Red Hat Summit13.2.11. アプリケーションにおけるサードパーティー認証システムの使用
サードパーティーのセキュリティーシステムを JBoss Enterprise Application Platform に統合することができます。このようなシステムは通常トークンベースのシステムです。外部システムが認証を実行し、要求ヘッダーよりトークンを Web アプリケーションに返します。このような認証はペリメーター認証と呼ばれることもあります。アプリケーションにペリメーターセキュリティーを設定するには、カスタムの認証バルブを追加します。サードパーティープロバイダーのバルブがある場合はクラスパスに存在するようにし、以下の例とサードパーティー認証モジュールのドキュメントに従うようにしてください。
注記
JBoss Enterprise Application Platform 6 では設定するバルブの場所が変更になりました。
context.xml デプロイメント記述子には設定されないようになりました。バルブは直接 jboss-web.xml 記述子に設定されます。context.xml は無視されるようになりました。
例13.3 基本的な認証バルブ
<jboss-web>
<security-domain>SPNEGO</security-domain>
<valve>
<class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
</valve>
</jboss-web>
このバルブは Kerberos ベースの SSO に使用されます。また、Web アプリケーションに対してサードパーティーのオーセンティケーターを指定する最も単純なパターンを示しています。
例13.4 ヘッダー属性セットを持つカスタムバルブ
<jboss-web>
<Valve>
<class-name>org.jboss.web.tomcat.security.GenericHeaderAuthenticator</class-name>
<attribute name="httpHeaderForSSOAuth>sm_ssoid,ct-remote-user,HTTP_OBLIX_UID</attribute-name>
<attribute name="sessionCookieForSSOAuth">SMSESSION,CTSESSION,ObSSOCookie</attribute>
</Valve>
</jboss-web>
この例ではバルブにカスタム属性を設定する方法が示されています。オーセンティケーターはヘッダー ID とセッション鍵の存在を確認し、ユーザー名とパスワードバルブとしてセキュリティー層を操作する JAAS フレームワークへ渡します。ユーザー名とパスワードの処理が可能で、サブジェクトに適切なロールを投入できるカスタムの JAAS ログインモジュールが必要となります。設定された値と一致するヘッダー値がない場合、通常のフォームベース認証のセマンティックが適用されます。
カスタムオーセンティケーターの作成
独自のオーセンティケーターの作成については本書の範囲外となりますが、次の Java コードが例として提供されています。
例13.5 GenericHeaderAuthenticator.java
/*
* JBoss, Home of Professional Open Source.
* Copyright 2006, Red Hat Middleware LLC, and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package org.jboss.web.tomcat.security;
import java.io.IOException;
import java.security.Principal;
import java.util.StringTokenizer;
import javax.management.JMException;
import javax.management.ObjectName;
import javax.servlet.http.Cookie;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.jboss.logging.Logger;
/**
* JBAS-2283: Provide custom header based authentication support
*
* Header Authenticator that deals with userid from the request header
* Requires two attributes configured on the Tomcat Service - one for
* the http header denoting the authenticated identity and the other
* is the SESSION cookie
*
* @author <a href="mailto:Anil.Saldhana@jboss.org">Anil Saldhana</a>
* @author <a href="mailto:sguilhen@redhat.com">Stefan Guilhen</a>
* @version $Revision$
* @since Sep 11, 2006
*/
public class GenericHeaderAuthenticator extends ExtendedFormAuthenticator
{
protected static Logger log = Logger.getLogger(GenericHeaderAuthenticator.class);
protected boolean trace = log.isTraceEnabled();
// JBAS-4804: GenericHeaderAuthenticator injection of ssoid and sessioncookie name.
private String httpHeaderForSSOAuth = null;
private String sessionCookieForSSOAuth = null;
/**
* <p>
* Obtain the value of the <code>httpHeaderForSSOAuth</code> attribute. This attribute is
* used to indicate the request header ids that have to be checked in order to retrieve the SSO
* identity set by a third party security system.
* </p>
*
* @return a <code>String</code> containing the value of the <code>httpHeaderForSSOAuth</code>
* attribute.
*/
public String getHttpHeaderForSSOAuth()
{
return httpHeaderForSSOAuth;
}
/**
* <p>
* Set the value of the <code>httpHeaderForSSOAuth</code> attribute. This attribute is
* used to indicate the request header ids that have to be checked in order to retrieve the SSO
* identity set by a third party security system.
* </p>
*
* @param httpHeaderForSSOAuth a <code>String</code> containing the value of the
* <code>httpHeaderForSSOAuth</code> attribute.
*/
public void setHttpHeaderForSSOAuth(String httpHeaderForSSOAuth)
{
this.httpHeaderForSSOAuth = httpHeaderForSSOAuth;
}
/**
* <p>
* Obtain the value of the <code>sessionCookieForSSOAuth</code> attribute. This attribute is used
* to indicate the names of the SSO cookies that may be present in the request object.
