

Configure the SiteMinder Agent Security Interceptor to Protect Web Applications on JBoss 6.x

This section contains the following topics:

Configure the SiteMinder Agent Authenticator for Applications on JBoss 6.x

Make the CA SiteMinder® Agent Java Class Accessible to Your Applications

Define a JBossSX Security Domain for the SiteMinder Agent Login Module on JBoss 6.x

Configure Web Applications to Invoke the SiteMinder Agent Security Interceptor

Restart the JBoss Application Server

Configure the SiteMinder Agent Authenticator for Applications on JBoss 6.x

The SiteMinder Agent Authenticator extends the JBossSX default authenticators with the ability to authenticate a user request based on its associated SiteMinder session cookie.

To configure a web application to use the SiteMinder Agent Authenticator to handle requests, create a jboss-web.xml file in the application WEB-INF directory. Configuring a jboss-web.xml file overrides the default authenticators.

Follow these steps:

  1. Navigate to the application WEB-INF directory.
  2. Open jboss-web.xml in a text editor.
  3. Define a context element containing a valve subelement that specifies the class name of the SiteMinder Agent Authenticator which you want to handle application requests.

    To configure the application to use SMJBoss6BasicAuthenticator, type:

    <Valve className="com.ca.soa.agent.appserver.authenticator.jBoss.SMJBoss6BasicAuthenticator"/>
    

    To configure the application to use the SMJBoss6FormAuthenticator, type:

    <Valve className="com.ca.soa.agent.appserver.authenticator.jBoss.SMJBoss6FormAuthenticator"/>
    

    To configure the application to use SMJBoss6ClientCertAuthenticator, type:

    <Valve className="com.ca.soa.agent.appserver.authenticator.jBoss.SMJBoss6ClientCertAuthenticator"/>
    

    To configure the application to use SMJBoss6DigestAuthenticator, type:

    <Valve className="com.ca.soa.agent.appserver.authenticator.jBoss.SMJBoss6DigestAuthenticator"/>
    

    To configure the application to use the SMJBoss6IdentityAsserter, type:

    <Valve className="com.ca.soa.agent.appserver.authenticator.jBoss.SMJBoss6IdentityAsserter"/>
    
  4. Save the file and exit the text editor.

Make the CA SiteMinder® Agent Java Class Accessible to Your Applications

To protect your applications with CA SiteMinder®, they must be able to access the CA SiteMinder® Agent Java classes in module com.ca.siteminder.jbossagent. To make the CA SiteMinder® Agent Java classes accessible to your applications, do one of the following procedures:

Configure the CA SiteMinder® Agent as a Global Module

Configure the CA SiteMinder® Agent as a global module by adding a new subsystem definition in the standalone.xml file.

Follow these steps:

  1. Navigate to one of the following locations:
  2. Open standalone.xml in a text editor.
  3. Add the following module name element (the line that names com.ca.siteminder.jbossagent) to define the SiteMinder Agent as a global module in the "ee" web services subsystem:
    <subsystem xmlns="urn:jboss:domain:ee:1.1">
      <global-modules>
        <module name="com.ca.siteminder.jbossagent" slot="main"/>
      </global-modules>
      <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
      <jboss-descriptor-property-replacement>true</jboss-descriptor-property-replacement>
    </subsystem>
    
  4. Save the file and exit the text editor.

Notes:

Resolve a Conflict Between the JBoss and WSS Agent xml-security Libraries if the SiteMinder Agent is Defined as a Global Module

There is a conflict between the default JBoss and CA SiteMinder® XML Security libraries. If you configure the SiteMinder Agent as a global module, remove the JBoss XML Security library (org.apache.santuario.xmlsec) from the module definitions in module.xml.

Follow these steps:

  1. Navigate to the following location:
  2. Open module.xml in a text editor.
  3. Locate and comment out the following line:
    <!-- <module name="org.apache.santuario.xmlsec" export="true"/> -->
    

Note: For applications that depend on the default JBoss XML Security library, do one of the following procedures to enable them to access it:

Configure the SiteMinder Agent as a Per-Application Dependency

If the CA SiteMinder® Agent is not defined as a global module, define it as a dependency in the jboss-deployment-structure.xml file of each application that you want to protect.

Follow these steps:

  1. Navigate to the application WEB-INF directory.
  2. Open jboss-deployment-structure.xml in a text editor.
  3. Add the following module name element to the dependencies element:
    <module name="com.ca.siteminder.jbossagent" />
    

    For example:

    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-deployment-structure>
       <deployment>
           <dependencies>
                 <module name="com.ca.siteminder.jbossagent" />
           </dependencies>          
       </deployment>
    </jboss-deployment-structure>
    
  4. Save the file and exit the text editor.

Define a JBossSX Security Domain for the SiteMinder Agent Login Module on JBoss 6.x

Define a JBoss security domain named SiteMinderDomain that configures the SiteMinder Agent Login Module required to authenticate credentials obtained by SiteMinder Agent authenticators. Configure the SiteMinderDomain by adding a <security-domain> element to the standalone.xml file.

Follow these steps:

  1. Navigate to one of the following locations:
  2. Open the standalone.xml file in a text editor.
  3. Add the following <security-domain> element:
    <security-domain name="SiteMinderDomain" cache-type="default">
     	<authentication>
    	        <login-module code="com.ca.soa.agent.appserver.authenticator.jBoss.SMJBossLoginModule" flag="required"/>
    	</authentication>
    </security-domain>
    
  4. Save the file and exit the text editor.

Configure Web Applications to Invoke the SiteMinder Agent Security Interceptor

To protect a web application using the SiteMinder Agent Security Interceptor, edit its deployment descriptor to enable security and map it to the SiteMinderDomain security domain.

Edit the Application Deployment Descriptor to Enable Security

Edit the web.xml deployment descriptor to enable security for each web application that you want to protect with the SiteMinder Agent Web Interceptor. The web.xml file is located in the application WEB-INF directory.

For more information about the web.xml file and constituent element syntax, see the JBoss Enterprise Application Platform documentation.

To edit the web.xml deployment descriptor to enable security

  1. Navigate to the web application WEB-INF directory.
  2. Open the web.xml deployment descriptor file in a text editor.
  3. Add one or more security-constraint elements defining what resources in the web application are to be protected. For example:
    <security-constraint>
        <display-name>Constraint1</display-name>
        <web-resource-collection>
            <web-resource-name>admin resource</web-resource-name>
            <description/>
            <url-pattern>/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>adminRole</role-name>
        </auth-constraint>
    </security-constraint>
    
  4. Add a security-role element defining roles used by the application. For example:
    <security-role>
         <description/>
         <role-name>adminRole</role-name>
    </security-role>
    
  5. Add a login-config element. The auth-method subelement of the login-config element defines the authentication method (BASIC, FORM, and so on) and therefore determines which globally configured SiteMinder Agent Authenticator will be invoked. For example, the following login-config element would result in the SMJBossFormAuthenticator handling application requests:
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name/>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/fail_login.jsp</form-error-page>
        </form-login-config>
    </login-config>
    
  6. Save the file and exit the text editor.
  7. Install or update the web application.

Map Web Applications to the SiteMinderDomain Security Domain

Create a jboss-web.xml deployment descriptor file that defines the SiteMinderDomain as the security domain for each web application that you want to protect with the SiteMinder Agent. The jboss-web.xml file must be created in the application WEB-INF directory.

To map a web application to the SiteMinderDomain security domain

  1. Navigate to the application WEB-INF directory.
  2. Open a text editor.
  3. Enter the following:
    <jboss-web>
      <security-domain>java:/jaas/SiteMinderDomain</security-domain>
    </jboss-web>
    
  4. Save the file as jboss-web.xml and exit the text editor.
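A pre-deployment check for the two descriptor procedures above (web.xml security settings and the jboss-web.xml domain mapping), as an added example that is not part of the original page or of the SiteMinder product. The function name audit_descriptors and the sample documents are assumptions constructed from the element examples on this page; the check also reports a security-constraint that lists http-method elements, because such a constraint applies to the listed methods only.

```python
import xml.etree.ElementTree as ET

EXPECTED_DOMAIN = "java:/jaas/SiteMinderDomain"  # security domain mapping shown on this page

def _all(root, name):
    """Elements with this local name, ignoring any XML namespace on the descriptor."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _texts(root, name):
    return [(e.text or "").strip() for e in _all(root, name)]

def audit_descriptors(web_xml, jboss_web_xml):
    """Return findings for one application's web.xml and jboss-web.xml (given as strings)."""
    web, jboss = ET.fromstring(web_xml), ET.fromstring(jboss_web_xml)
    findings = []
    declared = {r for sr in _all(web, "security-role") for r in _texts(sr, "role-name")}
    constraints = _all(web, "security-constraint")
    if not constraints:
        findings.append("web.xml: no security-constraint, so no resource is protected")
    for c in constraints:
        patterns = ",".join(_texts(c, "url-pattern"))
        methods = _texts(c, "http-method")
        if methods:  # a constraint that lists methods applies to those methods only
            findings.append(f"web.xml: {patterns} is constrained for {'/'.join(methods)} only")
        for ac in _all(c, "auth-constraint"):
            for role in _texts(ac, "role-name"):
                if role != "*" and role not in declared:
                    findings.append(f"web.xml: role {role} has no security-role declaration")
    if not _texts(web, "auth-method"):
        findings.append("web.xml: no login-config auth-method")
    if _texts(jboss, "security-domain") != [EXPECTED_DOMAIN]:
        findings.append(f"jboss-web.xml: security-domain is not {EXPECTED_DOMAIN}")
    return findings

# Constructed sample input, trimmed from the element examples on this page.
PAGE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin resource</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>adminRole</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>adminRole</role-name></security-role>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""
PAGE_JBOSS_WEB_XML = f"<jboss-web><security-domain>{EXPECTED_DOMAIN}</security-domain></jboss-web>"

print("\n".join(audit_descriptors(PAGE_WEB_XML, PAGE_JBOSS_WEB_XML)))
```

Run against the page's own example, the only finding is the method-scoped constraint on /admin/*; omitting the http-method elements makes the constraint cover every HTTP method.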

Restart the JBoss Application Server

Restart the JBoss Application Server to commit configuration changes you made for the SiteMinder Agent.

To restart the JBoss Application Server

  1. If necessary, stop the JBoss Application Server process.
  2. Open a command window.
  3. Navigate to the JBOSS_HOME/bin directory.
  4. Run the run.bat (Windows) or run.sh (UNIX) script.

The JBoss Application Server restarts with the configuration changes you made for the SiteMinder Agent.