7 Replies Latest reply on Oct 30, 2008 1:39 PM by Anil Saldanha

    Trust association and subject building for SSO

    Ganesh Sharma Newbie

      Hi *,

      This query is all about how to implement custom authentication and associate the subject with container. Details are as follows.

      We are using the IBM tivoli access manager for authentication and coarse level authorization and also achieving SSO for several applications running on different Jboss servers.

      Following are the details how it is happening

      1.User request for the protected resource (servlet url/ejb method) to container (Jboss)
      2.Webseal (TAM component) intercept the request and authenticate the user
      3.Webseal forwards the request to target container for response. But as the resources are protected the container needs to authenticate the user to create a server specific identity(Subject). In this case container sends the challenge to the Webseal and Webseal provides the user information in desired format(basic header/Form) to container.
      4.Container authenticates the user and rest of the folw is asusual.

      Now following is the problem we want to solve

      Problem statement: When we put the TAM as security layer, we want to authenticate the user only once. We don?t want that when the request is sent to container the container perform the authentication once again.

      What we want is that the Webseal just send the user id and group information to the container and container trust the tam and create the session based on this information.

      Actually by doing this we just want to eliminate one request/ response cycle between the Webseal and the container and one database/LDAP call.

      What we have done: Have modified the login module of container to authenticate a user without the password. So no database call is required. User is authenticated based on user id and roles are used for authorization.

      What we are looking for: How to save this information in container that the user is authenticated. Actually want to explore and modify the process of pre-authentication (how to get user information from i.e. Basic or Form ) and post-authentication (how to save authenticated user and create a session so further requests from the same user are not authenticated)

      Have tried to modify SecurityAssotiation a Jaas security manager but got confused in the complex implementation.

      We just want that when a request comes to the container for a protected resource it should check the http headers and get user id and its role information from the headers. Based on this information the user should be authenticated(without password) and the subject should be created and associated with the container cache.

      Help would be highly appriciated

      If you need further information then kindly contact me at


        • 1. Re: Trust association and subject building for SSO
          Anil Saldanha Master

          Ganesh, let me think on your usecase scenario a bit and suggest something.

          I have been thinking about the scenario where in users want to plug in Tivoli Access Manager to interoperate with JBoss security infrastructure. So your description is quiet descriptive. If I need some specific details, I will post here.

          Thanks for the description.

          • 2. Re: Trust association and subject building for SSO
            Anil Saldanha Master

            For the web layer, you can header based authentication. You will need some form of an authenticator. Look here for guidance:

            Once the login module is invoked, then the JBoss security layer takes care of the subject/caching etc. The authenticator should pluck the relevant information from the http request and then pass them to the jaas layer.

            Now for the ejb layer, I guess you will have to write a new interceptor and replace the security interceptor in the container configuration in conf/standardjboss.xml or write your own container config in jboss.xml in ejb jar.

            • 3. Re: Trust association and subject building for SSO
              Ganesh Sharma Newbie

              Hi Anil,
              Thanks a lot for instant reply and your interest.

              Firstly queries about your first reply
              Anil: You have talked about web layer and ejb layer. Well yes we do have separate interceptors for both layer but if I use form based authentication for web layer then the same user information is passed on to the ejb layer. I am looking for the same kind of solution that if I use the GenericHeaderBasedAuthentication for my web layer then the same information should be propagated to EJB layer. Update me if I am wrong.

              Secondly you have talked about Jboss security layer and Jaas layer. Let us elaborate these terms for common understanding
              Jboss security layer: the components which determine that the requested resource is protected or not and user is already authenticated or not. I am looking out for these components but not able to do so. Kindly provide information on the same that which components are doing this. Again update me if I am wrong.

              And the Jaas layer: it is the login module and security manager, realm mapping interface implementation doing authentication and role mapping

              Now coming back to the original problem, I can clearly envisage and divide the problem into two parts.

              1.How to get user information (from user in form, basic authentication or from headers in Generic header based authentication) and put it into cache

              2. Validate the user information and associate the roles

              Way ahead for problem 1
              Use the GenericHeaderBasedAuthentication or some other valve of tomcat and get the information from header rather then asking the user and cache it with the container.

              Way ahead for problem 2
              Modify the login module so that it don?t use the database but use the same information provided in headers for validation and role mapping.

              Priority wise first we are implementing the solution for problem 2, as it is more critical and it can eliminate the use of DB/LDAP. Secondly we will solve the problem 1.

              The information is detailed out so other users can also use the same without loosing time.

              Thanks again for help.

              Thanks & Regards,

              • 4. Re: Trust association and subject building for SSO
                Anil Saldanha Master

                You will know whether a particular WAR needs form or basic auth. Right? In that particular war, under WEB-INF/context.xml, provide an authenticator that extends FormAuthenticator or BasicAuthenticator.

                That is all you will need.

                As u see in the authenticator, the realm.authenticate call will invoke the jboss realm - do the jaas login and do any container related stuff.

                • 5. Re: Trust association and subject building for SSO
                  Roshan Dawrani Newbie

                  Hi Ganesh,
                  Can you please share how you resolved the authentication issues at web layer as well as the ejb layer in your scenario? I also have to something similar. I have to use a custom SSO solution that sends the authenticated user's name and role as cookies and with that I have to satisfy my web layer and ejb layer security requirements by creating the required principal and subject objects so that the containers are satisfied.

                  If you can share finally which approach you took it'll help me a lot. Did you end up extending some catalina Authenticator and some JBoss login module to skip the authentication step (as it has already been done by the custom SSO solution) or did you take any other approach?


                  • 6. Re: Trust association and subject building for SSO
                    Arshad Noor Newbie


                    While the GenericHeaderbasedAuthenticator can get the UserID/Password from the Request header, how does the CustomLoginModule get access to those values? I'm not seeing the connection.

                    Within a portlet or a servlet, its easy to get at those values (they're in the RenderRequest or ServletRequest, respectively); but if I want the CustomLoginModule to be used for the entire container, I'm not sure how the login() method in the CustomLoginModule gains access to the header-parameters. Some examples would be helpful in getting me to see the light. Thanks.

                    • 7. Re: Trust association and subject building for SSO
                      Anil Saldanha Master

                      Use the callback handler to get access to the values.