Web Services Security Guides › CA SiteMinder® Agent for JBoss › Configure SiteMinder Policies to Protect Web Applications

Configure SiteMinder Policies to Protect Web Applications

This section contains the following topics:

Configure a SiteMinder Agent Security Interceptor Authentication Realm

(Optional) Configure the Agent to Return Group Membership to JBoss Using Responses

Example: Configure the SiteMinder Agent Web Interceptor to return groups using responses

Configure Security Policies for the Proxy Server Web Agent

Configure a SiteMinder Agent Security Interceptor Authentication Realm

Configure a realm on the Policy Server to allow the SiteMinder Agent Security Interceptor to validate users' credentials using information obtained from SiteMinder session cookies. You use the SiteMinder Administrative UI to create the SiteMinder Agent Security Interceptor authentication realm.

For more information about the SiteMinder Administrative UI and its use to create domains and realms, see the CA SiteMinder® Policy Server Configuration Guide.

Follow these steps:

1. Click Policies, Domains.
2. Click Domain, Create Domain.
3. The Create Domain pane opens.

   Note: You can click Help for a description of fields, controls, and their respective requirements.

4. Type the name and a description of the Domain in the fields on the General group box.
5. Add one or more user directories that contain the users who can access the protected resources.
6. Create the validation realm:
   1. Click the Realms tab on the Domain pane, New Realm, OK.
   2. The Create Realm pane opens.
   3. Enter the following information:
      • Name: A unique name for the realm—for example, SiteMinder Agent Security Interceptor Validation Realm
      • Description: An optional description for the validation realm
      • Agent: The name of the SiteMinder Agent identity that you created for the SiteMinder Agent for JBoss.
      • Resource Filter: /smauthenticationrealm
      • Authentication Scheme: Basic

      Note: You do not need to configure any rules for the validation realm.

   4. Specify session properties in the Session group box:
      • Disable all session time-outs
      • Ensure the No Persistent Session option is selected
   5. Click Finish.

      The Create Realm Task is submitted for processing.

7. Click Submit.

   The Create Domain Task is submitted for processing.

(Optional) Configure the Agent to Return Group Membership to JBoss Using Responses

The SiteMinder Agent Web Interceptor can be configured to return physical or virtual group membership information to JBoss using SiteMinder HTTP header responses from the Policy Server during user authentication.

When the SiteMinder Agent Web Interceptor receives responses containing the _SM_JBOSS_GROUP=group name syntax, the SiteMinder Agent Web Interceptor converts the group_name value to a J2EE principal and adds this principal to the subject after successful authentication.

group_name

Specifies a response attribute value from the Policy Server that could be a physical group name from the user store or a virtual group.

The SiteMinder Agent adds the same amount of group principals as responses received from the Policy Server.

Note: The SiteMinder Agent Web Interceptor can only process _SM_JBOSS_GROUP response attributes to return group membership information to JBoss. It cannot process other response attributes added to HTTP header variables to pass information to a web application.

To configure Groups as responses for the SiteMinder Agent

1. Configure an OnAuthAccept group authentication rule with a * resource filter in the SiteMinder Authentication Realm.
2. Create SiteMinder HTTP header responses using the _SM_JBOSS_GROUP variable name in the policy domain for the SiteMinder Authentication Realm.

   Note: The SiteMinder Administrative UI shows an additional underscore before "_SM_JBOSS_GROUP" when it displays the variable name, so that it appears as "HTTP__SM_JBOSS_GROUP". This is not an error and can be ignored.

3. In the policy domain for the SiteMinder Authentication Realm:
   1. Create a group policy.
   2. Attach the users who belong to the group policy.
   3. Attach the group authentication rule to this policy.
   4. Bind the group response to the group authentication rule.

Example: Configure the SiteMinder Agent Web Interceptor to return groups using responses

The following example shows one method of configuring the SiteMinder Agent Web Interceptor to return groups using responses:

1. In the SiteMinder Authentication Realm, configure an OnAuthAccept rule named Group Authentication Rule with a * resource filter.
2. In the policy domain for the SiteMinder Authentication Realm, create SiteMinder responses with a static HTTP header attribute for the following sample JBoss groups:

1. In the policy domain for the SiteMinder Authentication Realm:
   1. Configure a policy named Group Administrator Policy.
   2. Attach the Administrator group or users, who belong to the Administrator group, to this policy.
   3. Attach the Group Authentication Rule to this policy.
   4. Bind the Group Administrator response to this rule.
   5. Repeat this step and configure separate policies for the Deployers, Operators, and Monitors groups.
   6. Bind the Group Administrator response to this rule.
2. Repeat Step 3 to configure separate policies for the Deployers, Operators, and Monitors groups.

Configure Security Policies for the Proxy Server Web Agent

To configure the SiteMinder Agent for JBoss to protect web applications by perimeter authentication, create policies that specify how the Web Agent on the proxy server controls access to the URL that represents the proxied JBoss web application resources.

Note: For complete information about SiteMinder policy configuration for web resources, see the CA SiteMinder Policy Configuration Guide.