지금 지원 담당자와 채팅

라이브 도움말 보기
등록 완료

로그인

가격 산정 요청

영업 담당자에게 문의

Single Sign-On for Java 3.3.2 - Administration Guide

콘텐츠 탐색

About this guide

Overview

Introducing Single Sign-on for Java

Introduction to Single Sign-on for Java About Kerberos About Active Directory

Active Directory groups

Group types Group scopes Groups and the log on process Groups and Single Sign-on for Java

Active Directory sites Mappings and objects

Names and mappings

User Principal Names (UPNs) Service Principal Names (SPNs)

Active Directory Objects

Single Sign-on and Active Directory

SPNEGO and Internet Explorer Kerberos delegation extensions

Delegation “trust” in authentication

Delegation options Unconstrained delegation Constrained delegation (S4U2Proxy) Protocol transition (S4U2Self)

How does Single Sign-on for Java work? Example domain

Preparing for Single Sign-on for Java

Pre-Installation overview Network infrastructure

Active Directory environment Domain Name Service (DNS) Time Synchronization Service

Configuring Active Directory for Single Sign-on for Java

Setting up the service account

Setup using Active Directory tools

Creating a service account Kerberos Encryption Types for Active Directory Setting Service Principal Name (SPN) Mappings SPN Mapping and DNS Aliases

Setup with Authentication Services

Authentication Services Authentication Services keytabs vastool Configuring Single Sign-on to use the Authentication Services HOST SPN Configuring Single Sign-on to use an Authentication Services HTTP service principal

Enabling delegation

Delegation configuration in different systems

Windows Server 2003 and Windows Server 2008 delegation

Setting up a Java application server host

Creating keytab files

Setting up a client machine

Operating system Browsers and authentication Setting up Internet Explorer for SSO

Windows integrated authentication NTLM authentication

Deploying Single Sign-on for Java

Getting started with Single Sign-on for Java

Obtaining a license for Single Sign-on for Java HTTP header size limits Configuring the Single Sign-on examples

Single Sign-on for Java and your web applications

Deployment options

Deploying in a web application Deploying on the CLASSPATH Deploying in application server-specific path

Creating a deployment descriptor for SSO

Deploying SSO web components

Configuring the Single Sign-On parameters Building a war file for Single Sign-on for Java

Setting up logging Controlling access to resources

Authorization using Active Directory groups

Java EE authorization model for servlets and JSPs Single Sign-on for Java authorization

Compatibility with standard Java EE deployment descriptors How authorization works in Single Sign-on for Java Declarative security using Single Sign-on for Java Programmatic security Active Directory groups as roles Active Directory principals or groups in other realms or domains

Recommendations for Managing Authorization

Writing access policy files

Overview of policy files Preconditions for writing an XML policy file

Identify the resources to be protected Identify the roles that are to access these resources Disable security constraints in existing deployment descriptor

Creating the policy XML file

Create the policy XML file Create the main body of the policy XML file Define security constraints Define roles Set the deployment descriptor parameters

Policy XML Descriptor Elements

Examples

include exclude user security-constraint web-resource-collection auth-constraint

Security Issues

Basic Recommendations Deployment risks

Service unavailability Time synchronization Replication interruptions Resource security

Client issues with security

Cookies Caching of passwords for basic fallback

SPNEGO/Windows authentication

Lifetime of authentication

Session IDs Active Directory permissions Basic fallback Keytabs and passwords Authorization

Do you need authorization Securing LDAP Using the principle of least privilege

Denial of service

Basic fallback Session state

Auditing NTLM authentication

What is NTLM Different versions of NTLM NTLM and Internet Explorer

Maintenance and Troubleshooting

Logging New users and groups Account settings Network topology changes

Troubleshooting

General Active Directory Browsers

Internet Explorer browsers Non-Internet Explorer browsers

Authentication Keytabs Network connections Credential delegation Debugging

Appendix: Configuration Parameters

Single Sign-on Configuration Parameters System properties

Appendix: Using the JKTools

Tool details jkinit

jkinit examples

jklist examples

jktutil example

Create the main body of the policy XML file

Deploying Single Sign-on for Java > Controlling access to resources > Writing access policy files > Create the main body of the policy XML file

Place all your policy definitions inside <policy> tags:

<policy>

</policy>

Define security constraints

Deploying Single Sign-on for Java > Controlling access to resources > Writing access policy files > Define security constraints

For each set of resources identified, you need to define a <security-constraint> that maps these resources to the roles you wish to allow access.

For example:

<security-constraint>

<web-resource-collection>

<web-resource-name>Customer files</web-resource-name>

<description>

Resources that may be accessed by customers

</description>

<url-pattern>/customer/*</url-pattern>

</web-resource-collection>

<auth-constraint>

<role-name>Customer</role-name>

</auth-constraint>

</security-constraint>

You can define one or more security constraints, and they can map to multiple resources and roles.

Note: If you previously had defined security constraints in your deployment descriptor, you can copy these directly in the policy file.

Define roles

Deploying Single Sign-on for Java > Controlling access to resources > Writing access policy files > Define roles

You have two options for defining roles:

Set the idm.access.groupsAsRoles option in the SSO Servlet/Filter configuration. For each role in a security constraint you should ensure there is a group defined in Active Directory of the same name.
Define one or more <role> elements that map the roles you have specified to Active Directory groups/principals.

Either option can be used, however we recommend defining the roles directly in the policy file if you are using programmatic security. See Single Sign-on for Java authorization. This allows group membership to be resolved by querying Active Directory at load time rather than at run time.

If you are using the idm.access.groupsAsRoles option, we recommend defining Domain Local groups specific to your application in the same domain as the application server.

To define a role mapping to Active Directory groups using the role element, do the following:

<role name="Customer">

<include>

<group name="My Application Customers"/>

</include>

</role>

Note: Group names are case-sensitive.

More examples are given for the role element on Examples.

Set the deployment descriptor parameters

Deploying Single Sign-on for Java > Controlling access to resources > Writing access policy files > Set the deployment descriptor parameters

Edit the deployment descriptor (web.xml) file using either a standard text editor, or a tool supplied by your application server vendor. Add the following parameters to your SSO Servlet/Filter configuration:

<init-param>

<param-name>idm.access.policy</param-name>

<param-value>policy.xml</param-value>

</init-param>

Where policy.xml is replaced with the name of your policy file.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택

© ALL RIGHTS RESERVED. Feedback 이용 약관 개인정보 보호정책 Cookie Preference Center