geronimo-scm mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Geronimo v3.0 > Configuring HTTP header-based authentication
Date Wed, 25 May 2011 04:41:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/4/_/styles/combined.css?spaceKey=GMOxDOC30&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/GMOxDOC30/Configuring+HTTP+header-based+authentication">Configuring
HTTP header-based authentication</a></h2>
    <h4>Page  <b>added</b> by             <a href="https://cwiki.apache.org/confluence/display/~chirunhua@gmail.com">Runhua
Chi</a>
    </h4>
         <br/>
    <div class="notificationGreySide">

<p>This chapter describes how to achieve Single Sign-on by using CA servers (products of CA Technologies, not
certificate authorities), such
as <a href="http://www.ca.com/us/internet-access-control.aspx" class="external-link" rel="nofollow">Siteminder</a>,
to validate the authentication information that is passed in <a href="http://www.w3.org/Protocols/HTTP/1.0/spec.html#Message-Headers"
class="external-link" rel="nofollow">HTTP headers</a>.</p>

<p><b>Single Sign-on</b> is a method of access control in which a user authenticates once and
then gains access to the resources of multiple software systems. In other words, a user agent that wishes
to authenticate itself to a server needs to do so only once per security realm when Single Sign-on is in use.</p>

<p>In this model the CA server authenticates the user itself and then forwards the result to the
application server in HTTP headers. Geronimo does not re-check a password: the login module accepts the user
name in the configured header as already authenticated and consults the security realm only to assign the user's
groups. Because the header is the whole proof of identity, the application server must be reachable only through
the CA agent or proxy that sets it; a client that can reach the server directly could present any user name in
that header.</p>

<p>Applications that use the HTTP header-based authentication must configure their deployment
descriptor as follows:</p>
<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>Excerpt
from a deployment descriptor</b></div><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;login-config&gt;</span>
      <span class="code-tag">&lt;auth-method&gt;</span>GENERIC<span
class="code-tag">&lt;/auth-method&gt;</span>
      <span class="code-tag">&lt;realm-name&gt;</span>TestPropsRealm<span
class="code-tag">&lt;/realm-name&gt;</span>
<span class="code-tag">&lt;/login-config&gt;</span>
</pre>
</div></div>

<p>where</p>
<ul>
	<li><tt>&lt;auth-method&gt;GENERIC&lt;/auth-method&gt;</tt>: <tt>GENERIC</tt> is a Geronimo-specific
authentication method (not one of the Servlet-specification values BASIC, DIGEST, FORM or CLIENT-CERT). The container
does not collect credentials from the user; it hands the request, including its headers, to the login modules of the
named realm.</li>
	<li><tt>&lt;realm-name&gt;TestPropsRealm&lt;/realm-name&gt;</tt>:
<tt>TestPropsRealm</tt> is the name of the security realm used for authentication. It must match the
<tt>realmName</tt> of a realm deployed on the server (see the deployment plan below).</li>
</ul>


<h1><a name="ConfiguringHTTPheader-basedauthentication-WorkingwithSiteminder"></a>Working
with Siteminder</h1>
<p>A well-known CA server is <b>Siteminder</b>. Its web agent authenticates the user and then passes the result
to the application by setting specific headers on the HTTP request. By default, it uses the
<b>SM_USER</b> header to carry the user name, which is then consumed by the
<tt>GenericHttpHeaderLoginmodule</tt> class in Geronimo (the same class is used in WebSphere Application Server
Community Edition, which is built on Geronimo).</p>

<p>You can configure the security realm for HTTP header-based authentication. The following
TestPropsRealm.xml file is a deployment plan that creates a Properties file security realm on the application server.
Applications that use this security realm can achieve Single Sign-on.</p>

<div class="code panel" style="border-style: solid;border-width: 1px;"><div class="codeHeader
panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><b>Excerpt
from TestPropsRealm.xml</b></div><div class="codeContent panelContent">
<pre class="code-xml">
&lt;module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2"&gt;
    &lt;environment&gt;
        &lt;moduleId&gt;
            &lt;groupId&gt;console.realm&lt;/groupId&gt;
            &lt;artifactId&gt;TestPropsRealm&lt;/artifactId&gt;
            &lt;version&gt;1.0&lt;/version&gt;
            &lt;type&gt;car&lt;/type&gt;
        &lt;/moduleId&gt;
        &lt;dependencies&gt;
            &lt;dependency&gt;
                &lt;groupId&gt;org.apache.geronimo.framework&lt;/groupId&gt;
                &lt;artifactId&gt;j2ee-security&lt;/artifactId&gt;
                &lt;type&gt;car&lt;/type&gt;
            &lt;/dependency&gt;
        &lt;/dependencies&gt;
    &lt;/environment&gt;
    &lt;gbean name="TestPropsRealm" class="org.apache.geronimo.security.realm.GenericSecurityRealm"
           xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"&gt;
        &lt;attribute name="realmName"&gt;TestPropsRealm&lt;/attribute&gt;
        &lt;reference name="ServerInfo"&gt;
            &lt;name&gt;ServerInfo&lt;/name&gt;
        &lt;/reference&gt;
        &lt;xml-reference name="LoginModuleConfiguration"&gt;
            &lt;log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0"&gt;
                &lt;log:login-module control-flag="REQUIRED" wrap-principals="false"&gt;
                    &lt;log:login-domain-name&gt;TestPropsRealm&lt;/log:login-domain-name&gt;
                    &lt;log:login-module-class&gt;org.apache.geronimo.security.realm.providers.GenericHttpHeaderPropertiesFileLoginModule&lt;/log:login-module-class&gt;
                    &lt;log:option name="groupsURI"&gt;var/security/demo_groups.properties&lt;/log:option&gt;
                    &lt;log:option name="headerNames"&gt;SM_USER&lt;/log:option&gt;
                    &lt;log:option name="authenticationAuthority"&gt;Siteminder&lt;/log:option&gt;
                &lt;/log:login-module&gt;
            &lt;/log:login-config&gt;
        &lt;/xml-reference&gt;
    &lt;/gbean&gt;
&lt;/module&gt;
</pre>
</div></div>

<p>where</p>
<ul>
	<li><tt>GenericHttpHeaderPropertiesFileLoginModule</tt>: is the class that
enables the generic HTTP header to be used for authentication with Properties file security
realms. When working with the LDAP Realm or the Database (SQL) Realm, the <tt>GenericHttpHeaderLdapLoginModule</tt>
and <tt>GenericHttpHeaderSqlLoginmodule</tt> classes are used respectively.</li>
	<li><tt>&lt;log:option name="groupsURI"&gt;var/security/demo_groups.properties&lt;/log:option&gt;</tt>:
<tt>demo_groups.properties</tt> is the properties file that maps each group to its members (one
<tt>group=user1,user2</tt> line per group). No users or passwords file is configured because the login module does not
check a password; the user name comes from the header and this file only supplies the group principals.</li>
	<li><tt>&lt;log:option name="headerNames"&gt;SM_USER&lt;/log:option&gt;</tt>:
<tt>SM_USER</tt> is the name of the header that carries the already authenticated user name to the server.</li>
	<li><tt>&lt;log:option name="authenticationAuthority"&gt;Siteminder&lt;/log:option&gt;</tt>:
<tt>Siteminder</tt> is the Single Sign-on system that is trusted as the source of the header.</li>
</ul>
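<p>The following Python program is an added example and is not code from Geronimo or from this page. It models
the decision that the login module configured above makes: take the user name from the first configured header
that is present, look the user up in the <tt>groupsURI</tt> properties file, and build the authenticated subject.
It also adds one check that Geronimo leaves to the deployment: identities asserted in a header are refused unless
the request arrived from a trusted Siteminder agent address. The contents of the groups file, the 10.0.0.0/24
agent network and the behaviour for a user who is absent from the groups file (accepted with no groups) are
assumptions of this example.</p>

```python
"""Model of the HTTP header-based login decision (added example, not Geronimo code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample of var/security/demo_groups.properties.
# Java properties format, one group per line: group=comma,separated,users
DEMO_GROUPS_PROPERTIES = """\
# constructed sample groups file
admin=system
manager=alice,bob
employee=alice,bob,carol
"""

# Mirrors the login-module options in TestPropsRealm.xml.
HEADER_NAMES = "SM_USER"               # a comma-separated list is allowed
AUTHENTICATION_AUTHORITY = "Siteminder"

# Assumption for this example: only these networks host the Siteminder
# web agents that are allowed to assert a user identity.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]


class LoginFailed(Exception):
    """Raised when no trustworthy identity can be derived from the request."""


@dataclass
class Subject:
    user: str
    groups: set[str] = field(default_factory=set)
    authority: str = AUTHENTICATION_AUTHORITY


def parse_groups(text: str) -> dict[str, set[str]]:
    """Invert 'group=user,user' lines into a user -> {groups} mapping."""
    members: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        group, _, users = line.partition("=")
        for user in users.split(","):
            user = user.strip()
            if user:
                members.setdefault(user, set()).add(group.strip())
    return members


def authenticate(headers: dict[str, str], remote_addr: str,
                 groups_text: str = DEMO_GROUPS_PROPERTIES,
                 header_names: str = HEADER_NAMES) -> Subject:
    """Accept the identity asserted in the header, as the login module does,
    but only when the request came from a trusted Siteminder agent."""
    if not any(ip_address(remote_addr) in net for net in TRUSTED_PROXIES):
        # Anyone who reaches the server directly could set SM_USER themselves.
        raise LoginFailed(f"header identity from untrusted peer {remote_addr}")
    # HTTP header names are case-insensitive; the first configured name that
    # carries a non-empty value wins.
    lowered = {k.lower(): v for k, v in headers.items()}
    user = None
    for name in header_names.split(","):
        value = lowered.get(name.strip().lower(), "").strip()
        if value:
            user = value
            break
    if user is None:
        raise LoginFailed("no identity header present")
    # Assumption of this model: a user missing from the groups file is still
    # authenticated (Siteminder already vouched for them) but gets no groups.
    groups = parse_groups(groups_text).get(user, set())
    return Subject(user=user, groups=set(groups))


if __name__ == "__main__":
    print(authenticate({"SM_USER": "alice"}, "10.0.0.5"))
    try:
        authenticate({"SM_USER": "system"}, "203.0.113.7")
    except LoginFailed as exc:
        print("rejected:", exc)
```

<p>The usage at the bottom shows the two outcomes the model distinguishes: a request from the agent network with
<tt>SM_USER: alice</tt> yields a subject in the <tt>manager</tt> and <tt>employee</tt> groups, while the same header
arriving from an address outside the agent network is rejected before the header is even read.</p>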


<p>Similarly, you can configure a deployment plan for the LDAP Realm or the Database (SQL) Realm
to use Siteminder for Single Sign-on.</p>
    </div>
</div>
</div>
</div>
</div>
</body>
</html>
