Stacked CSI providers

CSI providers can be stacked together to provide a security solution to meet special security requirements. Every CSI authentication provider has a controlFlag attribute that is used to control overall behavior when authentication proceeds through stacked authentication providers.

The control flag values and their meanings are the same as those defined in JAAS, as shown in Table A-4.

Table A-4: JAAS control flag values

| Control flag value | Description |
|---|---|
| required | The LoginModule is required to succeed. If it succeeds or fails, authentication proceeds down the LoginModule list. |
| requisite | The LoginModule is required to succeed. If it succeeds, authentication continues down the LoginModule list. If it fails, control returns immediately to the application (authentication does not proceed down the LoginModule list). |
| sufficient | The LoginModule is not required to succeed. If it does succeed, control returns immediately to the application (authentication does not proceed down the LoginModule list). If it fails, authentication continues down the LoginModule list. |
| optional | The LoginModule is not required to succeed. If it succeeds or fails, authentication proceeds down the LoginModule list. |

Like authentication providers, CSI attributers and authorizers can also be stacked. Normally, each authentication provider has corresponding CSI attributers and authorizers, so that together they provide the complete security service of the back-end security system. However, attributers and authorizers do not have to be bound to a specific authenticator.

In UA 8.0, the PortalDB provider and the LDAP provider are the ones most likely to be stacked together to enforce UA security. For example, UA users are normally authenticated against the LDAP server. At the same time, the default “masuper” user defined in PortalDB can be used to log in to Mobile Web Studio to perform administration and development tasks. The following sample stacks PortalDB and LDAP providers:

<?xml version="1.0" encoding="UTF-8"?>
<config:configuration xmlns:config="http://www.sybase.com/csi/2.5/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- portaldatabase authentication -->
  <config:authenticationProvider
    name="com.sybase.security.portaldb.PortalDBLoginModule" controlFlag="optional">
    <config:options name="DatasourceName" value="java:comp/env/jdbc/portaldb" />
  </config:authenticationProvider>

  <!-- LDAP authenticator -->
  <config:authenticationProvider name="com.sybase.security.ldap.LDAPLoginModule"
    controlFlag="optional">
    <config:options name="ServerType" value="sunone5" />
    <config:options name="ProviderURL" value="ldap://localhost:389" />
    <config:options name="DefaultSearchBase" value="dc=sybase,dc=com" />
  </config:authenticationProvider>

  <config:provider name="com.sybase.security.portaldb.PortalDBAttributer" type="attributer" />

  <!-- LDAP attributer -->
  <config:provider name="com.sybase.security.ldap.LDAPAttributer" type="attributer" />

  <config:provider name="com.sybase.security.portaldb.PortalDBAuthorizer" type="authorizer">
    <config:options name="AlwaysUsePortalDBRoles" value="true" />
    <config:options name="AlwaysUsePortalDBPermissions" value="true" />
  </config:provider>
</config:configuration>
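
To review what a given stack will accept, the following added example (not Sybase or CSI code) reads the authenticationProvider entries from a CSI configuration and walks them with the Table A-4 semantics, showing that with both providers set to optional a success in either store is enough to log in. The function names and the per-provider outcomes are hypothetical, and the overall pass/fail rule is the one JAAS documents, assumed here to carry over to CSI.

```python
import xml.etree.ElementTree as ET

NS = {"config": "http://www.sybase.com/csi/2.5/config"}
PORTALDB = "com.sybase.security.portaldb.PortalDBLoginModule"
LDAP = "com.sybase.security.ldap.LDAPLoginModule"

# Constructed sample: the two authentication providers from the page, options omitted.
SAMPLE = f"""<config:configuration xmlns:config="{NS['config']}">
  <config:authenticationProvider name="{PORTALDB}" controlFlag="optional"/>
  <config:authenticationProvider name="{LDAP}" controlFlag="optional"/>
</config:configuration>"""


def load_stack(xml_text):
    """Return [(provider name, controlFlag)] in document order."""
    root = ET.fromstring(xml_text)
    return [(p.get("name"), p.get("controlFlag"))
            for p in root.findall("config:authenticationProvider", NS)]


def evaluate(stack, outcomes):
    """outcomes maps provider name -> bool (hypothetical login results).
    Returns (overall_result, providers_consulted)."""
    consulted = []
    mandatory_seen = mandatory_failed = any_ok = False
    for name, flag in stack:
        ok = outcomes[name]
        consulted.append(name)
        any_ok = any_ok or ok
        if flag in ("required", "requisite"):
            mandatory_seen = True
            mandatory_failed = mandatory_failed or not ok
            if flag == "requisite" and not ok:
                break              # requisite failure returns immediately
        elif flag == "sufficient" and ok:
            break                  # sufficient success returns immediately
        elif flag not in ("sufficient", "optional"):
            raise ValueError(f"unknown controlFlag {flag!r} on {name}")
    # JAAS overall rule (assumption for CSI): every required/requisite provider
    # consulted must succeed; with none consulted, at least one other must.
    if mandatory_seen:
        return (not mandatory_failed), consulted
    return any_ok, consulted


if __name__ == "__main__":
    stack = load_stack(SAMPLE)
    print(evaluate(stack, {PORTALDB: True, LDAP: False}))   # PortalDB-only account
    print(evaluate(stack, {PORTALDB: False, LDAP: False}))  # unknown everywhere
```
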