This section provides the following information.
The JBoss Agent is configured and deployed in the JBoss Application Server so that clients can access any J2EE application deployed on that server.
Figure 58-1 illustrates the various clients (whether browser, EJB, or Web service) that can securely access any J2EE application deployed on the JBoss Application Server. The JBoss Agent is configured for this access and is deployed within the JBoss Application Server.
Figure 58-1 Various Clients Deployed on JBoss Application Server
In addition to operating alone, the JBoss Agent can also work in conjunction with an Oracle HTTP Server (proxy) configured with a WebGate.
Figure 58-2 illustrates the topology for the JBoss Agent behind a Web server configured with a WebGate.
Figure 58-2 JBoss Agent Deployed with an Oracle HTTP Server WebGate
Applications are deployed in the JBoss Application Server and protected with the JBoss Agent. Additionally, each request comes through an Oracle HTTP Server instance that is configured with a WebGate. Both the WebGate and the JBoss Agent are configured against the same Access Manager deployment. Here, the JBoss Agent plays the role of an Identity Asserter: it validates the token forwarded by the WebGate and uses the identity established by the WebGate.
Here is the topology for integration between Access Manager and JBoss.
Figure 58-3 illustrates the topology used in this chapter for integration between Access Manager and JBoss.
Figure 58-3 Sample Integration Topology
Details for this deployment are described in "Preparing Your Environment for JBoss 5.x Integration".
The topology in Figure 58-3 supports:
Protecting Web Applications
This use case is application-specific and JBoss-specific. It uses Access Manager SSO with the JBoss Agent and an authorization policy for browsers accessing Web applications on JBoss (with local EJB invocation, if any).
Access Manager (Host 1)
Application hosted on JBoss Application Server (Host 2)
Invoking Secured EJBs using Rich Java Clients
The client can access an EJB in different ways depending on the client architecture, as follows:
Configure the JAAS-compliant Login Module on the JBoss Container to secure access to the EJB. The client can then use a JBoss-specific mechanism to propagate the Access Manager SSO token to the JBoss Container.
The client can either use an Access Manager SSO token it has already obtained, or use the JAAS-compliant Access Manager Login Module to obtain the SSO token based on the user's credentials.
Alternatively, the Access Manager SSO token can be obtained using a custom HTTP Web server-based Access Manager Authentication Service exposed to Rich Java clients.
EJB invocation as a Web Service Provider (WSP)
The JAAS-compliant Access Manager Login Module can be configured on the Web Service Provider side to validate the Username and Password or the SSO Token.
Alternatively, if only the Username is available for Web Services Consumption (WSC), the WSP must require the SAML token issued by the Security Token Service asserting the Username, followed by invocation of the JAAS-compliant Access Manager Login Module with the extra username-only assertion capability.
Secure EJB access using the JAAS-compliant Access Manager Login Module on Host 2
Host the EJB Application on the JBoss server (Host 2)
Access Manager (Host 1)
The remaining sections in this chapter describe how to complete this integration.