geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo v2.1 > Configuring HTTP header-based authentication
Date Wed, 27 Oct 2010 07:50:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=GMOxDOC21&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/GMOxDOC21/Configuring+HTTP+header-based+authentication">Configuring
HTTP header-based authentication</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~chirunhua@gmail.com">Runhua
Chi</a>
    </h4>
        <br/>
                         <h4>Changes (1)</h4>
                                 
    
<div id="page-diffs">
            <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >* {{&lt;log:option name=&quot;authenticationAuthority&quot;&gt;Siteminder&lt;/log:option&gt;}}:
Siteminder is the Single Sign-on system. <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >Similarly, you can configure a
deployment plan for the [LDAP Realm|LDAP <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">Security</span>
<span class="diff-added-words"style="background-color: #dfd;">realm|LDAP</span>
realm] or the [Database (SQL) Realm|Database <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">security</span>
<span class="diff-added-words"style="background-color: #dfd;">(SQL) Realm|SQL</span>
realm] to use the Siteminder for Single Sign-on. <br></td></tr>
        </table>
</div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">

<p>This chapter introduces the process of achieving Single Sign-on by using CA servers, such
as <a href="http://www.ca.com/us/internet-access-control.aspx" class="external-link" rel="nofollow">Siteminder</a>,
to validate authentication information passed in the <a href="http://www.w3.org/Protocols/HTTP/1.0/spec.html#Message-Headers"
class="external-link" rel="nofollow">HTTP headers</a>. <b>Single Sign-on</b>
is a method of access control for the server: the user is authenticated only once and then
gains access to the resources of multiple software systems. In other words, with Single Sign-on a
user agent that wishes to authenticate itself with a server needs to do so only once
for a given security realm.</p>

<p>During such authentication, a CA server cross-checks the information appended to
the HTTP headers. If the information is consistent with that defined by the security realm,
the identity of the client being authenticated is verified.</p>

<p>Applications that use HTTP header-based authentication must declare it in their
deployment descriptor as follows:</p>
<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>Excerpt
from a deployment descriptor</b></div><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;login-config&gt;</span>
      <span class="code-tag">&lt;auth-method&gt;</span>GENERIC<span
class="code-tag">&lt;/auth-method&gt;</span>
      <span class="code-tag">&lt;realm-name&gt;</span>TestPropsRealm<span
class="code-tag">&lt;/realm-name&gt;</span>
<span class="code-tag">&lt;/login-config&gt;</span>
</pre>
</div></div>

<p>where</p>
<ul>
	<li><tt>&lt;realm-name&gt;TestPropsRealm&lt;/realm-name&gt;</tt>:
<tt>TestPropsRealm</tt> is the name of the security realm used for authentication.</li>
</ul>


<h1><a name="ConfiguringHTTPheader-basedauthentication-WorkingwithSiteminder"></a>Working
with Siteminder</h1>
<p>A well-known CA server is <b>Siteminder</b>, which passes authentication information
to the application by setting specific headers on the HTTP request. By default, it uses the
<b>SM_USER</b> header to carry the username, which is then authenticated by the
<tt>GenericHttpHeaderLoginmodule</tt> class in the Geronimo server.</p>

<p>You can configure a security realm for HTTP header-based authentication. The following
TestPropsRealm.xml file is a deployment plan that creates a <a href="/confluence/pages/createpage.action?spaceKey=GMOxDOC21&amp;title=Properties+security+realm&amp;linkCreation=true&amp;fromPageId=24184554"
class="createlink">Properties file security realm</a> on the Geronimo server. Applications
that use this security realm can achieve Single Sign-on.</p>

<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>Excerpt
from TestPropsRealm.xml</b></div><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;module xmlns=<span class="code-quote">"http://geronimo.apache.org/xml/ns/deployment-1.2"</span>&gt;</span>
    <span class="code-tag">&lt;environment&gt;</span>
        <span class="code-tag">&lt;moduleId&gt;</span>
            <span class="code-tag">&lt;groupId&gt;</span>console.realm<span
class="code-tag">&lt;/groupId&gt;</span>
            <span class="code-tag">&lt;artifactId&gt;</span>TestPropsRealm<span
class="code-tag">&lt;/artifactId&gt;</span>
            <span class="code-tag">&lt;version&gt;</span>1.0<span class="code-tag">&lt;/version&gt;</span>
            <span class="code-tag">&lt;type&gt;</span>car<span class="code-tag">&lt;/type&gt;</span>
        <span class="code-tag">&lt;/moduleId&gt;</span>
        <span class="code-tag">&lt;dependencies&gt;</span>
            <span class="code-tag">&lt;dependency&gt;</span>
                <span class="code-tag">&lt;groupId&gt;</span>org.apache.geronimo.framework<span
class="code-tag">&lt;/groupId&gt;</span>
                <span class="code-tag">&lt;artifactId&gt;</span>j2ee-security<span
class="code-tag">&lt;/artifactId&gt;</span>
                <span class="code-tag">&lt;type&gt;</span>car<span
class="code-tag">&lt;/type&gt;</span>
            <span class="code-tag">&lt;/dependency&gt;</span>
        <span class="code-tag">&lt;/dependencies&gt;</span>
    <span class="code-tag">&lt;/environment&gt;</span>
    &lt;gbean name=<span class="code-quote">"TestSqlRealm"</span> class=<span
class="code-quote">"org.apache.geronimo.security.realm.GenericSecurityRealm"</span>

                 xsi:type=<span class="code-quote">"dep:gbeanType"</span> <span
class="code-keyword">xmlns:dep</span>=<span class="code-quote">"http://geronimo.apache.org/xml/ns/deployment-1.2"</span>

                 <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>&gt;
        <span class="code-tag">&lt;attribute name=<span class="code-quote">"realmName"</span>&gt;</span>TestPropsRealm<span
class="code-tag">&lt;/attribute&gt;</span>
        <span class="code-tag">&lt;reference name=<span class="code-quote">"ServerInfo"</span>&gt;</span>
            <span class="code-tag">&lt;name&gt;</span>ServerInfo<span
class="code-tag">&lt;/name&gt;</span>
        <span class="code-tag">&lt;/reference&gt;</span>
        <span class="code-tag">&lt;xml-reference name=<span class="code-quote">"LoginModuleConfiguration"</span>&gt;</span>
            <span class="code-tag">&lt;log:login-config <span class="code-keyword">xmlns:log</span>=<span
class="code-quote">"http://geronimo.apache.org/xml/ns/loginconfig-2.0"</span>&gt;</span>
                <span class="code-tag">&lt;log:login-module control-flag=<span
class="code-quote">"REQUIRED"</span> wrap-principals=<span class="code-quote">"false"</span>&gt;</span>
                    <span class="code-tag">&lt;log:login-domain-name&gt;</span>TestPropsRealm<span
class="code-tag">&lt;/log:login-domain-name&gt;</span>
                    <span class="code-tag">&lt;log:login-module-class&gt;</span>org.apache.geronimo.security.realm.providers.GenericHttpHeaderPropertiesFileLoginModule<span
class="code-tag">&lt;/log:login-module-class&gt;</span>
                    <span class="code-tag">&lt;log:option name=<span class="code-quote">"groupsURI"</span>&gt;</span>var/security/demo_groups.properties<span
class="code-tag">&lt;/log:option&gt;</span>
					<span class="code-tag">&lt;log:option name=<span class="code-quote">"headerNames"</span>&gt;</span>SM_USER<span
class="code-tag">&lt;/log:option&gt;</span>
					<span class="code-tag">&lt;log:option name=<span class="code-quote">"authenticationAuthority"</span>&gt;</span>Siteminder<span
class="code-tag">&lt;/log:option&gt;</span>
                <span class="code-tag">&lt;/log:login-module&gt;</span>
            <span class="code-tag">&lt;/log:login-config&gt;</span>
        <span class="code-tag">&lt;/xml-reference&gt;</span>
    <span class="code-tag">&lt;/gbean&gt;</span>
<span class="code-tag">&lt;/module&gt;</span>
</pre>
</div></div>

<p>where</p>
<ul>
	<li><tt>GenericHttpHeaderPropertiesFileLoginModule</tt>: the login module class that
lets the generic HTTP header be used for authentication against a Properties file security
realm. When working with the LDAP Realm or the Database (SQL) Realm, the <tt>GenericHttpHeaderLdapLoginModule</tt>
and <tt>GenericHttpHeaderSqlLoginmodule</tt> classes are used respectively.</li>
	<li><tt>&lt;log:option name="groupsURI"&gt;var/security/demo_groups.properties&lt;/log:option&gt;</tt>:
the demo_groups.properties file is the groups properties file for this security realm.</li>
	<li><tt>&lt;log:option name="headerNames"&gt;SM_USER&lt;/log:option&gt;</tt>:
<tt>SM_USER</tt> is the name of the header that carries the username to the server
for authentication.</li>
	<li><tt>&lt;log:option name="authenticationAuthority"&gt;Siteminder&lt;/log:option&gt;</tt>:
Siteminder is the Single Sign-on system that sets the header.</li>
</ul>
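<p>To show what the options above amount to at request time, here is an added Python model (not Geronimo's
code, and not the real login module) of a header login module: it reads the options from a constructed copy
of the plan's <tt>log:login-config</tt> element, takes the username from the configured header, and looks the
user's groups up in a constructed groups file. The comma-separated handling of <tt>headerNames</tt> and the
<tt>group=user1,user2</tt> file format are assumptions.</p>

```python
# Added illustration, not Geronimo code: models what a GenericHttpHeader*LoginModule
# does with the options in the deployment plan. Assumptions: headerNames may be a
# comma-separated list, and the groups file uses the form "group=user1,user2".
import xml.etree.ElementTree as ET

LOG = "{http://geronimo.apache.org/xml/ns/loginconfig-2.0}"

# Constructed excerpt mirroring the plan's <log:login-config> element.
PLAN_XML = """<log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
  <log:login-module control-flag="REQUIRED" wrap-principals="false">
    <log:login-domain-name>TestPropsRealm</log:login-domain-name>
    <log:login-module-class>org.apache.geronimo.security.realm.providers.GenericHttpHeaderPropertiesFileLoginModule</log:login-module-class>
    <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
    <log:option name="headerNames">SM_USER</log:option>
    <log:option name="authenticationAuthority">Siteminder</log:option>
  </log:login-module>
</log:login-config>"""

# Constructed demo_groups.properties content (group=comma-separated users).
GROUPS_PROPS = "admin=alice\nmanager=alice,bob\n"

def login_module_options(plan_xml):
    """Return the <log:option> name/value pairs of the login module."""
    root = ET.fromstring(plan_xml)
    return {o.get("name"): (o.text or "").strip() for o in root.iter(LOG + "option")}

def parse_groups(text):
    """Map each user to the set of groups whose line lists that user."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        group, users = line.split("=", 1)
        for user in users.split(","):
            groups.setdefault(user.strip(), set()).add(group.strip())
    return groups

def authenticate(options, request_headers, groups_text):
    """Resolve the principal the way a header login module would.
    Returns (username, groups) or None when no configured header is present.
    Header lookup is case-insensitive, as HTTP header names are."""
    headers = {k.upper(): v for k, v in request_headers.items()}
    for name in options["headerNames"].split(","):
        user = headers.get(name.strip().upper())
        if user:
            return user, parse_groups(groups_text).get(user, set())
    return None  # no trusted header: the login must fail rather than fall back
```

<p>Because the module takes the username on trust from the header, the realm is only as strong as the
guarantee that every request reaching Geronimo has passed through the Siteminder agent that sets it.</p>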


<p>Similarly, you can configure a deployment plan for the <a href="/confluence/display/GMOxDOC21/LDAP+Realm"
title="LDAP realm">LDAP Realm</a> or the <a href="/confluence/display/GMOxDOC21/Database+%28SQL%29+Realm"
title="SQL realm">Database (SQL) Realm</a> to use Siteminder for Single Sign-on.</p>
    </div>
</div>
</div>
</div>
</div>
</body>
</html>
