Web Services Security Guides › CA SiteMinder® Agent for JBoss › Configure the WSS Agent Security Interceptor to Protect Web Services on JBoss 6.x

Configure the WSS Agent Security Interceptor to Protect Web Services on JBoss 6.x

This section contains the following topics:

Make the CA SiteMinder® Agent Java Class Accessible to Your Applications

Configure the WSS Agent JAX-RPC HTTP Handler to Protect Web Services in JBoss 6.x

Configure WSS Agent Security Interceptor Protection for JAX-WS Web Services Over HTTP Transport

Configure WSS Agent Security Interceptor Protection for JAX-WS Web Services Over JMS Transport on JBoss 6.x

Define a JBossSX Security Domain for the SiteMinder Agent Login Module on JBoss 6.x

Restart the JBoss Application Server

Make the CA SiteMinder® Agent Java Class Accessible to Your Applications

To protect your applications with CA SiteMinder®, they must be able to access the CA SiteMinder® Agent Java classes in module com.ca.siteminder.jbossagent. To make the CA SiteMinder® Agent Java classes accessible to your applications, do one of the following procedures:

Configure the CA SiteMinder® Agent as a Global Module

Configure the CA SiteMinder® Agent as a global module by adding a new subsystem definition in the standalone.xml file.

Follow these steps:

Navigate to one of the following locations:
- Windows: JBOSS_HOME\standalone\configuration
- UNIX: JBOSS_HOME/standalone/configuration
Open standalone.xml in a text editor.

Add the following highlighted module name element to define the SiteMinder Agent as a global module in the "ee" web services subsystem:

<subsystem xmlns="urn:jboss:domain:ee:1.1">
  <global-modules>
    <module name="com.ca.siteminder.jbossagent" slot="main"/>
  </global-modules>
  <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
  <jboss-descriptor-property-replacement>true</jboss-descriptor-property-replacement>
</subsystem>

Save the file and exit the text editor.

Notes:

To configure the WSS Agent JAX-WS HTTP Handler to protect all JAX-WS web services, you must add the CA SiteMinder® Agent as a global module.
Configuring the CA SiteMinder® Agent as a global module makes it accessible to all web applications (using the CA SiteMinder® Agent Security Interceptor) and web services (using the WSS Agent Security Interceptor).
There is a conflict between the default JBoss and CA SiteMinder® xml-security libraries. If you configure the SiteMinder Agent as a global module, you must resolve that conflict.

More information

Configure the WSS Agent JAX-WS HTTP Handler to Protect all JAX-WS HTTP Web Services on JBoss 6.x

Resolve a Conflict Between the JBoss and WSS Agent xml-security Libraries if the SiteMinder Agent is Defined as a Global Module

Configure the WSS Agent JAX-WS JMS Handler for all JAX-WS JMS Web Services on JBoss 6.x

Resolve a Conflict Between the JBoss and WSS Agent xml-security Libraries if the SiteMinder Agent is Defined as a Global Module

There is a conflict between the default JBoss and CA SiteMinder® XML Security libraries. If you configure the SiteMinder Agent as a global module, remove the JBoss XML Security library (org.apache.santuario.xmlsec) from the module definitions in module.xml.

Follow these steps:

Navigate to the following location:
- Windows: JBOSS_HOME\modules\system\layers\base\org\jboss\as\webservices\server\integration\main
- UNIX: JBOSS_HOME/modules/system/layers/base/org/jboss/as/webservices/server/integration/main
Open module.xml in a text editor.

Locate and comment out the following line:

<!-- <module name="org.apache.santuario.xmlsec" export="true"/> -->

Note: For applications that depend on the default JBoss XML Security library, do one of the following procedures to enable them to access to it:

Package the org.apache.santuario.xmlsec JAR files as a separate module from the JBoss web services module and configure it as a dependency for those applications.
Include the org.apache.santuario.xmlsec JAR files in the application WAR file.

Configure the SiteMinder Agent as a Per-Application Dependency

If the CA SiteMinder® Agent is not defined as a global module, define it as a dependency in the jboss-deployment-structure.xml file of each application that you want to protect.

Follow these steps:

Navigate to the application WEB-INF directory.
Open jboss-deployment-structure.xml in a text editor.

Add the following module name element to the dependencies element:

<module name="com.ca.siteminder.jbossagent" />

For example:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
   <deployment>
       <dependencies>
             <module name="com.ca.siteminder.jbossagent" />
       </dependencies>          
   </deployment>
</jboss-deployment-structure>

Save the file and exit the text editor.

Configure the WSS Agent JAX-RPC HTTP Handler to Protect Web Services in JBoss 6.x

Configure each JAX-RPC HTTP web service to invoke the WSS Agent JAX-RPC HTTP Handler.

