Vipul Kaneriya

How to protect java web application hosted on Jboss EAP with CA Single Sign On

Blog Post created by Vipul Kaneriya on Aug 4, 2016

Scenario:

A Java web application is deployed on JBoss EAP on two different boxes with clustering enabled. An Apache web server distributes users' requests across both nodes in round-robin fashion. Now we want to protect the application with CA SiteMinder / CA Single Sign On.

Environment:

JBoss EAP 6.4

Apache 2.2.3

CA Single Sign On SP1 CR05

Central Secure Proxy Server (no separate agent for JBoss)

We all know how to configure the application URL in proxyrules.xml and set up the WebAgent, Realm, Authentication Scheme and the rest through the SiteMinder AdminUI to protect a backend application. The purpose of this article is to describe the configuration required at the Java application end.

Steps:

1) Configure a servlet filter in your application that requires the HTTP request header (SM_USER) set by SiteMinder.

2) Restrict access to the application so that it is reachable only from the SiteMinder IP address(es).

Following these two steps protects you against an internal user bypassing SiteMinder. Without the IP restriction, an internal user can skip SiteMinder entirely and reach the application simply by supplying the HTTP request header (SM_USER) that the servlet filter expects, using a browser extension (e.g. ModHeader for Chrome).

Solution:

1) Configure a servlet filter in your application that requires the HTTP request header (SM_USER) set by SiteMinder.

i] Create the servlet filter SMHeaderfilter.java

package filters;

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class SMHeaderfilter implements Filter {

    private FilterConfig filterConfig;

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {

        HttpServletRequest requestHttp = (HttpServletRequest) request;
        // HTTP header names are case-insensitive, so "sm_user" also matches SM_USER.
        String sm_user = requestHttp.getHeader("sm_user");

        if (sm_user == null) {
            // No SiteMinder identity on the request: it did not come through the SPS.
            throw new ServletException("User cannot be NULL. Please make sure that you login through SiteMinder");
        }

        System.out.println("You have successfully Logged in with SiteMinder UserID : " + sm_user);
        chain.doFilter(request, response);
    }

    public void init(final FilterConfig filterConfig) {
        this.filterConfig = filterConfig;
    }

    public void destroy() {
        filterConfig = null;
    }
}

ii] Compile this Java code and copy the resulting SMHeaderfilter.class into application.war/WEB-INF/classes/filters/

iii] Edit application.war/WEB-INF/web.xml and register the filter for every URL:

<filter>
    <filter-name>SMHeaderfilter</filter-name>
    <filter-class>filters.SMHeaderfilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SMHeaderfilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

2) Restrict access to the application so that it is reachable only from the SiteMinder IP address(es).

i] Create or edit application.war/WEB-INF/jboss-web.xml

<jboss-web>
    <valve>
        <class-name>org.apache.catalina.valves.RemoteAddrValve</class-name>
        <param>
            <param-name>allow</param-name>
            <!-- Enter the SiteMinder SPS server IP(s). The valve matches these values as
                 comma-separated regular expressions, so escape the dots (127\.0\.0\.1)
                 if you want an exact match. -->
            <param-value>127.0.0.1,127.0.0.2</param-value>
        </param>
    </valve>
</jboss-web>

ii] If proxyrules.xml on the SiteMinder SPS points at the Apache URL, you must also restrict the source IP address in Apache, using the mod_authz_host module. Add the restriction under your VirtualHost entry in conf/httpd.conf and conf.d/ssl.conf, as in the example below:

<VirtualHost ServerHostname:Port>
    ServerAdmin ……..
    DocumentRoot ……..
    <Location />
        Order deny,allow
        Deny from all
        # Enter the SiteMinder SPS server IP(s); "Allow from" takes a space-separated list, not commas
        Allow from 127.0.0.1 127.0.0.2
    </Location>
</VirtualHost>

Now the only way to reach the application is through SiteMinder, and we can be confident that the SiteMinder request headers cannot be tampered with by a client that bypasses it.
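As an added example that is not part of the original post, the following stricter variant of the filter puts both steps into code: it accepts SM_USER only when the TCP peer address is on an allow-list supplied as a filter init-param, and it answers 403 / 401 instead of throwing a ServletException, which JBoss would otherwise turn into a 500 error page. The class name SMHeaderFilterStrict, the init-param name trustedProxies and the request attribute sm.user are assumptions of this example, not SiteMinder or JBoss settings. Note that when Apache fronts JBoss, getRemoteAddr() returns the Apache node's address rather than the SPS, which is why the Apache restriction in step 2 ii] is still required.

```java
package filters;

import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example hardened variant of SMHeaderfilter (not the original post's code).
 * SM_USER is trusted only when the request arrives from an address listed in
 * the "trustedProxies" init-param (an assumed name chosen for this example).
 */
public class SMHeaderFilterStrict implements Filter {

    private static final String USER_HEADER = "SM_USER";
    private Set<String> trustedProxies = Collections.emptySet();

    public void init(FilterConfig config) throws ServletException {
        // Comma-separated addresses allowed to present SM_USER: the SPS itself,
        // or the Apache node that fronts JBoss.
        String raw = config.getInitParameter("trustedProxies");
        if (raw == null || raw.trim().isEmpty()) {
            throw new ServletException("trustedProxies init-param is required");
        }
        Set<String> set = new HashSet<String>();
        for (String ip : raw.split(",")) {
            if (!ip.trim().isEmpty()) {
                set.add(ip.trim());
            }
        }
        trustedProxies = Collections.unmodifiableSet(set);
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // getRemoteAddr() is the TCP peer (the SPS or the Apache reverse proxy).
        // It is not taken from any header, so a browser extension cannot forge it
        // the way it can forge SM_USER.
        String peer = req.getRemoteAddr();
        if (!isTrusted(peer)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Direct access is not allowed");
            return;
        }

        String smUser = req.getHeader(USER_HEADER);
        if (!isValidUser(smUser)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Please log in through SiteMinder");
            return;
        }

        // Hand the identity to the application so it never re-reads the raw header.
        req.setAttribute("sm.user", smUser);
        chain.doFilter(request, response);
    }

    boolean isTrusted(String remoteAddr) {
        return remoteAddr != null && trustedProxies.contains(remoteAddr);
    }

    /** Accept only a plausible user id: non-empty and free of control characters. */
    static boolean isValidUser(String value) {
        if (value == null || value.trim().isEmpty()) {
            return false;
        }
        for (int i = 0; i < value.length(); i++) {
            if (Character.isISOControl(value.charAt(i))) {
                return false;
            }
        }
        return true;
    }

    public void destroy() {
        trustedProxies = Collections.emptySet();
    }
}
```

Register it in web.xml exactly like the original filter, adding an init-param element with param-name trustedProxies and the SPS (or Apache) IP addresses as its param-value. The RemoteAddrValve and the Apache restriction remain in place; this filter only refuses to trust SM_USER if either of them is missing or misconfigured.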
