[jboss-user] [Security & JAAS/JBoss] - Re: GenericHeaderBasedAuthentication
do-not-reply at jboss.com
Fri Feb 27 14:17:15 EST 2009
"anil.saldhana at jboss.com" wrote :
| httpHeaderForSSOAuth="sm_ssoid,ct-remote-user,HTTP_OBLIX_UID"
| sessionCookieForSSOAuth="SMSESSION,CTSESSION,ObSSOCookie"
| The first value is basically what oblix will be sending as the username in the http header. The second one is what oblix will use as a session cookie. Do you have the header names passed by oblix?
I dug up the source, and it appears the comma-delimited list is a multiple choice of possible values the driver looks for.
From what I've gathered from the client, the header is going to be XYZUSER. They are not going to push the session_id (they say we should just trust the user_id published in the header).
I've configured my context.xml to have the valve in question. The problem is, I tried to request the main page using curl, pushing the header with a value that maps to a user in the app user table (we use the DatabaseServerLoginModule to handle mapping users and roles), but it always sends me the login page.
What I was expecting (maybe erroneously) was that the GenericHeaderAuthenticator would intercept the request for the form and inject the user_id from the header, and then the DatabaseServerLoginModule (configured with "useFirstPass") would recognize we have a user_id and just map the roles.
My follow-up questions are:
1) If we are using an application policy in login-config.xml, does this negate the valve in the context.xml, or do they not play nicely together, requiring me to create a JAAS module and configure it in the login-config.xml?
2) If JAAS and the GenericHeader valve do not play nicely, can the GenericHeader be configured as a login module in login-config.xml?
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4213848#4213848