Integrating Tivoli Access Manager with JBoss AS 4.x

Mark Bakker

Introduction

Currently I am working at a big Enterprise where they use Tivoli Access Manager as authorization and authentication source for a lot of there applications.

This Enterprise is using JBoss as open source application server platform and is using this more and more. When they began using JBoss they got a TAM plug-in for JBoss from IBM. This plug-in did the complete authorization and authentication by implementing JAAS and registering all the used security roles in TAM. This is done during deployment time.

If you have an application with a lot of roles this is very frustrating because it can take a lot of extra time to start up (think of 30 minutes per application) because TAM is synchronizing all the new roles.

Most applications at this customer are using JAAS but do not have special method level authorizations implemented by using TAM. So only the roles are important.

After realizing this I thought is could be a good idea to create a simpler solution for integration TAM and JBoss. For this I wrote some custom code (only 250 lines).

Things to keep in mind

This method is using the iv-user and iv-groups headers at http transport level. Without transport level security (i.e. ssl) it is possible to fake this by using a man in the middle attack.

If you have proper firewall rules and security zones this does not have to be a problem.

When using this method you can use a mapping file for mapping TAM roles to application roles. With the TAM module this can be centrally managed. But since these roles normally only change at deployment time I don’t think this is a real problem.


The steps to use this solution

In the following overview you see the steps you need to take, after this overview I will go into detail for each step.

clip_image002


Step 0

Download the plugin including all sources here.

Step 1

Add the jboss_sso_tam.jar file to the server classpath (server/[profile]/lib)

Step 2

Set the authorization method to BASIC in the web.xml inside the application (application.war/WEB-INF/web.xml).

Set the roles in the web.xml (or in annotations). See http://java.sun.com/javaee/5/docs/tutorial/doc/bncav.html for more information about security roles in Java.

<login-config><auth-method>BASIC</auth-method>

</login-config>

 

<security-role>

<role-name>JBossAdmin</role-name>

</security-role>

web.xml

Step 3

Add the TAM JBoss authorization Valve to the web deployer (apache). This can be done by editing jboss.web-deployer/META-INF/jboss-service.xml inside the deploy directory inside a server profile.

This authorization Valve is called before the servlet or static content is called for each request. It is important that the key is set to the same value as the authorization method in the web.xml inside the application (see step 2).

<attribute name="Authenticators" serialDataType="jbxb">…

 <java:property>

<java:key>BASIC</java:key>

<java:value>com.infra.tam.jboss.TamJBossSSOValve

</java:value>

</java:property>

</attribute>

Jboss-service.xml


Step 4

Edit the login-config.xml file inside the server/[profle]/conf directory. Here you have to add the login-module to the application-policy which is used. In this example case I edited the jmx-console policy. The security domain for an application defaults to the name of the war or ear file. (i.e. jmx-console.war à jmx-console).

You can override the security domain in a jboss-web.xml file in the WEB-INF directory of an application.

<application-policy name = “jmx-console"><authentication>

<application-policy name = "jmx-console">

<authentication>

 <login-module code="com.infra.tam.jboss.TamJBossSSOLoginModule

flag = "required">

<module-option name="tamrolesProperties">

props/tamroles.properties</module-option>

 </login-module>

</authentication>

</application-policy>

login-config.xml

<jboss-web><security-domain>java:/jaas/jmx-console</security-domain>

</jboss-web>

jboss-web.xml

After editing the login-config.xml file it is possible to use a mapping file for mapping the tam roles to application roles. Default you can use the server/[profile]/conf/props/tamroles.properties file for this.

The name of this file can be overridden with a module-option tag with the name tamrolesProperties.

TAM_ROLE_A=AppRoleATAM_ROLE_B=AppRoleB

tamroles.properties

Comments (2)

  1. Suryanto - Reply

    October 21, 2010 at 10:11 am

    Hi Mark,

    Thanks for sharing this information. Do you happen to know a solution for integrating TAM with JBoss AS 5.1?

    Thanks and regards,

    Steven

  2. Blacksad77 - Reply

    November 15, 2011 at 4:46 pm

    I have tested SSO with JBOSS 5.1, and it actually works. I think that authorization would work too. I am just too lazy to test it 🙂

Add a Comment