The SiteMinder Agent makes responses available for use in J2EE components. Responses pass user attributes, DN attributes, static text, or customized active responses from the Policy Server to the SiteMinder Agent. The SiteMinder Agent makes responses returned by the Policy Server available in the SmUser principal. The Policy Server returns two responses:
- During authentication, these Policy Server responses are returned to the SiteMinder Authentication Provider, which is responsible for attaching the responses to the SiteMinder principal.
- During authorization, these Policy Server responses are returned to the SiteMinder Authorization Provider, which is responsible for attaching the responses to the SmUser principal.
Authorization Responses from the SiteMinder Policy Server are returned to the SiteMinder Authorization Provider during authorization. The SiteMinder Authorization Provider is responsible for attaching these responses to the SmUser Principal.
The SmUser principal provides access to responses using public interfaces. You can configure responses against WebLogic rules and they must be obtained programmatically using the following calls:
Returns the name of a principal.
Returns the user DN of a principal.
Returns the session ID of a principal.
Returns the session spec of a principal.
Returns the Object ID of the user directory a principal was authenticated against.
Returns the responses returned by the Policy Server during authentication.
Returns the responses returned by the Policy Server during authorization of a resource by a principal.
The following code snippet is an example that shows a J2EE servlet running in WebLogic Server obtaining the SmUser principal's response attributes:
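```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.netegrity.siteminder.weblogic.sspi.auth.SmWLSUser;

public void service(HttpServletRequest req, HttpServletResponse res)
        throws ServletException, IOException
{
    // Subject of the current caller, as established by WebLogic Server security
    Subject subject = weblogic.security.Security.getCurrentSubject();
    // Select only the SiteMinder principals attached to the subject
    Set set = subject.getPrincipals(SmWLSUser.class);
    Iterator i = set.iterator();
    while (i.hasNext())
    {
        SmWLSUser smUser = (SmWLSUser) i.next();
        // Get Authentication Responses
        HashMap auResponseMap = smUser.getAuthResponses();
        // Get Authorization Responses
        HashMap azResponseMap = smUser.getAzResponses();
    }
}
```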
Because the SiteMinder Agent makes responses available in the SmUser Principal, there are limitations associated with availability of these responses, as noted in the following table. These limitations are due to the behavior of WebLogic Server Security Services.
| J2EE Component | Authentication Responses | Authorization Responses |
|---|---|---|
| Web client accessing servlet. Responses requested within the servlet or JSP | Available* | Available |
| Java client accessing EJB. Responses requested within the EJB on the server side | Available* | Available |
| Java client accessing the EJB. Responses requested on the client side, that is, on the remote Java Virtual Machine. | Available* | Not Available** |
*The Authentication responses are available after the authentication phase. During the validation phase, the authentication responses are not altered and, as a result, authentication responses are only set during the initial authentication.
**The Authorization responses are not available, as the SmUser principal is serialized to the client JVM during the authentication phase. The Authorization requests do not alter the principal. As a result, the SmUser principal is not reserialized to the client during authorization requests and authorization responses are not available inside a serialized SmUser principal on a remote JVM. Also, Authorization responses are only available for J2EE components that the responses bind to. For example, if a servlet accesses an EJB, the Authorization responses are only available for the servlet before accessing the EJB. Once the EJB is accessed by the servlet code, EJB responses are available in the EJB.
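The serialization limitation described in the second footnote, shown as an added example that is not CA's code and does not use the SiteMinder classes. `DemoPrincipal`, its fields, and the attribute names and values are hypothetical stand-ins constructed for illustration.

```java
import java.io.*;
import java.util.HashMap;

// Hypothetical stand-in for the SmUser principal; NOT the SiteMinder class.
class DemoPrincipal implements Serializable {
    private static final long serialVersionUID = 1L;
    final String name;
    final HashMap<String, String> authResponses = new HashMap<>();
    final HashMap<String, String> azResponses = new HashMap<>();
    DemoPrincipal(String name) { this.name = name; }
}

public class SerializedPrincipalDemo {
    // Simulates shipping the principal to a remote JVM: the client receives a
    // copy of the object state as it was at the moment of serialization.
    static DemoPrincipal copyToClient(DemoPrincipal p)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(p);
        }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            return (DemoPrincipal) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Authentication phase: responses attached, principal serialized to the client.
        DemoPrincipal server = new DemoPrincipal("jdoe");      // constructed sample user
        server.authResponses.put("department", "finance");     // constructed sample attribute
        DemoPrincipal client = copyToClient(server);

        // Authorization phase: responses attached to the server-side principal only.
        server.azResponses.put("approval-limit", "5000");      // constructed sample attribute

        System.out.println("server auth=" + server.authResponses + " az=" + server.azResponses);
        System.out.println("client auth=" + client.authResponses + " az=" + client.azResponses);

        // Code on the remote JVM must treat a missing authorization response as
        // "not available" and never substitute a default value for it.
        String limit = client.azResponses.get("approval-limit");
        System.out.println(limit == null
                ? "client: authorization response not available"
                : "client: approval-limit=" + limit);
    }
}
```

The client copy keeps the authentication responses but never sees the authorization responses added on the server afterwards, which is why decisions that depend on them belong in the server-side component.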
Copyright © 2010 CA. All rights reserved.