Active Response is based on the SiteMinder Authorization API, which returns response values from a custom Java class. We can use C, Java and Perl scripts to write Active Responses. This article shows how to write an Active Response in Java that parses the Impersonator's CN value from the DN.
Necessity of Active Response:
Consider CSR impersonation. It involves two kinds of users: Impersonators and Impersonatees. In some scenarios an Impersonator performs tasks on behalf of an Impersonatee. For auditing purposes, if we want to track which task was done by whom, the simplest solution is to capture the user's CN value and store or use it in the application as required. So throughout the application we need to pass both the Impersonator's and the Impersonatee's CN values as responses.
If we specify a response attribute like CN=<%userattr="cn"%>, it holds the Impersonator's CN value only after the Impersonator authenticates and before the impersonation starts. On successful impersonation, the Impersonatee's CN value replaces the Impersonator's CN value in the SiteMinder Response. We want both the Impersonator's and the Impersonatee's CN values in the SiteMinder Response.
To overcome this issue, we write an Active Response in Java that parses the Impersonator's CN value from the DN value and puts it into the SiteMinder Response.
Java Code to Parse the CN value from the DN:
There is a response attribute called SM_USERIMPERSONATORNAME, which returns the Impersonator's DN value as a SiteMinder Response.
The following Java class parses the Impersonator's CN value from SiteMinder's default attribute SM_USERIMPERSONATORNAME.
package com.sample.ActiveResponse;

import com.netegrity.policyserver.smapi.ActiveExpression;
import com.netegrity.policyserver.smapi.ActiveExpressionContext;
import com.netegrity.policyserver.smapi.APIContext;
import com.netegrity.policyserver.smapi.UserContext;

public class ParseCNFromImpersonatorDN implements ActiveExpression
{
    public int init(APIContext context) throws Exception
    {
        // This example needs no initialization so just return "success"
        return 0;
    }

    public String invoke(ActiveExpressionContext context, String param) throws Exception
    {
        int indexOfChar = -1;
        if (context == null)
        {
            // should never happen
            throw new IllegalArgumentException("ActiveResponseSample invoked without context");
        }
        // The User Context is required to use methods like getProp and setProp.
        UserContext theUserContext = context.getUserContext();
        if (theUserContext == null)
        {
            //context.setErrorText("No User Context.");
            return null;
        }
        // DN of the impersonator; null or empty when no impersonation is in progress.
        String csrdn = theUserContext.getProp("SM_USERIMPERSONATORNAME");
        if (csrdn == null || "".equals(csrdn))
        {
            return null;
        }
        // Skip the attribute type of the first RDN (everything up to the first "=").
        indexOfChar = csrdn.indexOf("=");
        if (-1 == indexOfChar)
        {
            //context.setErrorText("Param is not Impersonator DN "+csrdn);
            return null;
        }
        String csrUserName = csrdn.substring(indexOfChar + 1);
        // The value of the first RDN ends at the first ",".
        indexOfChar = csrUserName.indexOf(",");
        if (-1 == indexOfChar)
        {
            //context.setErrorText("Param is not Impersonator DN "+csrUserName);
            return null;
        }
        csrUserName = csrUserName.substring(0, indexOfChar);
        return csrUserName;
    }

    public int release(APIContext context) throws Exception
    {
        // This example needs no shutdown so just return "success"
        return 0;
    }
}
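A stricter variant of the parsing step, as an added example (not part of the original article or of the SiteMinder SDK): the class above returns whatever lies between the first "=" and the first ",", so it would hand back the value of a leading uid= RDN as if it were a CN and would cut a CN that contains an escaped comma. This version uses the JDK's javax.naming.ldap.LdapName instead; the class name ImpersonatorCnParser, the method cnFromDn, the control-character check and the sample DNs are assumptions made for illustration.

```java
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class ImpersonatorCnParser {

    // Returns the CN of the leftmost RDN, or null when the DN gives no usable CN.
    static String cnFromDn(String dn) {
        if (dn == null || dn.trim().isEmpty()) {
            return null;
        }
        try {
            LdapName name = new LdapName(dn);   // RFC 2253 parsing, handles "\," escapes
            if (name.isEmpty()) {
                return null;
            }
            // LdapName numbers RDNs from the right, so the leftmost RDN is the last index.
            Rdn leaf = name.getRdn(name.size() - 1);
            // toAttributes() also covers multi-valued RDNs such as cn=a+uid=b.
            Attribute cn = leaf.toAttributes().get("cn");
            if (cn == null || !(cn.get() instanceof String)) {
                return null;                    // leftmost RDN is not a textual CN
            }
            String value = (String) cn.get();
            // The value ends up in an HTTP header or cookie: refuse control characters.
            for (int i = 0; i < value.length(); i++) {
                if (Character.isISOControl(value.charAt(i))) {
                    return null;
                }
            }
            return value;
        } catch (NamingException e) {           // includes InvalidNameException
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample DNs, not taken from a real directory.
        String[] samples = {
            "CN=csr01,ou=CSR,dc=example,dc=com",
            "cn=Smith\\, John,ou=CSR,dc=example,dc=com",
            "uid=jsmith,ou=CSR,dc=example,dc=com",
            "not a dn"
        };
        for (String dn : samples) {
            System.out.println(dn + " -> " + cnFromDn(dn));
        }
    }
}
```

The body of cnFromDn could replace the substring logic inside invoke(), with csrdn passed as the argument.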
Steps to implement the Active Response in SiteMinder Policy Server:
1. Compile the ParseCNFromImpersonatorDN.java file and create the CNFromDN.jar file.
2. Copy the jar file CNFromDN.jar into the following Location in your SiteMinder server.
3. Add the location of CNFromDN.jar file in the JVMOptions.txt file as follows:
4. Add the CSRCN response attribute in your SiteMinder Response as below.
Create a new Response attribute as follows (either HTTP Header or Cookie):
Attribute: WebAgent-HTTP-Header-Variable
Attribute Setup:
Attribute Kind : Active Response
Variable Name : CSRCN
Library Name : smjavaapi
Function Name : JavaActiveExpression
Parameters : com.sample.ActiveResponse.ParseCNFromImpersonatorDN
5. Restart your SiteMinder Policy Server for this Active Response to take effect.
On successful implementation of this Active Response, you will have both the Impersonator's and the Impersonatee's CN values in your application's response.
Abbreviation:
DN – Domain Name
CN – Common Name
CSR – Customer Service Representative