdP to the SP and on to your application.
