jordan.baucke

Reputation: 4328

Securing webservices with OpenAM

I am attempting to create a secure, and possibly metered web-service in Java.

In my research I turned up a lot of information about OpenSSO and thought that it was my solution until I discovered that OpenAM had taken over the reins and that OpenSSO was no longer being developed!

I've got Tomcat7+OpenAM's latest version installed and have started to configure it.

My GOAL:

I would like to have a session/token-based authentication where users can request a token from the secure web-service endpoint (OpenAM seems to offer this), then include that token in subsequent HTTP requests to the web-service endpoints protected by OpenAM.

I see guides on how to create an 'agent-policy' for Apache... but so far not Tomcat? Maybe I'm just naive about how this stuff works - maybe I would use a Java EE Policy for Tomcat?

Finally, a nice to have: When the user hits a particular service, I am able to take their authenticated token, and use it to 'meter' the service in some meaningful way (record information about the requests) - is there an API hook in OpenAM or should I plan on implementing this internally to the web-service?

My question is: Are there any guides out there, or sample projects that demonstrate this type of configuration? OpenAM's documentation is nice, but I guess I need a bit more hand-holding.

Upvotes: 4

Views: 3362

Answers (2)

cake

Reputation: 11

Do you know wssagents? I think that the following information solves your problem.

http://www.oracle.com/technetwork/java/wss-sdn-4-140497.html

ClientFilter corresponds to token-based authentication. Web-service endpoints are protected by ClientHandler and ServerHandler. OpenAM has web-service security information, the WSC Profile and WSP Profile; they have security mechanisms (SAML, Kerberos, etc.), encryption and so on.

Upvotes: 1

LDAdams

Reputation: 682

Have a look at this: https://wikis.forgerock.org/confluence/display/openam/OpenSSO+Spring+Security+(Acegi)+Integration

We are looking at this as a possible solution. We plan to use Spring to assist in our implementation.

Hope it helps.

Upvotes: 1
