This section contains the following topics:
Configure the SiteMinder Agent Authenticator for Applications on JBoss 6.x
Make the CA SiteMinder® Agent Java Class Accessible to Your Applications
Define a JBossSX Security Domain for the SiteMinder Agent Login Module on JBoss 6.x
Configure Web Applications to Invoke the SiteMinder Agent Security Interceptor on JBoss 5.x
Restart the JBoss Application Server
The SiteMinder Agent Authenticator extends the JBossSX default authenticators with the ability to authenticate a user request based on an associated SiteMinder session cookie.
To configure a web application to use the SiteMinder Agent Authenticator to handle requests, create a jboss-web.xml file in the application WEB-INF directory. Configuring a jboss-web.xml file overrides the default authenticators.
Follow these steps:
To configure the application to use SMJBoss6BasicAuthenticator, type:
<Valve className="com.ca.soa.agent.appserver.authenticator.jboss.SMJBoss6BasicAuthenticator"/>
To configure the application to use the SMJBoss6FormAuthenticator, type:
<Valve className="com.ca.soa.agent.appserver.authenticator.jboss.SMJBoss6FormAuthenticator"/>
To configure the application to use SMJBoss6ClientCertAuthenticator, type:
<Valve className="com.ca.soa.agent.appserver.authenticator.jboss.SMJBoss6ClientCertAuthenticator"/>
To configure the application to use SMJBoss6DigestAuthenticator, type:
<Valve className="com.ca.soa.agent.appserver.authenticator.jboss.SMJBoss6DigestAuthenticator"/>
To configure the application to use the SMJBoss6IdentityAsserter, type:
<Valve className="com.ca.soa.agent.appserver.authenticator.jboss.SMJBoss6IdentityAsserter"/>
To protect your applications with CA SiteMinder®, they must be able to access the CA SiteMinder® Agent Java classes in module com.ca.siteminder.jbossagent. To make the CA SiteMinder® Agent Java classes accessible to your applications, do one of the following procedures:
Configure the CA SiteMinder® Agent as a global module by adding a new subsystem definition in the standalone.xml file.
Follow these steps:
<subsystem xmlns="urn:jboss:domain:ee:1.1">
  <global-modules>
    <module name="com.ca.siteminder.jbossagent" slot="main"/>
  </global-modules>
  <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
  <jboss-descriptor-property-replacement>true</jboss-descriptor-property-replacement>
</subsystem>
Notes:
There is a conflict between the default JBoss and CA SiteMinder® XML Security libraries. If you configure the SiteMinder Agent as a global module, remove the JBoss XML Security library (org.apache.santuario.xmlsec) from the module definitions in module.xml.
Follow these steps:
<!-- <module name="org.apache.santuario.xmlsec" export="true"/> -->
Note: For applications that depend on the default JBoss XML Security library, do one of the following procedures to enable them to access it:
If the CA SiteMinder® Agent is not defined as a global module, define it as a dependency in the jboss-deployment-structure.xml file of each application that you want to protect.
Follow these steps:
<module name="com.ca.siteminder.jbossagent" />
For example:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
  <deployment>
    <dependencies>
      <module name="com.ca.siteminder.jbossagent" />
    </dependencies>
  </deployment>
</jboss-deployment-structure>
Define a JBoss security domain named SiteMinderDomain that configures the SiteMinder Agent Login Module required to authenticate credentials obtained by SiteMinder Agent authenticators. Configure the SiteMinderDomain by adding a <security-domain> element to the standalone.xml file.
Follow these steps:
<security-domain name="SiteMinderDomain" cache-type="default">
  <authentication>
    <login-module code="com.ca.soa.agent.appserver.jaas.XMLAgentLoginModule" flag="required">
      <module-option name="unauthenticatedIdentity">anonymous</module-option>
    </login-module>
  </authentication>
</security-domain>
To protect a web application (in the web or EJB container) using the SiteMinder Agent Security Interceptor, edit its deployment descriptor to enable security and map it to the SiteMinderDomain security domain.
Edit the web.xml deployment descriptor to enable security for each web application that you want to protect with the SiteMinder Agent Web Interceptor. The web.xml file is located in the application WEB-INF directory.
For more information about the web.xml file and constituent element syntax, see the JBoss Enterprise Application Platform documentation.
Follow these steps:
<security-constraint>
  <display-name>Constraint1</display-name>
  <web-resource-collection>
    <web-resource-name>admin resource</web-resource-name>
    <description/>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description/>
    <role-name>adminRole</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <description/>
  <role-name>adminRole</role-name>
</security-role>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name/>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/fail_login.jsp</form-error-page>
  </form-login-config>
</login-config>
Create a jboss-web.xml deployment descriptor file that defines the SiteMinderDomain as the security domain for each web application that you want to protect with the SiteMinder Agent. The jboss-web.xml file must be created in the application WEB-INF directory.
Follow these steps:
<jboss-web>
  <security-domain>java:/jaas/SiteMinderDomain</security-domain>
</jboss-web>
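The following deployment check is an added example, not part of the CA documentation. It parses an application's web.xml and jboss-web.xml and reports constraints that list individual <http-method> elements (under the Servlet specification such a constraint applies only to the listed methods), roles used without a <security-role> declaration, a missing <login-config>, and a security domain other than java:/jaas/SiteMinderDomain. The <web-app> wrapper, the sample strings and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

EXPECTED_DOMAIN = "java:/jaas/SiteMinderDomain"  # value taken from this page

# Constructed sample: the page's web.xml fragments wrapped in a <web-app> root.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin resource</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>adminRole</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>adminRole</role-name></security-role>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""
JBOSS_WEB_XML = """<jboss-web>
  <security-domain>java:/jaas/SiteMinderDomain</security-domain>
</jboss-web>"""

def _strip_ns(root):
    """Drop XML namespaces so namespaced and bare descriptors parse alike."""
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def audit(web_xml, jboss_web_xml):
    """Return a list of findings for one application's descriptors."""
    findings = []
    web = _strip_ns(ET.fromstring(web_xml))
    declared = {r.text.strip() for r in web.findall("security-role/role-name") if r.text}
    for sc in web.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern") if p.text]
        methods = [m.text.strip() for m in sc.iter("http-method") if m.text]
        if methods:  # listed verbs only: every other HTTP method is unconstrained
            findings.append(f"{patterns}: only {methods} constrained")
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name") if r.text]
        for role in roles:
            if role not in declared:
                findings.append(f"{patterns}: role {role!r} has no <security-role>")
    if web.find("login-config/auth-method") is None:
        findings.append("web.xml: no <login-config>/<auth-method>")
    domain = _strip_ns(ET.fromstring(jboss_web_xml)).findtext("security-domain", "")
    if domain.strip() != EXPECTED_DOMAIN:
        findings.append(f"jboss-web.xml: security-domain is {domain.strip()!r}")
    return findings
```

Run against the sample descriptor above, the check reports the /admin/* constraint because it names only GET and POST; removing the two <http-method> elements makes the constraint apply to every method.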
Restart the JBoss Application Server to commit configuration changes you made for the SiteMinder Agent.
To restart the JBoss Application Server
The JBoss Application Server restarts with the configuration changes you made for the SiteMinder Agent.
Copyright © 2014 CA.
All rights reserved.