Web Services Security Guides › CA SiteMinder WSS Agent for Oracle WebLogic Guide › SiteMinder WSS Agent for Oracle WebLogic Introduction

SiteMinder WSS Agent for Oracle WebLogic Introduction

This section contains the following topics:

SiteMinder WSS Agent for Oracle WebLogic Overview

Required Background Information

SiteMinder WSS Agent for Oracle WebLogic Components

Installation Location References

SiteMinder WSS Agent for Oracle WebLogic Overview

The SiteMinder Web Services Security (WSS) Agent for Oracle WebLogic (formerly SOA Agent) resides in a WebLogic application server, enabling you to protect WebLogic-hosted JAX-RPC web service resources.

The SiteMinder WSS Agent for Oracle WebLogic intercepts all SOAP messages sent over HTTP(S) or JMS transports to JAX-RPC web services deployed on the WebLogic Server. The SiteMinder WSS Agent then communicates with the Policy Server to authenticate and authorize the message sender and, upon successful authentication and authorization, passes the SOAP message on to the addressed web service.

A high-level overview of the SiteMinder WSS Agent for Oracle WebLogic Server architecture is shown in the following figure.

The SiteMinder WSS Agent for Oracle WebLogic provides the following features:

• Fine-grained access control of JAX-RPC web service resources
• Support for bi-directional CA SiteMinder WSS/SiteMinder and WebLogic single sign-on (SSO)

The SiteMinder WSS Agent additionally supports:

• Multi-byte character user names
• Centralized and dynamic agent configurations
• Caching of resource protection decisions and authentication and authorization decisions
• Logging
• Authorization auditing

Required Background Information

This section is not intended for users who are new to Java, J2EE standards, or application server technology. It assumes that you have the following technical knowledge:

• An understanding of Java, J2EE standards, J2EE application servers, and multi-tier architecture
• An understanding of JAX-RPC web service implementations and JAX-RPC handlers
• Familiarity with the WebLogic Security Framework for WebLogic Server
• Familiarity with Java Authentication and Authorization Server (JAAS) and WebLogic security-related topics
• Experience with managing the WebLogic Server, including tasks such as accessing the administrative console
• Familiarity with CA SiteMinder WSS concepts, terms, and Policy Server configuration tasks

Additionally, to effectively plan your security infrastructure, you must be familiar with the web services that you plan to protect with CA SiteMinder WSS.

SiteMinder WSS Agent for Oracle WebLogic Components

The SiteMinder WSS Agent for Oracle WebLogic consists of two modules that plug into the WebLogic security infrastructure.

• SiteMinder WSS Agent JAX-RPC Handler
• SiteMinder WSS Agent Login Module

  

SiteMinder WSS Agent JAX-RPC Handler

The SiteMinder WSS Agent JAX-RPC Handler is a custom JAX-RPC Handler that, when added to the deployment descriptor of a JAX-RPC web service, intercepts SOAP message requests for JAX-RPC web services and diverts them to the SiteMinder WSS Agent Login Module for authentication and authorization decisions.

SiteMinder WSS Agent Login Module

The SiteMinder WSS Agent Login Module is a JAAS Login Module that performs authentication and authorization for JAX-RPC web services protected by the SiteMinder WSS Agent for Oracle WebLogic.

The SiteMinder WSS Agent Login Module authenticates credentials obtained from the following request types against associated user directories configured in CA SiteMinder WSS:

• SOAP requests intercepted by the SiteMinder WSS Agent JAX-RPC Handler .
• Requests for web service resources from users with pre-established CA SiteMinder WSS and SiteMinder sessions (validating the session and obtaining user names from associated SiteMinder session ticket cookies)

If CA SiteMinder WSS authentication is successful, the SiteMinder WSS Agent Login Module populates a JAAS Subject with a CA SiteMinder WSS Principal that contains the username and associated CA SiteMinder WSS session data. The SiteMinder WSS Agent Login Module then determines whether an authenticated user is allowed to access a protected WebLogic resource, based on associated CA SiteMinder WSS authorization policies.

Installation Location References

In this guide:

• WSS_Home refers to the location where CA SiteMinder WSS is installed.
• WLS_HOME refers to the installed location of the WebLogic Server.