4 Replies Latest reply on Dec 4, 2009 8:00 PM by anil.saldhana

ADFS JBossWS and friends

acoliver Dec 4, 2009 1:14 AM

I'm going to ask this as if it were a user question. Anil told me to post it here :-) Mainly I'm proposing a scenario.

The basic requirement

IE/Flash ----SOAP----JBoss----SOAP----AnotherJBoss---SOAP---NOTJBOSS

ActiveDirectory

The present solution (https://jira.jboss.org/jira/browse/JBAS-2681):

Microsoft Certificate Server
Fixed LDAPExtLoginModule to let me authorize only and use the principal from the cert
SSL Cert authentication

That gets us step 1.
Step 2 is how does JBoss call AnotherJBoss passing the credentials

Present solution involves NOT calling the same port (because I have to NOT do client cert re-authentication) and passing WS-Security info, using another login module that says "if JBoss said he's authenticated then he must be authenticated". Basically ID and origination IP is the credential.

So how do I get a real single sign on session from client call one server and share that session up to another and possible another NOT JBoss server? What software, standards, configuration is involved? How would one put such a thing together.

Ideally the client would:
* only use SSL Authentication anywhere once (Because cross authentication is a bear)
* be able to authorize (get his groups and/or roles) in a convenient manner.

1. Re: ADFS JBossWS and friends

anil.saldhana Dec 4, 2009 6:35 AM (in response to acoliver)

From what I can see, you really need to provide some handler at the first instance where the IP origination has to be assumed as the credential. After that, you may need custom login modules to handle the interaction of this morphed security context (username, IP cred) and deal with the AD for the group information.

The scenario looks similar to a regular invocation of username/password except that we use IP origination as the cred. The login modules you write should just use the username to get hold of the groups from AD.
Actions
2. Re: ADFS JBossWS and friends

anil.saldhana Dec 4, 2009 6:36 AM (in response to acoliver)

One aspect that may be important is the trust between the computers. Just because an invocation comes with user/ip origination, do you trust?
Actions
3. Re: ADFS JBossWS and friends

acoliver Dec 4, 2009 7:44 AM (in response to acoliver)

right but that is a "now/point-to-point" solution. We're doing that now. We want something more like: http://www.infoq.com/resource/articles/ws-standards-wcf-bustamante/en/resources/wstrust.jpg and this http://www.infoq.com/resource/articles/ws-standards-wcf-bustamante/en/resources/transport2.jpg
Actions
4. Re: ADFS JBossWS and friends

anil.saldhana Dec 4, 2009 8:00 PM (in response to acoliver)

That is the reference to the trust I mentioned. An STS gives the necessary trust in an heterogeneous environment.
Actions

Go to original post