Siteminder Integration

Netegrity Siteminder provides enterprises with a centralized security infrastructure for managing user authentication and access to Web applications.

Through its Web Agent, Siteminder secures access to web applications within a secured web server. The Siteminder Web Agent intercepts HTTP requests and authenticates them. Following successful authentication, it adds several parameters to the HTTP request as HTTP headers or HTTP cookies. The parameters usually begin with an SM- or SM prefix and contain information about Siteminder sessions and their timeouts, user domains, authentication results, and so on.

WSO2 SOA Enablement Server for Java™ contains a server security provider that is based on the Siteminder parameters received in the HTTP request. Its name is "Siteminder". You can set up the security provider to protect your service in the usual way. You can associate the security provider with the service using either the admin console or the command line tool as follows:

ProvidersManager -t http://localhost:6060/myservice -a Siteminder

Since the authentication is done by Netegrity, WSO2 SOA Enablement Server for Java only reuses the information stored within the passed parameters. It checks the authentication status and uses the parameter SM-USERDN as the name of the WSO2 SOA Enablement Server for Java principal used for WSO2 SOA Enablement Server authorization and authentication. It also passes selected received parameters to the Web service in the public credentials of the authenticated subject.

Example 4 is a Web service implementation that prints a WSO2 SOA Enablement Server principal name and the Siteminder parameter SM-AUTHENTIC.

Example 4. Siteminder Test Service

// Copyright 2001-2003 Systinet Corp. All rights reserved.
// Use is subject to license terms.
package security.providers.siteminder;

import org.idoox.security.WASPPrincipal;
import org.idoox.security.jaas.SmLoginParamsCredential;
import org.idoox.wasp.WaspSecurity;

import javax.security.auth.Subject;
import java.util.Iterator;

public class SmTestService {

    public static class TestService {

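        public void ping() {
            // Subject of the caller, as populated by the security provider.
            Subject subject = WaspSecurity.getInvokerSubject();

            // The principal whose name is taken from the SM-USERDN parameter.
            Iterator iterator = 
                subject.getPrincipals(WASPPrincipal.class).iterator();
            WASPPrincipal waspPrincipal = null;
            if (iterator.hasNext()) {
                waspPrincipal = (WASPPrincipal) iterator.next();
            }

            // The public credential carrying the selected Siteminder parameters.
            iterator = 
                subject.getPublicCredentials(SmLoginParamsCredential.class).iterator();
            SmLoginParamsCredential paramsCredential = null;
            if (iterator.hasNext()) {
                paramsCredential = (SmLoginParamsCredential)iterator.next();
            }

            // Avoid a NullPointerException when the subject carries no
            // Siteminder principal or credential.
            if (waspPrincipal == null || paramsCredential == null) {
                System.out.println("No Siteminder principal or credential found");
                return;
            }

            System.out.println("User " + waspPrincipal.getName() + 
                " is authenticated : " + paramsCredential.getParam("SM-AUTHENTIC"));
        }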
    }
}

Siteminder Configuration

You can find the security provider configuration in the deployment descriptor of security_providers.jar or security_providers_client.jar, in the subelement securityProviderPreferences with the name Siteminder. It contains the cookie and HTTP header prefixes that are to be processed and added to the credentials of the authenticated subject.

A sample configuration follows:

<securityProviderPreferences 
             xmlns="http://systinet.com/wasp/package/extension" name="Siteminder">
    <cookiePrefix>SM</cookiePrefix>
    <httpHeaderPrefix>SM-</httpHeaderPrefix>
    <httpHeaderPrefix>TM-</httpHeaderPrefix>
</securityProviderPreferences>
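
The following added example (not code from the product) illustrates how the prefixes in the sample configuration decide which request parameters reach the credential and which are ignored. The class name, the matching rules (header names compared case-insensitively, cookie names case-sensitively) and the sample request, including the TM-REGION header, are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration; not the product's code. Matching rules are assumptions:
// header names compare case-insensitively, cookie names case-sensitively.
public class SmPrefixFilterExample {

    static final List<String> HEADER_PREFIXES = List.of("SM-", "TM-"); // <httpHeaderPrefix>
    static final List<String> COOKIE_PREFIXES = List.of("SM");         // <cookiePrefix>

    // Returns only the headers and cookies whose names match a configured prefix.
    static Map<String, String> selectParams(Map<String, String> headers) {
        Map<String, String> params = new LinkedHashMap<>();
        for (Map.Entry<String, String> h : headers.entrySet()) {
            String name = h.getKey();
            if (name.equalsIgnoreCase("Cookie")) {
                // Cookie header format: "name1=value1; name2=value2"
                for (String pair : h.getValue().split(";")) {
                    String[] kv = pair.trim().split("=", 2);
                    if (kv.length == 2 && startsWithAny(kv[0], COOKIE_PREFIXES, false)) {
                        params.put(kv[0], kv[1]);
                    }
                }
            } else if (startsWithAny(name, HEADER_PREFIXES, true)) {
                params.put(name, h.getValue());
            }
        }
        return params;
    }

    static boolean startsWithAny(String name, List<String> prefixes, boolean ignoreCase) {
        for (String p : prefixes) {
            if (name.regionMatches(ignoreCase, 0, p, 0, p.length())) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample request; all values are placeholders.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("Host", "localhost:6060");                 // dropped: no prefix match
        request.put("SM-USERDN", "cn=alice,dc=example,dc=com"); // kept: SM- header
        request.put("SM-AUTHENTIC", "<set by the Web Agent>");  // kept: SM- header
        request.put("TM-REGION", "<constructed>");              // kept: TM- header
        request.put("Cookie", "JSESSIONID=abc123; SMSESSION=<opaque>"); // only SMSESSION kept
        selectParams(request).forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```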