2 Replies Latest reply on Sep 12, 2006 12:10 PM by anil.saldhana

    Security Impl



      I am currently working on a new security implementation for my company - I am a committer on JBossESB and thought what better people to ask my questions than fellow JBoss brethren :-)

      We are migrating to JBoss - but right now we are focused on security. There is a good oppty for us to integrate JBoss security at this point. My reqt. is for Delegated Authentication - we have currently have an application that performs Form based authentication, sets an encrypted cookie (with user and pass), this cookie on subsequent requests is decrypted by a webserver plug-in - which also sets the BASIC auth headers and forwards the request to our apps, then there is a JAAS plugin to take care of the application entitlements. Woo! Get all that.

      Right now - we would like to keep all that but offer our own SAML Delegated Authentication (browser based identity federation) scheme. We could just give our clients a different url for the saml assertions.

      I have looked through the docs and I do not see anything directly dealing with browser identity federation through the use of SAML assertions. Also, wondering if it would be possible to achieve this using non-JBoss appserver instances (keeping the BASIC auth) - I am thinking all requests would need to come through a marshalling framework to handle timeouts, etc... then populate the BASIC headers, forward the request - sound right?

      Or am I way off base?

      I would love to get this working as it would definitely be a high profile implementation.

      Thanks for any help.

        • 1. Re: Security Impl

          I had created a diagram for what I believe may be a working implementation but not sure if it is plausible and wanted to get advice. Looks like I cannot upload my diagram.

          Essentially the steps are as follows:

          1) Https request (housing a SAML assetion) comes to the web server and onto the JBoss SSO Federation instance.

          2) Based on this assertion - an LDAP lookup and binding takes place and is successful. A token is then generated (I guess this would be the perimeter authentication - but my perimeter is not large).

          3) The request is then forwarded with the token where 'Some Other App Server' non-JBoss receives the request and based on the token determines the application entitlements - using a identity assertion provide within a JAAS module (ie a portion of the SAML assertion could be used as a token) all roles are identified.

          4) Subsequent requests will directly go to the 'Some Other App Server' and will be serviced based on the previously generated session.

          Does this sound plausible? It seems to me that there should be a formal security service outside of applications. I cannot readily identify how to have this SSO/SAML assertion service integrate to our existing web applications. Any architectural knowledge would be much appreciated.

          Thank you in advance.

          • 2. Re: Security Impl


            That is the closest we are doing at JBoss.