FYI - this is how WebSEAL behaves [one use case].

1. User wants to access a web application.

2. All the requests to the web application go through WebSEAL.

3. WebSEAL has valid credentials to access the web application

4. Once the user request hits the WebSEAL - it authenticates the user.

5. If success in 4 - it will add an HTTP header called iv-user and set 
the authenticated user's name there.

6. Then WebSEAL sets its own credentials to access the web application 
behind - as basic auth parameters.

7. Now the request hits the web application.

8. First the Web application authenticates WebSEAL through basic auth.

9. If success in 8 - it will let user iv-user in.

Thanks & regards.
-Prabath

Prabath Siriwardena wrote:
> Sanjiva Weerawarana wrote:
>> Prabath, isn't there a standard protocol for this problem? It seems 
>> like a common scenario, right? Not WS-Trust?
> The approach I suggested is based on the model behind WS-Trust.
>
> We can also use WS-Trust directly here - but I guess it would be 
> overkill for this scenario.
>
> The other standard approach would be based on the SAML 2.0 protocol 
> [which we do not support yet].
>>
>> How do you do step 6 BTW?
> If the Servlet trusts the Carbon for authenticating users - the 
> Servlet needs to have the public cert of the Carbon in its trust store.
>
> Thanks & regards.
> -Prabath
>>
>> Sanjiva.
>>
>> On Wed, Sep 2, 2009 at 10:14 AM, Prabath Siriwardena 
>> <[email protected] <mailto:[email protected]>> wrote:
>>
>>     Srinath Perera wrote:
>>     > Hi Prabath;
>>     > Any chance you can point me to an example? e.g. WebSEAL impl
>>     > authentication for server/ client if that code is in our svn?
>>     > --Srinath
>>     >
>>     Hi Srinath;
>>
>>     WebSEAL is IBM proprietary - so code not available.
>>
>>     Our use case would be something similar to this.
>>
>>     1. User authenticates to Carbon
>>
>>     2. And now wants to invoke the Servlet.
>>
>>     3. Now, Carbon adds the following to the HTTP headers
>>
>>     say, for example,
>>
>>      - carbon-user [user logged into the system]
>>      - carbon-user-signed [signature of carbon-user signed by Carbon]
>>
>>     4. Now at the Servlet end request hits the servlet filter
>>
>>     5. Servlet filter extracts the two header parameters.
>>
>>     6. Validates the signature of the 'carbon-user-signed' header
>>
>>     7. If validated let the user in.
>>
>>     Thanks & regards.
>>     -Prabath
>>
>>     > On Wed, Sep 2, 2009 at 9:41 AM, Prabath
>>     Siriwardena<[email protected] <mailto:[email protected]>> wrote:
>>     >
>>     >> Srinath Perera wrote:
>>     >>
>>     >>>> How do we generate the requests to the Servlet ? Is it from
>>     inside the
>>     >>>> Carbon after user logged in?
>>     >>>>
>>     >>>>
>>     >>> Yes, it is after logging in, and I use the Solr client, which uses
>>     >>> commons HTTP client.
>>     >>>
>>     >>>
>>     >> If this is the case, what we could do is set a signed HTTP header.
>>     >>
>>     >> So - at the ServletFilter - it verifies the presence of a
>>     >> predefined HTTP header and verifies the signature.
>>     >>
>>     >> To verify a given signature - at the ServletFilter end it keeps
>>     >> the certs of trusted partners [i.e. Carbon] who actually
>>     >> authenticated the users.
>>     >>
>>     >> This is the pattern [similar] WebSEAL uses.
>>     >>
>>     >> Thanks & regards.
>>     >> -Prabath
>>     >>
>>     >>> When I thought about this I felt that when https is used, the
>>     >>> SessionID can be used to authenticate. For example, AFAIK even now
>>     >>> when we move across servlets/JSPs/WS in the Carbon UI, this is how
>>     >>> we authenticate, which is not much different in this case.
>>     >>> (Basically, if the request has a valid session ID, it is from a
>>     >>> logged-in user). Also, since the Solr client uses commons http
>>     >>> client, setting the session ID on it should be possible, and then
>>     >>> we do not need changes to the clients as well.
>>     >>>
>>     >>>
>>     >>>
>>     >>>> This scenario looks similar to the WebSEAL authentication.
>>     >>>>
>>     >>>>
>>     >>> Where can I find the code to WebSEAL? Ideally, we should do this
>>     >>> without changing the Solr servlet, and do it through an extension
>>     >>> point like a servlet filter or equivalent.
>>     >>>
>>     >>> Thanks
>>     >>> Srinath
>>     >>>
>>     >>>
>>     >>>
>>     >>>> Thanks & regards.
>>     >>>> -Prabath
>>     >>>>
>>     >>>> Srinath Perera wrote:
>>     >>>>
>>     >>>>
>>     >>>>> Hi All;
>>     >>>>>
>>     >>>>> I want to integrate Apache Solr as a server into Carbon (as a
>>     >>>>> bundle, so you just drop the bundle in and you have Solr). Simply,
>>     >>>>> Solr is a Servlet, which I can add via component.xml, but I want
>>     >>>>> security. Basically, the Solr server should be accessible only to
>>     >>>>> users who have logged in to Carbon. Dr. Sanjiva and I were
>>     >>>>> discussing this, and we thought maybe we can do this via a servlet
>>     >>>>> filter, which intercepts requests to Solr and blocks
>>     >>>>> unauthenticated access.
>>     >>>>>
>>     >>>>> Any thoughts on how to do this? For example, if I create a
>>     >>>>> servlet filter that gets the JSession ID from the request and
>>     >>>>> allows only valid sessions to go in, will that do what I need?
>>     >>>>> This same Filter should be useful when we integrate any Servlet
>>     >>>>> into Carbon.
>>     >>>>>
>>     >>>>> Thanks
>>     >>>>> Srinath
>>     >>>>>
>>     >>>> _______________________________________________
>>     >>>> Carbon-dev mailing list
>>     >>>> [email protected] <mailto:[email protected]>
>>     >>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
>>
>>
>>
>> -- 
>> Sanjiva Weerawarana, Ph.D.
>> Founder, Chairman & CEO; WSO2, Inc.;  http://wso2.com/
>> email: [email protected] <mailto:[email protected]>; cell: +1 650 265 
>> 8311 | +94 77 787 6880
>> blog: http://sanjiva.weerawarana.org/
>>
>> The Open Source SOA Company
>
>
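The signed-header scheme Prabath proposes for the Carbon to Solr hop, modelled end to end as an added Go example (not Carbon's, Solr's or WebSEAL's code): the Carbon side signs the user name and sets `carbon-user` and `carbon-user-signed`, and the filter side accepts the name only if the signature verifies under the trusted Carbon key. The RSA key, the request URL and the choice of PKCS#1 v1.5 over SHA-256 are assumptions; Carbon's keystore and certificate handling are not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
)

// Header names as proposed in the thread (assumed here, not Carbon's real ones).
const userHeader, sigHeader = "carbon-user", "carbon-user-signed"

// Carbon side (step 3): sign the user name and attach name plus base64 signature.
func addSignedUserHeaders(req *http.Request, user string, key *rsa.PrivateKey) error {
	digest := sha256.Sum256([]byte(user))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return err
	}
	req.Header.Set(userHeader, user)
	req.Header.Set(sigHeader, base64.StdEncoding.EncodeToString(sig))
	return nil
}

// Filter side (steps 5-7): return the user name only if the signature verifies under the trusted key.
func verifySignedUser(req *http.Request, trusted *rsa.PublicKey) (string, error) {
	user, encoded := req.Header.Get(userHeader), req.Header.Get(sigHeader)
	if user == "" || encoded == "" {
		return "", errors.New("missing carbon-user or carbon-user-signed header")
	}
	sig, err := base64.StdEncoding.DecodeString(encoded)
	digest := sha256.Sum256([]byte(user))
	if err != nil || rsa.VerifyPKCS1v15(trusted, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("carbon-user-signed does not verify under the trusted Carbon cert")
	}
	return user, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for Carbon's keystore entry
	req, _ := http.NewRequest("GET", "http://localhost/solr/select", nil) // constructed request
	_ = addSignedUserHeaders(req, "alice", key)
	fmt.Println(verifySignedUser(req, &key.PublicKey)) // alice <nil>
	req.Header.Set(userHeader, "admin") // name changed in transit: signature no longer matches
	fmt.Println(verifySignedUser(req, &key.PublicKey)) // empty name and a verification error
}
```

The filter trusts only what the signature covers, so a header pair produced by any key other than the trusted Carbon one, or a user name altered after signing, is rejected.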


