The Build Forge SSO framework provides the capability to integrate with many SSO solutions on the market. The SSO framework is interceptor-based, meaning that it intercepts an HTTP request and provides methods for handling it. You can write custom interceptors to receive and validate security artifacts in the HTTP request. In particular, the interceptor can set tokens in the HTTP response and then look for those tokens in a successive request.
Two SSO solutions are provided with Build Forge:
com.buildforge.services.server.sso.ISSOInterceptor
It is located in the services layer component: <bfinstall>/Apache/tomcat/webapps/rbf-services/WEB-INF/classes
The interface provides the following methods.
Interceptor configurations are defined in . The following configurations are shipped with Build Forge:
After you implement an interceptor class and place it in the Build Forge Apache Tomcat application server, you configure a new SSO configuration here. The class is one property of the SSO configuration.
The order of this list determines the order in which interceptors are consulted to handle requests. You can configure multiple interceptors to handle requests. During a login, each interceptor is consulted in order. The interceptor that handles the request is the first active interceptor whose attributes are appropriate for the attributes in the request. Only one interceptor handles the request. It is always the first one that responds true for isTargetInterceptor.
To create a custom interceptor in Build Forge, do the following:
The class must implement the ISSOInterceptor interface.
Place the compiled class in: <bfinstall>/Apache/tomcat/webapps/rbf-services/WEB-INF/classes
During a request, active SSO configurations are accessed in the order in which they appear in this panel. Your configuration must be placed before the Form SSO configuration, because it is active by default and always returns true when accessed. The SPNEGO SSO configuration is inactive by default.
The following example is taken from the WebSphere SSO Interceptor, which is used to integrate WebSphere security with Build Forge.
The interceptor uses reflection to find the WebSphere class WSSubject. The class has a getCallerPrincipal method to return the principal used to log in to the AuthServlet. The AuthServlet needs to be protected before WAS will authenticate with it.
Other methods are available that can return even more information. Similar methods are available to work with any application server.
import java.lang.reflect.Method;
import javax.servlet.http.HttpServletResponse;
import com.buildforge.services.common.security.context.Result;

public Result authenticateRequest
        (Request requestAttributes, Response responseAttributes)
        throws SSOException {
    Result result = null;
    try {
        // Look up the WebSphere class by reflection so the interceptor has no
        // compile-time dependency on the WebSphere libraries.
        Class<?> cl =
            Class.forName("com.ibm.websphere.security.auth.WSSubject");
        Method theMethod = cl.getMethod("getCallerPrincipal",
            (Class[])null);
        // getCallerPrincipal is static: no target object and no arguments.
        String principal = (String)theMethod.invoke((Object[])null,
            (Object[])null);
        // WebSphere reports "UNAUTHENTICATED" when nobody has logged in to the
        // protected AuthServlet; only a real principal becomes a Build Forge login.
        if (principal != null
            && principal.length() > 0
            && !principal.equals("UNAUTHENTICATED")) {
            // domain is a field of the interceptor, taken from its configuration.
            result = new Result(Result.UseridOnlyOID, domain, principal);
            responseAttributes.setStatus(HttpServletResponse.SC_OK);
        }
        // No principal: result stays null; a status must still be set before
        // returning (see the status requirement below).
    } catch (Exception e) {
        throw new SSOException(e);
    }
    return result;
}
During the implementation of authenticateRequest, you must set a response status before returning:
responseAttributes.setStatus(HttpServletResponse.SC_OK);
responseAttributes.setStatus(HttpServletResponse.SC_FORBIDDEN);
responseAttributes.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
responseAttributes.sendRedirect(url);
There are additional status values that can be used. See the JavaDoc for HttpServletResponse.
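The following is an added example, not code from Build Forge or the WebSphere interceptor above, that puts the steps together: a complete interceptor class that implements all four ISSOInterceptor methods, claims only the requests it can handle (so it can sit ahead of the Form SSO configuration without swallowing every login), validates the security artifact it receives instead of trusting it, and sets a response status on every return path of authenticateRequest. The header name, token format, configuration property names, the `Request.getHeader` accessor and the package of `Request`/`Response` are assumptions; only `Result(Result.UseridOnlyOID, domain, user)`, `setStatus`, `sendRedirect` and `new SSOException(e)` come from the page.

```java
import java.nio.charset.StandardCharsets;
import java.util.Properties;
import javax.crypto.Mac;
import javax.servlet.http.HttpServletResponse;
import com.buildforge.services.common.security.context.Result;
import com.buildforge.services.server.sso.*; // ISSOInterceptor, SSOException; Request/Response package assumed

public class SignedTokenInterceptor implements ISSOInterceptor {
    private static final String HEADER = "X-BF-SSO-Token"; // constructed header name
    private byte[] key;     // shared secret taken from the SSO configuration properties
    private String domain;  // Build Forge domain reported in the Result
    public boolean initInterceptor(Properties p) throws SSOException {
        String k = p.getProperty("sso.hmac.key");            // property names assumed
        if (k == null) return false;                         // framework reports the error
        key = k.getBytes(StandardCharsets.UTF_8);
        domain = p.getProperty("sso.domain", "<default>");
        return true;
    }
    // Claim only requests carrying our token; others fall through to later interceptors.
    public boolean isTargetInterceptor(Request req) throws SSOException {
        return req.getHeader(HEADER) != null;                // Request.getHeader assumed
    }
    // Every return path sets a status before returning, as the framework requires.
    public Result authenticateRequest(Request req, Response resp) throws SSOException {
        String user = verify(req.getHeader(HEADER));
        resp.setStatus(user == null ? HttpServletResponse.SC_FORBIDDEN : HttpServletResponse.SC_OK);
        return user == null ? null : new Result(Result.UseridOnlyOID, domain, user);
    }
    // Token (constructed format): "user:expiryMillis:base64(HmacSHA256(key, "user:expiryMillis"))".
    // Returns the user only if the MAC verifies in constant time and the token has not expired.
    String verify(String token) throws SSOException {
        String[] parts = token.split(":", 3);
        if (parts.length != 3) return null;
        try {
            if (Long.parseLong(parts[1]) < System.currentTimeMillis()) return null;
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new javax.crypto.spec.SecretKeySpec(key, "HmacSHA256"));
            byte[] want = mac.doFinal((parts[0] + ":" + parts[1]).getBytes(StandardCharsets.UTF_8));
            byte[] got = java.util.Base64.getDecoder().decode(parts[2]);
            return java.security.MessageDigest.isEqual(want, got) ? parts[0] : null;
        } catch (Exception e) {                              // bad number, bad base64, no HMAC
            throw new SSOException(e);
        }
    }
    public boolean logoutRequest(Request req, Response resp) throws SSOException {
        resp.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
        resp.sendRedirect("/login");                         // constructed login URL
        return false; // false: the framework redirects to the login page
    }
}
```

Because isTargetInterceptor returns false when the header is absent, ordinary browser logins still reach the Form SSO configuration placed after this one.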
If your custom interceptor does not work correctly when tested, the most likely issue is authentication. You see an error page with the following information:
Build Forge Error
Access is denied to the Build Forge console
"Error authenticating:
com.buildforge.services.common.api.APIException - API:
Authentication Error."
Please click here to try the same type of login again
or click here to force a form login (user ID/password).
You have two options for recovery:
The following comments and source listings provide more information about the methods in the ISSOInterceptor interface.
initInterceptor
/**
 * This method is called when the interceptor is loaded. A map of the
 * configuration properties is passed into the init method. You can create
 * the configuration properties from a Build Forge Environment and associate
 * it with the SSO configuration.
 *
 * @param initializationProps used to configure the implementation
 * @return true if successful, false if an error should be reported.
 * @throws SSOException if the initialization fails
 **/
public boolean initInterceptor(Properties initializationProps) throws SSOException;
isTargetInterceptor
/**
 * This method reviews the attributes in the requestAttributes Map
 * to determine if there is something that this interceptor should
 * act on. If the interceptor returns "true", then the interceptor will
 * be responsible for authenticating the request and the authenticateRequest
 * method is invoked. If the interceptor returns "false", then this
 * interceptor is skipped and the next isTargetInterceptor in the list will
 * be called. The ordering of the interceptors in the configuration
 * determines which interceptor has the first shot at authenticating a request.
 *
 * @param requestAttributes attributes found in the inbound request
 * @return true if this interceptor will authenticate the request,
 * false if it will not.
 * @throws SSOException
 *
 **/
public boolean isTargetInterceptor(Request requestAttributes) throws SSOException;
authenticateRequest
/**
 * This method is called on an interceptor that returns true for the
 * isTargetInterceptor method. The Request will contain data used
 * to perform the authentication. The Response is for the interceptor
 * to send information back to the client. The Result returned will contain
 * the following information if the status code is 200:
 *
 * OID: an object identifier of the SecurityContext that can process token
 * information stored in this map when going to an Agent.
 * Domain: a valid BF domain name or <default> if not known
 * (the username must be valid in the configured realm).
 * Username: a valid BF username. This will be used to look up BFUser attributes
 * that are used in checking authorization policy.
 * @see com.buildforge.services.common.security.context.Result
 *
 * @param requestAttributes attributes found in the inbound request
 * @param responseAttributes sent back in the outbound response
 * @return com.buildforge.services.common.security.context.Result - result
 * information that tells BF how to handle the authentication request.
 * @throws com.buildforge.services.server.sso.SSOException
 **/
public Result authenticateRequest(
        Request requestAttributes,
        Response responseAttributes)
        throws SSOException;
logoutRequest
/**
 * This method is called to log out a request. The first interceptor that
 * returns true for the isTargetInterceptor method will perform the logout.
 * The main point is to clean up any user-related security information that
 * should not be kept. The interceptor can inspect the request and response
 * objects to determine what needs to be removed.
 *
 * @param requestAttributes attributes found in the inbound request
 * @param responseAttributes sent back in the outbound response
 * @return boolean - true if the request is redirected to the exit page,
 * false if it is redirected to the login page.
 * @throws com.buildforge.services.server.sso.SSOException
 **/
public boolean logoutRequest(
        Request requestAttributes,
        Response responseAttributes)
        throws SSOException;