2 Replies Latest reply on Apr 13, 2010 12:58 AM by madanosliw

    GenericHeaderAuthenticator / SiteMinder Authentication

      I have been studying how to receive the header authentication from SiteMinder into JBoss. I have been following the instructions from http://community.jboss.org/wiki/GenericHeaderBasedAuthentication but with limited success.

       

      What I've done:

       

       

      WEB-INF/jboss-web.xml:

      <jboss-web>
          <security-domain>java:/jaas/WebServiceTestDomain</security-domain>
      </jboss-web>

       

      WEB-INF/web.xml:

      ...

      <login-config>
           <auth-method>HEADER</auth-method>
           <realm-name>java:/jaas/WebServiceTestDomain</realm-name>
      </login-config>

      ...


      META-INF/context.xml:

      <?xml version="1.0" encoding="UTF-8"?>

      <deployment xmlns="urn:jboss:bean-deployer:2.0">

            <application-policy xmlns="urn:jboss:security-beans:1.0" name="WebServiceTestDomain">

              <authentication>
                  <login-module code="org.jboss.web.tomcat.security.GenericHeaderAuthenticator"
                          flag="required">
                          <!-- <module-option name="HttpHeaderForSSOAuth">SITEMINDER_AUTH</module-option> -->
                  </login-module>
                 
              </authentication>
          </application-policy>

       

      </deployment>

       

      <Context>
          <key>HEADER</key>
          <Valve className="org.jboss.web.tomcat.security.GenericHeaderAuthenticator"
              httpHeaderForSSOAuth="sm_ssoid,ct-remote-user,HTTP_OBLIX_UID"
              sessionCookieForSSOAuth="SMSESSION,CTSESSION,ObSSOCookie"/>
      </Context>

       

      This results in the following error when loading the page:

           java.lang.IllegalStateException: Http headers configuration in tomcat service missing

      ...FYI: which is an error from the following source code

      http://anonsvn.jboss.org/repos/jbossas/tags/JBoss_5_1_0_GA/tomcat/src/main/org/jboss/web/tomcat/security/GenericHeaderAuthenticator.java

       

      My question is, how do I set the HttpHeaderForSSOAuth parameter?

       

      ed

        • 1. Re: GenericHeaderAuthenticator / SiteMinder Authentication
          longbeach

          Hi,

          Have you been able to fix your problem?

          If yes, I would be interested to know how, since I too need to authenticate my user through SiteMinder SSO.

          Thanks.

          • 2. Re: GenericHeaderAuthenticator / SiteMinder Authentication

            We got this working in JBoss 5 and added some custom stuff, but this is the basics:

             

            In JBoss 5, the configuration's going to have to go in the war deployers jboss-beans.xml:
            {jboss.home}/server/{configuration}/deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml:
            <property name="authenticators">
                 <map keyClass="java.lang.String" valueClass="java.lang.String">
                      ...
            
                      <entry>
                           <key>HEADER</key>
                           <value>org.jboss.web.tomcat.security.GenericHeaderAuthenticator</value>
                      </entry>
                 </map>
            </property>
            
            
            The httpHeaderForSSOAuth (HTTP header names carrying the principal from the SiteMinder proxy) and sessionCookieForSSOAuth fields also go in the bean tag named "WarDeployer" in the same file:
            <bean name="WarDeployer">
                 ...
                 <property name="httpHeaderForSSOAuth">SITEMINDER_AUTH_HEADER</property>
                 ...
            </bean>
            
            We actually wrote a custom authenticator based on the GenericHeaderAuthenticator.  If choosing to do this, a tip that will save you some time is that the attributes are capitalized when retrieving them:
            mserver.getAttribute(new ObjectName("jboss.web:service=WebServer"), "HttpHeaderForSSOAuth");
            When you've got the authenticator set up, you can refer to the type in your web.xml or jboss.xml:
            <auth-method>HEADER</auth-method>
            If using the SiteMinder header as a trusted authentication, you might need to write a custom login module to accept any username/empty password (I'm not sure about this, you might be able to not specify a login module and have the authentication work).
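
The capitalized-attribute lookup mentioned in the reply above, as an added example that is not part of the original thread and is not the JBoss source. It registers a stand-in MBean (`WebServerStub`, hypothetical) under the object name quoted in the reply, shows that the lower-case spelling used in the XML property is not a valid MBean attribute name, and denies access when no configured header is present. The header values and the `principalFrom` helper are constructed for illustration; the code assumes Java 9 or later for `Map.of`.

```java
import java.lang.management.ManagementFactory;
import java.util.Map;
import javax.management.AttributeNotFoundException;
import javax.management.MBeanServer;
import javax.management.ObjectName;

public class SsoHeaderLookupDemo {
    // Stand-in MBean, constructed for this example; in JBoss 5 the real
    // jboss.web:service=WebServer MBean is registered by the server itself.
    public interface WebServerStubMBean { String getHttpHeaderForSSOAuth(); }
    public static class WebServerStub implements WebServerStubMBean {
        public String getHttpHeaderForSSOAuth() { return "sm_ssoid,ct-remote-user"; }
    }

    // Read the configured header names; refuse to continue when none are set.
    static String[] headerNames(MBeanServer server, ObjectName web) throws Exception {
        String raw = (String) server.getAttribute(web, "HttpHeaderForSSOAuth");
        if (raw == null || raw.trim().isEmpty()) {
            throw new IllegalStateException("Http headers configuration in tomcat service missing");
        }
        return raw.trim().split("\\s*,\\s*");
    }

    // Return the first non-empty configured header value, or null so the caller
    // denies access. The map stands in for request.getHeader(name).
    static String principalFrom(Map<String, String> requestHeaders, String[] names) {
        for (String name : names) {
            String value = requestHeaders.get(name);
            if (value != null && !value.trim().isEmpty()) return value.trim();
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        ObjectName web = new ObjectName("jboss.web:service=WebServer");
        server.registerMBean(new WebServerStub(), web);

        try { // the XML property spelling is not the MBean attribute name
            server.getAttribute(web, "httpHeaderForSSOAuth");
        } catch (AttributeNotFoundException e) {
            System.out.println("lower-case lookup rejected: " + e.getClass().getSimpleName());
        }

        String[] names = headerNames(server, web);
        // Constructed request headers: one carrying an SSO header, one without.
        System.out.println("with header:    " + principalFrom(Map.of("ct-remote-user", "alice"), names));
        System.out.println("without header: " + principalFrom(Map.of("user-agent", "test"), names));
    }
}
```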