2 Replies Latest reply on Apr 13, 2010 12:58 AM by madanosliw

    GenericHeaderAuthenticator / SiteMinder Authentication

    Edward Kujawski Newbie

      I have been studying how to receive the header authentication from SiteMinder into JBoss. I have been following the instructions from http://community.jboss.org/wiki/GenericHeaderBasedAuthentication but with limited sucess.

       

      What I've done:

       

       

      WEB-INF/jboss-web.xml:

      <jboss-web>
          <security-domain>java:/jaas/WebServiceTestDomain</security-domain>
      </jboss-web>

       

      WEB-INF/web.xml:

      ...

      <login-config>
           <auth-method>HEADER</auth-method>
           <realm-name>java:/jaas/WebServiceTestDomain</realm-name>
      </login-config>

      ...


      META-INF/context.xml:

      <?xml version="1.0" encoding="UTF-8"?>

      <deployment xmlns="urn:jboss:bean-deployer:2.0">

            <application-policy xmlns="urn:jboss:security-beans:1.0" name="WebServiceTestDomain">

              <authentication>
                  <login-module code="org.jboss.web.tomcat.security.GenericHeaderAuthenticator"
                          flag="required">
                          <!-- <module-option name="HttpHeaderForSSOAuth">SITEMINDER_AUTH</module-option> -->
                  </login-module>
                 
              </authentication>
          </application-policy>

       

      </deployment>

       

      <Context>
          <key>HEADER</key>
          <Valve className="org.jboss.web.tomcat.security.GenericHeaderAuthenticator"
              httpHeaderForSSOAuth="sm_ssoid,ct-remote-user,HTTP_OBLIX_UID"
              sessionCookieForSSOAuth="SMSESSION,CTSESSION,ObSSOCookie"/>
      </Context
      >

       

      This results in the following error when loading the page:

           java.lang.IllegalStateException: Http headers configuration in tomcat service missing

      ...FYI: which is an error from the following source code

      http://anonsvn.jboss.org/repos/jbossas/tags/JBoss_5_1_0_GA/tomcat/src/main/org/jboss/web/tomcat/security/GenericHeaderAuthenticator.java

       

      My question is, how do I set the HttpHeaderForSSOAuth parameter?

       

      ed

        • 1. Re: GenericHeaderAuthenticator / SiteMinder Authentication
          Celinio Fernandes Novice

          Hi,

          have you been able to fix your problem ?

          If yes, I would be interested to know how since I too need to authenticate my user through Siteminder SSO.

          Thanks.

          • 2. Re: GenericHeaderAuthenticator / SiteMinder Authentication
            madanosliw Newbie

            We got this working in JBoss 5 and added some custom stuff, but this is the basics:

             

            In JBoss 5, the configuration's going to have to go in the war deployers jboss-beans.xml:
            {jboss.home}/server/{configuration}/deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml:
            <property name="authenticators">
                 <map keyClass="java.lang.String" valueClass="java.lang.String">
                      ...
            
                      <entry>
                           <key>HEADER</key>
                           <value>org.jboss.web.tomcat.security.GenericHeaderAuthenticator</value>
                      </entry>
                 </map>
            </property>
            
            
            The httpHeaderForSSOAuth (HTTP Header names carrying the principal from the Siteminder proxy) and sessionCookieForSSOAuth fields also go in the bean tag named "WarDeployer" in the same file:  
            <bean name="WarDeployer">
                 ...
                 <property name="httpHeaderForSSOAuth">SITEMINDER_AUTH_HEADER</property>
                 ...
            </bean>
            
            We actually wrote a custom authenticator based on the GenericHeaderAuthenticator.  If choosing to do this, a tip that will save you some time is that the attributes are capitalized when retrieving them:
            mserver.getAttribute(new ObjectName("jboss.web:service=WebServer"), "HttpHeaderForSSOAuth");
            When you've got the authenticator set up, you can refer to the type in your web.xml or jboss.xml:
            <auth-method>HEADER</auth-method>
            If using the siteminder header as a trusted authentication, you might need to write a custom login module to accept any username/empty password (I'm not sure about this, you might be able to not specify a login module and have the authentication work).