Note: There is no global way to configure the WSS Agent JAX-RPC HTTP Handler to protect all JAX_RPC web services.

Follow these steps:

Open the application webservices.xml deployment descriptor in a text editor.

Define the com.ca.soa.agent.appserver.jaxrpc.XMLAgentJaxrpcHandler.

For example:

<webservices ...>
   <webservice-description>
    ...
    <port-component>
      ...
      <handler>
        <handler-name>SM XMLAgentJaxrpc Handler</handler-name>
        <handler-class>com.ca.soa.agent.appserver.jaxrpc.XMLAgentJaxrpcHandler</handler-class>
      </handler>
    </port-component>
   </webservice-description>
  </webservices>

Verify that the CA SiteMinder® Agent Java class is accessible to the web service.

The JBoss WSS Agent JAX-RPC HTTP Handler is invoked only for this web service.

Configure WSS Agent Security Interceptor Protection for JAX-WS Web Services Over HTTP Transport

To configure the WSS Agent Security Interceptor to protect JAX-WS web services over HTTP transport, configure those services to invoke the WSS Agent JAX-WS HTTP Handler. You can configure global use of the JAX-WS Handler for all JAX-WS HTTP web services or configure it for individual web services, as required.

Configure the WSS Agent JAX-WS HTTP Handler to Protect all JAX-WS HTTP Web Services on JBoss 6.x

To configure the WSS Agent Security Interceptor to protect all JAX-WS HTTP web services, make the following changes to standalone.xml:

Add a subsystem definition to configure the agent as a global module (if it is not already present).
Add a pre-handler-chain definition to configure the WSS Agent JAX-WS HTTP Handler as the handler for all JAX-WS HTTP web services.

Follow these steps:

Navigate to one of the following locations:
- Windows: JBOSS_HOME\standalone\configuration
- UNIX: JBOSS_HOME/standalone/configuration
Open standalone-full.xml in a text editor.
If it is not already defined, configure the SiteMinder Agent as a global module

Add the following pre-handler-chain element to the "Standard Endpoint" endpoint-config element in the web services subsystem definition as the first such element defined:

<pre-handler-chain name="WSSAgent" protocol-bindings="##SOAP11_HTTP ##SOAP12_HTTP">
        <handler name="SoaJaxWsHandler" class="com.ca.soa.agent.jaxwsplugin.JaxWsHandler"/>
 </pre-handler-chain>

Note: The default standalone-full.xml does not have a web services subsystem predefined. If no web services subsystem is present, add one that includes the previous pre-handler-chain element. For example:

<subsystem xmlns="urn:jboss:4domain:webservices:1.2">
  <modify-wsdl-address>true</modify-wsdl-address>
  <wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
  <endpoint-config name="Standard-Endpoint-Config">
     <pre-handler-chain name="WSSAgent" protocol-bindings="##SOAP11_HTTP ##SOAP12_HTTP">
        <handler name="SoaJaxWsHandler" class="com.ca.soa.agent.jaxwsplugin.JaxWsHandler"/>
     </pre-handler-chain>                              
  </endpoint-config>
  <client-config name="Standard-Client-Config"/>
</subsystem>

Save the file and exit the text editor.

The JBoss WSS Agent JAX-WS Handler is invoked for all JAX-WS HTTP web services.

Configure the WSS Agent JAX-WS HTTP Handler for a Single JAX-WS HTTP Web Service

Configure individual JAX-WS HTTP web services to invoke the WSS Agent JAX-WS Handler.

Follow these steps:

Create a handler chain configuration file, for example, Services_handler.xml, containing the following text:

<?xml version="1.0" encoding="UTF-8"?>
<handler-chains xmlns="http://java.sun.com/xml/ns/javaee">
  <handler-chain>
    <handler>
      <handler-name>JBoss JAX-WS PEP Interceptor</handler-name>
      <handler-class>com.ca.soa.agent.jaxwsplugin.JaxWsHandler</handler-class>
    </handler>
  </handler-chain>
</handler-chains>

Add the following JWS annotation to the web service JWS file:
```
@HandlerChain(file = "Services_handler.xml")
```
Verify that the CA SiteMinder® Agent Java class is accessible to the web service.

The JBoss WSS Agent JAX-WS Handler is invoked for the web service.

Configure WSS Agent Security Interceptor Protection for JAX-WS Web Services Over JMS Transport on JBoss 6.x

To configure the WSS Agent Web Interceptor to protect JAX-WS web services over JMS transport, configure those services to invoke the WSS Agent JAX-WS JMS Handler. You can configure global use of the JAX-WS JMS Handler for all JAX-WS JMS web services or configure it for individual web services, as required.

