So it sounds like we need to accept a "trusted" username and group
list from the HTTP request? It would be easy enough to prepare a
LoginModule to handle that. The problem is, I suspect we'll need a
code change to the web containers so that they could provide HTTP
request information to the LoginModule on demand. I imagine we'd
provide a way in the geronimo-web.xml to list the user and group
property names (iv-user, iv-groups) that should be passed in to the
LoginModule on request.
Can I just ask a couple more questions?
1) How is the information attached to the request? Is it an HTTP
header or a get/post parameter?
2) What is the format of the group list for iv-groups?
3) Would you need the credentials for anything, e.g. if it's a
password, to turn around and log into a web service or CORBA service?
Thanks,
Aaron
On 24 Feb 2006 11:12:46 +0100, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> First, I'd like to explain WebSEAL functionality in a few words.
>
> WebSEAL is some kind of the reverse proxy with authentication and
> authorization extensions. WebSEAL is part of TAM (Tivoli Access Manager).
> Usually it works in front of an HTTP or application server in the DMZ. The diagram
> below shows the high-level architecture (flow of a request) with WebSEAL:
>
> [user] ---> [WebSEAL] ---> [firewall] ---> [HTTPServer] ---> [Geronimo]
>
> Obviously the firewall and HTTP server are not mandatory, and for our consideration
> I propose to analyse this case without them.
>
> One instance of WebSEAL can work with more than one application (or web)
> server. WebSEAL provides functionality like Web SSO, a lot of authentication
> mechanisms, step-up authentication and a few more.
>
> After WebSEAL authenticates the user, it adds his username (iv-user), groups
> (iv-groups) and credentials (iv-creds) to the request which is forwarded to
> the backend server. I hope Geronimo can use this information to authenticate
> the user automatically.
> Please correct me if I am wrong; my proposal is to use the Interceptor to
> do it. My problem is that I don't know how to change the interceptor in
> Geronimo-jetty ;(
>
> > I'd like to be able to plug third-party authentication providers like
> > this into Geronimo. It's possible we can do it with a custom security
> > login module.
>
> I know we can but I want to use WebSEAL or any other Authentication Proxy for
> authentication and pre-authorization of the user requests.
>
> > How much do you know about the WebSEAL API?
>
> I hope I know this API well :)
>
> > If there
> > was some remote call we could make, for example, to supply a username
> > and password and get back whether it was valid and a list of groups,
> > that would be pretty easy to integrate.
>
> Of course TAM has an API to do it. To be precise, I made it and it works
> fine. But, I hope you understand me, it does not meet my needs.
>
> > But I haven't heard of
> > WebSEAL before, so I'm not even sure if it operates on usernames and
> > passwords at all.
>
> Yes, WebSEAL is based on an LDAP server and provides an authentication mechanism
> based on user login/password.
> I hope my explanation is clear enough, but if not I will try to answer
> any questions.
>
> Thanks,
> sebo
>
>
>
> > On 23 Feb 2006 10:26:32 +0100, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > Hi All,
> > >
> > > I am looking for information about Geronimo's Web Container
> > > Interceptors. I would prefer to use Jetty, but Tomcat is good as
> > > well.
> > > I plan to integrate Geronimo with an Authentication Proxy like WebSEAL from
> > > TAM. If you look at the WAS concept, there is the TAI mechanism which integrates
> > > an Authentication Proxy with the Application Server. Does Geronimo have something
> > > like TAI from WAS?
> > >
> > > I think it will be good to add my own interceptor or change the standard
> > > SecurityContextBeforeAfter one. Maybe it will be enough to use my own
> > > Authenticator. What do you think about it?
> > >
> > > PS
> > > I tried to use Tomcat SSO (ValveGBean) but it does not work.
> > >
> > > This is part of the plan file:
> > > <gbean name="SecondValve" class="org.apache.geronimo.tomcat.ValveGBean">
> > >   <attribute name="className">my.own.SSOClass</attribute>
> > > </gbean>
> > >
> > > Tomcat calls this SSOClass, but this happens before Geronimo loads the Security
> > > Policy, and when I add a Credential to the request it throws
> > > NullPointerException.
> > > If someone is using this Tomcat SSO mechanism, any advice will be
> > > helpful for me.
> > >
> > >
> > > Environment:
> > > Linux RedHat 4 update 2
> > > IBM JDK 1.4.8
> > > Geronimo 1.0
> > > Tivoli Access Manager 6
> > > Tivoli Directory Server 6
> > >
> > > best regards,
> > > sebo
> > >
> > >
> > >
> > >
> >
> >
>
>
>
>
>
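The LoginModule sketched at the top of the thread (accept a "trusted" username and group list that WebSEAL placed on the forwarded request, with the header names taken from configuration) could look like the following. This is an added example written against the standard JAAS API, not Geronimo's or WebSEAL's own code. `ProxyHeaderCallback` is a hypothetical callback that the web container would have to fill from the request, which is the container change Aaron mentions; the option names `userHeader`/`groupsHeader`, the comma-separated format of `iv-groups`, and the `setByTrustedProxy` flag are all assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Added example, not Geronimo code: a JAAS LoginModule that accepts a username and
 * group list that an authentication proxy (WebSEAL) put on the forwarded request.
 * ProxyHeaderCallback is hypothetical; the web container would have to fill it in.
 */
public class ProxyHeaderLoginModule implements LoginModule {

    /** Hypothetical callback: the container copies the proxy headers into it. */
    public static final class ProxyHeaderCallback implements Callback {
        public final String userHeader, groupsHeader;
        public String user, groups;
        /** Set by the container only when the request demonstrably came from WebSEAL. */
        public boolean setByTrustedProxy;

        public ProxyHeaderCallback(String userHeader, String groupsHeader) {
            this.userHeader = userHeader;
            this.groupsHeader = groupsHeader;
        }
    }

    /** Minimal principal; isGroup distinguishes the user from its groups. */
    public static final class NamedPrincipal implements Principal {
        private final String name;
        private final boolean isGroup;
        public NamedPrincipal(String name, boolean isGroup) { this.name = name; this.isGroup = isGroup; }
        public String getName() { return name; }
        public boolean isGroup() { return isGroup; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal && ((NamedPrincipal) o).name.equals(name)
                    && ((NamedPrincipal) o).isGroup == isGroup;
        }
        @Override public int hashCode() { return name.hashCode() * 31 + (isGroup ? 1 : 0); }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String userHeader = "iv-user";     // defaults follow the WebSEAL names in the thread
    private String groupsHeader = "iv-groups";
    private String user;
    private List<String> groups = Collections.emptyList();
    private boolean succeeded;
    private final List<Principal> added = new ArrayList<Principal>();

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        // Header names are module options (assumed keys); the thread proposes
        // listing them in geronimo-web.xml.
        Object u = options.get("userHeader");
        Object g = options.get("groupsHeader");
        if (u != null) userHeader = u.toString();
        if (g != null) groupsHeader = g.toString();
    }

    public boolean login() throws LoginException {
        ProxyHeaderCallback cb = new ProxyHeaderCallback(userHeader, groupsHeader);
        try {
            handler.handle(new Callback[] { cb });
        } catch (IOException e) {
            throw new LoginException("container did not supply proxy headers: " + e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("container does not support ProxyHeaderCallback");
        }
        // Without the container's vouch, anyone who can reach Geronimo directly could
        // set iv-user themselves; a "trusted" header is only as trustworthy as its path.
        if (!cb.setByTrustedProxy) throw new LoginException("request did not arrive via the trusted proxy");
        if (cb.user == null || cb.user.trim().isEmpty()) {
            throw new LoginException("no user name in header " + userHeader);
        }
        user = cb.user.trim();
        groups = parseGroups(cb.groups);
        succeeded = true;
        return true;
    }

    /** Assumed iv-groups format: comma-separated names; blanks and duplicates dropped. */
    static List<String> parseGroups(String raw) {
        List<String> out = new ArrayList<String>();
        if (raw == null) return out;
        for (String part : raw.split(",")) {
            String g = part.trim();
            if (!g.isEmpty() && !out.contains(g)) out.add(g);
        }
        return out;
    }

    public boolean commit() {
        if (!succeeded) return false;
        added.add(new NamedPrincipal(user, false));
        for (String g : groups) added.add(new NamedPrincipal(g, true));
        subject.getPrincipals().addAll(added);
        return true;
    }

    public boolean abort() { return logout(); }

    public boolean logout() {
        subject.getPrincipals().removeAll(added);
        user = null;
        groups = Collections.emptyList();
        added.clear();
        succeeded = false;
        return true;
    }
}
```

The module never looks at `iv-creds`; that header only matters if, as Aaron asks, the credential must be replayed to another service. The part that makes this safe is outside the module: the container must set `setByTrustedProxy` from something the client cannot influence (for example, a listener that only the proxy can reach, or a client certificate presented by WebSEAL), never from the presence of the headers themselves, because a request that bypasses WebSEAL can carry any `iv-user` value.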