Thread: Siteminder integration

  1. #1
    Join Date
    Sep 2008
    Posts
    3

    Siteminder integration

    Hi,

    I'm trying to modify an open source application (Pentaho) that uses Acegi within a JBoss app server. I need to integrate it with our SSO solution implemented with Siteminder. I don't care about authorization, just authentication.

    I've been reading about the Siteminder Authentication mechanism but saw that the provided filter only looks for "pre-authenticated requests". The only thing that I need is to know where or how to configure the application to login against the SSO site. That means:

    1. User enters into the system.
    2. Acegi filter redirects it to the SSO site
    3. Call returns with the header set and user has full access

    I've tried configuring authenticationProcessingFilter with no luck.

    thanks in advance

  2. #2
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    If the user can access the system at all without first being authenticated, how will you be able to determine that they haven't just faked the username header to gain access?

  3. #3
    Join Date
    Sep 2008
    Posts
    3

    Originally posted by Luke Taylor:
        If the user can access the system at all without first being authenticated, how will you be able to determine that they haven't just faked the username header to gain access?

    Let's say that it is not a concern so far. I've been thinking of setting the redirect if no authentication is detected in the page pointed to by this property:

    <property name="defaultTargetUrl"><value>/login.jsp</value></property>

    Is that ok?


    thanks

  4. #4
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    So how will you be able to tell the difference between users who have been authenticated by Siteminder and those using a faked header?

    If it is possible to access the system by setting the request header then you effectively have no security at all.

  5. #5
    Join Date
    Sep 2008
    Posts
    3

    At this stage it is not a concern. It will be an internal proof of concept. Could you please answer my question?

    thanks in advance

  6. #6
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Not really. For the reason I've mentioned, we don't provide support for authentication via request headers without the assumption that each request from the user is forced to go through an authentication system to gain access to the site.
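
Added example, not part of the original thread and not Acegi or Pentaho code: a servlet filter that enforces the assumption discussed above, accepting the username header only when the request's direct peer is the SiteMinder-protected front end. The class name, the `SM_USER` header name and the address `10.0.0.5` are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: rejects any request that carries the SSO username
// header but did not arrive from the SiteMinder-protected front end.
public class TrustedFrontEndFilter implements Filter {
    // Assumption: SM_USER is the header the SiteMinder agent sets.
    static final String USER_HEADER = "SM_USER";
    // Assumption: constructed address of the only front end allowed to assert identity.
    static final Set<String> TRUSTED_PEERS = Set.of("10.0.0.5");

    // True only when the direct TCP peer is a trusted front end.
    // Uses the socket address, never X-Forwarded-For, which the client controls.
    static boolean headerIsTrustworthy(String remoteAddr) {
        return remoteAddr != null && TRUSTED_PEERS.contains(remoteAddr);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        boolean hasHeader = req.getHeader(USER_HEADER) != null;
        if (hasHeader && !headerIsTrustworthy(req.getRemoteAddr())) {
            // The header was supplied by something other than the agent: refuse.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // No header (unauthenticated) or header from the agent: let the
        // security filter chain decide what happens next.
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }
}
```

Map the filter ahead of the security filter chain in `web.xml` so the check runs before any header-based authentication. It is a backstop: restricting network access so the application server is reachable only through the front end remains the primary control.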
