Previous Topic: CA SiteMinder® Agent for JBossNext Topic: Install the SiteMinder Agent

Web Services Security GuidesCA SiteMinder® Agent for JBossOverview

Overview

This section contains the following topics:

Introduction

Required Background Information

SiteMinder Agent Security Interceptor

WSS Agent Security Interceptor

Introduction

This chapter introduces the SiteMinder Agent for JBoss and describes how it integrates with the JBoss Application Server to secure J2EE resources deployed on that operating environment.

The SiteMinder Agent for JBoss provides the following two JBossSX custom security interceptors that allow it to be configured into SiteMinder and CA SiteMinder® Web Services Security environments as required:

SiteMinder Agent Security Interceptor

The SiteMinder Agent Security Interceptor provides a SiteMinder Agent solution that provides SiteMinder access control for web application resources (including servlets, HTML pages, JSP, and image files).

WSS Agent Security Interceptor

The WSS Agent Security Interceptor provides a SiteMinder Web Services Security (WSS) Agent solution that provides CA SiteMinder® Web Services Security access control for JAX-WS and JAX-RPC web service resources.

Required Background Information

This guide is not intended for users who are new to Java, J2EE standards, or application server technology and assumes that you have the following technical knowledge:

SiteMinder Agent Security Interceptor

The SiteMinder Agent Security Interceptor provides an identity assertion solution for securing JBoss web container resources by perimeter authentication.

In the perimeter authentication model, user identity is validated outside the JBoss security domain and passed to the JBoss Application Server in the form of a token associated with the user request. An Identity Asserter configured within the JBoss security domain then obtains authenticated user information from the token.

How the SiteMinder Agent Security Interceptor Works

The SiteMinder Agent Security Interceptor allows the JBoss Application Server to trust requests with associated SiteMinder session (SMSESSION) cookies so that these users are not challenged for credentials.

SiteMinder session cookies are obtained from a SiteMinder Web Agent on a proxy server configured to:

When you configure the SiteMinder Agent Security Interceptor as an identity asserter in a security realm, the JBossSX security framework passes any SiteMinder session cookies associated with a request for a resource within that realm to the SiteMinder Agent Security Interceptor for validation. The SiteMinder Agent Security Interceptor then:

  1. Validates the token by calling the Policy Server to verify that its session is valid (SiteMinder session cookie).
  2. Obtains the requester userDN from the token and maps it to a username.
  3. Passes the associated username and SiteMinder session information back to the JBossSX security framework.

Note: If you must only allow access to web applications for clients with existing SiteMinder Single Sign-On (SSO) sessions, you can use the SiteMinder Agent Security Interceptor as a standalone component without the proxy server-related components.

SiteMinder Agent Security Interceptor Components

The SiteMinder Agent Security Interceptor consists of the following modules that you can configure into the JBossSX security framework:

SiteMinder Agent Authenticators

In the JBossSX security framework, requests for web application resources in the web container are handled by default authenticators for Basic, Client-Cert, Form, and Digest authentication.

The SiteMinder Agent Security Interceptor provides the following custom replacement SiteMinder Agent Authenticators that extend the functionality of the JBoss default authenticators with the ability to authenticate a user request based on an associated SiteMinder session cookie:

SMJBossIdentityAsserter

(New) Authenticates user identity using the SiteMinder session cookie only. If there is no valid SiteMinder session cookie, the authenticator returns an authentication failure result.

SMJBossBasicAuthenticator

(Replaces JBoss default BasicAuthenticator) First attempts to authenticate user identity using the SiteMinder session cookie. If there is no valid SiteMinder session cookie, performs Basic authentication.  

SMJBossFormAuthenticator

(Replaces JBoss default FormAuthenticator) First attempts to authenticate user identity using the SiteMinder session cookie. If there is no valid SiteMinder session cookie, performs Form authentication.

SMJBossClientCertAuthenticator

(Replaces JBoss default ClientCertAuthenticator) First attempts to authenticate user identity using the SiteMinder session cookie. If there is no valid SiteMinder session cookie, performs Client-Cert authentication.  

SMJBossDigestAuthenticator

(Replaces JBoss default DigestAuthenticator) First attempts to authenticate user identity using the SiteMinder session cookie. If there is no valid SiteMinder session cookie, performs Digest authentication.

The SiteMinder Agent Authenticators first attempt to retrieve a SiteMinder session cookie from a request. If there is a valid SiteMinder session cookie, the SiteMinder Agent Login Module is used to authenticate the user and create user principles. If there is no valid SiteMinder session cookie, the appropriate JBossSX default authenticator functionality occurs.

