The Build Forge® SSO framework provides a way to integrate with many of the SSO solutions on the market. The framework is interceptor-based: it intercepts HTTP requests and provides a way to process them. You can write custom interceptors that receive and validate the security artifacts carried in an HTTP request. In particular, an interceptor can set tokens in the HTTP response and then look for those tokens in subsequent requests.
Build Forge® ships with two SSO solutions:
The SSO interceptor interface is com.buildforge.services.server.sso.ISSOInterceptor, located in the services layer component:
<bfinstall>/Apache/tomcat/webapps/jas/WEB-INF/eclipse/plugins/com.ibm.jas-1.0.jar
The interface provides the methods initInterceptor, isTargetInterceptor, authenticateRequest and logoutRequest, documented in detail at the end of this page.
Interceptor configurations are defined in the SSO configurations screen. Build Forge® ships with the following configurations:
After you implement the interceptor class and deploy it to the Build Forge® Apache Tomcat application server, you create a new SSO configuration on that screen. The class name is one of the properties of the SSO configuration.
The order of this list determines the order in which interceptors are consulted to handle a request. You can configure several interceptors; during login each one is consulted in turn. The interceptor that handles the request is the first active one whose criteria match the attributes of the request. Only one interceptor ever handles a request: always the first one that answers true from isTargetInterceptor.
To create a custom interceptor in Build Forge®, complete the following steps:
The class must implement the ISSOInterceptor interface.
During a request, the active SSO configurations are consulted in the order in which they appear on this screen. Because the Form SSO configuration is active by default and always returns true when consulted, your configuration must be placed before the Form SSO configuration, or it will never be reached. The SPNEGO SSO configuration is inactive by default.
The following example is taken from the WebSphere SSO interceptor that integrates WebSphere Application Server security with Build Forge®.
The interceptor uses reflection to locate WebSphere's WSSubject class, so that the interceptor can still be loaded where the WebSphere classes are not on the classpath. That class has a getCallerPrincipal method that returns the principal that logged in to AuthServlet. AuthServlet must be protected so that it can be used to authenticate against WebSphere Application Server.
Other methods that return more information are also available, and similar methods exist for any application server.
import java.lang.reflect.Method;
import javax.servlet.http.HttpServletResponse;
import com.buildforge.services.common.security.context.Result;
import com.buildforge.services.server.sso.SSOException;

// Excerpt from the WebSphere SSO interceptor. `domain` is an instance field of the
// interceptor holding the Build Forge domain the principal belongs to.
public Result authenticateRequest(Request requestAttributes, Response responseAttributes)
        throws SSOException {
    Result result = null;
    try {
        // Resolved reflectively so the class loads even where WebSphere is absent.
        Class<?> cl = Class.forName("com.ibm.websphere.security.auth.WSSubject");
        Method theMethod = cl.getMethod("getCallerPrincipal", (Class[]) null);
        // getCallerPrincipal is static: no target object and no arguments.
        String principal = (String) theMethod.invoke(null, (Object[]) null);
        if (principal != null
                && principal.length() > 0
                && !principal.equals("UNAUTHENTICATED")) {
            result = new Result(Result.UseridOnlyOID, domain, principal);
            responseAttributes.setStatus(HttpServletResponse.SC_OK);
        }
        // Otherwise result stays null and no status is set on this path.
    } catch (Exception e) {
        throw new SSOException(e);
    }
    return result;
}
In your implementation of authenticateRequest, you must set the response status before returning. The usual choices are:
responseAttributes.setStatus(HttpServletResponse.SC_OK);                // authenticated; also return a Result
responseAttributes.setStatus(HttpServletResponse.SC_FORBIDDEN);         // rejected
responseAttributes.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY); // hand the browser off, for example to an identity provider
responseAttributes.sendRedirect(url);
Other status values are available; see HttpServletResponse in the Servlet JavaDoc.
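Putting the steps above together with the status rules, the following class is a complete custom interceptor. It is an added example, not part of the Build Forge® documentation or product: it authenticates requests that carry an HMAC-SHA256 signed token in a request header, and returns false from isTargetInterceptor when that header is absent so that the Form SSO configuration placed after it can still handle ordinary logins. The header name X-BF-SSO, the property names sso.secret and sso.domain, the token layout, the package of the Request and Response classes and the Request.getHeader accessor are assumptions of this example; ISSOInterceptor, Result, SSOException, Result.UseridOnlyOID and HttpServletResponse are the types named on this page. The main method exercises only the token logic and needs no Build Forge® server.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Properties;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletResponse;

import com.buildforge.services.common.security.context.Result;
import com.buildforge.services.server.sso.ISSOInterceptor;
import com.buildforge.services.server.sso.SSOException;
import com.buildforge.services.server.sso.Request;   // package assumed
import com.buildforge.services.server.sso.Response;  // package assumed

/**
 * Added example, not product code. Accepts a token "user:domain:expiryEpochSeconds:hexMac"
 * from the X-BF-SSO header (header name, token layout and property names are assumptions).
 * Configure it before the Form SSO entry so that it is consulted first.
 */
public class HmacHeaderInterceptor implements ISSOInterceptor {

    static final String HEADER = "X-BF-SSO";          // assumed header name
    static final String SECRET_PROP = "sso.secret";   // assumed property name
    static final String DOMAIN_PROP = "sso.domain";   // assumed property name
    private byte[] secret;
    private String domain = "<default>";              // "<default>" when not known (see javadoc)

    public boolean initInterceptor(Properties props) throws SSOException {
        String s = props.getProperty(SECRET_PROP);
        if (s == null || s.length() < 32) {           // refuse a missing or weak key
            throw new SSOException(new IllegalStateException(SECRET_PROP + " missing or too short"));
        }
        secret = s.getBytes(StandardCharsets.UTF_8);
        domain = props.getProperty(DOMAIN_PROP, domain);
        return true;
    }

    // Claim the request only when our header is present; otherwise the next
    // configured interceptor (for example Form SSO) gets its turn.
    public boolean isTargetInterceptor(Request req) throws SSOException {
        return header(req) != null;
    }

    public Result authenticateRequest(Request req, Response resp) throws SSOException {
        String[] claims = verify(header(req), secret, System.currentTimeMillis() / 1000);
        if (claims == null) {
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN); // status must be set before returning
            return null;
        }
        resp.setStatus(HttpServletResponse.SC_OK);
        String dom = claims[1].isEmpty() ? domain : claims[1];
        return new Result(Result.UseridOnlyOID, dom, claims[0]);
    }

    // Nothing is kept server-side for a bearer token; false sends the user to the login page.
    public boolean logoutRequest(Request req, Response resp) throws SSOException {
        return false;
    }

    // Accessor is an assumption: adapt it to the real Request class in com.ibm.jas-1.0.jar.
    private static String header(Request req) {
        return req.getHeader(HEADER);
    }

    /** Returns {user, domain} for a valid, unexpired token, otherwise null. */
    static String[] verify(String token, byte[] key, long nowSeconds) {
        if (token == null) return null;
        String[] p = token.split(":");
        if (p.length != 4) return null;
        long expiry;
        try { expiry = Long.parseLong(p[2]); } catch (NumberFormatException e) { return null; }
        byte[] given = fromHex(p[3]);
        if (given == null) return null;
        byte[] expected = hmac(key, p[0] + ":" + p[1] + ":" + p[2]);
        // Constant-time MAC comparison first, then the expiry check.
        if (!MessageDigest.isEqual(expected, given)) return null;
        if (expiry <= nowSeconds) return null;
        return new String[] { p[0], p[1] };
    }

    /** Issuer side: mint a token, as the gateway in front of Build Forge would. */
    static String mint(String user, String dom, long expirySeconds, byte[] key) {
        String payload = user + ":" + dom + ":" + expirySeconds;
        return payload + ":" + toHex(hmac(key, payload));
    }

    private static byte[] hmac(byte[] key, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    private static byte[] fromHex(String s) {
        if (s.length() % 2 != 0) return null;
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            try { out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16); }
            catch (NumberFormatException e) { return null; }
        }
        return out;
    }

    // Stand-alone check of the token logic with a constructed key and clock.
    public static void main(String[] args) {
        byte[] key = "constructed-demo-key-0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        long now = 1_700_000_000L;
        String good = mint("alice", "", now + 60, key);
        System.out.println(verify(good, key, now)[0]);                       // alice
        System.out.println(verify(good, key, now + 120));                    // null: expired
        System.out.println(verify(good.replace("alice", "admin"), key, now)); // null: MAC mismatch
    }
}
```

The MAC is checked before the expiry so that an attacker cannot learn anything from the ordering of failures, and the comparison uses MessageDigest.isEqual rather than Arrays.equals to avoid a timing side channel on the signature. Because the interceptor declines requests without the header, placing it first in the list does not lock out users who still need the form login.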
If your custom interceptor does not work correctly during testing, the most likely problem is authentication. In that case an error page is displayed with the following information:
Build Forge Error
Access is denied to the Build Forge console
"Error authenticating:
com.buildforge.services.common.api.APIException - API:
Authentication Error."
Please click here to try the same type of login again
or click here to force a form login (user ID/password).
The two links give you two options for recovery: retry the same type of login, or force a form login with a user ID and password.
The following comments and source excerpts give details about the methods of the ISSOInterceptor interface.
initInterceptor
/**
 * Called when the interceptor is loaded. A map of the configuration
 * properties is passed to this method. You can create the configuration
 * properties from a Build Forge Environment and associate it with the
 * SSO configuration.
 *
 * @param initializationProps used to configure the implementation
 * @return true if successful, false if an error should be reported
 * @throws SSOException if the initialization fails
 **/
public boolean initInterceptor(Properties initializationProps) throws SSOException;
isTargetInterceptor
/**
 * Reviews the attributes in the requestAttributes map to determine whether
 * there is something this interceptor should act on. If it returns true, the
 * interceptor is responsible for authenticating the request and its
 * authenticateRequest method is invoked. If it returns false, this
 * interceptor is skipped and isTargetInterceptor is called on the next
 * interceptor in the list. The order of the interceptors in the
 * configuration determines which one gets the first chance to
 * authenticate a request.
 *
 * @param requestAttributes attributes found in the inbound request
 * @return true if this interceptor will authenticate the request,
 *         false if it will not
 * @throws SSOException
 **/
public boolean isTargetInterceptor(Request requestAttributes) throws SSOException;
authenticateRequest
/**
 * Called on the interceptor that returned true from isTargetInterceptor.
 * The Request contains the data used to perform the authentication. The
 * Response is for the interceptor to send information back to the client.
 * If the status code is 200, the returned Result contains the following:
 *
 * OID: an object identifier of the SecurityContext that can process the
 *      token information stored in this map when going to an Agent.
 * Domain: a valid BF domain name, or <default> if not known
 *      (the username must be valid in the configured realm).
 * Username: a valid BF username. It is used to look up the BFUser
 *      attributes that are checked against the authorization policy.
 * @see com.buildforge.services.common.security.context.Result
 *
 * @param requestAttributes attributes found in the inbound request
 * @param responseAttributes sent back in the outbound response
 * @return com.buildforge.services.common.security.context.Result - result
 *         information that tells BF how to handle the authentication request
 * @throws com.buildforge.services.server.sso.SSOException
 **/
public Result authenticateRequest(
        Request requestAttributes,
        Response responseAttributes)
        throws SSOException;
logoutRequest
/**
 * Called to log out a request. The first interceptor that returns true
 * from isTargetInterceptor performs the logout. Its main job is to clean
 * up any user-related security information that should not be kept. The
 * interceptor can inspect the request and response objects to determine
 * what needs to be removed.
 *
 * @param requestAttributes attributes found in the inbound request
 * @param responseAttributes sent back in the outbound response
 * @return boolean - true if the request is redirected to the exit page,
 *         false if it is redirected to the login page
 * @throws com.buildforge.services.server.sso.SSOException
 **/
public boolean logoutRequest(
        Request requestAttributes,
        Response responseAttributes)
        throws SSOException;