Saturday, January 30. 2010
OpenSSO Reverse Proxy Extension (Part I)
This time I have been playing with another Sun (AKA Oracle) product: OpenSSO. The goal of Open Web Single Sign-On is to provide an extensible foundation for an identity services infrastructure in the public domain, facilitating single sign-on (SSO) for web applications hosted on web and application servers.
OpenSSO is a web framework. Single sign-on can be achieved in any web application with any programming language: a Java SDK, J2EE agents, web agents and many other techniques or extensions are available. Nevertheless, the applications need to use the framework explicitly, and SSO cannot be accomplished transparently. Small modifications are always needed to integrate legacy web applications.
Other SSO software products usually have a password replay feature, which consists of the ability to replay (resend) the password to these legacy applications. Historically, the absence of password replay has been a weakness of OpenSSO against other products like IBM Tivoli Access Manager.
In the roadmap to OpenSSO 8.1 a Reverse Proxy with Password Replay was announced. The title was accompanied by a short description: "Our reverse proxy is being rewritten as a 100% Java proxy that also has the ability to capture and replay passwords for web applications not protected by your single sign-on solution. In short, this will allow Enterprise Single Sign-on (screen scraping) functionality for web applications. Applications that are not protected by OpenSSO can use password replay to do simple password capture and authentication". Theoretically this brand new feature is about to appear in Express Build 9. As I am a little impatient, I searched through the code and found a new extension called proxy three months ago. These days I have been testing its progress and I am going to present the first of a three-post series about this topic.
The reverse proxy solution is a Java servlet application that uses Apache HttpCore components to build the necessary HTTP services between client and server. The servlet can have filters that change the information travelling from the client to the server and vice versa. There are filters to manage cookies (CookieFilter), headers (HeaderFilter) or to handle Basic Authentication (HttpBasicAuthFilter). The other basic idea is a PasswordCredentialSource interface to obtain the username/password pair from some source.
My first goal was to install a web server protected with Basic Authentication and use the OpenSSO proxy extension to bypass the login with a static (hardcoded) username and password. All of this is already done as a sample inside the proxy code (BasicAuthProxy.java).
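As an added illustration (not code from the proxy extension), the following self-contained Java program shows what a Basic Auth replay filter has to do: detect the upstream 401 challenge, take the username/password from a credential source (the role PasswordCredentialSource plays in the extension) and build the Authorization header for the retried request. The class and method names, the realm check and the sample realm and credentials are my own assumptions, not the extension's API.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

public class BasicAuthReplayDemo {
    /** Stand-in for the extension's PasswordCredentialSource: hands out one username/password pair. */
    interface CredentialSource {
        String username();
        String password();
    }

    /** Hardcoded pair, the role StaticCredentialSource plays in the sample servlet. */
    static CredentialSource staticSource(String user, String pass) {
        return new CredentialSource() {
            public String username() { return user; }
            public String password() { return pass; }
        };
    }

    /** Returns the realm when the upstream reply is a Basic challenge, otherwise null. */
    static String basicRealm(int status, Map<String, String> headers) {
        String challenge = headers.get("WWW-Authenticate");
        if (status != 401 || challenge == null || !challenge.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        int start = challenge.indexOf("realm=\"");
        if (start < 0) return "";
        int end = challenge.indexOf('"', start + 7);
        return end < 0 ? "" : challenge.substring(start + 7, end);
    }

    /** The Authorization header the filter adds when it retries the request upstream. */
    static String authorizationHeader(CredentialSource src) {
        String pair = src.username() + ":" + src.password();
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    /** Replay only to the realm the proxy was configured for, so a stray challenge never gets the password. */
    static String replayFor(int status, Map<String, String> headers, String expectedRealm, CredentialSource src) {
        String realm = basicRealm(status, headers);
        return (realm != null && realm.equals(expectedRealm)) ? authorizationHeader(src) : null;
    }

    public static void main(String[] args) {
        CredentialSource src = staticSource("ricky", "secret");   // constructed sample credentials
        Map<String, String> reply = Map.of("WWW-Authenticate", "Basic realm=\"Solaris web\"");
        System.out.println(replayFor(401, reply, "Solaris web", src));
        System.out.println(replayFor(401, reply, "other realm", src));
    }
}
```

The first call yields the header the proxy would resend; the second yields null because the challenge comes from a realm the proxy was not configured for.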
First of all I checked out the proxy extension directory:
$ cvs -d :pserver:rickyepoderi@cvs.dev.java.net:/cvs login
$ cvs -d :pserver:rickyepoderi@cvs.dev.java.net:/cvs checkout opensso/extensions/proxy
Then I reorganized the directories, putting all the Java code (core, samples and contribs) together:
com/sun/identity/proxy/auth
com/sun/identity/proxy/contrib/sjsme
com/sun/identity/proxy/contrib/pmwiki
com/sun/identity/proxy/contrib/sjsce
com/sun/identity/proxy/contrib/mediawiki
com/sun/identity/proxy/http
com/sun/identity/proxy/util
com/sun/identity/proxy/handler
com/sun/identity/proxy/sample
com/sun/identity/proxy/sample/basicauth
com/sun/identity/proxy/sample/simple
com/sun/identity/proxy/io
com/sun/identity/proxy/servlet
com/sun/identity/proxy/filter
com/sun/identity/proxy/client
Then I created a new Web Application project in NetBeans using Tomcat 6.0.20 as the web container. The web.xml was copied from the basic auth sample:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <display-name>Basic Auth Proxy</display-name>
    <servlet>
        <servlet-name>proxy</servlet-name>
        <servlet-class>com.sun.identity.proxy.sample.basicauth.BasicAuthProxy</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>proxy</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
</web-app>
Finally, the Java servlet was changed to point to my Basic Auth protected web server (installed in a KVM Solaris box):
package com.sun.identity.proxy.sample.basicauth;
import javax.servlet.ServletException;
// Proxy classes: the packages are assumed from the directory layout checked out above
import com.sun.identity.proxy.servlet.SimpleProxyServlet;
import com.sun.identity.proxy.filter.HttpBasicAuthFilter;
import com.sun.identity.proxy.auth.StaticCredentialSource;
import com.sun.identity.proxy.io.TemporaryStorage;
public class BasicAuthProxy extends SimpleProxyServlet {
    @Override
    public void init() throws ServletException {
        // Upstream target: the Basic Auth protected web server on the Solaris box
        init("http", "192.168.122.11", 81);
        // Answer the server's Basic challenge with a fixed (hardcoded) username/password pair
        addFilter(new HttpBasicAuthFilter(
                new StaticCredentialSource("ricky", "kiosko00"),
                new TemporaryStorage()));
    }
}
And it works. If we first access the web server, the basic auth challenge pops up. But if we reopen the browser and access Tomcat directly, the web page appears with no login (the proxy is silently logging me in).
In summary, the proxy extension is clearly at a very early stage: the core is done but there is no integration with OpenSSO. In the next posts I will try to extend the proxy with some OpenSSO functionality.