geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject Re: Geronimo Web Interceptors, WebSSO with Authentication Proxy
Date Fri, 24 Feb 2006 10:12:46 GMT
First, I%u2019d like to explain WebSEAL functionality in few words.

WebSEAL is some kind of the reverse proxy with authentication and authorization extensions.
WebSEAL is part of TAM (Tivoli Access Manager). Usually it works in front of HTTP or Application
Server in DMZ. Diagram below shows the hi-level architecture (flow of request) with WebSEAL:

[user] ---> [WebSEAL] ---> [firewall] ---> [HTTPServer] ---> [Geronimo]

Obviously Firewall and HTTPServer are not mandatory and for our consideration I propose analyse
this case without it. 

One instance of WebSEAL can work with more than one application (or web) server. WebSEAL provides
functionality like Web SSO, a lot of authentication mechanisms, Step-up of authentication
and a few more.

After WebSEAL authenticates the user, it adds his username (iv-user), groups (iv-groups) and
credentials (iv-creds) to the request which is forwarded to the backend-server. I hope Geronimo
can use this information to authenticate user automatically. 
Please correct me if I am wrong, my proposition is to use the Interceptor to do it. My problem
is that I don%u2019t know how to change the interceptor in Geronimo-jetty ;( 

>I'd like to be able to plug third-party authentication providers like
>this into Geronimo.  It's possible we can do it with a custom security
>login module.  

I know we can but I want to use WebSEAL or any other Authentication Proxy for authentication
and pre-authorization of the user requests.

>How much do you know about the WebSEAL API?  

I hope I know this API well :)

>If there 
>was some remote call we could make, for example, to supply a username
>and password and get back whether it was valid and a list of groups,
>that would be pretty easy to integrate.  

Of course TAM has API to do it. To be precise, I made it and this is works fine. But, I hope
you understand me, that it does not meet my needs.

>But I haven't heard of
>WebSEAL before, so I'm not even sure if it operates on usernames and
>passwords at all.

Yes, WebSEAL is based on LDAP Server and provides authentication mechanism based on user login/password.
I hope my explanation is clear enough, but if not I will try to answer for any questions.


> On 23 Feb 2006 10:26:32  0100, >> wrote:
> > Hi All,
> >
> > I am looking for information about Geronimo%u2019s Web Container
> Interceptors. It is preferred for me to use Jetty but Tomcat is good as
> well.
> > I plan to integrate Geronimo with Authentication Proxy like WebSEAL from
> TAM. If you look at WAS concept, there is TAI mechanism which integrates
> Authentication Proxy with Application Server. Does Geronimo have something
> like TAI from WAS?
> >
> > I thing it will be good to add my own interceptor or change the standard
> SecurityContextBeforeAfter one. Maybe, it will be enough to use my own
> Authenticator. What do you thing about it?
> >
> > Ps
> > I tried to use Tomcat SSO (ValveGBean) but it does not work.
> >
> > This is part of plan file:
> >     >gbean name="SecondValve"
> class="org.apache.geronimo.tomcat.ValveGBean">
> >         >attribute name="className">my.own.SSOClass>/attribute>
> >     >/gbean>
> >
> > Tomcat calls this SSOClass but it is before Geronimo loads Security
> Policy and when I add Credential to the request, it throws
> NullPointerException.
> > If someone is using this Tomcat SSO mechanism, any advices will be
> helpful for me.
> >
> >
> > Environment:
> > Linux RedHat 4 update 2
> > IBM JDK 1.4.8
> > Geronimo 1.0
> > Tivoli Access Manager 6
> > Tivoli Directory Server 6
> >
> > best regards,
> > sebo
> >
> >
> > ------------------------------------------------------------------
> > Jestes poszukiwana. Szuka Cie wysoki brunet!
> > >> >>
> >
> >

Ocen dziewczyny Playboya!!! >>>

View raw message