This section contains the following topics:
Required Background Information
SiteMinder Agent Security Interceptor
WSS Agent Security Interceptor
This chapter introduces the SiteMinder Agent for JBoss and describes how it integrates with the JBoss Application Server to secure J2EE resources deployed on that operating environment.
The SiteMinder Agent for JBoss provides the following two JBossSX custom security interceptors that allow it to be configured into SiteMinder and CA SiteMinder® Web Services Security environments as required:
The SiteMinder Agent Security Interceptor provides a SiteMinder Agent solution that provides SiteMinder access control for web application resources (including servlets, HTML pages, JSP, and image files).
The WSS Agent Security Interceptor provides a SiteMinder Web Services Security (WSS) Agent solution that provides CA SiteMinder® Web Services Security access control for JAX-WS and JAX-RPC web service resources.
This guide is not intended for users who are new to Java, J2EE standards, or application server technology and assumes that you have the following technical knowledge:
The SiteMinder Agent Security Interceptor provides an identity assertion solution for securing JBoss web container resources by perimeter authentication.
In the perimeter authentication model, user identity is validated outside the JBoss security domain and passed to the JBoss Application Server in the form of a token associated with the user request. An Identity Asserter configured within the JBoss security domain then obtains authenticated user information from the token.
The SiteMinder Agent Security Interceptor allows the JBoss Application Server to trust requests with associated SiteMinder session (SMSESSION) cookies so that these users are not challenged for credentials.
SiteMinder session cookies are obtained from a SiteMinder Web Agent on a proxy server configured to:
When you configure the SiteMinder Agent Security Interceptor as an identity asserter in a security realm, the JBossSX security framework passes any SiteMinder session cookies associated with a request for a resource within that realm to the SiteMinder Agent Security Interceptor for validation. The SiteMinder Agent Security Interceptor then:
Note: If you must only allow access to web applications for clients with existing SiteMinder Single Sign-On (SSO) sessions, you can use the SiteMinder Agent Security Interceptor as a standalone component without the proxy server-related components.
The SiteMinder Agent Security Interceptor consists of the following modules that you can configure into the JBossSX security framework:
In the JBossSX security framework, requests for web application resources in the web container are handled by default authenticators for Basic, Client-Cert, Form, and Digest authentication.
The SiteMinder Agent Security Interceptor provides the following custom replacement SiteMinder Agent Authenticators that extend the functionality of the JBoss default authenticators with the ability to authenticate a user request based on an associated SiteMinder session cookie:
(New) Authenticates user identity using the SiteMinder session cookie only. If there is no valid SiteMinder session cookie, the authenticator returns an authentication failure result.
(Replaces JBoss default BasicAuthenticator) First attempts to authenticate user identity using the SiteMinder session cookie. If there is no valid SiteMinder session cookie, performs Basic authentication.
(Replaces JBoss default FormAuthenticator) First attempts to authenticate user identity using the SiteMinder session cookie. If there is no valid SiteMinder session cookie, performs Form authentication.
(Replaces JBoss default ClientCertAuthenticator) First attempts to authenticate user identity using the SiteMinder session cookie. If there is no valid SiteMinder session cookie, performs Client-Cert authentication.
(Replaces JBoss default DigestAuthenticator) First attempts to authenticate user identity using the SiteMinder session cookie. If there is no valid SiteMinder session cookie, performs Digest authentication.
The SiteMinder Agent Authenticators first attempt to retrieve a SiteMinder session cookie from a request. If there is a valid SiteMinder session cookie, the SiteMinder Agent Login Module is used to authenticate the user and create user principles. If there is no valid SiteMinder session cookie, the appropriate JBossSX default authenticator functionality occurs.
The SiteMinder Agent Login Module authenticates credentials (username/password) obtained from valid SiteMinder session cookies by SiteMinder Agent authenticators.
If SiteMinder authentication is successful, the SiteMinder Agent Login Module populates a JAAS Subject with a SiteMinder Principal that contains the username and associated SiteMinder session data.
The WSS Agent Security Interceptor provides a SiteMinder WSS Agent solution for the JBoss Application Server. The WSS Agent Security Interceptor integrates the JBoss Application Server into the CA SiteMinder® Web Services Security environment, enabling you to implement policy-based fine-grained access control to protect JBoss-hosted JAX-RPC and JAX-WS web service resources. The WSS Agent Security Interceptor also supports bi-directional CA SiteMinder® Web Services Security/SiteMinder and JBoss single sign-on (SSO).
A high-level overview of the WSS Agent Security Interceptor architecture is shown in the following illustration
When fully configured into the JBossSX security infrastructure, the WSS Agent Security Interceptor does the following:
The WSS Agent Security Interceptor consists of the following modules that you can configure into the JBossSX security framework:
Note: You do not need to configure all WSS Agent modules, only the ones you require. WSS Agent modules can be configured globally for all web services of each type or for each individual web service.
The WSS Agent JAX-WS Handler is a custom JAX-WS Handler that intercepts requests for JAX-WS web services and authenticates credentials obtained from intercepted requests against associated user directories configured in CA SiteMinder® Web Services Security:
Note: The WSS Agent JAX-WS Handler can obtain credentials from SOAP requests or from associated SiteMinder session cookies of users with pre-established CA SiteMinder® Web Services Security and SiteMinder sessions.
If CA SiteMinder® Web Services Security authentication is successful, the WSS Agent JAX-WS Handler determines whether an authenticated user is allowed to access a protected JBoss resource, based on associated CA SiteMinder® Web Services Security authorization policies.
The WSS Agent JMS JAX-RPC Handler is a custom JAX-RPC Handler that intercepts requests for JAX-RPC web services sent over JMS transport and authenticates credentials obtained from those requests against user directories configured in CA SiteMinder® Web Services Security.
If CA SiteMinder® Web Services Security authentication is successful, the WSS Agent JMS JAX-RPC Handler determines whether an authenticated user is allowed to access a protected JBoss resource, based on associated CA SiteMinder® Web Services Security authorization policies.
The WSS Agent HTTP JAX-RPC Handler is a custom JAX-RPC Handler that intercepts SOAP message requests sent to JAX-RPC web services over HTTP transport and diverts them to the WSS Agent Login Module for authentication and authorization decisions.
Note: If you configure the WSS Agent JAX-RPC Handler, you must also configure the WSS Agent Login Module.
The WSS Agent Login Module is a JAAS Login Module that performs authentication and authorization for JAX-RPC web services protected by the WSS Agent HTTP JAX-RPC Handler. (Login Module functionality is built into the WSS Agent WS and JMS JAX-RPC Handlers.)
The WSS Agent Login Module can authenticate and authorize credentials obtained by the WSS Agent JAX-RPC Handler from SOAP requests or from associated SiteMinder session cookies of user with pre-established CA SiteMinder® Web Services Security and SiteMinder sessions.
If CA SiteMinder® Web Services Security authentication is successful, the WSS Agent Login Module determines whether an authenticated user is allowed to access a protected JBoss resource, based on associated CA SiteMinder® Web Services Security authorization policies.
Note: If you configure the WSS Agent Login Module, you must also configure the WSS Agent JAX-RPC Handler.
Copyright © 2013 CA.
All rights reserved.
|
|