users@glassfish.java.net

How to build custom security provider for SiteMinder

From: <glassfish_at_javadesktop.org>
Date: Thu, 28 Feb 2008 12:11:30 PST

We are using SiteMinder as a single-sign-on solution and I am trying to figure out how to build a GF security provider.

Here is the basic setup:

End user browser request -> Apache server -> Glassfish server

The Apache server is running a plug-in for SiteMinder that handles the SSO login processing. Once a user has successfully authenticated to the SSO plug-in, it adds an extra HTTP request header variable with the name of the authenticated user. It also uses cookies to push an SSO token to the client browser that will be used in later requests.

So, in this case I need to write a custom security layer for SiteMinder that looks for the user id in the HTTP request header and then checks against a DB to see if the user exists and to load the groups that the user is a member of.

So, in short, this provider is similar to a JDBCRealm in the sense that the authorization decision is made based on DB lookups, but in this case the authentication decision is made by the SSO layer; it is not performed in the JDBCRealm.

I've been trying to find a good starting point for something that I could customize but I have not seen a good example. I have pulled the latest source out of CVS and have been doing a bunch of searches but I have not found a good template to adapt.

Would I build a custom login module and a custom realm, or would it be a JSR-196 server auth module? The code would have to be able to see the incoming HttpServletRequest object so it could look for the presence/absence of the user id in the HTTP header variables.

Any help you could provide would be appreciated.

Dave
[Message sent by forum member 'davebolt' (davebolt)]

http://forums.java.net/jive/thread.jspa?messageID=261464
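Added example, not from the post or from GlassFish: a JSR-196 ServerAuthModule that does what the post describes (read the user id the SiteMinder plug-in put in a request header, look the user's groups up in a DB, hand both to the container), taking the JSR-196 route because it is the one that sees the HttpServletRequest. The header name, the trusted proxy address and the UserDirectory lookup interface are assumptions, passed in as module options; the check on the remote address exists because a header that only the Apache plug-in is supposed to set must not be honoured on a request that reached GlassFish without going through Apache.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SiteMinderHeaderSam implements ServerAuthModule {
    /** Hypothetical DB lookup: the user's groups, or null when the user id is not provisioned. */
    public interface UserDirectory { String[] groupsFor(String userId); }
    private CallbackHandler handler;
    private String userHeader;    // header the Apache plug-in sets (assumed module option "userHeader")
    private String trustedProxy;  // remote address of the Apache host (assumed option "trustedProxy")
    private UserDirectory directory;  // assumed to be supplied in options; real deployments build it from a DataSource

    public void initialize(MessagePolicy reqPolicy, MessagePolicy respPolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
        this.userHeader = (String) options.get("userHeader");
        this.trustedProxy = (String) options.get("trustedProxy");
        this.directory = (UserDirectory) options.get("userDirectory");
    }
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) mi.getResponseMessage();
        String user = req.getHeader(userHeader);
        // Authentication already happened in SiteMinder, but only requests that really came through
        // the Apache plug-in may carry the header; a client hitting GlassFish directly could set it itself.
        if (!trustedProxy.equals(req.getRemoteAddr()) || user == null || user.isEmpty()) {
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED); return AuthStatus.SEND_FAILURE;
        }
        String[] groups = directory.groupsFor(user);  // authorization data comes from the DB, as in a JDBCRealm
        if (groups == null) {  // SSO vouched for the id, but this application does not know the user
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN); return AuthStatus.SEND_FAILURE;
        }
        // The container builds the Subject from these callbacks; role checks then work as usual.
        Callback[] cbs = { new CallerPrincipalCallback(client, user), new GroupPrincipalCallback(client, groups) };
        try { handler.handle(cbs); } catch (Exception e) { throw (AuthException) new AuthException().initCause(e); }
        return AuthStatus.SUCCESS;
    }
    public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo mi, Subject subject) { }
}
```

In GlassFish the module is registered as a message-security-provider for the HttpServlet auth-layer in domain.xml and bound to the web module through the httpservlet-security-provider attribute in sun-web.xml.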