Configure Policy Objects for the SiteMinder Agent Security Interceptor

Web Services Security Guides › CA SiteMinder® Agent for JBoss › Configure the SiteMinder Agent Security Interceptor to Protect Web Applications on JBoss 5.x › Configure Policy Objects for the SiteMinder Agent Security Interceptor

Configure Policy Objects for the SiteMinder Agent Security Interceptor

Create an authentication realm and security policies to protect web application resources hosted on JBoss using the SiteMinder Administrative UI.

Configure a SiteMinder Agent Security Interceptor Authentication Realm

Configure an authentication realm on the Policy Server to allow the SiteMinder Agent Security Interceptor to validate users credentials using information obtained from CA SiteMinder® session cookies. Use the Administrative UI to create the SiteMinder Agent Security Interceptor authentication realm.

Follow these steps:

Click Policies, Domains.
Click Domain, Create Domain.
The Create Domain pane opens.
Note: You can click Help for a description of fields, controls, and their respective requirements.
Type the name and a description of the Domain in the fields on the General group box.
Add one or more user directories that contain the users who can access the protected resources.
Create the authentication realm:
1. Click the Realms tab on the Domain pane, New Realm, OK.
2. The Create Realm pane opens.
3. Enter the following information:
  - Name: A unique name for the realm—for example, SiteMinder Agent Security Interceptor Authentication Realm
  - Description: An optional description for the validation realm
  - Agent: The name of the agent identity that you created for the Agent for JBoss.
  - Resource Filter: /smauthenticationrealm
  - Authentication Scheme: Basic
  Note: You do not need to configure any rules for the validation realm.
4. Specify session properties in the Session group box:
  - Disable all session time-outs
  - Ensure the No Persistent Session option is selected
5. Click Finish.
  The Create Realm Task is submitted for processing.
Click Submit.
The Create Domain Task is submitted for processing.

(Optional) Configure the Agent to Return Group Membership to JBoss Using Responses

The SiteMinder Agent Web Interceptor can be configured to return physical or virtual group membership information to JBoss using SiteMinder HTTP header responses from the Policy Server during user authentication.

When the SiteMinder Agent Web Interceptor receives responses containing the _SM_JBOSS_GROUP=group name syntax, the SiteMinder Agent Web Interceptor converts the group_name value to a J2EE principal and adds this principal to the subject after successful authentication.

group_name: Specifies a response attribute value from the Policy Server that could be a physical group name from the user store or a virtual group.

The SiteMinder Agent adds the same amount of group principals as responses received from the Policy Server.

Note: The SiteMinder Agent Web Interceptor can only process _SM_JBOSS_GROUP response attributes to return group membership information to JBoss. It cannot process other response attributes added to HTTP header variables to pass information to a web application.

To configure Groups as responses for the SiteMinder Agent

Configure an OnAuthAccept group authentication rule with a * resource filter in the SiteMinder Authentication Realm.
Create SiteMinder HTTP header responses using the _SM_JBOSS_GROUP variable name in the policy domain for the SiteMinder Authentication Realm.
Note: The SiteMinder Administrative UI shows an additional underscore before "_SM_JBOSS_GROUP" when it displays the variable name, so that it appears as "HTTP__SM_JBOSS_GROUP". This is not an error and can be ignored.
In the policy domain for the SiteMinder Authentication Realm:
1. Create a group policy.
2. Attach the users who belong to the group policy.
3. Attach the group authentication rule to this policy.
4. Bind the group response to the group authentication rule.

Example: Configure the SiteMinder Agent Web Interceptor to return groups using responses

The following example shows one method of configuring the SiteMinder Agent Web Interceptor to return groups using responses:

In the SiteMinder Authentication Realm, configure an OnAuthAccept rule named Group Authentication Rule with a * resource filter.
In the policy domain for the SiteMinder Authentication Realm, create SiteMinder responses with a static HTTP header attribute for the following sample JBoss groups:

Group Administrators

Attribute kind: Static HTTP Header

Variable name: _SM_JBOSS_GROUP

Variable value: Administrators

Group Deployers

Attribute kind: Static HTTP Header

Variable name: _SM_JBOSS_GROUP

Variable value: Deployers

Group Monitors

Attribute kind: Static HTTP Header

Variable name: _SM_JBOSS_GROUP

Variable value: Monitors

Group Operators

Attribute kind: Static HTTP Header

Variable name: _SM_JBOSS_GROUP

Variable value: Operators
In the policy domain for the SiteMinder Authentication Realm:
1. Configure a policy named Group Administrator Policy.
2. Attach the Administrator group or users, who belong to the Administrator group, to this policy.
3. Attach the Group Authentication Rule to this policy.
4. Bind the Group Administrator response to this rule.
5. Repeat this step and configure separate policies for the Deployers, Operators, and Monitors groups.
6. Bind the Group Administrator response to this rule.
Repeat Step 3 to configure separate policies for the Deployers, Operators, and Monitors groups.

Configure Security Policies for the Proxy Server Web Agent

To configure the SiteMinder Agent for JBoss to protect web applications by perimeter authentication, create policies that specify how the Web Agent on the proxy server controls access to the URL that represents the proxied JBoss web application resources.