The Build Forge SSO framework provides the ability to integrate with several SSO solutions on the market. The framework is interceptor-based: it intercepts HTTP requests and provides a means of handling them. You can write custom interceptors to receive and validate the security artifacts carried in an HTTP request. In particular, an interceptor can set tokens in the HTTP response and then look for those tokens in subsequent requests.
Build Forge ships with the following two SSO solutions:
com.buildforge.services.server.sso.ISSOInterceptor
It is located in the services layer component: <bfinstall>/Apache/tomcat/webapps/rbf-services/WEB-INF/classes
The interface provides the following methods.
Interceptor configurations are defined in
. The following configurations are provided with Build Forge: After you implement the interceptor class and place it in the Build Forge Apache Tomcat application server, create the new SSO configuration here. The class is an attribute of the SSO configuration.
The order of this list determines the order in which interceptors are consulted to handle a request. Several interceptors can be configured to handle requests. During login, each interceptor is consulted in turn; the interceptor that handles the request is the first active interceptor whose attributes match attributes in the request. Only one interceptor handles a request: it is always the first interceptor that answers true to isTargetInterceptor.
To create a custom interceptor in Build Forge, do the following:
The class must implement the ISSOInterceptor interface.
<bfinstall>/Apache/tomcat/webapps/rbf-services/WEB-INF/classes
During a request, the active SSO configurations are visited in the order in which they appear on this panel. Your configuration must be placed before the Form SSO configuration, because the Form SSO configuration is active by default and always returns true when visited. The SPNEGO SSO configuration is inactive by default.
The following example is taken from the WebSphere SSO interceptor, which integrates WebSphere security with Build Forge.
The interceptor uses reflection to look up the WebSphere class WSSubject. That class's getCallerPrincipal method returns the principal that was used to log in to the AuthServlet. The AuthServlet must be protected first; WAS then authenticates to it.
Other methods return more information, and similar methods are available for any application server.
public Result authenticateRequest(Request requestAttributes,
                                  Response responseAttributes)
        throws SSOException {
    Result result = null;
    try {
        // Look up WebSphere's WSSubject by reflection, so this class compiles
        // without the WebSphere libraries on the build classpath.
        Class<?> cl =
            Class.forName("com.ibm.websphere.security.auth.WSSubject");
        Method theMethod = cl.getMethod("getCallerPrincipal",
                                        (Class[]) null);
        // getCallerPrincipal is static: null target, no arguments.
        String principal = (String) theMethod.invoke((Object[]) null,
                                                     (Object[]) null);
        // Accept only a real caller; WAS reports "UNAUTHENTICATED" otherwise.
        if (principal != null
                && principal.length() > 0
                && !principal.equals("UNAUTHENTICATED")) {
            // domain is a field of the interceptor class: the Build Forge
            // domain placed in the Result
            result = new Result(Result.UseridOnlyOID, domain, principal);
            responseAttributes.setStatus(HttpServletResponse.SC_OK);
        }
    } catch (Exception e) {
        throw new SSOException(e);
    }
    return result;
}
While implementing authenticateRequest, you must set the response status before returning, for example:
responseAttributes.setStatus(HttpServletResponse.SC_OK);
responseAttributes.setStatus(HttpServletResponse.SC_FORBIDDEN);
responseAttributes.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
responseAttributes.sendRedirect(url);
Other status values can be used; see the JavaDoc for HttpServletResponse.
If the custom interceptor does not work correctly when you test it, the most likely problem is authentication. You will see an error page with the following message:
Build Forge Error
Access is denied to the Build Forge console
"Error authenticating:
com.buildforge.services.common.api.APIException - API:
Authentication Error."
Please click here to try the same type of login again
or click here to force a form login (user ID/password).
There are two options for recovery:
The following comments and source listings provide more information about the methods of the ISSOInterceptor interface.
initInterceptor
/**
 * This method is called when the interceptor is loaded. A map of the
 * configuration properties is passed into the init method. You can create
 * the configuration properties from a Build Forge Environment and associate
 * it with the SSO configuration.
 *
 * @param initializationProps used to configure the implementation
 * @return true if successful, false if an error should be reported.
 * @throws SSOException if the initialization fails
 **/
public boolean initInterceptor(Properties initializationProps) throws SSOException;
isTargetInterceptor
/**
 * This method reviews the attributes in the requestAttributes Map
 * to determine whether there is something that this interceptor should
 * act on. If the interceptor returns true, it becomes responsible for
 * authenticating the request and its authenticateRequest method is
 * invoked. If the interceptor returns false, it is skipped and the next
 * isTargetInterceptor in the list is called. The ordering of the
 * interceptors in the configuration determines which interceptor has the
 * first shot at authenticating a request.
 *
 * @param requestAttributes attributes found in the inbound request
 * @return true if this interceptor will authenticate the request,
 *         false if it will not.
 * @throws SSOException
 *
 **/
public boolean isTargetInterceptor(Request requestAttributes) throws SSOException;
authenticateRequest
/**
 * This method is called on an interceptor that returns true for the
 * isTargetInterceptor method. The Request will contain data used
 * to perform the authentication. The Response is for the interceptor
 * to send information back to the client. The Result returned will contain
 * the following information if the status code is 200:
 *
 * OID: an object identifier of the SecurityContext that can process token
 *      information stored in this map when going to an Agent.
 * Domain: a valid BF domain name or <default> if not known
 *      (the username must be valid in the configured realm).
 * Username: a valid BF username. This will be used to look up BFUser attributes
 *      that are used in checking authorization policy.
 * @see com.buildforge.services.common.security.context.Result
 *
 * @param requestAttributes attributes found in the inbound request
 * @param responseAttributes sent back in the outbound response
 * @return com.buildforge.services.common.security.context.Result - result
 *         information that tells BF how to handle the authentication request.
 * @throws com.buildforge.services.server.sso.SSOException
 **/
public Result authenticateRequest(
        Request requestAttributes,
        Response responseAttributes)
    throws SSOException;
logoutRequest
/**
 * This method is called to log out a request. The first interceptor that
 * returns true for the isTargetInterceptor method performs the logout.
 * The main point is to clean up any user-related security information that
 * should not be kept. The interceptor can inspect the request and response
 * objects to determine what needs to be removed.
 *
 * @param requestAttributes attributes found in the inbound request
 * @param responseAttributes sent back in the outbound response
 * @return boolean - true if the request should be redirected to the exit page,
 *         false if it should be redirected to the login page.
 * @throws com.buildforge.services.server.sso.SSOException
 **/
public boolean logoutRequest(
        Request requestAttributes,
        Response responseAttributes)
    throws SSOException;
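As an added example (not part of the Build Forge documentation or one of its shipped interceptors), the WebSphere fragment above completed into a class that implements all four methods of the interface listed here: initInterceptor reads the domain from the configuration properties, isTargetInterceptor yields to the next active configuration when WSSubject is not loadable, authenticateRequest sets a status on both paths and fails closed with 403 when no usable principal is present, and logoutRequest sends the user back to the login page. The class name, the "domain" property key, and the package of Request and Response are assumptions; check them against the classes under rbf-services/WEB-INF/classes.

```java
import java.lang.reflect.Method;
import java.util.Properties;
import javax.servlet.http.HttpServletResponse;
import com.buildforge.services.common.security.context.Result;
import com.buildforge.services.server.sso.ISSOInterceptor;
import com.buildforge.services.server.sso.SSOException;
import com.buildforge.services.server.sso.Request;   // assumed package, see lead-in
import com.buildforge.services.server.sso.Response;  // assumed package, see lead-in

public class WasPrincipalInterceptor implements ISSOInterceptor {
    private static final String WSSUBJECT = "com.ibm.websphere.security.auth.WSSubject";
    private String domain = "<default>";  // Build Forge domain placed in the Result

    public boolean initInterceptor(Properties props) throws SSOException {
        // "domain" is a property key chosen for this example, not a documented Build Forge key.
        String d = props.getProperty("domain");
        if (d != null && d.trim().length() > 0) domain = d.trim();
        return true;
    }

    public boolean isTargetInterceptor(Request req) throws SSOException {
        // Claim the request only inside WAS (WSSubject loadable); false lets the chain move on.
        try {
            Class.forName(WSSUBJECT);
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public Result authenticateRequest(Request req, Response resp) throws SSOException {
        try {
            Method m = Class.forName(WSSUBJECT).getMethod("getCallerPrincipal", (Class[]) null);
            String principal = (String) m.invoke((Object[]) null, (Object[]) null);
            if (principal != null && principal.length() > 0
                    && !"UNAUTHENTICATED".equals(principal)) {
                resp.setStatus(HttpServletResponse.SC_OK);  // a status is mandatory before returning
                return new Result(Result.UseridOnlyOID, domain, principal);
            }
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);  // fail closed: no principal, no Result
            return null;
        } catch (Exception e) {
            throw new SSOException(e);
        }
    }
    public boolean logoutRequest(Request req, Response resp) throws SSOException {
        return false;  // nothing to clear on the Build Forge side; send the user to the login page
    }
}
```

Because isTargetInterceptor returns true wherever WSSubject is present, this configuration must still be placed before the Form SSO configuration in the panel, or the Form configuration will claim every request first.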