is it possible to package Shibboleth entirely within a WAR?


Morgan Packard
Hello,
I'm moving forward with my Shibboleth work. I'm curious why the install process places files outside the app server. I'd be more comfortable having everything contained in a WAR, doing the configuration locally, having everything contained nicely in source control and in a maven project. Are there folks working with Shibboleth this way, or is pretty much everyone running the install script on their production servers?
thanks,
-Morgan

Re: is it possible to package Shibboleth entirely within a WAR?

Chad La Joie
Putting everything into the WAR would be the common "JEE approved" way of
doing things.  It's also a terrible idea.  Needing to crack open the
WAR, edit files, and recreate it every time you need to make a
configuration change would be a maintenance nightmare.  Especially given
that the majority of deployers couldn't actually tell you what a WAR is
actually supposed to look like.

So, could you do this?  yes.  Should you?  Absolutely not.

Morgan Packard wrote:

> Hello,
> I'm moving forward with my Shibboleth work. I'm curious why the install
> process places files outside the app server. I'd be more comfortable having
> everything contained in a WAR, doing the configuration locally, having
> everything contained nicely in source control and in a maven project. Are
> there folks working with Shibboleth this way, or is pretty much everyone
> running the install script on their production servers?
> thanks,
> -Morgan
>

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch


Re: is it possible to package Shibboleth entirely within a WAR?

Morgan Packard
Yeah, I realized after thinking a bit that the config files were left outside the WAR on purpose, for easy access.
thanks,
-m-

On Tue, Dec 30, 2008 at 12:29 PM, Chad La Joie <[hidden email]> wrote:
> Putting everything into the WAR would be the common "JEE approved" way of
> doing things.  It's also a terrible idea.  Needing to crack open the
> WAR, edit files, and recreate it every time you need to make a
> configuration change would be a maintenance nightmare.  Especially given
> that the majority of deployers couldn't actually tell you what a WAR is
> actually supposed to look like.
>
> So, could you do this?  yes.  Should you?  Absolutely not.
>
> Morgan Packard wrote:
> > Hello,
> > I'm moving forward with my Shibboleth work. I'm curious why the install
> > process places files outside the app server. I'd be more comfortable having
> > everything contained in a WAR, doing the configuration locally, having
> > everything contained nicely in source control and in a maven project. Are
> > there folks working with Shibboleth this way, or is pretty much everyone
> > running the install script on their production servers?
> > thanks,
> > -Morgan
> >
>
> --
> SWITCH
> Serving Swiss Universities
> --------------------------
> Chad La Joie, Software Engineer, Net Services
> Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
> phone +41 44 268 15 75, fax +41 44 268 15 68
> [hidden email], http://www.switch.ch




--
+++++++++++++++++++++++++++++++++++++++
morganpackard.com
myspace.com/morganpackard
finediving.org
anticipaterecordings.com
(646) 206-8337

Re: is it possible to package Shibboleth entirely within a WAR?

R Andrew Johnston
Hi Morgan,

Organizing the idp webapp files more conventionally (within a
single filesystem directory for instance) is easy to do. We find
this organization to align well with developer expectations. Let
me know if you would like the details.

--
andrew


On Tue, 30 Dec 2008, Morgan Packard wrote:

> Hello,
> I'm moving forward with my Shibboleth work. I'm curious why the install
> process places files outside the app server. I'd be more comfortable having
> everything contained in a WAR, doing the configuration locally, having
> everything contained nicely in source control and in a maven project. Are
> there folks working with Shibboleth this way, or is pretty much everyone
> running the install script on their production servers?
> thanks,
> -Morgan
>

Re: is it possible to package Shibboleth entirely within a WAR?

Morgan Packard
Thanks R Andrew,
I'd love to hear about your setup if you have time to fill me in a bit.
-Morgan

On 12/30/08, R Andrew Johnston <[hidden email]> wrote:

>
>  Hi Morgan,
>
>  Organizing the idp webapp files more conventionally (within a single
> filesystem directory for instance) is easy to do. We find this organization
> to align well with developer expectations. Let me know if you would like the
> details.
>
>  --
>  andrew
>
>
>
>  On Tue, 30 Dec 2008, Morgan Packard wrote:
>
>
> > Hello,
> > I'm moving forward with my Shibboleth work. I'm curious why the install
> > process places files outside the app server. I'd be more comfortable
> having
> > everything contained in a WAR, doing the configuration locally, having
> > everything contained nicely in source control and in a maven project. Are
> > there folks working with Shibboleth this way, or is pretty much everyone
> > running the install script on their production servers?
> > thanks,
> > -Morgan
> >
> >
>


--
+++++++++++++++++++++++++++++++++++++++
morganpackard.com
myspace.com/morganpackard
finediving.org
anticipaterecordings.com
(646) 206-8337

Re: is it possible to package Shibboleth entirely within a WAR?

R Andrew Johnston

On Wed, 31 Dec 2008, Morgan Packard wrote:

> Thanks R Andrew,
> I'd love to hear about your setup if you have time to fill me in a bit.
> -Morgan
>

Hi Morgan,

Sorry for the lag. Here are some hints.

Organizing the idp webapp files more conventionally (within a single
filesystem directory) is easy to do. These are the main steps...

** The idp installer places seven active config files external to the
    idp web application.

* internal.xml, service.xml

Can be moved to idp/WEB-INF/conf/ and their location can be specified
in idp/WEB-INF/web.xml as:

   <param-name>contextConfigLocation</param-name>
   <param-value>/WEB-INF/conf/internal.xml</param-value>

* logging.xml (referenced in internal.xml),
   attribute-filter.xml, attribute-resolver.xml, handler.xml,
   relying-party.xml (all four referenced in service.xml)

These five files can be moved to a location such as
idp/WEB-INF/classes and then loaded as "ClasspathResource" instead of
"FilesystemResource".


** There are a handful of additional external references within the
    idp webapp:

* credentials

The credentials installed to /etc/shibboleth-idp-2.x.x/credentials/ are
referenced by full path in idp/WEB-INF/web.xml. These can be moved to
a location such as idp/WEB-INF/conf/credentials/. Unfortunately, there
isn't an obvious workaround to having to use an absolute path in
web.xml.

* login.config (if you need it) is specified via a file://
   URI in a commented section of handler.xml.

* miscellaneous

Target directory for log files is specified in logging.xml.

Full path to metadata resources can be specified in relying-party.xml.

There are a few jar files that need to be on your Tomcat endorsed path
according to the Shib install documentation
(https://spaces.internet2.edu/display/SHIB2/IdPApacheTomcatPrepare). Tomcat
6.0.19 is expected to contain a bugfix
(https://issues.apache.org/bugzilla/show_bug.cgi?id=46232) which would
allow a customized endorsed path, so these jars could be outside of
CATALINA_HOME.


Repackaging this way eliminates the need for a
/etc/shibboleth-idp-2.x.x/ directory on your production hosts.

--
andrew
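
Added example (not part of the original thread, and not Shibboleth project code): a pre-deployment check that scans the repackaged webapp's config files for references that still point outside it, i.e. leftover "FilesystemResource" loaders, file:// URIs and absolute paths under the installer directory. The two XML snippets are constructed, simplified samples, and the function names and default prefix are assumptions of this sketch.

```python
import re

COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)

def build_checks(external_prefix):
    # external_prefix: the installer directory the repackaging is meant to retire.
    return {
        "filesystem-resource": re.compile(r"FilesystemResource"),
        "file-uri": re.compile(r"file://[^\s\"'<>]+"),
        # The lookbehind avoids re-reporting a path that is already part of a file:// URI.
        "external-path": re.compile(
            r"(?<![\w/:])" + re.escape(external_prefix) + r"[^\s\"'<>]*"),
    }

def audit_config(name, text, external_prefix="/etc/shibboleth-idp"):
    """Return sorted (file, line, check, match, active) tuples.

    active is False when the reference sits inside an XML comment, such as
    the commented login.config section of handler.xml mentioned above.
    """
    comments = [m.span() for m in COMMENT.finditer(text)]
    findings = []
    for check, pattern in build_checks(external_prefix).items():
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            active = not any(s <= m.start() < e for s, e in comments)
            findings.append((name, line, check, m.group(0), active))
    return sorted(findings)

# Constructed sample input: one resource already moved to the classpath,
# one still loaded from the external directory.
SERVICE_XML = """\
<Services>
  <Service id="shibboleth.AttributeResolver">
    <ConfigurationResource file="/attribute-resolver.xml" xsi:type="resource:ClasspathResource"/>
  </Service>
  <Service id="shibboleth.HandlerManager">
    <ConfigurationResource file="/etc/shibboleth-idp-2.x.x/conf/handler.xml" xsi:type="resource:FilesystemResource"/>
  </Service>
</Services>"""

# Constructed sample input: an external reference inside a commented section.
HANDLER_XML = """\
<ProfileHandlerGroup>
  <!--
  <LoginHandler jaasConfigurationLocation="file:///etc/shibboleth-idp-2.x.x/conf/login.config"/>
  -->
</ProfileHandlerGroup>"""

if __name__ == "__main__":
    for name, text in (("service.xml", SERVICE_XML), ("handler.xml", HANDLER_XML)):
        for finding in audit_config(name, text):
            print(finding)
```

Findings with active set to False are worth reviewing rather than ignoring, since they become live as soon as the section is uncommented.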