[jboss-user] [Security & JAAS/JBoss] - Trust association and subject building for SSO

ganesh_asha do-not-reply at jboss.com
Tue Jan 9 05:48:38 EST 2007


Hi *,

This query is all about how to implement custom authentication and associate the subject with container. Details are as follows.

We are using the IBM tivoli access manager for authentication and coarse level authorization and also achieving SSO for several applications running on different Jboss servers.

Following are the details how it is happening

1. User requests a protected resource (servlet URL/EJB method) from the container (JBoss).
2. WebSEAL (TAM component) intercepts the request and authenticates the user.
3. WebSEAL forwards the request to the target container for the response. But as the resources are protected, the container needs to authenticate the user to create a server-specific identity (Subject). In this case the container sends the challenge to WebSEAL and WebSEAL provides the user information in the desired format (Basic header/Form) to the container.
4. The container authenticates the user and the rest of the flow is as usual.

Now following is the problem we want to solve

Problem statement: When we put TAM in as the security layer, we want to authenticate the user only once. We don't want the container to perform the authentication once again when the request is sent to it.

What we want is that WebSEAL just sends the user id and group information to the container, and the container trusts TAM and creates the session based on this information.

Actually by doing this we just want to eliminate one request/ response cycle between the Webseal and the container and one database/LDAP call. 

What we have done: Have modified the login module of container to authenticate a user without the password. So no database call is required. User is authenticated based on user id and roles are used for authorization.

What we are looking for: How to save this information in the container so that the user is known to be authenticated. Actually we want to explore and modify the process of pre-authentication (how to get user information from i.e. Basic or Form) and post-authentication (how to save the authenticated user and create a session so further requests from the same user are not authenticated again).

Have tried to modify SecurityAssociation and the JAAS security manager but got confused in the complex implementation.

We just want that when a request comes to the container for a protected resource it should check the HTTP headers and get the user id and its role information from the headers. Based on this information the user should be authenticated (without password) and the subject should be created and associated with the container cache.

Help would be highly appreciated

If you need further information then kindly contact me at 
sharama.ganesh at wipro.com

Ganesh

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3999386#3999386

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3999386
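The header-trusting login module the post asks for, as an added example in Java (not code from the post or from JBoss): a JAAS LoginModule that builds the Subject from the user id and roles the proxy supplies without any password check, but refuses unless the request also carries a shared trust token showing it actually came through WebSEAL, since otherwise any client able to set the header could log in as anyone. Assumed: a front-end valve or filter (not shown) copies the proxy headers into the module's shared state under the keys proxy.user, proxy.roles and proxy.token, and the module option proxyToken holds the secret; JBoss's own principal and role-group types and the SSO session cache are left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class TrustedProxyLoginModule implements LoginModule {
    static final class Name implements Principal {  // minimal Principal (container types assumed away)
        private final String name;
        Name(String n) { name = n; }
        public String getName() { return name; }
    }
    private Subject subject;
    private Map<String, ?> sharedState;
    private byte[] expectedToken;   // secret from the assumed module option "proxyToken"
    private final Set<Principal> pending = new HashSet<Principal>();
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.sharedState = sharedState;
        String t = (String) options.get("proxyToken");
        expectedToken = t == null ? null : t.getBytes(StandardCharsets.UTF_8);
    }
    public boolean login() throws LoginException {
        // An assumed front-end valve/filter copies the proxy headers into shared state
        // under these keys; the module never touches HTTP and never sees a password.
        String token = (String) sharedState.get("proxy.token");
        String user  = (String) sharedState.get("proxy.user");
        String roles = (String) sharedState.get("proxy.roles");   // comma separated
        if (expectedToken == null || token == null || user == null || user.length() == 0)
            throw new LoginException("proxy identity or trust token missing");
        // Constant-time compare: this is the only thing standing between the header and an impersonation.
        if (!MessageDigest.isEqual(expectedToken, token.getBytes(StandardCharsets.UTF_8)))
            throw new LoginException("request did not come from the trusted proxy");
        pending.add(new Name(user));
        if (roles != null)
            for (String r : roles.split(","))
                if (r.trim().length() > 0) pending.add(new Name("role:" + r.trim()));
        return true;
    }
    public boolean commit() {   // identity reaches the Subject only after login() succeeded
        if (pending.isEmpty()) return false;
        subject.getPrincipals().addAll(pending);
        return true;
    }
    public boolean abort()  { pending.clear(); return false; }
    public boolean logout() { subject.getPrincipals().clear(); pending.clear(); return true; }
}
```

The token check only helps if the container is reachable solely through WebSEAL, or the valve drops proxy.* headers arriving from anywhere else; the role principals would still have to be mapped into the container's role group for authorization to see them.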