Important! Do not place the WSS Agent JAX-WS HTTP Handler and the WSS Agent JAX-WS JMS Handler in the same handler chain. If you configure either handler in the default handler chain for the container, verify that all JAX-WS web services in the container use the corresponding transport.

Configure the WSS Agent JAX-WS JMS Handler for all JAX-WS JMS Web Services on JBoss 6.x

To configure the WSS Agent Security Interceptor to protect all JAX-WS JMS web services, make the following changes to standalone.xml:

Add a subsystem definition to configure the agent as a global module (if it is not already present).
Add a pre-handler-chain definition to configure the WSS Agent JAX-WS JMS Handler as the handler for all JAX-WS JMS web services.

Follow these steps:

Navigate to one of the following locations:
- Windows: JBOSS_HOME\standalone\configuration
- UNIX: JBOSS_HOME/standalone/configuration
Open standalone.xml in a text editor.
If it is not already defined, configure the SiteMinder Agent as a global module

Add the following pre-handler-chain element to the "Standard Endpoint" endpoint-config element in the web services subsystem definition as the first such element defined:

<pre-handler-chain name="WSSAgent" protocol-bindings="##SOAP11_HTTP ##SOAP12_HTTP">
        <handler name="SoaJaxWsJMSHandler" class="com.ca.soa.agent.jaxwsplugin.JaxWsJMSHandler"/>
 </pre-handler-chain>

Note: The default standalone.xml does not have a web services subsystem predefined. If no web services subsystem is present, add one that includes the previous pre-handler-chain element. For example:

<subsystem xmlns="urn:jboss:4domain:webservices:1.2">
  <modify-wsdl-address>true</modify-wsdl-address>
  <wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
  <endpoint-config name="Standard-Endpoint-Config">
     <pre-handler-chain name="WSSAgent" protocol-bindings="##SOAP11_HTTP ##SOAP12_HTTP">
        <handler name="SoaJaxWsJMSHandler" class="com.ca.soa.agent.jaxwsplugin.JaxWsJMSHandler"/>
     </pre-handler-chain>                              
  </endpoint-config>
  <client-config name="Standard-Client-Config"/>
</subsystem>

Save the file and exit the text editor.

The JBoss WSS Agent JAX-WS Handler is invoked for all JAX-WS JMS web services.

Configure the WSS Agent JAX-WS Handler for a Single JAX-WS JMS Web Service on JBoss 6.x

You can configure individual JAX-WS JMS web services to invoke the WSS Agent JAX-WS JMS Handler.

Follow these steps:

Create a handler chain configuration file, for example, Services_handler.xml, containing the following text:

<?xml version="1.0" encoding="UTF-8"?>
<handler-chains xmlns="http://java.sun.com/xml/ns/javaee">
  <handler-chain>
    <handler>
      <handler-name>JBoss JAX-WS PEP Interceptor</handler-name>
      <handler-class>com.ca.soa.agent.jmsplugin.JaxWsJMSHandler</handler-class>
    </handler>
  </handler-chain>
</handler-chains>

Add the following JWS annotation to the web service JWS file:
```
@HandlerChain(file = "Services_handler.xml")
```
Verify that the CA SiteMinder® Agent Java class is accessible to the web service.

The JBoss WSS Agent JAX-WS Handler is invoked only for this web service.

Define a JBossSX Security Domain for the SiteMinder Agent Login Module on JBoss 6.x

Define a JBoss security domain named SiteMinderDomain that configures the SiteMinder Agent Login Module required to authenticate credentials obtained by SiteMinder Agent authenticators. Configure the SiteMinderDomain by adding a <security-domain-name> element to the standalone.xml file.

Follow these steps:

Navigate to one of the following locations:
- Windows: JBOSS_HOME\standalone\configuration
- UNIX: JBOSS_HOME/standalone/configuration
Open the standalone.xml file in a text editor.

Add the following <security-domain-name> element:

<security-domain name="SiteMinderDomain" cache-type="default">
 	<authentication>
	        <login-module code="com.ca.soa.agent.appserver.authenticator.jBoss.SMJBossLoginModule" flag="required"/>
	</authentication>
</security-domain>

Save the file and exit the text editor.

Restart the JBoss Application Server

Restart the JBoss Application Server to commit configuration changes you made for the SiteMinder Agent.

To restart the JBoss Application Server

If necessary, stop the JBoss Application Server process.
Open a command window.
Navigate to the JBOSS_HOME/bin directory.
Run the run.bat (Windows) or run.sh (UNIX) script.

The JBoss Application Server restarts with the configuration changes you made for the SiteMinder Agent.