* </p>
*
* @return a <code>String</code> containing the names (separated by a <code>','</code>) of the SSO cookies
* that may have been set by a third party security system in the request.
*/
public String getSessionCookieForSSOAuth()
{
return sessionCookieForSSOAuth;
}
/**
* <p>
* Set the value of the <code>sessionCookieForSSOAuth</code> attribute. This attribute is used
* to indicate the names of the SSO cookies that may be present in the request object.
* </p>
*
* @param sessionCookieForSSOAuth a <code>String</code> containing the names (separated by a
* <code>','</code>) of the SSO cookies that may have been set by a third party security system in
* the request.
*/
public void setSessionCookieForSSOAuth(String sessionCookieForSSOAuth)
{
this.sessionCookieForSSOAuth = sessionCookieForSSOAuth;
}
/**
* <p>
* Creates an instance of <code>GenericHeaderAuthenticator</code>.
* </p>
*/
public GenericHeaderAuthenticator()
{
super();
}
public boolean authenticate(Request request, Response response, LoginConfig config) throws IOException
{
log.trace("Authenticating user");
Principal principal = request.getUserPrincipal();
if (principal != null)
{
if (trace)
log.trace("Already authenticated '" + principal.getName() + "'");
return true;
}
Realm realm = context.getRealm();
Session session = request.getSessionInternal(true);
String username = getUserId(request);
String password = getSessionCookie(request);
//Check if there is sso id as well as sessionkey
if (username == null || password == null)
{
log.trace("Username is null or password(sessionkey) is null:fallback to form auth");
return super.authenticate(request, response, config);
}
principal = realm.authenticate(username, password);
if (principal == null)
{
forwardToErrorPage(request, response, config);
return false;
}
session.setNote(Constants.SESS_USERNAME_NOTE, username);
session.setNote(Constants.SESS_PASSWORD_NOTE, password);
request.setUserPrincipal(principal);
register(request, response, principal, Constants.FORM_METHOD, username, password);
return true;
}
/**
* Get the username from the request header
* @param request
* @return
*/
protected String getUserId(Request request)
{
String ssoid = null;
//We can have a comma-separated ids
String ids = "";
try
{
ids = this.getIdentityHeaderId();
}
catch (JMException e)
{
if (trace)
log.trace("getUserId exception", e);
}
if (ids == null || ids.length() == 0)
throw new IllegalStateException("Http headers configuration in tomcat service missing");
StringTokenizer st = new StringTokenizer(ids, ",");
while (st.hasMoreTokens())
{
ssoid = request.getHeader(st.nextToken());
if (ssoid != null)
break;
}
if (trace)
log.trace("SSOID-" + ssoid);
return ssoid;
}
/**
* Obtain the session cookie from the request
* @param request
* @return
*/
protected String getSessionCookie(Request request)
{
Cookie[] cookies = request.getCookies();
log.trace("Cookies:" + cookies);
int numCookies = cookies != null ? cookies.length : 0;
//We can have comma-separated ids
String ids = "";
try
{
ids = this.getSessionCookieId();
log.trace("Session Cookie Ids=" + ids);
}
catch (JMException e)
{
if (trace)
log.trace("checkSessionCookie exception", e);
}
if (ids == null || ids.length() == 0)
throw new IllegalStateException("Session cookies configuration in tomcat service missing");
StringTokenizer st = new StringTokenizer(ids, ",");
while (st.hasMoreTokens())
{
String cookieToken = st.nextToken();
String val = getCookieValue(cookies, numCookies, cookieToken);
if (val != null)
return val;
}
if (trace)
log.trace("Session Cookie not found");
return null;
}
/**
* Get the configured header identity id
* in the tomcat service
* @return
* @throws JMException
*/
protected String getIdentityHeaderId() throws JMException
{
if (this.httpHeaderForSSOAuth != null)
return this.httpHeaderForSSOAuth;
return (String) mserver.getAttribute(new ObjectName("jboss.web:service=WebServer"), "HttpHeaderForSSOAuth");
}
/**
* Get the configured session cookie id in the tomcat service
* @return
* @throws JMException
*/
protected String getSessionCookieId() throws JMException
{
if (this.sessionCookieForSSOAuth != null)
return this.sessionCookieForSSOAuth;
return (String) mserver.getAttribute(new ObjectName("jboss.web:service=WebServer"), "SessionCookieForSSOAuth");
}
/**
* Get the value of a cookie if the name matches the token
* @param cookies array of cookies
* @param numCookies number of cookies in the array
* @param token Key
* @return value of cookie
*/
protected String getCookieValue(Cookie[] cookies, int numCookies, String token)
{
for (int i = 0; i < numCookies; i++)
{
Cookie cookie = cookies[i];
log.trace("Matching cookieToken:" + token + " with cookie name=" + cookie.getName());
if (token.equals(cookie.getName()))
{
if (trace)
log.trace("Cookie-" + token + " value=" + cookie.getValue());
return cookie.getValue();
}
}
return null;
}
}
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}