Version 8

    Topic: Integrate 3rd party security products/systems with JBoss Security when the authentication results are passed as HTTP request headers.

    Use case: the user has configured a SiteMinder or RSA ClearTrust web agent that plugs into Apache and performs the preliminary authentication before forwarding the request to JBoss/Tomcat. After authentication, the web request that reaches JBoss/Tomcat carries the user id and the session key as HTTP header variables. Which headers carry those values depends on the product. Web applications deployed on JBoss/Tomcat can pick up these header values and then perform generic authentication.

    Availability: Starting with JBoss 4.0.5.GA, with the inclusion of http://jira.jboss.com/jira/browse/JBAS-2283. Option 1) is only available as of JBoss 4.2.3.GA, with the inclusion of http://jira.jboss.org/jira/browse/JBAS-4804.

    Documentation:

    Either

    1) Have a context.xml in WEB-INF of your web application with the following valve:

    <Context> 
      <Valve className="org.jboss.web.tomcat.security.GenericHeaderAuthenticator" 
             httpHeaderForSSOAuth="sm_ssoid,ct-remote-user,HTTP_OBLIX_UID"
             sessionCookieForSSOAuth="SMSESSION,CTSESSION,ObSSOCookie"></Valve>
    </Context>

    or

    2) Configure the generic authenticator at the Tomcat service level as the authenticator for the FORM auth method, so that it applies to form-based authentication across the server.

    <?xml version="1.0" encoding="UTF-8"?>
    <!-- $Id: jboss-service.xml 56775 2006-09-12 17:10:15Z anil.saldhana@jboss.com $ -->

    <server>
      <mbean code="org.jboss.web.tomcat.tc5.Tomcat5"
             name="jboss.web:service=WebServer" xmbean-dd="META-INF/webserver-xmbean.xml">
        <!-- You can configure a set of authenticators keyed by http-auth method used -->
        <attribute name="Authenticators" serialDataType="jbxb">
          <java:properties xmlns:java="urn:jboss:java-properties"
                           xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
                           xs:schemaLocation="urn:jboss:java-properties resource:java-properties_1_0.xsd">
            <java:property>
              <java:key>BASIC</java:key>
              <java:value>org.apache.catalina.authenticator.BasicAuthenticator</java:value>
            </java:property>
            <java:property>
              <java:key>CLIENT-CERT</java:key>
              <java:value>org.apache.catalina.authenticator.SSLAuthenticator</java:value>
            </java:property>
            <java:property>
              <java:key>DIGEST</java:key>
              <java:value>org.apache.catalina.authenticator.DigestAuthenticator</java:value>
            </java:property>
            <java:property>
              <java:key>FORM</java:key>
              <java:value>org.jboss.web.tomcat.security.GenericHeaderAuthenticator</java:value>
            </java:property>
            <java:property>
              <java:key>NONE</java:key>
              <java:value>org.apache.catalina.authenticator.NonLoginAuthenticator</java:value>
            </java:property>
          </java:properties>
        </attribute>
    ....

    For more information, look at http://wiki.jboss.org/wiki/Wiki.jsp?page=ExternalizeTomcatAuthenticators

    To configure which header carries the SSO id and which cookie carries the session key, set the following attributes in jboss-service.xml under deploy/jbossweb-tomcat55.sar/META-INF:

    <!-- JBAS-2283: Custom Header based authentication -->
    <attribute name="HttpHeaderForSSOAuth">sm_ssoid,ct-remote-user,HTTP_OBLIX_UID</attribute>
    <attribute name="SessionCookieForSSOAuth">SMSESSION,CTSESSION,ObSSOCookie</attribute>

    How does this work?

    The authenticator checks the request for the configured user-id header and the configured session key, and then passes these as username and password into the JAAS framework that drives the JBoss security layer.

    You therefore need a custom JAAS login module that understands this user id and session key. The module retrieves the roles from wherever they live (for example, by contacting the web agent or the 3rd party system) and populates the subject with them.

    If, for some reason, the request carries no header values matching the configured ones, regular form-based authentication semantics apply.
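The following is an added example, not code from the JBoss project or from this page: a minimal JAAS login module for the flow just described. It reads the user id and session key that GenericHeaderAuthenticator passes as username and password, validates the pair against the SSO agent through a hypothetical SsoAgentClient interface, and populates the subject with the roles the agent returns. The package name, the SsoAgentClient interface, the agentClient option and the role handling are assumptions; org.jboss.security.SimpleGroup and org.jboss.security.SimplePrincipal are the JBoss helper classes used to place the "Roles" group in the subject.

```java
// Added example, not part of the JBoss code base. Package name, SsoAgentClient and the
// "agentClient" option are assumptions made for illustration.
package com.example.sso;

import java.security.acl.Group;
import java.util.Arrays;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

public class HeaderSsoLoginModule implements LoginModule {

    /** Hypothetical client for the web agent / 3rd party session store. */
    public interface SsoAgentClient {
        /** Returns the user's roles if sessionKey is a live session for userId, otherwise null. */
        String[] validateSession(String userId, String sessionKey);
    }

    private Subject subject;
    private CallbackHandler callbackHandler;
    private SsoAgentClient agent;
    private String userId;
    private String[] roles;
    private boolean loginOk;

    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        // Assumed option: the agent client is handed in through the module options.
        // A real module would build its client from option strings such as an agent URL.
        this.agent = (SsoAgentClient) options.get("agentClient");
    }

    public boolean login() throws LoginException {
        if (agent == null) {
            throw new LoginException("No SSO agent client configured for this login module");
        }
        // The authenticator supplies the header value as the "username" and the
        // session key as the "password", so the standard callbacks deliver both.
        NameCallback nameCb = new NameCallback("User id (from SSO header): ");
        PasswordCallback keyCb = new PasswordCallback("Session key (from SSO cookie): ", false);
        try {
            callbackHandler.handle(new Callback[] { nameCb, keyCb });
        } catch (Exception e) {
            throw new LoginException("Unable to obtain SSO credentials: " + e.getMessage());
        }
        userId = nameCb.getName();
        char[] key = keyCb.getPassword();
        keyCb.clearPassword();
        if (userId == null || userId.length() == 0 || key == null || key.length == 0) {
            throw new FailedLoginException("Missing SSO user id or session key");
        }
        // Do not trust the header pair on its own: ask the agent whether this session
        // key really belongs to this user, and take the roles from the same answer.
        roles = agent.validateSession(userId, new String(key));
        Arrays.fill(key, '\0');
        if (roles == null) {
            throw new FailedLoginException("SSO session key rejected for user " + userId);
        }
        loginOk = true;
        return true;
    }

    public boolean commit() throws LoginException {
        if (!loginOk) {
            return false;
        }
        subject.getPrincipals().add(new SimplePrincipal(userId));
        // JBoss reads the caller's roles from a Group principal named "Roles".
        Group roleGroup = new SimpleGroup("Roles");
        for (String role : roles) {
            roleGroup.addMember(new SimplePrincipal(role));
        }
        subject.getPrincipals().add(roleGroup);
        return true;
    }

    public boolean abort() throws LoginException { clear(); return true; }

    public boolean logout() throws LoginException { clear(); return true; }

    private void clear() { userId = null; roles = null; loginOk = false; }
}
```

The module is registered as a login-module under an application-policy in conf/login-config.xml and selected through the web application's security-domain in jboss-web.xml. Since the authenticator only forwards the two header values, the validateSession call is what ties the session key to the user id; a rejected or missing key fails the login instead of admitting whatever user id the header named.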

    FAQ

    1.  I would like to write my own authenticator. Can you please show me the source code for GenericHeaderAuthenticator?

    http://anonsvn.jboss.org/repos/jbossas/branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security/GenericHeaderAuthenticator.java

    2. Where can I seek support for this?

    For free support, use the user forum at: http://www.jboss.org/index.html?module=bb&op=viewforum&f=49

    For a quick response, look for JBoss official support.