Figure shows that it is possible to deploy a custom Java bean that extends the OOTB beans. In the example shown, the HPPSO_iwa_preAuthenticationFilter bean extends the standard IWA-based preAuthenticationFilter.
We often deploy this custom bean because it allows keeping the domain value of the authenticated user. By default, the preAuthenticationFilter removes the domain value and only keeps the userid to match against an HPSM operator record.
Some customers have duplicate userids across their domains and want to keep the domain to ensure the right person gets the right login profile. The HPPSO_iwa_preAuthenticationFilter allows us to keep the domain value.
Make sure the ‘preAuthenticationFilter’ is removed from the filter string and replaced with
Additionally, you need to specify the custom bean definition. You can add it in front of the OOTB preAuthenticationFilter definition:
When you enable debugInfo, additional information is written to the log file you have defined in log4j.properties.
.war\WEB-INF\classes\com\hp\ov\cwc\security\acegi. The security and acegi subfolders do not exist by default. You need to create them yourself.
// written by HP PSO - Bruno De Graeve
// requested by HP - Bruno De Graeve
// 20101025
// mainly used to convert the case (upper or lower) of the request.getRemoteUser value
// it is also possible to keep the user's domain in front of the userid, joined by a configurable separator
// example: itsm-falcon instead of falcon
package com.hp.ov.cwc.security.acegi;

import javax.servlet.http.HttpServletRequest;
import org.apache.log4j.Logger;

// Within the public class, you define which part of the PreAuthenticationFilter
// you want to replace and how to replace it by overriding the method.
// PreAuthenticationFilter and CredentialProvider are the OOTB classes in this same package, so
// no import is needed. The keepDomain and credentialProvider fields used below are assumed to be
// the inherited (protected) fields of PreAuthenticationFilter; keepDomain is set by the OOTB setter
// from application-context.xml.
public class HPPSO_iwa_preAuthenticationFilter extends PreAuthenticationFilter
{
    // Declaration of private class variables (injected by Spring through the setters at the end of the class)
    private String conversionType;   // The conversion type for the username (lowercase, uppercase, or empty for no conversion)
    private String debugInfo;        // Enable or disable debugging info ("true" or "false")
    private String domainSeparator;  // Character(s) placed between the concatenated domain and userid

    // improve debug information printing
    static Logger logger = Logger.getLogger(HPPSO_iwa_preAuthenticationFilter.class.getName());

    public void PrintDebug(String DebugInfoString)
    {
        // print in the log file defined in log4j.properties
        java.text.DateFormat dateFormat = new java.text.SimpleDateFormat("MMM dd, yyyy HH:mm:ss z");
        java.util.Date date = new java.util.Date();
        // logger.info: will write debug info even if "info" is defined in log4j.properties
        logger.info(dateFormat.format(date) + " *** HPPSOiwaHeaderPreAuthenticationFilter - " + DebugInfoString);
        // make also a print in the web application stdout log file
        //System.out.println(dateFormat.format(date) + " *** HPPSOiwaHeaderPreAuthenticationFilter - " + DebugInfoString);
    }

    // True only when debugInfo was set to "true" in application-context.xml.
    // Null-safe on purpose: debugInfo.equals("true") threw a NullPointerException on the first login
    // whenever the debugInfo property was left out of the bean definition.
    private boolean isDebug()
    {
        return "true".equals(debugInfo);
    }

    // Constructor
    public HPPSO_iwa_preAuthenticationFilter()
    {
        // Default values
        conversionType = null;
        debugInfo = null;
        domainSeparator = null;
        keepDomain = false;
        credentialProvider = null;
    }

    // Overrule the getAuthenticatedUsername function of the PreAuthenticationFilter & HttpHeaderPreAuthenticationFilter class.
    // This way, we can change the return value without the need of recompiling the original source files.
    protected String getAuthenticatedUsername(HttpServletRequest httpservletrequest)
    {
        String username = null;
        String userid = null;
        String domain = null;
        // The provider's username is read once; the original called getUserName() twice in the condition.
        String providerUser = (credentialProvider == null) ? null : credentialProvider.getUserName(httpservletrequest);
        // Fall back to REMOTE_USER when no credential provider is configured or the provider returns an empty name;
        // the parentheses make the original precedence (&& before ||) explicit.
        if(credentialProvider == null || (providerUser != null && providerUser.equals("")))
        {
            // Get the username (DOMAIN\\userid) from the HTTP header, using the getRemoteUser function to grab the REMOTE_USER variable value.
            String remote_user = httpservletrequest.getRemoteUser();
            username = remote_user;
            if(isDebug())
            {
                PrintDebug("START DEBUG ****************** ");
                PrintDebug("keepDomain: " + keepDomain);
                PrintDebug("debugInfo: " + debugInfo);
                PrintDebug("conversionType: " + conversionType);
                PrintDebug("Remote User: " + remote_user);
                PrintDebug("Username before conversion: " + username);
            }
            if(username != null)
            {
                if(username.length() == 0)
                {
                    username = null;
                }
                else if(!keepDomain)
                {
                    // keepDomain = false in application-context.xml by default: the domain is stripped from the userid string.
                    // This is the default behaviour since HPSM doesn't accept userids containing a prefix such as DOMAIN\
                    // (indexOf returns -1 when there is no backslash, so a plain userid passes through unchanged).
                    int i = username.indexOf('\\');
                    username = username.substring(i + 1);
                    if(isDebug())
                    {
                        PrintDebug("keepDomain = false : Operator ID is : " + username);
                    }
                }
                else
                {
                    // keepDomain = true in application-context.xml: keep the domain id.
                    // HP Service Manager doesn't accept backslashes in operator ids, so DOMAIN\\userid becomes
                    // domain + domainSeparator + userid (for example domain.userid or domain/userid).
                    int i = username.indexOf('\\');
                    if(i >= 0)
                    {
                        // the domain is everything before the first backslash, the userid everything after it
                        // (the original mixed lastIndexOf and indexOf, which disagree when the value holds several backslashes)
                        domain = username.substring(0, i);
                        userid = username.substring(i + 1);
                        // an unset domainSeparator would otherwise be concatenated as the literal text "null"
                        String separator = (domainSeparator == null) ? "" : domainSeparator;
                        username = domain + separator + userid;
                    }
                    // a REMOTE_USER without a backslash carries no domain and is left unchanged
                    // (substring(0, -1) threw a StringIndexOutOfBoundsException here in the original)
                    if(isDebug())
                    {
                        PrintDebug("keepDomain = true : domain is : " + domain);
                        PrintDebug("keepDomain = true : domainSeparator is : " + domainSeparator);
                        PrintDebug("keepDomain = true : userid is : " + userid);
                        PrintDebug("keepDomain = true : Converted Operator ID is : " + username);
                    }
                }
                // check if conversion to uppercase or lowercase is necessary (null-safe, and only on a non-null username).
                if(username != null && "lowercase".equals(conversionType))
                {
                    username = username.toLowerCase();
                }
                if(username != null && "uppercase".equals(conversionType))
                {
                    username = username.toUpperCase();
                }
            }
        }
        else
        {
            username = providerUser;
        }
        // return the parameter of type String.
        if(isDebug())
        {
            PrintDebug("HP Service Manager Operator ID after Domain and Case Conversion: " + username);
            PrintDebug("END DEBUG ****************** ");
        }
        return username;
    }

    public void setCredentialProvider(CredentialProvider credentialprovider)
    {
        credentialProvider = credentialprovider;
    }

    ///////////////////////////////////////////////////////////////////
    ////////////////// parameters found in application-context.xml
    ///////////////////////////////////////////////////////////////////

    // GETTER for the conversion type
    public String getConversionType()
    {
        return conversionType;
    }

    // SETTER for the conversion type. This runs when the bean is created. Value comes from application-context.xml file.
    public void setConversionType(String key)
    {
        conversionType = key;
    }

    // GETTER for the debug info
    public String getDebugInfo()
    {
        return debugInfo;
    }

    // SETTER for the Debug Info. Accepts true/True/TRUE and normalises everything else (including null) to "false".
    public void setDebugInfo(String key)
    {
        if(key != null && key.equalsIgnoreCase("true"))
        {
            debugInfo = "true";
        }
        else
        {
            debugInfo = "false";
        }
    }

    // GETTER for the domainSeparator
    public String getDomainSeparator()
    {
        return domainSeparator;
    }

    // SETTER for the domainSeparator. This runs when the bean is created. Value comes from application-context.xml file
    // (JavaBeans property name "domainSeparator", as used in the bean definition).
    public void setDomainSeparator(String key)
    {
        domainSeparator = key;
    }
}
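The mapping the bean applies to REMOTE_USER is small enough to reason about outside the web tier. The following Python script is an added example, not part of this document or of the HP code above: it mirrors the bean's three settings (keepDomain, domainSeparator, conversionType) and then groups a constructed list of REMOTE_USER values by the operator id they produce, so you can see which Windows accounts would collapse onto one HPSM operator record before changing the configuration. The domain OTHER and the account names other than CCRM\falcon are made up for the example.

```python
"""Mirror of the HPPSO_iwa_preAuthenticationFilter operator-id mapping, plus a collision check.
Added example; the function names and the sample accounts are this script's own."""
from collections import defaultdict


def map_operator_id(remote_user, keep_domain=False, domain_separator="/", conversion_type=""):
    """Return the HP Service Manager operator id the bean derives from a REMOTE_USER value.

    keep_domain=False (the OOTB behaviour) strips DOMAIN\\ and keeps the userid;
    keep_domain=True rewrites DOMAIN\\userid as domain + domain_separator + userid.
    conversion_type "lowercase"/"uppercase" is applied afterwards; anything else leaves the case alone.
    None and "" mean "no pre-authenticated user" and map to None.
    """
    if not remote_user:
        return None
    domain, backslash, userid = remote_user.partition("\\")
    if not backslash:
        username = remote_user            # no backslash: REMOTE_USER carried no domain at all
    elif not keep_domain:
        username = userid                 # domain stripped, the HPSM default
    else:
        username = domain + domain_separator + userid
    if conversion_type == "lowercase":
        username = username.lower()
    elif conversion_type == "uppercase":
        username = username.upper()
    return username


def find_collisions(remote_users, **options):
    """Group REMOTE_USER strings by the operator id they map to under the given options and
    return only the groups where more than one distinct REMOTE_USER string shares an operator id.

    A group with accounts from different domains means those users would share one HPSM login
    profile; a group that only differs in letter case is the same Windows account seen twice
    (AD names are case-insensitive), which a case conversion is meant to fold together.
    """
    groups = defaultdict(set)
    for remote_user in remote_users:
        operator_id = map_operator_id(remote_user, **options)
        if operator_id is not None:
            groups[operator_id].add(remote_user)
    return {op: sorted(users) for op, users in groups.items() if len(users) > 1}


# Constructed sample: "falcon" exists in two domains, "Admin" is seen in two casings,
# and one value has no domain prefix at all.
SAMPLE_REMOTE_USERS = ["CCRM\\falcon", "OTHER\\falcon", "CCRM\\Admin", "ccrm\\admin", "svc-account"]

if __name__ == "__main__":
    print("OOTB, domain stripped:      ", find_collisions(SAMPLE_REMOTE_USERS))
    print("keepDomain, separator '/':  ", find_collisions(SAMPLE_REMOTE_USERS, keep_domain=True))
    print("keepDomain + lowercase:     ",
          find_collisions(SAMPLE_REMOTE_USERS, keep_domain=True, conversion_type="lowercase"))
```

Run it with the REMOTE_USER values your IIS front end actually delivers (for instance the "Remote User" lines from the debug log) to check whether the domain-stripping default is safe for your forest or whether keepDomain is needed.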
4.3 Screen shots
4.3.1 Logging
When SSO with the custom bean works, the settings described above produce this result in the GUI.
Figure : logged in HPSM as DOMAIN/userid
When debugInfo is enabled, you get this kind of information in the HPSM web log file (defined in log4j.properties):
20/04/2012 14:33:11,0021 INFO ajp-bio-8889-exec-3 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:33:11 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - START DEBUG ******************
20/04/2012 14:33:11,0021 INFO ajp-bio-8889-exec-3 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:33:11 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - keepDomain: true
20/04/2012 14:33:11,0021 INFO ajp-bio-8889-exec-3 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:33:11 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - debugInfo: true
20/04/2012 14:33:11,0021 INFO ajp-bio-8889-exec-3 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:33:11 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - conversionType:
20/04/2012 14:33:11,0021 INFO ajp-bio-8889-exec-3 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:33:11 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - Remote User: CCRM\falcon
20/04/2012 14:33:11,0022 INFO ajp-bio-8889-exec-3 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:33:11 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - Username before conversion: CCRM\falcon
20/04/2012 14:33:11,0022 INFO ajp-bio-8889-exec-3 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:33:11 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - keepDomain = true : domain is : CCRM
20/04/2012 14:33:11,0022 INFO ajp-bio-8889-exec-3 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:33:11 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - keepDomain = true : domainSeparator is : /
20/04/2012 14:33:11,0022 INFO ajp-bio-8889-exec-3 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:33:11 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - keepDomain = true : userid is : falcon
20/04/2012 14:33:11,0022 INFO ajp-bio-8889-exec-3 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:33:11 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - keepDomain = true : Converted Operator ID is : CCRM/falcon
20/04/2012 14:33:11,0023 INFO ajp-bio-8889-exec-3 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:33:11 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - HP Service Manager Operator ID after Domain and Case Conversion: CCRM/falcon
20/04/2012 14:33:11,0023 INFO ajp-bio-8889-exec-3 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:33:11 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - END DEBUG ******************
20/04/2012 14:33:12,0049 INFO ajp-bio-8889-exec-1 com.hp.ov.sm.client.webtier.SCLogging - Apr 20, 2012 14:33:12 CEST [INFO] MODE: cwc/index.jsp
20/04/2012 14:33:12,0079 INFO ajp-bio-8889-exec-1 com.hp.ov.sm.client.webtier.SCLogging - Apr 20, 2012 14:33:12 CEST [INFO] Setting ssl.enforced because the server requires SSL
20/04/2012 14:33:12,0080 INFO ajp-bio-8889-exec-1 com.hp.ov.sm.client.webtier.SCLogging - Apr 20, 2012 14:33:12 CEST [INFO] Activating SSL in the WebClient
20/04/2012 14:33:14,0355 INFO ajp-bio-8889-exec-1 com.hp.ov.sm.client.webtier.SCLogging - Apr 20, 2012 14:33:14 CEST [INFO] Connecting with preauthenticated user: CCRM/falcon
20/04/2012 14:33:14,0445 INFO ajp-bio-8889-exec-1 com.hp.ov.sm.client.webtier.SCLogging - Apr 20, 2012 14:33:14 CEST [INFO] SOAP connection established with server at https://W2K8R2X64CCRM.CCRM.BEL.HP:13481/SM/ui
In the sm.log file it will look like:
6880( 6232) 04/20/2012 14:33:12 RTE I Language en is valid
6880( 6232) 04/20/2012 14:33:12 RTE I Set trusted sign-on login user to CCRM/falcon
6880( 6232) 04/20/2012 14:33:12 RTE I SOAP client information scguiwweb 9.30.201 (201) at fe80::249d:2f71:356f:2a28 Browser MSIE 7.0 AppServer Apache Tomcat 7.0.23
6880( 5556) 04/20/2012 14:33:12 JRTE I SSL connection accepted
6880( 6232) 04/20/2012 14:33:12 RTE I User CCRM/falcon has logged in and is using a Named license ( 2 out of a maximum 25 )
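When debugInfo is on, the web tier log carries enough to verify each SSO login end to end: the REMOTE_USER the filter received, the operator id it produced, and the id the web client then connects with. The following Python script is an added example and not part of this document: it parses those three kinds of lines, rebuilds one record per START/END DEBUG block, and reports two conditions a practitioner checks when SSO misbehaves, a login whose domain was dropped although keepDomain is true, and a "Connecting with preauthenticated user" id that no filter debug block produced (a sign the custom bean is not the filter that handled the request). The first block and its connect line are copied from the excerpt above; the exec-5 block and the last two connect lines are constructed for the example.

```python
"""Parse HPSM web tier SSO debug lines and flag inconsistent logins. Added example; the regexes
follow the line layout of the log excerpt in this document, the audit rules are this script's own."""
import re

FILTER_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2},\d{4}) INFO (?P<thread>\S+) "
    r"com\.hp\.ov\.cwc\.security\.acegi\.HPPSO_iwa_preAuthenticationFilter - .*?"
    r"\*\*\* HPPSOiwaHeaderPreAuthenticationFilter - (?P<body>.*)$")
CONNECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INFO (?P<thread>\S+) com\.hp\.ov\.sm\.client\.webtier\.SCLogging - .*"
    r"\[INFO\] Connecting with preauthenticated user: (?P<user>.*)$")

# debug-line labels written by PrintDebug, mapped to record keys
FIELDS = {
    "keepDomain": "keep_domain",
    "Remote User": "remote_user",
    "HP Service Manager Operator ID after Domain and Case Conversion": "operator_id",
}

# Constructed sample (first block and first connect line copied from the excerpt above).
SAMPLE_LOG = r"""
20/04/2012 14:33:11,0021 INFO ajp-bio-8889-exec-3 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:33:11 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - START DEBUG ******************
20/04/2012 14:33:11,0021 INFO ajp-bio-8889-exec-3 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:33:11 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - keepDomain: true
20/04/2012 14:33:11,0021 INFO ajp-bio-8889-exec-3 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:33:11 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - Remote User: CCRM\falcon
20/04/2012 14:33:11,0023 INFO ajp-bio-8889-exec-3 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:33:11 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - HP Service Manager Operator ID after Domain and Case Conversion: CCRM/falcon
20/04/2012 14:33:11,0023 INFO ajp-bio-8889-exec-3 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:33:11 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - END DEBUG ******************
20/04/2012 14:33:14,0355 INFO ajp-bio-8889-exec-1 com.hp.ov.sm.client.webtier.SCLogging - Apr 20, 2012 14:33:14 CEST [INFO] Connecting with preauthenticated user: CCRM/falcon
20/04/2012 14:35:02,0010 INFO ajp-bio-8889-exec-5 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:35:02 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - START DEBUG ******************
20/04/2012 14:35:02,0010 INFO ajp-bio-8889-exec-5 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:35:02 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - keepDomain: true
20/04/2012 14:35:02,0011 INFO ajp-bio-8889-exec-5 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:35:02 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - Remote User: OTHER\falcon
20/04/2012 14:35:02,0012 INFO ajp-bio-8889-exec-5 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:35:02 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - HP Service Manager Operator ID after Domain and Case Conversion: falcon
20/04/2012 14:35:02,0012 INFO ajp-bio-8889-exec-5 com.hp.ov.cwc.security.acegi.HPPSO_iwa_preAuthenticationFilter - Apr 20, 2012 14:35:02 CEST *** HPPSOiwaHeaderPreAuthenticationFilter - END DEBUG ******************
20/04/2012 14:35:03,0200 INFO ajp-bio-8889-exec-1 com.hp.ov.sm.client.webtier.SCLogging - Apr 20, 2012 14:35:03 CEST [INFO] Connecting with preauthenticated user: falcon
20/04/2012 14:36:00,0001 INFO ajp-bio-8889-exec-2 com.hp.ov.sm.client.webtier.SCLogging - Apr 20, 2012 14:36:00 CEST [INFO] Connecting with preauthenticated user: svcbot
"""


def parse_logins(text):
    """Return (logins, connects): one dict per START..END DEBUG block, and the list of
    operator ids the web client connected with, in log order."""
    logins, connects, current = [], [], None
    for line in text.splitlines():
        m = FILTER_RE.match(line)
        if m:
            body = m.group("body").strip()
            if body.startswith("START DEBUG"):
                current = {"thread": m.group("thread"), "ts": m.group("ts")}
            elif body.startswith("END DEBUG") and current is not None:
                logins.append(current)
                current = None
            elif current is not None:
                key, colon, value = body.partition(":")
                if colon and key.strip() in FIELDS:
                    current[FIELDS[key.strip()]] = value.strip()
            continue
        m = CONNECT_RE.match(line)
        if m:
            connects.append(m.group("user").strip())
    return logins, connects


def audit(text):
    """Return human-readable findings for the inconsistencies described in the lead-in."""
    logins, connects = parse_logins(text)
    findings = []
    produced_ids = {login.get("operator_id") for login in logins}
    for login in logins:
        remote_user, operator_id = login.get("remote_user", ""), login.get("operator_id", "")
        if login.get("keep_domain") == "true" and "\\" in remote_user \
                and operator_id == remote_user.split("\\", 1)[1]:
            findings.append(f"{login['thread']}: keepDomain is true but the domain was dropped "
                            f"({remote_user} -> {operator_id})")
        if "\\" in operator_id:
            findings.append(f"{login['thread']}: operator id {operator_id} still contains a backslash, "
                            "which HPSM does not accept")
    for user in connects:
        if user not in produced_ids:
            findings.append(f"web client connected as {user!r} but no filter debug block produced that id")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Feed the script the whole web tier log rather than a snippet; because the filter and SCLogging lines run on different Tomcat threads (exec-3 and exec-1 in the excerpt), the correlation is by operator id, not by thread.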
4.3.2 When no matching operator is found
Figure : no matching HPSM operator is found (HPSM 9.30 client)
5 Monitoring
A good tool for monitoring Tomcat is PSI-Probe. PSI Probe is a community-driven fork of Lambda Probe distributed under the same open-source license (GPLv2). It is intended to replace and extend Tomcat Manager, making it easier to manage and monitor an instance of Apache Tomcat.
More info can be found on the following website: http://code.google.com/p/psi-probe/.
The functionality of PSI Probe:
Unlike many other server monitoring tools, PSI Probe does not require any changes to your existing apps. It provides all of its features through a web-accessible interface that becomes available simply by deploying it to your server. These features include:
- Requests: Monitor traffic in real-time, even on a per-application basis.
- Sessions: Browse/search attributes, view last IP, expire, estimate size.
- JSP: Browse, view source, compile.
- Data Sources: View pool usage, execute queries.
- Logs: View contents, download, change levels at runtime.
- Threads: View execution stack, kill.
- Connectors: Status, usage charts.
- Cluster: Status, usage charts.
- JVM: Memory usage charts, advise GC.
- Java Service Wrapper: Restart JVM.
- System: CPU usage, memory usage, swap file usage.
6 Debugging SSO
- Adapt the log4j.properties file for debugging purposes. This is described in paragraph 3.7.4.1 extended log4j.properties above.
- Stop the web tier, clean up all web logs and restart the web tier.
- Monitor the SM log files.
- Keep track of the time, IP address, login, on which IIS, which web server and which SM application server the issue occurred.
- Additionally, install HttpWatch v7 (http://www.httpwatch.com/download/) and trace the HTTP traffic, which can be analyzed by HP R&D.
- Install diagnostic.jsp in the root of the web application. Call it by replacing index.do with diagnostic.jsp.