Configuring the OAM Security Provider
The OAM Security Provider is implemented by the OAMAuthenticatorSAM class.
You configure the OAM Security Provider as a message-security-provider (an interception point at the HttpServlet layer),
either through the Administration Console or with the create-message-security-provider command.
The following message-security-provider syntax configures an OAM Security Provider:
<message-security-config auth-layer="HttpServlet">
    <provider-config provider-type="server" provider-id="MySAM"
                     class-name="com.sun.glassfish.oamsam.OAMAuthenticatorSAM">
        <property name="oam.resource.hostid.variation"
                  value="your-host-system.com" />
        <!--property name="form.login.page" value="" /-->
    </provider-config>
</message-security-config>
You must set the provider id to a unique value. The class name must be
com.sun.glassfish.oamsam.OAMAuthenticatorSAM.
You can optionally set the properties shown in Table 7-2 for the OAM Security Provider.
Table 7-2 OAM Security Provider Properties

Property | Description
APPSERVER_SSL_MUTUAL_AUTH_PORT | Option to the SAM indicating the SSL mutual authentication port for the Application Server.
APPSERVER_SSL_PORT | Option to the SAM indicating the SSL port for the Application Server.
cookie.httponly | Option to the SAM indicating whether the httponly flag of the ORA_GF_ObSSOCookie should be set.
cookie.path | Option to the SAM indicating the value of the path parameter of the ORA_GF_ObSSOCookie. By default the path parameter is not set.
cookie.secure | Option to the SAM indicating whether the isSecure() bit of the Cookie should be set to true/false when the ORA_GF_ObSSOCookie is created after successful authentication.
error.page | Option to the SAM indicating the custom error page to use for authentication/authorization failures. Must be a path relative to the current context root, and must begin with a "/".
form.login.page | Option to the SAM indicating the custom FORM login page to use for FORM-based login. Must be a path relative to the domain's docroot. A default login FORM is used when this option is absent, or when its value is set to "" (empty string) or to the value "default".
oam.auth.cert.param | Option to the SAM indicating the parameter name for the certificate credential passed to create the ObUserSession.
oam.auth.hdr.external | Option to the SAM whose value indicates the name of the request header that contains the UserId/Cookie corresponding to the ObUserSession.
oam.auth.password.param | Option to the SAM indicating the parameter name for the password credential passed to create the ObUserSession.
oam.auth.userid.param | Option to the SAM indicating the parameter name for the username credential passed to create the ObUserSession.
oam.check.resource.access | Option to the SAM indicating whether OAM should also perform the authorization check for the resource. The value is a flag that indicates whether OAM should check (authenticate and authorize) the resource access. By default OAM is only consulted to authenticate any credentials and establish the SSO token. Note - GlassFish Server authorization has the final say as to whether access to the resource is finally allowed, primarily based on the group and principal of the user being in the correct Java EE-defined role to access the resource.
oam.header.type | Option to the SAM indicating whether the external header in the request is to be interpreted as a Cookie or as the User Principal of an authenticated user when the module is acting as an Identity Asserter.
oam.include.port.in.resource | Option to the SAM indicating whether the port number of a request should be used when constructing the request URI for the protected resource whose access is protected by OAM.
oam.include.query.params.in.resource | Option to the SAM indicating whether the query parameters of a request should be used when constructing the request URI for the protected resource whose access is protected by OAM.
oam.obsso.cookie.name | Option to the SAM indicating the name of the ORA_GF_ObSSOCookie to use.
oam.res.access.protocol | Option to the SAM indicating the protocol to be used when creating the resource representation for the protected resource whose access is protected by OAM.
oam.resource.hostid.variation | Option to the SAM indicating the host-id variation to use when constructing the request URI for the protected resource whose access is protected by OAM.
oam.ext.header | Option to the SAM indicating the name of the header to use for identity assertion. This is used by the SAM to find the configured header and to extract the principals. The only allowed value is OAM_REMOTE_USER.
IdentityAsserterMode | Option to the SAM that determines whether the SAM acts as an Identity Asserter. Identity Asserter mode is used when this option is set to true.
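The provider entry above and the property rules in Table 7-2 are easy to get subtly wrong in a hand-edited domain.xml (a duplicated provider-id, a typo in the class name, an error.page without its leading "/", a non-boolean flag value). The following Python script is an added example, not part of the original documentation or of GlassFish; it parses a message-security-config fragment with the standard library and reports every deviation from the constraints stated on this page. The sample fragment it lints is constructed for the example (the second provider-config is deliberately broken) and the severity labels ERROR/WARN are this script's own convention.

```python
"""Lint a GlassFish message-security-config fragment for the OAM Security Provider
against the constraints documented above (HttpServlet layer, unique provider-id,
fixed class-name, and the per-property rules of Table 7-2). Standard library only."""
import xml.etree.ElementTree as ET

OAM_SAM_CLASS = "com.sun.glassfish.oamsam.OAMAuthenticatorSAM"

# Flag-valued options from Table 7-2: anything other than true/false is rejected.
BOOLEAN_PROPS = {
    "cookie.httponly", "cookie.secure", "oam.check.resource.access",
    "oam.include.port.in.resource", "oam.include.query.params.in.resource",
    "IdentityAsserterMode",
}
PORT_PROPS = {"APPSERVER_SSL_PORT", "APPSERVER_SSL_MUTUAL_AUTH_PORT"}
OTHER_PROPS = {
    "cookie.path", "error.page", "form.login.page", "oam.auth.cert.param",
    "oam.auth.hdr.external", "oam.auth.password.param", "oam.auth.userid.param",
    "oam.header.type", "oam.obsso.cookie.name", "oam.res.access.protocol",
    "oam.resource.hostid.variation", "oam.ext.header",
}
KNOWN_PROPS = BOOLEAN_PROPS | PORT_PROPS | OTHER_PROPS


def check_property(provider_id, name, value):
    """Return the findings for one <property>; each is an 'ERROR: ...' or 'WARN: ...' string."""
    where = f"[{provider_id}] {name}={value!r}"
    if name not in KNOWN_PROPS:
        return [f"WARN: {where}: not a documented OAM SAM property"]
    out = []
    if name in BOOLEAN_PROPS:
        if value.lower() not in ("true", "false"):
            out.append(f"ERROR: {where}: expected true or false")
        elif name in ("cookie.secure", "cookie.httponly") and value.lower() == "false":
            # Turning off the SSO cookie's transport/script protection deserves a review.
            out.append(f"WARN: {where}: ORA_GF_ObSSOCookie protection explicitly disabled")
    elif name in PORT_PROPS:
        if not (value.isdigit() and 1 <= int(value) <= 65535):
            out.append(f"ERROR: {where}: expected a TCP port number")
    elif name == "error.page" and not value.startswith("/"):
        out.append(f"ERROR: {where}: must be relative to the context root and begin with '/'")
    elif name == "oam.ext.header" and value != "OAM_REMOTE_USER":
        out.append(f"ERROR: {where}: only OAM_REMOTE_USER is allowed")
    elif name == "form.login.page" and value in ("", "default"):
        out.append(f"WARN: {where}: the default login FORM will be used")
    return out


def lint_oam_provider_config(xml_text):
    """Lint a <message-security-config> fragment and return the list of findings."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "message-security-config":
        return [f"ERROR: root element is <{root.tag}>, expected <message-security-config>"]
    findings = []
    if root.get("auth-layer") != "HttpServlet":
        findings.append(f"ERROR: auth-layer={root.get('auth-layer')!r}; the OAM SAM is an HttpServlet-layer provider")
    seen_ids = set()
    for pc in root.findall("provider-config"):
        pid = pc.get("provider-id") or ""
        if not pid:
            findings.append("ERROR: provider-config without a provider-id")
        elif pid in seen_ids:
            findings.append(f"ERROR: [{pid}] provider-id is not unique")
        seen_ids.add(pid)
        if pc.get("provider-type") != "server":
            findings.append(f"ERROR: [{pid}] provider-type must be server")
        if pc.get("class-name") != OAM_SAM_CLASS:
            findings.append(f"ERROR: [{pid}] class-name must be {OAM_SAM_CLASS}")
        for prop in pc.findall("property"):
            findings.extend(check_property(pid, prop.get("name", ""), prop.get("value", "")))
    return findings


# Constructed sample: the documented entry, followed by a deliberately broken copy of it.
SAMPLE_CONFIG = f"""
<message-security-config auth-layer="HttpServlet">
  <provider-config provider-type="server" provider-id="MySAM" class-name="{OAM_SAM_CLASS}">
    <property name="oam.resource.hostid.variation" value="your-host-system.com"/>
    <property name="cookie.secure" value="true"/>
    <property name="error.page" value="/oamerror.jsp"/>
  </provider-config>
  <provider-config provider-type="server" provider-id="MySAM" class-name="com.example.NotTheOamSAM">
    <property name="error.page" value="oamerror.jsp"/>
    <property name="cookie.httponly" value="false"/>
    <property name="oam.ext.header" value="X-Remote-User"/>
    <property name="APPSERVER_SSL_PORT" value="https"/>
    <property name="oam.unknown.option" value="1"/>
  </provider-config>
</message-security-config>
"""

if __name__ == "__main__":
    for finding in lint_oam_provider_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the first provider-config passes cleanly and the second produces five errors (duplicate provider-id, wrong class-name, error.page without "/", a non-OAM_REMOTE_USER identity-assertion header, a non-numeric SSL port) and two warnings. The same function can be pointed at the message-security-config element extracted from a real domain.xml before the domain is restarted.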