geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nicholas Irving" <>
Subject RE: Geronimo Web Interceptors, WebSSO with Authentication Proxy
Date Sat, 25 Feb 2006 04:40:11 GMT
Okay Trust Association Interceptor (TAI) 101 in terms of WebSphere.

Both the WebSeal and WebSphere use the same directory, otherwise when
somebody is authentication and authorized in WebSeal that user may not exist
in the WebSphere Security Realm.

There is some level of trust configured between the WebSeal and the
Application Server, normally this is done via Mutual SSL, which means that
the Application Server trusts that what it receives can only come from one
place. Secondly the TAI normally has the WebSeal hostname known to it, so
that if it receives a request via Mutual SSL it can trust the request
because it knows the HostName.

The TAI receives the request and examines the Headers for iv_user or
iv_creds, where iv_user is a UID or CN for an entry in the security realm
that it knows how to find. Iv_creds is a reference to a credential being
stored within the Policy Server, which WebSeal uses to authorize requests,
and in turn can be used in the TAM API to get that same identity. Most
common is iv_user, but iv_creds is becoming defacto because it cannot be
easily forged as it is an entry in the credential cache for the WebSeal and
Policy Server.

Some other information can be passed as well, such as an the identity of a
user that only the Application server knows the password for. This is to be
used in cases where Mutual SSL cannot be used, and adds an additional
directory lookup and means a password being stored in some way on the
Application Server.

Through whatever means the credential is then passed to the security context
to create a Security context in the Application Server through it normal
operational channels.

Iv_groups is a comma separate list of cn of the groups the identity belongs

-----Original Message-----
From: [] On Behalf Of Aaron
Sent: Friday, 24 February 2006 11:47 PM
Subject: Re: Geronimo Web Interceptors, WebSSO with Authentication Proxy

So it sounds like we need to accept a "trusted" username and group
list from the HTTP request?  It would be easy enough to prepare a
LoginModule to handle that.  The problem is, I suspect we'll need a
code change to the web containers so that they could provide HTTP
request information to the LoginModule on demand.  I imagine we'd
provide a way in the geronimo-web.xml to list the user and group
property names (iv-user, iv-groups) that should be passed in to the
LoginModule on request.

Can I just ask a couple more questions?

1) How is the information attached to the request?  Is it an HTTP
header or a get/post parameter?

2) What is the format of the group list for iv-groups?

3) Would you need the credentials for anything, e.g. if it's a
password, to turn around and log into a web service or CORBA service?


On 24 Feb 2006 11:12:46 +0100, <> wrote:
> First, I%u2019d like to explain WebSEAL functionality in few words.
> WebSEAL is some kind of the reverse proxy with authentication and
authorization extensions. WebSEAL is part of TAM (Tivoli Access Manager).
Usually it works in front of HTTP or Application Server in DMZ. Diagram
below shows the hi-level architecture (flow of request) with WebSEAL:
> [user] ---> [WebSEAL] ---> [firewall] ---> [HTTPServer] ---> [Geronimo]
> Obviously Firewall and HTTPServer are not mandatory and for our
consideration I propose analyse this case without it.
> One instance of WebSEAL can work with more than one application (or web)
server. WebSEAL provides functionality like Web SSO, a lot of authentication
mechanisms, Step-up of authentication and a few more.
> After WebSEAL authenticates the user, it adds his username (iv-user),
groups (iv-groups) and credentials (iv-creds) to the request which is
forwarded to the backend-server. I hope Geronimo can use this information to
authenticate user automatically.
> Please correct me if I am wrong, my proposition is to use the Interceptor
to do it. My problem is that I don%u2019t know how to change the interceptor
in Geronimo-jetty ;(
> >I'd like to be able to plug third-party authentication providers like
> >this into Geronimo.  It's possible we can do it with a custom security
> >login module.
> I know we can but I want to use WebSEAL or any other Authentication Proxy
for authentication and pre-authorization of the user requests.
> >How much do you know about the WebSEAL API?
> I hope I know this API well :)
> >If there
> >was some remote call we could make, for example, to supply a username
> >and password and get back whether it was valid and a list of groups,
> >that would be pretty easy to integrate.
> Of course TAM has API to do it. To be precise, I made it and this is works
fine. But, I hope you understand me, that it does not meet my needs.
> >But I haven't heard of
> >WebSEAL before, so I'm not even sure if it operates on usernames and
> >passwords at all.
> Yes, WebSEAL is based on LDAP Server and provides authentication mechanism
based on user login/password.
> I hope my explanation is clear enough, but if not I will try to answer for
any questions.
> Thanks,
> sebo
> > On 23 Feb 2006 10:26:32  0100, >>
> > > Hi All,
> > >
> > > I am looking for information about Geronimo%u2019s Web Container
> > Interceptors. It is preferred for me to use Jetty but Tomcat is good as
> > well.
> > > I plan to integrate Geronimo with Authentication Proxy like WebSEAL
> > TAM. If you look at WAS concept, there is TAI mechanism which integrates
> > Authentication Proxy with Application Server. Does Geronimo have
> > like TAI from WAS?
> > >
> > > I thing it will be good to add my own interceptor or change the
> > SecurityContextBeforeAfter one. Maybe, it will be enough to use my own
> > Authenticator. What do you thing about it?
> > >
> > > Ps
> > > I tried to use Tomcat SSO (ValveGBean) but it does not work.
> > >
> > > This is part of plan file:
> > >     >gbean name="SecondValve"
> > class="org.apache.geronimo.tomcat.ValveGBean">
> > >         >attribute name="className">my.own.SSOClass>/attribute>
> > >     >/gbean>
> > >
> > > Tomcat calls this SSOClass but it is before Geronimo loads Security
> > Policy and when I add Credential to the request, it throws
> > NullPointerException.
> > > If someone is using this Tomcat SSO mechanism, any advices will be
> > helpful for me.
> > >
> > >
> > > Environment:
> > > Linux RedHat 4 update 2
> > > IBM JDK 1.4.8
> > > Geronimo 1.0
> > > Tivoli Access Manager 6
> > > Tivoli Directory Server 6
> > >
> > > best regards,
> > > sebo
> > >
> > >
> > > ------------------------------------------------------------------
> > > Jestes poszukiwana. Szuka Cie wysoki brunet!
> > > >> >>
> > >
> > >
> >
> >
> ----------------------------------------------------------------------
> Ocen dziewczyny Playboya!!! >>>

No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 268.1.0/269 - Release Date: 24/02/2006

No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 268.1.0/269 - Release Date: 24/02/2006

View raw message