Tomcat Policy Agent communication with server

This topic contains 3 replies, has 2 voices, and was last updated by  nishant.chauhan 1 week, 1 day ago.

    #19928
     h.sepers@portbase.com 
    Participant

    Hi,

    Our web applications run on tomcat servers and are protected by tomcat policy agents filters.
    I would like to know what communication takes place between the tomcat policy agent and the server while performing ‘sso only’ authentication.

    – Does the agent make a rest call to the server to validate the cookie from its filter.
    – Or does the agent make a direct call to the Ldap user store to authenticate the user.
    – What kind of caching is performed by the agent.
    – Can someone point me to the agent code where these events are performed.

    Greetings,
    Huub

    #19946
     nishant.chauhan 
    Participant

    Hi Huub,

    I hope this may help; it is just an overview of how it works.

    – Does the agent make a rest call to the server to validate the cookie from its filter.
    – Or does the agent make a direct call to the Ldap user store to authenticate the user.
    – What kind of caching is performed by the agent.

    1. The user wants to access the web application and the request is sent to the policy agent.
    
    2. The policy agent checks that the user is not authenticated and the request does not have a valid Token ID in its cookie.
    
    3. The request is therefore redirected to OpenAM. OpenAM checks its database (Data store/LDAP/OpenDJ) for user details 
       and assigns a token ID for authentication. This token ID is stored in a cookie so that it can be used for 
       authentication as long as the session is valid.
    
    4. The request, along with the cookie containing the token ID, is then sent back to the policy agent. The user doesn't know 
       what is going on in the backend.
    
    5. The policy agent verifies this token ID with OpenAM. After successful verification, the user is able to access the web 
       page.

    – Can someone point me to the agent code where these events are performed.

    I am not sure which code you are looking for; as per my understanding these could be the locations to check out.
    
    1. (Optional) If you choose not to let the installer install a global filter in Tomcat's web.xml, then you must add the filter manually for each protected application's web.xml configuration, following the opening <web-app> tag. The file for the sample application delivered with the agent is /path/to/j2ee_agents/tomcat_v6_agent/sampleapp/etc/web.xml.
    
    <filter>
      <filter-name>Agent</filter-name>
      <display-name>Agent</display-name>
      <description>OpenAM Policy Agent Filter</description>
      <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>Agent</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>INCLUDE</dispatcher>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>ERROR</dispatcher>
    </filter-mapping>
    
    2. Here is the agentapp.war that needs to be placed in webapps:
    cp /path/to/j2ee_agents/tomcat_v6_agent/etc/agentapp.war /path/to/tomcat/webapps/
    
    3. Here you can check the logs of the Agent:
    /path/to/j2ee_agents/tomcat_v6_agent/Agent_001/logs/debug/debug.out

    Please let me know if you need more information regarding the same.

    Thanks,
    Nishant
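
A stand-alone model of the five steps above (cookie check, redirect to OpenAM, verification of the token ID with OpenAM, and a local cache of positive verifications), added here as an illustration; it is not the agent's own code and does not claim to show the real agent-to-OpenAM protocol. The cookie name iPlanetDirectoryPro, the /UI/Login?goto= redirect form, the in-memory OpenAM stand-in and the cache TTL are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import quote

SESSION_COOKIE = "iPlanetDirectoryPro"  # OpenAM's default session cookie (assumed; the thread does not name it)

@dataclass
class Decision:
    action: str                      # "allow" or "redirect"
    location: Optional[str] = None   # redirect target (step 3)
    principal: Optional[str] = None  # identity OpenAM vouched for (step 5)
    from_cache: bool = False         # True when no round trip to OpenAM was needed
@dataclass
class AgentFilter:
    openam_url: str
    validate: Callable[[str], Optional[str]]  # token -> principal, or None if OpenAM rejects it
    cache_ttl: float = 180.0                  # seconds a positive validation is trusted locally
    _cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def handle(self, request_url: str, cookies: Dict[str, str], now: float) -> Decision:
        token = cookies.get(SESSION_COOKIE)
        if not token:                         # step 2: no token in the cookie
            return self._redirect(request_url)
        hit = self._cache.get(token)
        if hit and hit[1] > now:              # fresh cache entry: skip the call to OpenAM
            return Decision("allow", principal=hit[0], from_cache=True)
        principal = self.validate(token)      # step 5: ask OpenAM whether the token is valid
        if principal is None:
            self._cache.pop(token, None)      # never keep a rejected token cached
            return self._redirect(request_url)
        self._cache[token] = (principal, now + self.cache_ttl)
        return Decision("allow", principal=principal)

    def _redirect(self, request_url: str) -> Decision:
        # step 3: send the browser to OpenAM's login; "goto" (assumed name) carries the original URL back
        return Decision("redirect", location=f"{self.openam_url}/UI/Login?goto={quote(request_url, safe='')}")

VALID_SESSIONS = {"AQIC-constructed-sample-token": "huub"}  # constructed stand-in for OpenAM's session store

def demo_flow(cache_ttl: float = 60.0):
    agent = AgentFilter("https://openam.example.com/openam", VALID_SESSIONS.get, cache_ttl)
    url = "https://app.example.com/sampleapp/index.jsp"
    good = {SESSION_COOKIE: "AQIC-constructed-sample-token"}
    return [
        agent.handle(url, {}, now=0),                          # no cookie -> redirect to OpenAM
        agent.handle(url, good, now=1),                        # OpenAM validates -> allow
        agent.handle(url, good, now=2),                        # answered from the agent cache
        agent.handle(url, good, now=cache_ttl + 2),            # cache expired -> revalidated with OpenAM
        agent.handle(url, {SESSION_COOKIE: "bogus"}, now=70),  # unknown token -> redirect
    ]
```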

    #19965
     h.sepers@portbase.com 
    Participant

    Nishant,

    Thanks for your answer.

    I am, however, still looking for more detail:

    5. Policy agent verifies this token ID with OpenAM. After successful verification, user is able to access the web
    page.

    How does the agent verify the token ID with OpenAM? Does it make a rest call (or other) to the server?
    I have scanned the agent code but could not find any code which communicates with the server.

    Thanks,
    Huub

    #19984
     nishant.chauhan 
    Participant

    Hi Huub,

    Thanks for the response, now I know what you may be looking for.

    *The only problem is, this J2EE Agent only contains the binaries, not the source code, so you won't be able to find the code in your J2EE Agent/OpenAM, though I could give you an idea of how it works.

    Let's start from where the code starts looking for authentication!

    1. It starts with looking for the filter, which could be in the Tomcat global web.xml or
    in the application-specific web.xml, and that filter code is below.

    <filter>
      <filter-name>Agent</filter-name>
      <display-name>Agent</display-name>
      <description>OpenAM Policy Agent Filter</description>
      <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>Agent</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>INCLUDE</dispatcher>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>ERROR</dispatcher>
    </filter-mapping>

    2. You can see the “filter-class” in the above code, com.sun.identity.agents.filter.AmAgentFilter,
    and here is a link to the source code of this class:

    Source Code of “filter-class”

    3. Inside the above source code of the “filter-class” it imports the class
    com.sun.identity.agents.arch.AgentConfiguration, and here is the source code of this class:

    Source Code of “Agent Configuration”

    4. Inside the above source code of “Agent Configuration” it reads the agent bootstrap configuration file called
    OpenSSOAgentBootstrap.properties to get the agent startup configuration, which includes the OpenSSO server
    information and the agent user credential, and also exchanges the Token ID.

    Refer to:
    OpenAM License

    Please let me know if it is helpful or more info is needed.

    Thanks,
    Nishant


©2017 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
