Setup Instructions
This page provides a step-by-step guide on how to set up PrOfESSOS.
Note: The instructions below have been tested with Ubuntu 18.04 and the current master branch at commit ab9bf71a5d50d9b5b646b23d52a080dde5fe3218. Different steps may be necessary for other distributions.
- Install the tools and dependencies required to build and run PrOfESSOS:

  ```sh
  sudo -i
  apt-get update && apt-get install openjdk-8-jdk maven git apache2 curl
  ```
- Enable Java 8:

  ```sh
  update-java-alternatives -s java-1.8.0-openjdk-amd64
  ```
- Install phantomjs:

  ```sh
  curl -L -O https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2 \
  && mkdir -p /opt/phantomjs \
  && tar xjf phantomjs-2.1.1-linux-x86_64.tar.bz2 --strip-components 1 -C /opt/phantomjs/ \
  && rm -f phantomjs-2.1.1-linux-x86_64.tar.bz2 \
  && ln -sf /opt/phantomjs/bin/phantomjs /usr/local/bin/phantomjs
  ```
- Install WildFly AS. The unprivileged `jboss` user and group are created first, so that the ownership change of the installation directory succeeds:

  ```sh
  WILDFLY_VERSION="16.0.0.Final"
  JBOSS_HOME="/opt/jboss/wildfly"
  groupadd -r jboss && useradd -r -g jboss -m -d /opt/jboss -s /sbin/nologin -c "JBoss user" jboss
  curl -O https://download.jboss.org/wildfly/$WILDFLY_VERSION/wildfly-$WILDFLY_VERSION.tar.gz \
  && tar xf wildfly-$WILDFLY_VERSION.tar.gz \
  && mv wildfly-$WILDFLY_VERSION $JBOSS_HOME \
  && chown -R jboss:0 ${JBOSS_HOME} \
  && chmod -R g+rw ${JBOSS_HOME}
  rm wildfly-$WILDFLY_VERSION.tar.gz
  ```
- Fetch the source:

  ```sh
  cd
  git clone https://github.com/RUB-NDS/PrOfESSOS
  cd PrOfESSOS
  ```
PrOfESSOS requires three domains: one for the controller and one for each IdP ("attacker"/"honest"). The hostnames can be set in the file `src/main/resources/servernames.properties`. For this example, we assume the following settings:

```properties
controller = http://openid.example.org
honest-op = http://honest-idp.example.org
evil-op = http://attack-idp.example.org
```
Create the WildFly deployment descriptor `src/main/webapp/WEB-INF/jboss-web.xml` with the following content, which deploys the application at the root context of the server:

```xml
<jboss-web>
    <context-root>/</context-root>
</jboss-web>
```
Then, compile the sources by running

```sh
mvn clean package
```
We need to enable WildFly's proxy-address-forwarding by adding the attribute `proxy-address-forwarding="true"` to the default http listener of the Undertow subsystem within the WildFly configuration. There are several ways to configure WildFly; for simplicity, we use the standalone mode and directly edit the configuration file at `/opt/jboss/wildfly/standalone/configuration/standalone.xml`. Search for `default-server` and change the default `http-listener` accordingly. The corresponding lines should look like this:

```xml
<subsystem xmlns="urn:jboss:domain:undertow:8.0" default-server="default-server" [...]>
    [...]
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true" enable-http2="true"/>
        <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <http-invoker security-realm="ApplicationRealm"/>
        </host>
    </server>
    [...]
```
Depending on your setup, you may also want to remove the https listener.
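The attribute matters because, without it, Undertow ignores the `X-Forwarded-For` and `X-Forwarded-Proto` headers that the Apache configuration further below sets, so the application would see every client as `127.0.0.1` over plain http. The following script is an added example for this guide, not code from the PrOfESSOS repository: it parses a `standalone.xml`, picks the server named by the Undertow subsystem's `default-server` attribute and reports whether each of its `http-listener` elements has `proxy-address-forwarding="true"`. The embedded XML is a constructed sample shaped like the snippet above; pass the path of your real `standalone.xml` as the first argument to check the actual file.

```python
"""Check a WildFly standalone.xml for proxy-address-forwarding (added example)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the relevant part of standalone.xml *before* the edit.
SAMPLE_BEFORE = """<?xml version="1.0" encoding="UTF-8"?>
<server xmlns="urn:jboss:domain:8.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:8.0" default-server="default-server">
      <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
        <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
        <host name="default-host" alias="localhost">
          <location name="/" handler="welcome-content"/>
        </host>
      </server>
    </subsystem>
  </profile>
</server>
"""

# The same file after the attribute has been added, as the guide instructs.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    'redirect-socket="https" enable-http2="true"',
    'redirect-socket="https" proxy-address-forwarding="true" enable-http2="true"',
)


def find_undertow(root):
    """Return the Undertow <subsystem> element regardless of its schema version."""
    for elem in root.iter():
        if elem.tag.startswith("{urn:jboss:domain:undertow:") and elem.tag.endswith("}subsystem"):
            return elem
    raise ValueError("no Undertow subsystem found in standalone.xml")


def http_listeners(xml_text):
    """Return {listener name: proxy-address-forwarding enabled?} for the default server."""
    subsystem = find_undertow(ET.fromstring(xml_text))
    ns = subsystem.tag[1:subsystem.tag.index("}")]  # e.g. urn:jboss:domain:undertow:8.0
    default_server = subsystem.get("default-server", "default-server")
    result = {}
    for server in subsystem.findall(f"{{{ns}}}server"):
        if server.get("name") != default_server:
            continue
        for listener in server.findall(f"{{{ns}}}http-listener"):
            flag = listener.get("proxy-address-forwarding", "false").strip().lower()
            result[listener.get("name")] = flag == "true"
    return result


def proxy_forwarding_enabled(xml_text):
    """True iff the default server has at least one http-listener and all of them forward."""
    listeners = http_listeners(xml_text)
    return bool(listeners) and all(listeners.values())


if __name__ == "__main__":
    # Usage: python check_standalone.py /opt/jboss/wildfly/standalone/configuration/standalone.xml
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_AFTER
    for name, enabled in http_listeners(text).items():
        print(f"http-listener {name}: proxy-address-forwarding={'true' if enabled else 'false'}")
    sys.exit(0 if proxy_forwarding_enabled(text) else 1)
```

The script matches the subsystem by namespace prefix rather than the exact `urn:jboss:domain:undertow:8.0`, so it also works on a `standalone.xml` from a newer WildFly release whose schema version differs.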
Next, we need to provide the WildFly application server with the compiled `.war` file. As noted above, we use WildFly's standalone deployment:

```sh
cp ./target/professos-1.0.0-SNAPSHOT.war /opt/jboss/wildfly/standalone/deployments/professos.war
```
To start WildFly in standalone mode, run the following in another terminal or in the background (both the application and the management interface are bound to the loopback interface only, since Apache fronts the server):

```sh
sudo -u jboss /opt/jboss/wildfly/bin/standalone.sh -b 127.0.0.1 -bmanagement 127.0.0.1
```

If you are setting up a development environment, you may want to add the `--debug` option to be able to attach a debugger to port 8787 later on.
Enable the following Apache modules:

```sh
a2enmod rewrite proxy_http headers
```
To make sure the web application correctly handles the different domains used by PrOfESSOS, we use Apache to rewrite the URLs. That is, while the controller domain is forwarded directly to the AS, the IdPs are routed via a dispatch servlet. Therefore, Apache needs to be configured to rewrite the URLs as follows:

```apache
ServerName openid.example.org
RewriteRule ^/.* http://localhost:8080$0

ServerName honest-idp.example.org
RewriteRule ^/.* http://localhost:8080/dispatch$0

ServerName attack-idp.example.org
RewriteRule ^/.* http://localhost:8080/dispatch$0
```

Here, port 8080 is the port WildFly is configured to listen on.
The following exemplary Apache configuration uses the same host names as declared above; you will need to replace them with the actual domains of your deployment. Furthermore, the configuration assumes that Let's Encrypt certificates are used. You may of course use other means to provide TLS certificates to the Apache server and adjust your configuration accordingly.

```apache
LogFormat "%h %l %u %t %{REQUEST_SCHEME}x://%{Host}i \"%r\" %>s %b" combined_host

<VirtualHost *:80>
    ServerName openid.example.org
    RewriteEngine On
    # RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"
    # RequestHeader set Proxy-ip "%{REMOTE_HOST}e"
    # RequestHeader set Proxy-keysize "%{SSL_CIPHER_ALGKEYSIZE}s"
    ProxyPreserveHost On
    # RewriteRule ^/.* http://localhost:8080$0 [L,P]
    RewriteRule ^/.* https://openid.example.org$0 [L,R]
</VirtualHost>

<VirtualHost *:443>
    ServerName openid.example.org
    RewriteEngine On
    SSLEngine on
    SSLCACertificatePath /etc/ssl/certs
    SSLOptions +StdEnvVars +ExportCertData
    RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"
    RequestHeader set Proxy-ip "%{REMOTE_HOST}s"
    RequestHeader set Proxy-keysize "%{SSL_CIPHER_ALGKEYSIZE}s"
    ProxyPreserveHost On
    RewriteCond %{REQUEST_URI} "^/dispatch"
    RewriteRule ^/.* / [L,R]
    # route newcomers directly to the RP Test site
    RewriteRule ^/$ /rp-verifier.html [L,R]
    RewriteRule ^/.* http://localhost:8080$0 [L,P]
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/opiv_access.log combined_host
    ErrorLog ${APACHE_LOG_DIR}/opiv_error.log
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/honest-idp.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/honest-idp.example.org/privkey.pem
</VirtualHost>

<VirtualHost *:80>
    ServerName honest-idp.example.org
    RewriteEngine On
    # RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"
    # RequestHeader set Proxy-ip "%{REMOTE_HOST}e"
    # RequestHeader set Proxy-keysize "%{SSL_CIPHER_ALGKEYSIZE}s"
    ProxyPreserveHost On
    # RewriteRule ^/.* http://localhost:8080/dispatch$0 [L,P]
    RewriteRule ^/.* https://honest-idp.example.org$0 [L,R]
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/opiv_access.log combined_host
    ErrorLog ${APACHE_LOG_DIR}/opiv_error.log
</VirtualHost>

<VirtualHost *:443>
    ServerName honest-idp.example.org
    RewriteEngine On
    SSLEngine on
    SSLCACertificatePath /etc/ssl/certs
    SSLOptions +StdEnvVars +ExportCertData
    RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"
    RequestHeader set Proxy-ip "%{REMOTE_HOST}e"
    RequestHeader set Proxy-keysize "%{SSL_CIPHER_ALGKEYSIZE}s"
    ProxyPreserveHost On
    RewriteRule ^/.* http://localhost:8080/dispatch$0 [L,P]
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/opiv_access.log combined_host
    ErrorLog ${APACHE_LOG_DIR}/opiv_error.log
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/honest-idp.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/honest-idp.example.org/privkey.pem
</VirtualHost>

<VirtualHost *:80>
    ServerName attack-idp.example.org
    RewriteEngine On
    # RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"
    # RequestHeader set Proxy-ip "%{REMOTE_HOST}e"
    # RequestHeader set Proxy-keysize "%{SSL_CIPHER_ALGKEYSIZE}s"
    ProxyPreserveHost On
    # RewriteRule ^/.* http://localhost:8080/dispatch$0 [L,P]
    RewriteRule ^/.* https://attack-idp.example.org$0 [L,R]
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/opiv_access.log combined_host
    ErrorLog ${APACHE_LOG_DIR}/opiv_error.log
</VirtualHost>

<VirtualHost *:443>
    ServerName attack-idp.example.org
    RewriteEngine On
    SSLEngine on
    SSLCACertificatePath /etc/ssl/certs
    SSLOptions +StdEnvVars +ExportCertData
    RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"
    RequestHeader set Proxy-ip "%{REMOTE_HOST}e"
    RequestHeader set Proxy-keysize "%{SSL_CIPHER_ALGKEYSIZE}s"
    ProxyPreserveHost On
    RewriteRule ^/.* http://localhost:8080/dispatch$0 [L,P]
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/opiv_access.log combined_host
    ErrorLog ${APACHE_LOG_DIR}/opiv_error.log
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/honest-idp.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/honest-idp.example.org/privkey.pem
</VirtualHost>
```
Copy the config to Apache's `sites-available` folder, adjust it to match your requirements and enable it with the `a2ensite` command. Reload Apache and PrOfESSOS should be reachable at the configured controller domain.
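Because PrOfESSOS tells the controller and the two IdPs apart by hostname, the proxy setup above only works if every TLS vhost keeps the original `Host` header (`ProxyPreserveHost On`), sets `X-Forwarded-Proto`, and proxies to the right backend path (the root for the controller, `/dispatch` for the IdPs), while the port 80 vhosts only redirect. The following linter is an added example for this guide, not code from the PrOfESSOS repository; it assumes the TLS layout shown above and the three hostnames from `servernames.properties`. The embedded configuration is a constructed, shortened variant of the one above with two deliberate mistakes in the `attack-idp.example.org` block; pass the path of your adjusted site file as the first argument to check the real configuration.

```python
"""Lint the Apache reverse-proxy configuration of a PrOfESSOS deployment (added example)."""
import re
import sys

# Hostnames from servernames.properties -> path prefix WildFly expects for them.
ROLES = {
    "openid.example.org": "",            # controller: forwarded directly to the AS
    "honest-idp.example.org": "/dispatch",
    "attack-idp.example.org": "/dispatch",
}

# Constructed sample config; the attack-idp block contains two mistakes on purpose.
SAMPLE_CONFIG = """
<VirtualHost *:80>
    ServerName openid.example.org
    RewriteEngine On
    RewriteRule ^/.* https://openid.example.org$0 [L,R]
</VirtualHost>
<VirtualHost *:443>
    ServerName openid.example.org
    RewriteEngine On
    SSLEngine on
    RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"
    ProxyPreserveHost On
    RewriteRule ^/.* http://localhost:8080$0 [L,P]
</VirtualHost>
<VirtualHost *:443>
    ServerName honest-idp.example.org
    RewriteEngine On
    SSLEngine on
    RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"
    ProxyPreserveHost On
    RewriteRule ^/.* http://localhost:8080/dispatch$0 [L,P]
</VirtualHost>
<VirtualHost *:443>
    ServerName attack-idp.example.org
    RewriteEngine On
    SSLEngine on
    RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"
    # Mistake 1: Host header not preserved, WildFly would see Host: localhost
    # ProxyPreserveHost On
    # Mistake 2: IdP host proxied to the root instead of /dispatch
    RewriteRule ^/.* http://localhost:8080$0 [P,L]
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+\*:(\d+)>(.*?)</VirtualHost>", re.S)
RULE_RE = re.compile(r"RewriteRule\s+\S+\s+(\S+)\s+\[([^\]]*)\]")


def parse_vhosts(config):
    """Return (port, ServerName, active directives) per VirtualHost; comments are dropped."""
    vhosts = []
    for port, body in VHOST_RE.findall(config):
        lines = [re.sub(r"\s+", " ", l.strip()) for l in body.splitlines()]
        active = [l for l in lines if l and not l.startswith("#")]
        name = next((l.split()[1] for l in active if l.startswith("ServerName ")), None)
        vhosts.append((int(port), name, active))
    return vhosts


def proxy_targets(active):
    """Backend URLs of the active RewriteRules that carry the P (proxy) flag."""
    targets = []
    for line in active:
        m = RULE_RE.match(line)
        if m and "P" in m.group(2).split(","):
            targets.append(m.group(1))
    return targets


def lint(config, roles=ROLES):
    """Return a list of findings; an empty list means every invariant holds."""
    findings, tls_hosts = [], set()
    for port, name, active in parse_vhosts(config):
        where = f"{name}:{port}"
        if name not in roles:
            findings.append(f"{where}: ServerName is not one of the configured PrOfESSOS hosts")
            continue
        proxied = proxy_targets(active)
        if port == 80:  # plain HTTP: redirect to HTTPS only, never proxy
            if proxied:
                findings.append(f"{where}: plain-HTTP vhost proxies to the backend instead of redirecting")
            if not any(l.startswith("RewriteRule ") and f"https://{name}" in l for l in active):
                findings.append(f"{where}: no redirect to https://{name}")
            continue
        tls_hosts.add(name)
        if "SSLEngine on" not in active:
            findings.append(f"{where}: SSLEngine is not on")
        if "ProxyPreserveHost On" not in active:
            findings.append(f"{where}: ProxyPreserveHost missing, WildFly would dispatch on Host: localhost")
        if not any(l.startswith("RequestHeader set X-Forwarded-Proto ") for l in active):
            findings.append(f"{where}: X-Forwarded-Proto not set, WildFly cannot tell the request was HTTPS")
        expected = f"http://localhost:8080{roles[name]}$0"
        if proxied != [expected]:
            findings.append(f"{where}: expected a proxy rule to {expected}, found {proxied or 'none'}")
    for name in roles:
        if name not in tls_hosts:
            findings.append(f"{name}: no TLS vhost defined")
    return findings


if __name__ == "__main__":
    # Usage: python lint_apache.py /etc/apache2/sites-available/professos.conf
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    problems = lint(text)
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```

Run without arguments, the script reports the two planted mistakes; once `ProxyPreserveHost On` is uncommented and the attack-idp rule points at `/dispatch`, it reports nothing. The checks are deliberately strict about the `P` flag: a `RewriteRule` without it only redirects the browser, so a vhost that merely "looks" proxied would be flagged as having no proxy rule.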
For a local deployment, you will want to map the configured domains to the loopback device in your `/etc/hosts` file. If you do not need TLS, you may switch the comments of the RewriteRules in the VirtualHost blocks that listen on port 80.
Note that the demo service provider advertised on PrOfESSOS' `rp-verifier.html` page won't work, as it is not part of the above instructions and needs to be set up separately.