Sep 2nd, 2008, 07:27 PM
I'm trying to modify an open source application (Pentaho) that uses Acegi within a JBoss app server. I need to integrate it with our SSO solution implemented with Siteminder. I don't care about authorization, just authentication.
I've been reading about the Siteminder authentication mechanism but saw that the provided filter only looks for "pre-authenticated requests". The only thing that I need is to know where or how to configure the application to log in against the SSO site. That means:
1. User enters the system.
2. Acegi filter redirects it to the SSO site.
3. Call returns with the header set and user has full access.
I've tried configuring authenticationProcessingFilter with no luck.
Thanks in advance.
Sep 2nd, 2008, 07:44 PM
If the user can access the system at all without first being authenticated, how will you be able to determine that they haven't just faked the username header to gain access?
Sep 2nd, 2008, 08:51 PM
Let's say that it is not a concern so far. I've been thinking of setting the redirect if no authentication is detected in the page pointed to by this property:
Originally Posted by Luke Taylor
Is that ok?
Sep 3rd, 2008, 05:34 AM
So how will you be able to tell the difference between users who have been authenticated by Siteminder and those using a faked header?
If it is possible to access the system by setting the request header then you effectively have no security at all.
Sep 3rd, 2008, 08:11 AM
At this stage it is not a concern. It will be an internal proof of concept. Could you please answer my question?
Thanks in advance.
Sep 3rd, 2008, 09:22 AM
Not really. For the reason I've mentioned, we don't provide support for authentication via request headers without the assumption that each request from the user is forced to go through an authentication system to gain access to the site.