SiteMinder Agent Login Module

The SiteMinder Agent Login Module authenticates credentials (username/password) obtained from valid SiteMinder session cookies by SiteMinder Agent authenticators.

If SiteMinder authentication is successful, the SiteMinder Agent Login Module populates a JAAS Subject with a SiteMinder Principal that contains the username and associated SiteMinder session data.

WSS Agent Security Interceptor

The WSS Agent Security Interceptor provides a SiteMinder WSS Agent solution for the JBoss Application Server. The WSS Agent Security Interceptor integrates the JBoss Application Server into the CA SiteMinder® Web Services Security environment, enabling you to implement policy-based fine-grained access control to protect JBoss-hosted JAX-RPC and JAX-WS web service resources. The WSS Agent Security Interceptor also supports bi-directional CA SiteMinder® Web Services Security/SiteMinder and JBoss single sign-on (SSO).

A high-level overview of the WSS Agent Security Interceptor architecture is shown in the following illustration

SiteMinder WSS Agent Interceptor overview

How the WSS Agent Security Interceptor Works

When fully configured into the JBossSX security infrastructure, the WSS Agent Security Interceptor does the following:

  1. Intercepts SOAP requests sent over HTTP(S) or JMS transports to JAX-RPC and JAX-WS web services deployed on the JBoss Application Server.
  2. Communicates with the Policy Server to authenticate and authorize the message sender
  3. Upon successful authentication and authorization, passes the request message on to the addressed web service.
WSS Agent Security Interceptor Components

The WSS Agent Security Interceptor consists of the following modules that you can configure into the JBossSX security framework:

Note: You do not need to configure all WSS Agent modules, only the ones you require. WSS Agent modules can be configured globally for all web services of each type or for each individual web service.

SiteMinder WSS Agent Interceptor Architecture

WSS Agent JAX-WS Handler

The WSS Agent JAX-WS Handler is a custom JAX-WS Handler that intercepts requests for JAX-WS web services and authenticates credentials obtained from intercepted requests against associated user directories configured in CA SiteMinder® Web Services Security:

Note: The WSS Agent JAX-WS Handler can obtain credentials from SOAP requests or from associated SiteMinder session cookies of users with pre-established CA SiteMinder® Web Services Security and SiteMinder sessions.

If CA SiteMinder® Web Services Security authentication is successful, the WSS Agent JAX-WS Handler determines whether an authenticated user is allowed to access a protected JBoss resource, based on associated CA SiteMinder® Web Services Security authorization policies.

WSS Agent JMS JAX-RPC Handler

The WSS Agent JMS JAX-RPC Handler is a custom JAX-RPC Handler that intercepts requests for JAX-RPC web services sent over JMS transport and authenticates credentials obtained from those requests against user directories configured in CA SiteMinder® Web Services Security.

If CA SiteMinder® Web Services Security authentication is successful, the WSS Agent JMS JAX-RPC Handler determines whether an authenticated user is allowed to access a protected JBoss resource, based on associated CA SiteMinder® Web Services Security authorization policies.

WSS Agent HTTP JAX-RPC Handler

The WSS Agent HTTP JAX-RPC Handler is a custom JAX-RPC Handler that intercepts SOAP message requests sent to JAX-RPC web services over HTTP transport and diverts them to the WSS Agent Login Module for authentication and authorization decisions.

Note: If you configure the WSS Agent JAX-RPC Handler, you must also configure the WSS Agent Login Module.

WSS Agent Login Module

The WSS Agent Login Module is a JAAS Login Module that performs authentication and authorization for JAX-RPC web services protected by the WSS Agent HTTP JAX-RPC Handler. (Login Module functionality is built into the WSS Agent WS and JMS JAX-RPC Handlers.)

The WSS Agent Login Module can authenticate and authorize credentials obtained by the WSS Agent JAX-RPC Handler from SOAP requests or from associated SiteMinder session cookies of user with pre-established CA SiteMinder® Web Services Security and SiteMinder sessions.

If CA SiteMinder® Web Services Security authentication is successful, the WSS Agent Login Module determines whether an authenticated user is allowed to access a protected JBoss resource, based on associated CA SiteMinder® Web Services Security authorization policies.

Note: If you configure the WSS Agent Login Module, you must also configure the WSS Agent JAX-RPC Handler.