This topic is closed
  • Siteminder integration

    Hi,

    I'm trying to modify an open source application (Pentaho) that uses Acegi within a JBoss app server. I need to integrate it with our SSO solution implemented with Siteminder. I don't care about authorization, just authentication.

    I've been reading about the Siteminder authentication mechanism but saw that the provided filter only looks for "pre-authenticated requests". The only thing that I need is to know where or how to configure the application to log in against the SSO site. That means:

    1. User enters the system.
    2. Acegi filter redirects the user to the SSO site.
    3. Call returns with the header set and the user has full access.

    I've tried configuring authenticationProcessingFilter with no luck.

    Thanks in advance

  • #2
    If the user can access the system at all without first being authenticated, how will you be able to determine that they haven't just faked the username header to gain access?



    • #3
      Originally posted by Luke Taylor:
      If the user can access the system at all without first being authenticated, how will you be able to determine that they haven't just faked the username header to gain access?
      Let's say that it is not a concern so far. I've been thinking of setting the redirect, if no authentication is detected, in the page pointed to by this property:

      <property name="defaultTargetUrl"><value>/login.jsp</value></property>

      Is that OK?


      Thanks



      • #4
        So how will you be able to tell the difference between users who have been authenticated by Siteminder and those using a faked header?

        If it is possible to access the system by setting the request header then you effectively have no security at all.



        • #5
          At this stage it is not a concern. It will be an internal proof of concept. Could you please answer my question?

          Thanks in advance



          • #6
            Not really. For the reason I've mentioned, we don't provide support for authentication via request headers without the assumption that each request from the user is forced to go through an authentication system to gain access to the site.


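Added example (not part of the thread, and not Acegi or Pentaho code): a servlet filter illustrating the condition raised in replies #2, #4 and #6, that a username header only means something when every request is forced through the SSO front end. The class name, the header name `SM_USER`, and the init parameters `trustedProxies` and `ssoLoginUrl` are assumptions; it also assumes the front end overwrites any client-supplied copy of the header.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Accepts the SSO username header only on requests that arrive via the SSO front end. */
public class TrustedSsoHeaderFilter implements Filter {
    // Assumed names: adjust to the header your SSO agent actually sets.
    private static final String USER_HEADER = "SM_USER";
    private final Set<String> trustedProxies = new HashSet<String>();
    private String ssoLoginUrl;

    public void init(FilterConfig cfg) throws ServletException {
        String proxies = cfg.getInitParameter("trustedProxies"); // comma-separated IPs
        ssoLoginUrl = cfg.getInitParameter("ssoLoginUrl");
        if (proxies == null || ssoLoginUrl == null) {
            throw new ServletException("trustedProxies and ssoLoginUrl are required");
        }
        for (String p : proxies.split(",")) {
            trustedProxies.add(p.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getRemoteAddr() is the TCP peer, which the client cannot set via headers.
        if (!trustedProxies.contains(request.getRemoteAddr())) {
            // Direct connection: any username header here is client-supplied.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String user = request.getHeader(USER_HEADER);
        if (user == null || user.trim().length() == 0) {
            // Came through the front end but carries no identity: send to SSO login.
            response.sendRedirect(ssoLoginUrl);
            return;
        }
        chain.doFilter(req, res); // header was set by the SSO agent
    }

    public void destroy() { }
}
```

The filter would be mapped ahead of the Acegi filter chain in `web.xml`; it complements, and does not replace, network rules that stop clients from reaching the application server directly.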