How the SiteMinder Agent Security Interceptor Works

The SiteMinder Agent Security Interceptor allows the JBoss Application Server to trust requests that carry SiteMinder session (SMSESSION) cookies, so that the users making those requests are not challenged for credentials.

SiteMinder session cookies are obtained from a SiteMinder Web Agent on a proxy server configured to:

When you configure the SiteMinder Agent Security Interceptor as an identity asserter in a security realm, the JBossSX security framework passes any SiteMinder session cookies associated with a request for a resource within that realm to the SiteMinder Agent Security Interceptor for validation. The SiteMinder Agent Security Interceptor then:

  1. Validates the token (the SiteMinder session cookie) by calling the Policy Server to verify that its session is valid.
  2. Obtains the requester userDN from the token and maps it to a username.
  3. Passes the associated username and SiteMinder session information back to the JBossSX security framework.
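
The three steps above as a minimal Java sketch, added here as an example and not taken from the SiteMinder agent's code: `SessionValidator` is a hypothetical stand-in for the Policy Server call, and taking the username from a leaf `uid` or `cn` RDN is an assumption. Every failure path returns no identity, so an unvalidated cookie never becomes a username.

```java
import java.util.Map;
import java.util.Optional;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class IdentityAsserterSketch {
    // Hypothetical stand-in for the Policy Server session check; not a SiteMinder API.
    interface SessionValidator {
        Optional<String> userDnFor(String smsessionCookie); // empty = session not valid
    }

    // Asserted identity handed back to the container (step 3).
    record Asserted(String username, String userDn) {}

    // Step 2: map the userDN to a username. Assumption: the leaf RDN must be uid or cn.
    static Optional<String> usernameFromDn(String userDn) {
        try {
            LdapName name = new LdapName(userDn);
            if (name.isEmpty()) return Optional.empty();
            Rdn leaf = name.getRdn(name.size() - 1); // most specific (leftmost) RDN
            String type = leaf.getType();
            if (!type.equalsIgnoreCase("uid") && !type.equalsIgnoreCase("cn")) return Optional.empty();
            return Optional.of(leaf.getValue().toString());
        } catch (InvalidNameException e) {
            return Optional.empty(); // malformed DN: no identity
        }
    }

    // Steps 1-3, failing closed: any missing or invalid input yields no identity.
    static Optional<Asserted> assertIdentity(Map<String, String> cookies, SessionValidator policyServer) {
        String token = cookies.get("SMSESSION");
        if (token == null || token.isBlank()) return Optional.empty();
        return policyServer.userDnFor(token)
                .flatMap(dn -> usernameFromDn(dn).map(u -> new Asserted(u, dn)));
    }

    public static void main(String[] args) {
        // Constructed sample data: one valid token known to the fake validator.
        SessionValidator fake = t -> t.equals("valid-token")
                ? Optional.of("uid=jsmith,ou=People,dc=example,dc=com") : Optional.empty();
        System.out.println(assertIdentity(Map.of("SMSESSION", "valid-token"), fake));
        System.out.println(assertIdentity(Map.of("SMSESSION", "forged"), fake));
        System.out.println(assertIdentity(Map.of(), fake));
    }
}
```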

Note: If you must only allow access to web applications for clients with existing SiteMinder Single Sign-On (SSO) sessions, you can use the SiteMinder Agent Security Interceptor as a standalone component without the proxy server-related components.