This chapter introduces the process of achieving Single Sign-on by using CA servers, such as Siteminder, to validate authentication information passed in the HTTP headers. Single Sign-on is a method that provides access control for the server. It allows the user to authenticate only once and gain access to the resources of multiple software systems. In other words, with Single Sign-on a user agent that wishes to authenticate itself with a server need do so only once for the same security realm.

During such authentication, a CA server cross-checks the information appended to the HTTP headers. If the information is consistent with that defined by the security realm, the identity of the client being authenticated is verified.

Applications that use HTTP header-based authentication must configure their deployment descriptor as follows:

Excerpt from a deployment descriptor
<login-config>
      <auth-method>GENERIC</auth-method>
      <realm-name>TestPropsRealm</realm-name>
</login-config>

where

  • <realm-name>TestPropsRealm</realm-name>: TestPropsRealm is the name of the security realm used for authentication.

Working with Siteminder

A well-known CA server is Siteminder, which provides information to the application by setting specific headers on the HTTP request. By default, it uses the SM_USER header to pass the username, which is then authenticated by the GenericHttpHeaderLoginmodule class in the Geronimo server.

You can configure the security realm for HTTP header-based authentication. The following TestPropsRealm.xml file is a deployment plan used to create a Properties file security realm on the Geronimo server. Applications that use this security realm can achieve Single Sign-on.

Excerpt from TestPropsRealm.xml
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
    <environment>
        <moduleId>
            <groupId>console.realm</groupId>
            <artifactId>TestPropsRealm</artifactId>
            <version>1.0</version>
            <type>car</type>
        </moduleId>
        <dependencies>
            <dependency>
                <groupId>org.apache.geronimo.framework</groupId>
                <artifactId>j2ee-security</artifactId>
                <type>car</type>
            </dependency>
        </dependencies>
    </environment>
    <gbean name="TestSqlRealm" class="org.apache.geronimo.security.realm.GenericSecurityRealm" 
                 xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" 
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <attribute name="realmName">TestPropsRealm</attribute>
        <reference name="ServerInfo">
            <name>ServerInfo</name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
                <log:login-module control-flag="REQUIRED" wrap-principals="false">
                    <log:login-domain-name>TestPropsRealm</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.GenericHttpHeaderPropertiesFileLoginModule</log:login-module-class>
                    <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
                    <log:option name="headerNames">SM_USER</log:option>
                    <log:option name="authenticationAuthority">Siteminder</log:option>
                </log:login-module>
            </log:login-config>
        </xml-reference>
    </gbean>
</module>

where

  • GenericHttpHeaderPropertiesFileLoginModule: the class that enables the generic HTTP header to be used for authentication with Properties file security realms. When working with the LDAP Realm or the Database (SQL) Realm, GenericHttpHeaderLdapLoginModule and GenericHttpHeaderSqlLoginModule are used respectively.
  • <log:option name="groupsURI">var/security/demo_groups.properties</log:option>: indicates that the demo_groups.properties file is the properties file for the security realm.
  • <log:option name="headerNames">SM_USER</log:option>: SM_USER is the name of the header that passes the username to the server for authentication.
  • <log:option name="authenticationAuthority">Siteminder</log:option>: Siteminder is the Single Sign-on system.

Similarly, you can configure a deployment plan for the LDAP Realm or the Database (SQL) Realm to use Siteminder for Single Sign-on.
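As an added illustration (not Geronimo's own code), the following Python sketch shows what a login module configured as above does: it reads the username from the first configured header (SM_USER), looks the user up in a groups properties file of the form group=user1,user2, and fails the login when no header is present. The demo_groups.properties content is a constructed sample, treating an unknown user as a principal with no groups is an assumption, and the optional trusted-source check is an added hardening step, not an option of the Geronimo login module.

```python
import re
from typing import Dict, List, Mapping, Optional

# Constructed sample standing in for var/security/demo_groups.properties
# (Geronimo groups file format: group=user1,user2).
DEMO_GROUPS = """\
# demo_groups.properties (constructed sample)
admin=system,alice
developers=alice,bob
"""


def parse_groups(text: str) -> Dict[str, List[str]]:
    """Map each user to the groups that list it. Blank lines and lines
    starting with '#' or '!' are ignored, as in Java properties files."""
    user_groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:]+)[=:](.*)", line)
        if not match:
            continue
        group = match.group(1).strip()
        for user in match.group(2).split(","):
            user = user.strip()
            if user:
                user_groups.setdefault(user, []).append(group)
    return user_groups


def authenticate(headers: Mapping[str, str], user_groups: Dict[str, List[str]],
                 header_names=("SM_USER",), remote_addr: Optional[str] = None,
                 trusted_sources=None) -> Optional[dict]:
    """Resolve a principal from the first configured header that is present.
    Returns None (login fails) when no header carries a username or, if
    trusted_sources is given, when the request did not come from one of those
    addresses. The source check is an addition, not part of the Geronimo module:
    the realm trusts the header, so only the SSO agent should be able to set it."""
    if trusted_sources is not None and remote_addr not in trusted_sources:
        return None
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    for name in header_names:
        user = lowered.get(name.lower(), "").strip()
        if user:
            # Unknown users get an empty group list here (assumption).
            return {"user": user, "groups": sorted(user_groups.get(user, []))}
    return None
```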
